Why self-host OpenClaw on a VPS?
Running OpenClaw on a dedicated VPS instead of your personal computer offers several advantages:
- 24/7 availability: Your AI assistant runs even when your laptop is closed
- Security isolation: Keep the powerful agent separate from your main machine
- Access from anywhere: Connect via messaging apps from any device
- Consistent environment: No interruptions from system updates or restarts
What is OpenClaw?
OpenClaw (formerly known as Clawdbot and Moltbot) is an open-source AI personal assistant with over 250,000 GitHub stars. It connects to messaging apps like WhatsApp, Telegram, Discord, Slack, and Signal, and can execute real actions on your behalf - sending emails, running commands, managing files, and more.
For a full overview, see our article on what OpenClaw is and why it’s gone viral.
Requirements
- A VPS with at least 2 GB RAM and 20 GB disk space
- Ubuntu 22.04 or newer (this guide uses Ubuntu)
- An API key from Anthropic (Claude) or OpenAI
- Basic familiarity with the Linux command line
Step 1: Deploy your VPS on ColossusCloud
Deploy a Linux VPS through ServerPoint’s Client Portal. Ubuntu 24.04 LTS is recommended. Choose your preferred data center location - your VPS will be online in under a minute.
Once deployed, SSH into your server:
ssh root@your-server-ip
Step 2: Initial server setup
Update your system and create a non-root user:
apt update && apt upgrade -y
adduser openclaw
usermod -aG sudo openclaw
Switch to the new user:
su - openclaw
Step 3: Install Node.js
OpenClaw requires Node.js 22 or newer:
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
Verify the installation:
node --version
npm --version
Step 4: Install OpenClaw
Install OpenClaw globally:
sudo npm install -g openclaw
Run the onboarding wizard:
openclaw onboard
This will prompt you to:
- Enter your Anthropic or OpenAI API key
- Connect messaging platforms (WhatsApp, Telegram, etc.)
- Configure memory and preferences
Step 5: Configure the firewall
Critical: Never expose OpenClaw’s gateway port (18789) to the public internet.
Configure UFW to block external access:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
The gateway should only be accessible from localhost or through a secure tunnel.
You should also configure ServerPoint’s Cloud Firewall in the Client Portal for network-level protection - it’s included with every ColossusCloud VPS at no additional cost.
Step 6: Install Tailscale for secure remote access
Tailscale provides a zero-trust network that lets you access your OpenClaw instance securely without exposing ports:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
Follow the authentication link to connect your server to your Tailscale network.
Once connected, you can access OpenClaw’s gateway via your server’s Tailscale IP address, which is only accessible from devices on your Tailscale network.
Step 7: Secure the configuration
Set proper permissions on OpenClaw’s configuration files:
chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/config.json
Generate a strong gateway token:
openssl rand -hex 32
Add this token to your configuration at ~/.openclaw/config.json:
{
  "gateway": {
    "bind": "127.0.0.1",
    "port": 18789,
    "token": "your-generated-token-here"
  }
}
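Binding to 127.0.0.1 ensures the gateway only accepts local connections. It also means the gateway does not listen on the server's Tailscale address, so reach it from another device through a secure tunnel to the server (for example, SSH port forwarding over Tailscale) rather than by changing the bind address.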
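As an added check for Step 7 (not part of OpenClaw or the original guide), this script audits the directory and file modes, the loopback binding, and the token shape. It assumes the config.json layout shown above; the function names and the sed-based JSON extraction are this example's own, and the demo config is constructed.

```shell
#!/bin/sh
# Added example (not OpenClaw code): audit the Step 7 settings.
# Assumes the config.json layout shown above (gateway.bind, gateway.token).

# Octal mode of a path: GNU stat first, BSD stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# First string value of a JSON key, via sed. Enough for the flat layout
# on this page; it is not a general JSON parser.
json_string() {
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

# audit_openclaw_config DIR: prints findings, returns how many there were.
audit_openclaw_config() {
    dir=$1 cfg=$1/config.json findings=0
    [ -f "$cfg" ] || { fail "missing $cfg"; return 1; }
    [ "$(file_mode "$dir")" = 700 ] || fail "$dir mode $(file_mode "$dir"), want 700"
    [ "$(file_mode "$cfg")" = 600 ] || fail "$cfg mode $(file_mode "$cfg"), want 600"

    bind=$(json_string "$cfg" bind)
    case $bind in
        127.0.0.1|::1|localhost) ;;
        *) fail "gateway.bind is '$bind', want a loopback address" ;;
    esac

    # openssl rand -hex 32 prints exactly 64 lowercase hex characters.
    token=$(json_string "$cfg" token)
    printf '%s' "$token" | grep -Eq '^[0-9a-f]{64}$' ||
        fail "gateway.token is not 64 hex characters (placeholder left in?)"
    return "$findings"
}

# Constructed demo: world-readable config, wildcard bind, placeholder token.
demo=$(mktemp -d) && chmod 700 "$demo"
printf '{"gateway": {"bind": "0.0.0.0", "port": 18789,\n "token": "your-generated-token-here"}}\n' \
    > "$demo/config.json"
chmod 644 "$demo/config.json"
audit_openclaw_config "$demo" || echo "findings: $?"
rm -rf "$demo"
```

On the server, call `audit_openclaw_config ~/.openclaw` as the openclaw user; a return status of 0 means no findings.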
Step 8: Run OpenClaw as a service
Create a systemd service for automatic startup:
sudo nano /etc/systemd/system/openclaw.service
Add the following:
[Unit]
Description=OpenClaw AI Assistant
After=network.target

[Service]
Type=simple
User=openclaw
WorkingDirectory=/home/openclaw
ExecStart=/usr/bin/openclaw
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw
Check the status:
sudo systemctl status openclaw
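An added example, not from the original guide or the OpenClaw project: once the service is running, check that port 18789 is listening on loopback only, as Step 5 requires. The function names are this example's own and the socket table is constructed sample data.

```shell
#!/bin/sh
# Added example (not OpenClaw code): confirm the gateway port from Step 5
# is listening on loopback only, by parsing `ss -ltn` output.

# exposed_listeners PORT: reads `ss -ltn` output on stdin and prints every
# non-loopback local address that PORT is listening on (nothing = good).
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4                              # "address:port"
            n = match(la, /:[0-9]+$/)            # position of the last ":port"
            if (n == 0 || substr(la, n + 1) != port) next
            addr = substr(la, 1, n - 1)
            sub(/%.*$/, "", addr)                # drop "%lo"-style interface suffix
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }'
}

# Constructed sample (not captured from a real host): the gateway on
# loopback, sshd on all addresses, and a stray IPv6 wildcard listener.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511        127.0.0.1:18789      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511             [::]:18789         [::]:*
EOF
}

# gateway_exposure PORT: succeeds only when nothing is exposed.
gateway_exposure() {
    exposed=$(exposed_listeners "$1")
    [ -z "$exposed" ] || { echo "port $1 exposed on: $exposed"; return 1; }
}

sample_ss_output | gateway_exposure 18789 || true
# On the server: ss -ltn | gateway_exposure 18789
```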
Step 9: Security hardening
Enable DM pairing mode
By default, OpenClaw requires verification before processing messages from unknown contacts. Verify this is enabled in your configuration.
Use allowlists
For maximum security, configure an allowlist to only accept messages from specific contacts:
{
  "access": {
    "denyByDefault": true,
    "allowlist": ["your-phone-number", "your-telegram-id"]
  }
}
Run security audits
Periodically audit your OpenClaw installation:
openclaw security audit --deep
Rotate tokens regularly
Change your gateway token and API keys every 30-90 days.
Alternative: Docker installation
For additional isolation, run OpenClaw in Docker:
docker pull openclaw/openclaw
docker run -d \
  --name openclaw \
  --restart unless-stopped \
  -v ~/.openclaw:/root/.openclaw \
  openclaw/openclaw
Accessing your OpenClaw assistant
Once running, interact with your OpenClaw assistant through the messaging platforms you configured during onboarding. Messages are processed 24/7 as long as your VPS is running.
For direct gateway access (debugging, admin tasks), connect through Tailscale:
# From a device on your Tailscale network
curl -H "Authorization: Bearer your-token" http://your-tailscale-ip:18789/health
Official resources
- OpenClaw on GitHub - Source code, issues, and releases
- OpenClaw website - Official documentation
- OpenClaw Discord - Community support and discussions
Costs
- VPS: Starting around $8/month at ServerPoint
- OpenClaw: Free (open source, MIT license)
- API usage: Pay-per-use for Claude/OpenAI (varies by usage)
- Tailscale: Free for personal use
Deploy a VPS and run your own secure OpenClaw instance today. Need more power as your usage grows? Upgrading your ColossusCloud VPS takes just a few clicks in the Client Portal.