diff --git a/CHANGELOG.md b/CHANGELOG.md index 1a554ba02ee..14b96e0a978 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ Docs: https://docs.openclaw.ai ### Fixes +- Docs/Hetzner: clarify that SSH tunnel access requires `AllowTcpForwarding local` before running `ssh -L`, so hardened VPS sshd configs do not block loopback Gateway access. Fixes #54557; carries forward #54564; refs #54954. Thanks @satishkc7, @blackstrype, and @Aftabbs. - Gateway/shutdown: report structured shutdown warnings and HTTP close timeout warnings through `ShutdownResult` while preserving lifecycle hook hardening. Carries forward #41296. Thanks @edenfunf. - Plugins/QA: prebuild the private QA channel runtime before plugin gauntlet source runs so wrapper CPU/RSS measurements are not polluted by private QA dist rebuild work. Thanks @vincentkoc. - Gateway/reload: bound default restart deferral and SIGUSR1 restart drain to five minutes while preserving explicit `deferralTimeoutMs: 0` indefinite waits, so stale active work accounting cannot block config reloads forever. Thanks @vincentkoc. diff --git a/docs/install/hetzner.md b/docs/install/hetzner.md index fce0db56f39..4500d3d707d 100644 --- a/docs/install/hetzner.md +++ b/docs/install/hetzner.md 
@@ -218,7 +218,22 @@ For the generic Docker flow, see [Docker](/install/docker). - After the shared build and launch steps, tunnel from your laptop: + After the shared build and launch steps, complete the following setup to open the tunnel: + + **Prerequisite:** Ensure your VPS sshd config allows TCP forwarding. If you + have hardened your SSH config, check `/etc/ssh/sshd_config` and set: + + ``` + AllowTcpForwarding local + ``` + + `local` allows `ssh -L` local forwards from your laptop while blocking + remote forwards from the server. Setting it to `no` will fail the tunnel + with: + `channel 3: open failed: administratively prohibited: open failed` + + After confirming TCP forwarding is enabled, restart the SSH service + (`systemctl restart ssh`) and run the tunnel from your laptop: ```bash ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP
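
Review bot: In the CHANGELOG.md hunk, the new Docs/Hetzner entry says SSH tunnel access "requires `AllowTcpForwarding local`", which is stricter than what the docs change itself states. The hetzner.md text only asks that the sshd config allow TCP forwarding and names `no` as the failing value, and the sshd default of `yes` also permits `ssh -L`. Suggest rewording to something like "requires TCP forwarding to be allowed (use `AllowTcpForwarding local` on hardened sshd configs)", so readers on a default config do not think they must edit `/etc/ssh/sshd_config`.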
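
Review bot: In the docs/install/hetzner.md hunk, the closing step "restart the SSH service (`systemctl restart ssh`)" is given unconditionally and with no config validation, on a host whose only access path is SSH. Suggest making the restart conditional on having edited `/etc/ssh/sshd_config`, and telling the reader to run `sshd -t` first and keep the current session open until a new login succeeds, so a typo in the file does not lock them out of the VPS. The unit is named `ssh` on Debian and Ubuntu but `sshd` on RHEL-family images, so either state which image the guide assumes or mention both names. Two smaller points on the same block: the quoted error hard-codes `channel 3`, and the channel number varies per session, so it is worth saying the number may differ; and a `Match` block later in the file can override a global `AllowTcpForwarding`, so the text could point readers at `sshd -T` to confirm the effective value.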