docs: add AllowTcpForwarding requirement to Hetzner SSH tunnel guide

[Aftabbs]

Closes #54557

Problem

The Hetzner SSH tunnel setup silently fails when AllowTcpForwarding is disabled on the server (which is the default on many Hetzner configurations). Users get no error message, making this hard to diagnose.

Fix

Added a note to the Hetzner deployment guide explaining that AllowTcpForwarding yes must be set in /etc/ssh/sshd_config on the remote server for SSH tunnels to work.

[greptile-apps]

Greptile Summary

This PR adds a small but useful diagnostic note to both the English (docs/install/hetzner.md) and Simplified Chinese (docs/zh-CN/install/hetzner.md) Hetzner deployment guides, explaining that SSH local-port-forwarding requires AllowTcpForwarding yes in the server's /etc/ssh/sshd_config. The note is well-placed immediately before the ssh -N -L … command, explains the symptom (tunnel connects but port is unreachable), and provides the remediation step (systemctl restart sshd). The Chinese translation accurately reflects the English note.

• Documentation-only change; no code is modified.
• Technically accurate: local TCP port forwarding is gated by AllowTcpForwarding in OpenSSH.
• Both language variants are updated consistently.
• No issues found.

Confidence Score: 5/5

Documentation-only fix with accurate technical content; safe to merge as-is.

Both changed files contain only a single-sentence note with correct technical information, proper placement, and a matching translation. There are no logic, syntax, or style concerns.

No files require special attention.

Important Files Changed

Filename	Overview
docs/install/hetzner.md	Added a note before the SSH tunnel command explaining the AllowTcpForwarding requirement.
docs/zh-CN/install/hetzner.md	Added the Chinese translation of the same AllowTcpForwarding note, consistent with the English version.

_{Reviews (1): Last reviewed commit: "docs: add AllowTcpForwarding requirement..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e911158acf

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Revert manual edit in generated zh-CN doc

This line introduces a direct edit under docs/zh-CN/**, but AGENTS.md explicitly marks that tree as generated and requires the i18n pipeline flow (update English docs, then regenerate translations) instead of manual changes. Keeping this hand-edited line risks it being overwritten on the next scripts/docs-i18n run and creates avoidable drift between source docs and generated translations, so this should be regenerated through the documented pipeline rather than committed directly.

Useful? React with 👍 / 👎.

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

Close PR #54954 as duplicate/superseded by open PR #54564. Current main still lacks the Hetzner AllowTcpForwarding note, so this is not implemented-on-main; however #54564 already tracks the same #54557 docs gap with an English-only patch, while #54954 also edits generated localized docs and is currently dirty.

Best possible solution:

Close #54954 as a duplicate/superseded PR and continue the Hetzner SSH tunnel documentation fix in #54564. The best final patch should update only docs/install/hetzner.md, recommend the safer AllowTcpForwarding local setting for ssh -L, and let the docs i18n pipeline regenerate localized output.

What I checked:

• Current main still lacks the requested Hetzner note: At current main 06d409d, the Hetzner access step goes directly from the tunnel intro to ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP; rg finds no AllowTcpForwarding mention in the current Hetzner guide. Public docs: docs/install/hetzner.md. (docs/install/hetzner.md:220, 06d409dc2738)
• Canonical open duplicate PR exists: GitHub API search for AllowTcpForwarding PRs in openclaw/openclaw returns two open PRs: docs: add AllowTcpForwarding prerequisite to Hetzner SSH tunnel step #54564 and docs: add AllowTcpForwarding requirement to Hetzner SSH tunnel guide #54954. PR docs: add AllowTcpForwarding prerequisite to Hetzner SSH tunnel step #54564 is older, open, also closes [Feature]: Hetzner guide: SSH tunnel requires AllowTcpForwarding to be enabled in sshd config #54557, and its current head b41adf6 changes only docs/install/hetzner.md with an AllowTcpForwarding local prerequisite matching the original issue request. (b41adf6e3caf)
• Target PR has a generated-docs blocker: PR docs: add AllowTcpForwarding requirement to Hetzner SSH tunnel guide #54954 changes both docs/install/hetzner.md and docs/zh-CN/install/hetzner.md; an existing Codex review comment flags the localized edit. Current docs policy says foreign-language docs are not maintained in this repo and localized docs under docs/<locale>/** should not be added or edited here. Public docs: docs/AGENTS.md. (docs/AGENTS.md:21, 06d409dc2738)
• OpenSSH contract supports the docs premise: The OpenBSD/OpenSSH sshd_config manual describes AllowTcpForwarding as controlling TCP forwarding and lists local as allowing local forwarding only, which is the relevant mode for ssh -L.

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against 06d409dc2738.