📋 VPS requirements
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 1 vCPU | 2 vCPU |
| RAM | 1 GB | 2 GB |
| Storage | 20 GB SSD | 40 GB SSD |
| OS | Ubuntu 22.04+ | Ubuntu 24.04 LTS |
| Network | Public IP, outbound HTTPS | Same |
Budget options: Hostinger KVM1 (~$5/mo), Hetzner CX22 (~$4/mo), DigitalOcean Basic ($6/mo). All work fine — OpenClaw is lightweight.
🔧 Initial server setup
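```bash
# SSH in
ssh root@your-vps-ip
# Update system
apt update && apt upgrade -y
# Create a non-root user
adduser openclaw
usermod -aG sudo openclaw
# Switch to new user
su - openclaw
# Harden SSH (optional but recommended)
# Confirm key-based login works for the openclaw user first; disabling
# passwords without an installed key locks you out.
# The pattern matches the directive whether or not it is commented out.
sudo sed -i -E 's/^#?PasswordAuthentication[[:space:]]+.*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Files in /etc/ssh/sshd_config.d/ can override this; check the effective value
sudo sshd -T | grep -i passwordauthentication
# Validate the config, then restart (the unit is named ssh on Ubuntu)
sudo sshd -t && sudo systemctl restart ssh
```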
✅ Always use a non-root user for running OpenClaw. This limits the blast radius if the agent is compromised.
📦 Install Node.js & OpenClaw
```bash
# Install Node.js 22 via NodeSource
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
# Verify
node --version # Should be 22.x+
# Install OpenClaw
sudo npm install -g openclaw
# Run onboarding
openclaw onboard --install-daemon
# Test it works
openclaw --version
openclaw doctor
```
⚙️ systemd service
Make OpenClaw start automatically on boot and restart on crashes:
```bash
sudo nano /etc/systemd/system/openclaw.service
```

```ini
[Unit]
Description=OpenClaw Gateway
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=openclaw
Group=openclaw
WorkingDirectory=/home/openclaw
ExecStart=/usr/bin/openclaw gateway
Restart=always
RestartSec=10
Environment=NODE_ENV=production

[Install]
WantedBy=multi-user.target
```
```bash
# Enable and start
sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw
# Check status
sudo systemctl status openclaw
# View logs
sudo journalctl -u openclaw -f
```
🔥 Firewall
```bash
# Enable UFW
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
# Do NOT expose port 18789 to the internet
# The Control UI should only be accessible locally
```
🔐 Never open port 18789 to the public internet. Attackers actively scan for exposed OpenClaw gateways. Use SSH tunnels or Tailscale for remote access. See the Security Guide.
🌐 Remote access with Tailscale
Tailscale creates an encrypted private network so you can access the Control UI from anywhere without exposing ports.
```bash
# Install Tailscale on VPS
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
# Install Tailscale on your Mac/phone too
# Now access Control UI via Tailscale IP:
# http://100.x.x.x:18789
```
Alternative: SSH tunnel
```bash
# From your local machine
ssh -L 18789:localhost:18789 openclaw@your-vps-ip
# Open http://localhost:18789 in your browser
```
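To confirm on the VPS that port 18789 is only reachable the way the firewall and remote-access sections intend, this added example (not part of the original guide or the OpenClaw project) classifies the address the port is bound to from `ss -tlnH` output. The function names, the `OPENCLAW_PORT` variable and the sample lines are constructed for illustration, and treating 100.64.0.0/10 as the tailnet is an assumption.

```bash
#!/usr/bin/env bash
# Added example: where is the gateway port listening, and does that rely on UFW?
PORT="${OPENCLAW_PORT:-18789}"   # 18789 is the port on this page; the variable name is hypothetical

# classify_listeners: reads `ss -tlnH` output on stdin and prints one
# "<class> <address>" line for every TCP listener on $PORT.
classify_listeners() {
  awk -v port="$PORT" '
    function is_cgnat(a,    o) {            # 100.64.0.0/10, the range Tailscale assigns from
      if (split(a, o, ".") != 4 || o[1] != 100) return 0
      return (o[2] >= 64 && o[2] <= 127)
    }
    {
      n = match($4, /:[0-9]+$/)             # field 4 is Local Address:Port
      if (!n || substr($4, n + 1) != port) next
      addr = substr($4, 1, n - 1)
      sub(/%.*$/, "", addr)                 # drop a %interface suffix
      sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # drop IPv6 brackets
      if (addr ~ /^127\./ || addr == "::1")                        class = "loopback"
      else if (addr == "0.0.0.0" || addr == "::" || addr == "*")   class = "all-interfaces"
      else if (is_cgnat(addr))                                     class = "tailnet"
      else                                                         class = "other-interface"
      print class, addr
    }'
}

# exposure_verdict: 0 = loopback/tailnet only, 1 = at least one listener is on a
# routable interface and only the firewall protects it, 2 = nothing listening.
exposure_verdict() {
  _classes=$(classify_listeners)
  [ -n "$_classes" ] || return 2
  if printf '%s\n' "$_classes" | grep -Eq '^(all-interfaces|other-interface) '; then
    return 1
  fi
  return 0
}

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 511 100.101.102.103:18789 0.0.0.0:*
LISTEN 0 511 [::]:18789 [::]:*'

printf '%s\n' "$SAMPLE_SS" | classify_listeners
# On the VPS itself: ss -tlnH | exposure_verdict; echo "verdict=$?"
```

A verdict of 1 means UFW is the only thing between the Control UI and the internet, so a later `ufw allow` or a disabled firewall would expose it.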
💾 Backup strategy
```bash
# Create backup directory (private: the archives include credentials/)
mkdir -p -m 700 /home/openclaw/backups
# Automated daily backup of config + workspace
# cron does not support backslash line continuation, so the job is a single line
cat <<'EOF' | sudo tee /etc/cron.d/openclaw-backup
0 3 * * * openclaw tar czf /home/openclaw/backups/openclaw-$(date +\%F).tar.gz /home/openclaw/.openclaw/openclaw.json /home/openclaw/.openclaw/workspace/ /home/openclaw/.openclaw/credentials/ 2>/dev/null
EOF
# Keep last 30 days
echo '0 4 * * * openclaw find /home/openclaw/backups -name "*.tar.gz" -mtime +30 -delete' | \
sudo tee -a /etc/cron.d/openclaw-backup
```
✅ Git-track your config for instant rollback: `cd ~/.openclaw && git init && git add openclaw.json && git commit -m "baseline"`. Commit before every significant change.
📊 Monitoring
```bash
# Quick health check
openclaw doctor --deep --yes
# Check if gateway is running
openclaw status
systemctl is-active openclaw
# Token usage summary
openclaw status --usage
# Check channel connections
openclaw channels status --probe
# Watch logs live
journalctl -u openclaw -f --no-pager
# Add a watchdog cron (restart if down)
# The job runs as root: the openclaw user cannot restart a system unit non-interactively
echo '*/5 * * * * root systemctl is-active --quiet openclaw || systemctl restart openclaw' | \
sudo tee /etc/cron.d/openclaw-watchdog
```