OpenClaw turns a Mac into an autonomous agent that can run tests, open pull requests, and drive development workflows. Running it on a remote, dedicated Mac gives you a full automated iOS pipeline without tying up your laptop. This guide walks through the official remote gateway setup and why a physical cloud Mac beats VMs for reliability and performance.
Why Put OpenClaw on a Remote Mac?
OpenClaw relies on macOS accessibility APIs, system automation, and often on services like iMessage or AppleScript. In virtualized or shared environments, these either do not exist or behave inconsistently. Accessibility and device pairing can fail; IP-based restrictions and headless limitations make VMs a poor fit for long-running agents. A dedicated physical Mac gives you a stable, predictable environment and full control over the machine.
From a pipeline perspective, a remote Mac can run the OpenClaw gateway 24/7, handle CI jobs (Xcode, Fastlane, simulators), and stay on while you disconnect. Teams report more consistent build times and fewer "flaky" agent runs when moving from shared cloud VMs to a single-tenant Mac mini. For cost, a rented dedicated Mac often compares favorably to Xcode Cloud or third-party Mac CI when you factor in build hours and the need for a persistent agent host.
Architecture: OpenClaw.app and the Remote Gateway
OpenClaw.app (the menu-bar companion on your client machine) talks to a Gateway. The Gateway can run locally or on a remote host. For a remote setup, the app connects to ws://127.0.0.1:18789 on your Mac; an SSH tunnel forwards that port to the same port on the remote machine where the Gateway is running. So from the app’s perspective, it still connects to localhost; the tunnel does the rest.
"LocalForward 18789 forwards your local port to the remote Gateway. ssh -N keeps the connection open without a remote shell. The app never needs to know the Gateway is elsewhere." — OpenClaw docs
Prerequisites: a remote Mac with the OpenClaw Gateway installed and listening on port 18789, SSH access, and your local machine with OpenClaw.app and an SSH client. The remote Mac should be a physical machine or a dedicated instance; avoid generic macOS VMs for the reasons above.
Step 1: Add SSH Config
On your local machine, edit ~/.ssh/config and add a host block for the remote Gateway. Use a short alias so you can reuse it for the tunnel and any manual SSH.
Host remote-gateway
HostName <REMOTE_IP>
User <REMOTE_USER>
LocalForward 18789 127.0.0.1:18789
IdentityFile ~/.ssh/id_rsa
Replace <REMOTE_IP> with the IP or hostname of your cloud Mac (e.g. the address provided by VNCMac) and <REMOTE_USER> with your SSH username. LocalForward 18789 127.0.0.1:18789 is what forwards your local port 18789 to the Gateway on the remote host.
Step 2: Copy SSH Key
Use key-based auth so the tunnel can run non-interactively (e.g. from a Launch Agent). Copy your public key to the remote Mac:
ssh-copy-id -i ~/.ssh/id_rsa <REMOTE_USER>@<REMOTE_IP>
After this, ssh remote-gateway should connect without a password. If you use a different key, set IdentityFile in the config to that key.
Step 3: Set Gateway Token
The Gateway uses a token for authentication. Set it in your environment so OpenClaw.app can use it when connecting through the tunnel:
launchctl setenv OPENCLAW_GATEWAY_TOKEN "<your-token>"Use the token value from your OpenClaw/Gateway setup. This is typically done once per user session or configured in your shell profile if you start the app from a terminal.
Step 4: Start the SSH Tunnel
Start the tunnel in the background. -N means no remote command (port forwarding only).
ssh -N remote-gateway &
Verify with lsof -i :18789; you should see the SSH process listening on 18789. Leave this running whenever you use OpenClaw.app against the remote Gateway.
Step 5: Restart OpenClaw.app
Quit OpenClaw.app (Cmd+Q), then reopen it. It will connect to ws://127.0.0.1:18789, which is now forwarded to the remote Gateway. The app does not need any special "remote" mode; the tunnel is transparent.
Auto-Start the Tunnel on Login
To avoid starting the tunnel by hand every time, use a Launch Agent. Create ~/Library/LaunchAgents/bot.molt.ssh-tunnel.plist with the following (adjust the Label and path if you use a different name):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>bot.molt.ssh-tunnel</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/ssh</string>
<string>-N</string>
<string>remote-gateway</string>
</array>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>Load the agent so it runs at login and restarts if the tunnel drops:
launchctl bootstrap gui/$UID ~/Library/LaunchAgents/bot.molt.ssh-tunnel.plist
To restart the tunnel later: launchctl kickstart -k gui/$UID/bot.molt.ssh-tunnel. To stop it: launchctl bootout gui/$UID/bot.molt.ssh-tunnel.
Integrating with Your iOS Pipeline
With the Gateway on a remote Mac, that same host can run your iOS CI: Xcode builds, Fastlane lanes, TestFlight uploads, and simulators. OpenClaw agents can trigger or monitor these jobs. Keep the Gateway and CI runner on one machine to reduce network hops and to use one set of credentials and signing assets. Many teams use a single dedicated Mac mini for both the OpenClaw Gateway and a GitLab Runner or GitHub Actions runner, with Fastlane for builds and distribution.
- Xcode & Command Line Tools: Install and update on the remote Mac; keep Command Line Tools in sync after Xcode updates.
- Fastlane: Use for building, testing, and TestFlight/App Store submission from the same host.
- Code signing: Store certificates and provisioning profiles on the remote Mac (Keychain or Fastlane match) so both the agent and CI use the same setup.
On a dedicated Mac mini, build times stay consistent because CPU and memory are not shared. No noisy neighbors means fewer timeouts and more reliable agent runs. For teams that have moved from shared Mac CI to a rented dedicated Mac, 20–40% more consistent build times are common, with the added benefit of a stable Gateway for OpenClaw.
Troubleshooting
If OpenClaw.app cannot connect, check that the tunnel is up: ps aux | grep "ssh -N remote-gateway" | grep -v grep and lsof -i :18789. Restart the Launch Agent if needed. Ensure the remote Gateway is running and listening on 18789. Firewall rules on the remote host must allow localhost access to 18789; SSH only needs port 22 open. If you use a different SSH key, confirm IdentityFile in ~/.ssh/config and that the key is loaded (e.g. ssh-add -l).
Summary
Deploying OpenClaw on a remote Mac gives you a full automated iOS pipeline: the app on your laptop, the Gateway and optional CI on a dedicated cloud Mac. Configure SSH with LocalForward 18789, copy your key, set the Gateway token, start the tunnel (or use a Launch Agent), and restart OpenClaw.app. Prefer a physical or dedicated Mac over VMs for accessibility, stability, and consistent build performance. For a ready-to-use remote Mac with SSH and full control, consider a dedicated Mac mini from VNCMac.