OpenClaw 2026 Dual-Machine Topology:
CALMVPS Gateway, Local macOS Remote, and 18789 Tunnel Triage

Many teams can run OpenClaw on a local Mac, but production breaks on a different set of problems: they need the Gateway online 24x7 on datacenter-grade bare metal, while Canvas, screen recording, camera, and system.run must stay on a local Mac with TCC grants. The 2026 macOS docs describe this as Remote mode — Gateway on the remote host, node host on the laptop, control plane over SSH or Tailscale on default port 18789. This guide gives you a reproducible dual-machine layout, a decision matrix, a six-step connect playbook, and triage for the most common tunnel errors. Node and tier options are on the CALMVPS pricing page.

By the end you should be able to answer three questions. First, whether your workload should stay on Local single-Mac or move to Remote dual-machine. Second, which CALMVPS region hosts the Gateway and how to switch the macOS App to Remote with node host running. Third, which commands to run first when the tunnel fails, port 18789 is busy, or the Gateway shows node IP 127.0.0.1.

01 Pain points the dual-machine topology solves

Stacking every capability on one Mac feels smooth in a demo. In production you pay three hidden costs:

  • Compute and permissions fused. The Gateway holds long-lived sockets, cron, and multi-channel sessions. The same box must grant screen recording and automation. On 16GB hardware, overnight batch jobs swap while TCC prompts break unattended flows.
  • Uncontrolled egress. Residential ISP or office NAT is hostile to WebSocket longevity. Channels drop and get misread as model failures, so triage starts in the wrong place.
  • Blurry ops boundaries. Sleep, OS updates, Spotlight, and launchd overlap. It is hard to tell whether the Gateway died or macOS suspended the process.

Remote dual-machine splits roles cleanly. A remote bare-metal Mac (for example CALMVPS Hong Kong, Singapore, or US West) runs Gateway, channels, and scheduling. The local Mac is only the Node with UI and TCC, exposing Canvas, Camera, Screen, and system.run through node host. The control plane still uses 18789, but the macOS App maintains the SSH control tunnel so operators do not maintain a pile of port-forward scripts by hand.

A short rule beats a long debate. Gateway in the cloud, Node on the desk, control plane only on 18789. Draw the topology before you argue M4 tiers or rental terms.

02 Local single-Mac vs Remote dual-machine decision matrix

Not every team needs dual-machine on day one. The table below draws a line between staying on Local and switching to Remote so engineering and ops can align in one review.

OpenClaw Local single-Mac vs Remote dual-machine (2026 production view)
| Dimension | Local (Gateway on laptop) | Remote (Gateway on CALMVPS bare metal) |
| Best stage | Personal validation, single-channel bot | 24x7 channels, multi-agent, cross-timezone cron |
| Local Mac role | Gateway and Node combined | Node only (TCC, Canvas, system.run) |
| Remote Mac role | None | Gateway, launchd persistence, logs on disk |
| Control plane | 127.0.0.1:18789 direct | SSH -L or Tailscale MagicDNS plus App tunnel |
| Typical risks | Sleep, updates, memory contention | Tunnel health, version skew, token drift |
| Rental term | Owned hardware is enough | Monthly or quarterly Gateway node; no extra local purchase |

If you also need a multi-region hub-and-spoke (Gateway where users cluster, workers in the next cluster), Remote dual-machine is the prerequisite. For regional placement see the OpenClaw remote Mac node selection article. This post focuses on the smallest production topology: one remote Gateway plus one local Node.

03 Deploy Gateway on CALMVPS bare metal

Pick the CALMVPS region closest to your users and channel webhooks (Hong Kong, Japan, Korea, Singapore, US East, US West). Bind the Gateway to loopback only and expose the control plane through SSH or Tailscale — do not publish the Web UI on a public port. Install commands follow the official installer; re-open the link after each upstream release to confirm behavior:

https://openclaw.ai/install.sh

macOS platform notes (Local/Remote modes, launchd label ai.openclaw.gateway) are documented here:

https://docs.openclaw.ai/platforms/macos

REMOTE_GATEWAY_SETUP.SH
curl -fsSL https://openclaw.ai/install.sh | bash
openclaw onboard --install-daemon
openclaw gateway status
launchctl kickstart -k gui/$UID/ai.openclaw.gateway
# Gateway WS default 18789; bind 127.0.0.1 on the remote host

  • Node runtime. Official guidance uses Node for the Gateway process. Pin one major version on bare metal so launchd and your interactive shell do not diverge.
  • State directory. Do not place OPENCLAW_STATE_DIR on an iCloud-synced path. Use ~/.openclaw and fix anything openclaw doctor flags.
  • Disk headroom. Logs, cron history, and memory persistence grow without pause. Reserve at least 80GB for the OpenClaw tree on a production Gateway; choose 1TB or 2TB tiers or parallel workers when queues spike.

04 Local macOS Remote mode and SSH/Tailscale six steps

After installing OpenClaw.app on the local Mac and completing the TCC permission checklist, switch to Remote mode using the six steps below. Behavior follows the official macOS documentation; verify against docs after each App upgrade.

  1. Confirm remote Gateway health. On the CALMVPS node run openclaw gateway status and verify 18789 answers on loopback.
  2. Prepare SSH keys. The App opens the control tunnel in BatchMode. Configure key-based login for the ops account so the tunnel does not stall on a password prompt.
  3. Optional Tailscale. If the team already runs a tailnet, prefer MagicDNS hostnames over raw tailnet IPs that change when machines rejoin.
  4. Switch the App to Remote. Enter the remote host. The App reuses or rebuilds a tunnel shaped like ssh -N -L 18789:127.0.0.1:18789 and does not spawn a local Gateway child process.
  5. Start local node host. In Remote mode the App runs node host so the remote Gateway can call Canvas, Camera, Screen, and system.run under Exec approvals policy.
  6. Cross-check with debug CLI. From the local repo apps/macos run swift run openclaw-mac connect --json and discover --timeout 3000 --json to match the App discovery and handshake path and separate tunnel issues from Gateway config issues.

macOS remote access (Direct ws/wss and reporting real client IP) is covered here:

https://docs.openclaw.ai/platforms/mac/remote

CONTROL_TUNNEL_MANUAL.SH
ssh -N -L 18789:127.0.0.1:18789 user@your-calmvps-node
curl -fsS http://127.0.0.1:18789/healthz
# Over SSH loopback the Gateway may show node IP 127.0.0.1; use Direct ws/wss for real IP

05 Port 18789 control tunnel triage and citable technical facts

In dual-machine setups, most “cannot connect” incidents sit in the control tunnel or version alignment, not the model provider. Hard parameters and a symptom table you can quote in runbooks:

  • Default Gateway WebSocket port: 18789 per official macOS remote docs. The control tunnel maps the same local and remote port; the App reuses a healthy tunnel instead of random local ports.
  • LaunchAgent label: ai.openclaw.gateway (with OPENCLAW_PROFILE set, ai.openclaw.<profile>). Restart with launchctl kickstart -k gui/$UID/ai.openclaw.gateway.
  • Exec approvals path: Local system.run policy lives in ~/.openclaw/exec-approvals.json, separate from remote Gateway config — back it up when you migrate nodes.

Remote dual-machine symptoms and first fix
| Symptom | Check first | First fix |
| App shows Gateway unreachable | SSH tunnel alive, port 18789 free | Restart App tunnel; on remote lsof -i :18789 for conflicts |
| Health OK but channel offline | Gateway vs CLI/App version | Align openclaw --version on both sides, restart Gateway |
| Node IP stuck at 127.0.0.1 | Connection via SSH tunnel | Expected over tunnel; use Direct ws/wss when you need real IP |
| Canvas or camera silent | Local node host, TCC grants | Confirm node host in Remote mode; rerun permission checklist |
| Tailscale discovery fails | MagicDNS enabled, hostname drift | Reconfigure with MagicDNS name; avoid hard-coded tailnet IP |
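
The loopback-only bind from section 03 and the "port 18789 free" check in the table above can both be verified from lsof output. The following is an added example, not code from OpenClaw or CALMVPS; the function name check_listeners and the sample lsof lines are constructed for illustration.

```shell
# Added example: classify listeners on the control-plane port.
# Live use:  lsof -nP -iTCP:18789 -sTCP:LISTEN | check_listeners remote
PORT=18789

# $1 = remote : Gateway host, every listener must be loopback-only
# $1 = local  : laptop, the listener should be the ssh control tunnel
check_listeners() {
  awk -v role="$1" -v port="$PORT" '
    $1 == "COMMAND" || $NF != "(LISTEN)" { next }  # header, non-listeners
    {
      seen = 1
      addr = $(NF - 1)
      sub(":" port "$", "", addr)                  # keep only the bind address
      if (addr != "127.0.0.1" && addr != "[::1]") exposed = exposed " " addr
      if ($1 != "ssh") other = other " " $1
    }
    END {
      if (!seen) print (role == "local" ? "tunnel-down" : "gateway-not-listening")
      else if (exposed != "") print "exposed:" exposed
      else if (role == "local" && other != "") print "port-conflict:" other
      else print "ok"
    }'
}

# Constructed lsof output (hypothetical PIDs and users, not captured from a host).
HDR='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME'
REMOTE_EXPOSED="$HDR
node 4121 ops 23u IPv4 0x1a2b 0t0 TCP *:18789 (LISTEN)"
REMOTE_OK="$HDR
node 4121 ops 23u IPv4 0x1a2b 0t0 TCP 127.0.0.1:18789 (LISTEN)"
LOCAL_TUNNEL="$HDR
ssh 7710 dev 5u IPv6 0x3c4d 0t0 TCP [::1]:18789 (LISTEN)
ssh 7710 dev 6u IPv4 0x3c4e 0t0 TCP 127.0.0.1:18789 (LISTEN)"
LOCAL_CONFLICT="$HDR
Python 991 dev 4u IPv4 0x5e6f 0t0 TCP 127.0.0.1:18789 (LISTEN)"

printf '%s\n' "$REMOTE_EXPOSED" | check_listeners remote
printf '%s\n' "$REMOTE_OK"      | check_listeners remote
printf '%s\n' "$LOCAL_TUNNEL"   | check_listeners local
printf '%s\n' "$LOCAL_CONFLICT" | check_listeners local
```

An "exposed" result on the remote host means the Gateway is reachable without the SSH or Tailscale tunnel; a "port-conflict" result on the laptop means another process holds 18789 and the App tunnel cannot bind it.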

Field pattern: an iOS team placed Gateway plus Discord and Telegram channels on a CALMVPS Singapore node (monthly M4 24GB) while a local MacBook Pro served only as Node for screen.record and Xcode side scripts. Peak load added a weekly parallel worker for batch builds without touching the Gateway, so channel sessions stayed up. That split produced fewer overnight pages than a single Mac carrying everything.

06 M4 tiers, storage, rental term, and purchasing checklist

Size dual-machine deployments by role, not as one oversized box for both sides:

  • Remote Gateway (CALMVPS). Multi-channel plus cron: start at M4 24GB. Hub nodes or local model fallback: M4 Pro. Disk: 1TB for validation, 2TB for production retention.
  • Local Node Mac. TCC and UI tools dominate; 16GB is usually enough. Bottlenecks are permissions and network, not Gateway compute.
  • Parallel capacity. Run one-off backfills or parallel builds on daily or weekly worker nodes instead of upgrading the hub tier.
  • Term mix. Lock the Gateway on a monthly or quarterly rental; put pulse work on daily or weekly parallel nodes. Blended cost often beats one max-spec long rental.

Keeping the Gateway on a personal laptop or home NAS fails on long-socket jitter, sleep interrupts, and unaudited token reuse. Pure Linux cloud VMs lack macOS TCC and Apple tooling, so the local Node in Remote topology is not optional. For teams that need a stable 18789 control plane, multi-region bare metal, and reproducible triage, CALMVPS multi-region bare-metal Mac is the natural Gateway host: dedicated Apple Silicon, 24x7 uptime, roughly 120-second provisioning, and parallel nodes to absorb channel spikes without a hub upgrade. See the pricing page for current nodes and tiers.