Skip to main content

Remote Gateway Setup

Run the SimpleClaw Gateway on a remote server (VPS, cloud instance) and connect from your local devices.

Why Run Remotely?

  • Always-on - Gateway runs 24/7 without tying up your laptop
  • Centralized - One gateway for all your devices
  • Resource efficient - Small VPS can handle multiple channels
  • Device flexibility - Connect from macOS, iOS, Android, web

Architecture

┌─────────────────────────────────────────┐
│            Remote Server (VPS)            │
│                                          │
│  ┌──────────────────────────────────┐  │
│  │      SimpleClaw Gateway        │  │
│  │   ws://127.0.0.1:18789         │  │
│  │                                  │  │
│  │  • Channels (Telegram, etc.)   │  │
│  │  • Agent sessions              │  │
│  │  • Bash tool execution         │  │
│  └──────────────────────────────────┘  │
│                  │                       │
│        Tailscale / SSH Tunnel          │
└─────────────────────────────────────────┘

         ┌────────┼────────┐
         │               │
    ┌────┴────┐    ┌────┴────┐
    │ macOS App│    │ iOS App │
    │  + Nodes │    │ + Nodes │
    └─────────┘    └─────────┘

Quick Start

1

Provision Server

Recommended specs:
  • 1-2 CPU cores
  • 2GB RAM
  • 20GB storage
  • Ubuntu 22.04 or Debian 12
Popular providers: DigitalOcean, Linode, Hetzner, Vultr
2

Install SimpleClaw on Server

SSH into your server:
ssh [email protected]
Install Node.js 22+:
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs
Install SimpleClaw:
npm install -g simpleclaw@latest
3

Run Onboarding

simpleclaw onboard --install-daemon
This will:
  • Create config directory
  • Configure Gateway
  • Set up systemd service (for Linux)
  • Start the Gateway
4

Configure Remote Access

Choose Tailscale or SSH Tunnel for secure access.

Access Methods

Tailscale provides secure, zero-config networking.
1

Install Tailscale on Server

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
2

Configure Tailscale Serve

Enable Tailscale Serve for Gateway:
simpleclaw config set gateway.tailscale.mode '"serve"' --json
simpleclaw config set gateway.bind '"loopback"' --json
The Gateway will be available at:
https://<hostname>.tailnet.ts.net
3

Connect from Client

Install Tailscale on your local machine, then:
simpleclaw gateway connect --url wss://<hostname>.tailnet.ts.net
Or use in macOS app:
  1. Open SimpleClaw Preferences
  2. Set Gateway URL: wss://<hostname>.tailnet.ts.net
  3. Click Connect

Option 2: SSH Tunnel

Use SSH port forwarding for secure access.
1

Create SSH Tunnel

On your local machine:
ssh -L 18789:127.0.0.1:18789 [email protected] -N
Keep this terminal open.
2

Connect Locally

The Gateway is now available at ws://127.0.0.1:18789:
simpleclaw agent --message "Hello from remote!"
3

Persistent Tunnel (Optional)

Set up autossh for automatic reconnection:
sudo apt-get install autossh
autossh -M 0 -L 18789:127.0.0.1:18789 [email protected] -N

Option 3: Public HTTPS (Advanced)

Expose Gateway with reverse proxy (nginx/caddy) + TLS. Security warning: Only do this with strong authentication enabled.
1

Install Caddy

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/caddy-stable-archive-keyring.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main" | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
2

Configure Caddy

Edit /etc/caddy/Caddyfile:
gateway.yourdomain.com {
  reverse_proxy localhost:18789
}
Reload:
sudo systemctl reload caddy
3

Enable Password Auth

Required for public access:
simpleclaw config set gateway.auth.mode '"password"' --json
simpleclaw config set gateway.auth.password '"your-strong-password"' --json
4

Connect

simpleclaw gateway connect --url wss://gateway.yourdomain.com --password your-strong-password

Configuration

Gateway Bind Settings

{
  "gateway": {
    "bind": "loopback",  // Only bind to 127.0.0.1
    "port": 18789,
    "auth": {
      "mode": "password",
      "password": "strong-password-here"
    }
  }
}
Important: Always use "loopback" bind for remote setups. Access via Tailscale/tunnel/reverse proxy.

Tailscale Configuration

{
  "gateway": {
    "tailscale": {
      "mode": "serve",        // or "funnel" for public
      "resetOnExit": true      // Cleanup on shutdown
    },
    "auth": {
      "mode": "tailscale"      // Use Tailscale auth headers
    }
  }
}

Managing the Gateway

Systemd Service (Linux)

After simpleclaw onboard --install-daemon, the Gateway runs as a systemd service. 
# Status
sudo systemctl status simpleclaw-gateway

# Restart
sudo systemctl restart simpleclaw-gateway

# Stop
sudo systemctl stop simpleclaw-gateway

# View logs
sudo journalctl -u simpleclaw-gateway -f

Manual Start

Run Gateway manually in tmux/screen: 
tmux new -s gateway
simpleclaw gateway run --bind loopback --port 18789
# Detach: Ctrl+B, D
Reattach: 
tmux attach -t gateway

Device Nodes

Device nodes (macOS, iOS, Android) can execute device-specific commands when paired:
1

Pair Device from Server

On the server:
simpleclaw nodes pair --platform macos
This displays a QR code or pairing code.
2

Scan on Device

  • macOS App: Preferences → Nodes → Pair Device
  • iOS App: Settings → Pair Device
  • Android App: Settings → Pair Device
3

Verify Pairing

simpleclaw nodes list
You should see your device.

Node Commands

Once paired, the Gateway can invoke device commands: 
# Camera snapshot (iOS/Android)
simpleclaw agent --message "Take a photo" --deliver --to whatsapp

# System command (macOS node only)
simpleclaw agent --message "Run 'sw_vers' on my Mac"

# Screen recording (all platforms)
simpleclaw agent --message "Record my screen for 10 seconds"

Security Best Practices

Never expose Gateway without authentication. Always use:
  • Tailscale Serve (recommended)
  • SSH tunnels
  • Password auth for public exposure

Security Checklist

  • Gateway bind set to loopback
  • Strong password configured if using public access
  • Firewall rules limit access to port 18789
  • SSH key-based auth (disable password SSH)
  • Tailscale ACLs configured
  • Regular system updates
  • Channel allowlists configured
  • DM policy set to pairing or blocked

Monitoring

Health Checks

# Gateway status
simpleclaw gateway status

# Channel health
simpleclaw channels status --probe

# Resource usage
top -bn1 | grep simpleclaw

Log Monitoring

# Tail Gateway logs
simpleclaw gateway logs --tail 100 --follow

# Filter errors
simpleclaw gateway logs --level error

# Systemd logs
sudo journalctl -u simpleclaw-gateway --since "1 hour ago"

Backups

Important directories to back up: 
# Config and credentials
~/.simpleclaw/simpleclaw.json
~/.simpleclaw/credentials/

# Session history
~/.simpleclaw/agents/*/sessions/

# Skills
~/.simpleclaw/workspace/skills/
Backup script: 
#!/bin/bash
tar -czf simpleclaw-backup-$(date +%Y%m%d).tar.gz \
  ~/.simpleclaw/simpleclaw.json \
  ~/.simpleclaw/credentials \
  ~/.simpleclaw/agents \
  ~/.simpleclaw/workspace

Upgrading

1

Upgrade SimpleClaw

npm install -g simpleclaw@latest
2

Restart Gateway

sudo systemctl restart simpleclaw-gateway
3

Verify

simpleclaw --version
simpleclaw gateway status

Troubleshooting

  1. Verify Gateway is running: 
    ssh user@server "simpleclaw gateway status"
  2. Check Tailscale status: 
    tailscale status
  3. Test SSH tunnel: 
    ssh -L 18789:127.0.0.1:18789 user@server "curl localhost:18789"
  1. Check server logs: 
    ssh user@server "simpleclaw gateway logs --tail 50"
  2. Verify channel config: 
    ssh user@server "simpleclaw config get channels"
  3. Test channel authentication: 
    ssh user@server "simpleclaw channels login --channel telegram"
  • Use Tailscale for better routing
  • Check server location (closer is better)
  • Monitor server resources: 
    ssh user@server "top"

Next Steps

Custom Skills

Add custom tools to your remote Gateway

Webhooks

Trigger agent runs from external services

Multi-Agent Setup

Run multiple specialized agents

Troubleshooting

Common remote setup issues

Build docs developers (and LLMs) love

Get started for freeTalk to us