草擬一份可以直接貼到 GitHub / Discord 的英文求助內容

Here is a clean English template you can copy‑paste to GitHub / Discord. You只需要把 <host-ip> 改成你自己的伺服器 IP（或用 xxx.xxx.xxx.xxx 遮掉）。

Title (for GitHub issue): Control UI “origin not allowed” when accessing via SSH tunnel from NemoClaw/OpenShell sandbox (OpenClaw 2026.3.11)

Body:

text Environment

• OpenClaw version: 2026.3.11 (29dc654)
• Running inside: NVIDIA NemoClaw / OpenShell sandbox
  • sandbox name: buddy
  • namespace: openshell
• Host OS: Ubuntu 22.04 on a VPS (DigitalOcean droplet)
• Client: Windows 11 PC with Chrome, connecting over SSH port forwarding

Setup

1. Inside the sandbox I start the dashboard:

   nemoclaw buddy connect # from host, to enter sandbox openclaw --version # OpenClaw 2026.3.11 (29dc654) nohup openclaw dashboard >dashboard.log 2>&1 &

   In the sandbox:

   • ss -ltnp | grep 18789 shows: LISTEN 127.0.0.1:18789 and [::1]:18789
   • dashboard.log shows: "Dashboard URL: http://127.0.0.1:18789/#token=..."

2. On the host I forward the port from host → sandbox:

   openshell sandbox list

   buddy / openshell / Ready

   openshell forward start 18789 buddy

   Output: "✓ Forwarding port 18789 to sandbox buddy Access at: http://127.0.0.1:18789/ Press Ctrl+C to stop"

3. From my Windows PC I forward from Windows → host:

   ssh -N -L 18789:127.0.0.1:18789 root@<host-ip>

4. In the browser on Windows I open:

   http://localhost:18789/chat?session=main

   The UI loads, I see the OpenClaw Control / Gateway Dashboard.

Problem

• The chat UI shows a red error and I cannot type anything:

  origin not allowed (open the Control UI from the gateway host or allow it in gateway.controlUi.allowedOrigins)

• This error remains even after restarting the dashboard and clearing the browser cache/incognito.

• The bottom bar says: "Connect to the gateway to start chatting..." and the input box stays disabled.

What I already tried

1. Config file inside the sandbox: ~/.config/openclaw/config.json

   { "gateway": { "bind": "127.0.0.1", "port": 18789, "controlUi": { "allowedOrigins": [ "http://localhost:18789", "http://127.0.0.1:18789", "http://localhost", "http://127.0.0.1" ] } } }

   Then restart:

   pkill -f "openclaw dashboard" || true pkill -f "openclaw gateway" || true nohup openclaw dashboard >dashboard.log 2>&1 &

2. Starting dashboard with env vars (tried both):

   GATEWAY_CONTROL_UI_ALLOWED_ORIGINS="http://localhost:18789,http://127.0.0.1:18789,http://localhost,http://127.0.0.1"
   openclaw dashboard ...

   GATEWAY_CONTROL_UI_DISABLE_ORIGIN_CHECK=true
   openclaw dashboard ...

3. After each change I confirm:

   • In the sandbox, ss still shows 127.0.0.1:18789 listening.
   • dashboard.log shows the Dashboard URL and the usual "No GUI detected" message, but there is NO "origin not allowed" line in the log at all.

However, in the browser I still always see:

origin not allowed (open the Control UI from the gateway host or allow it in gateway.controlUi.allowedOrigins)

Questions

• Is Control UI origin checking in 2026.3.11 currently ignoring config/env when running inside a NemoClaw/OpenShell sandbox?
• Is there a recommended way to allow remote Control UI access (via SSH port forwarding) in this setup?
• Is this a known bug in 2026.3.11, and if so is there a workaround or config flag that actually disables the origin check?

Any guidance, example config, or confirmation that this is a known issue would be greatly appreciated. I’m happy to test patches or provide more logs if needed.

Fix / Workaround

Questions

• Is Control UI origin checking in 2026.3.11 currently ignoring config/env when running inside a NemoClaw/OpenShell sandbox?
• Is there a recommended way to allow remote Control UI access (via SSH port forwarding) in this setup?
• Is this a known bug in 2026.3.11, and if so is there a workaround or config flag that actually disables the origin check?

Any guidance, example config, or confirmation that this is a known issue would be greatly appreciated. I’m happy to test patches or provide more logs if needed.