ClawBox
All posts
OpenClawTutorialsDeployment
11 min read

How to Deploy OpenClaw: Complete Step-by-Step Tutorial (2026)

The most thorough OpenClaw deployment guide on the internet. VPS setup, Node.js, channel configuration, browser automation, security hardening, and troubleshooting -- all covered.

This is the deployment guide I wish existed when I first set up OpenClaw.

I have deployed OpenClaw on DigitalOcean, AWS, Hetzner, a Mac Mini at home, and inside Docker containers. Some attempts went smoothly. Others did not. The first time took me an entire weekend. By the fifth time, I had it down to under an hour.

This guide contains everything I learned across those deployments. It is long and detailed on purpose -- every section exists because I (or someone I helped) hit that exact issue.

We will cover:

  • Choosing and provisioning a VPS
  • Installing Node.js and OpenClaw
  • Configuring Telegram and WhatsApp channels
  • Setting up browser automation on a headless server
  • Security hardening (this part is critical and most guides skip it)
  • Running OpenClaw as a persistent service
  • Troubleshooting the most common issues

If at any point the process feels like too much, there is a managed alternative at the end that skips all of this. No shame in that -- managing infrastructure is a skill, not a requirement for using AI.

Prerequisites

Before you start, make sure you have:

  • A credit card for the VPS provider (most offer free credits for new accounts)
  • An AI model subscription -- Claude Pro/Max ($20/month from Anthropic, recommended) or ChatGPT Plus ($20/month from OpenAI)
  • A Telegram account (for the Telegram channel) and/or a WhatsApp account (for the WhatsApp channel)
  • Basic command line comfort -- you should know what ssh, cd, ls, and sudo mean
  • 2-4 hours of uninterrupted time for the first deployment

About model choice: OpenClaw works with any supported model, but Claude (specifically Opus 4.6 via Pro/Max subscription) is recommended for its long-context strength and better resistance to prompt injection attacks. Since OpenClaw processes messages from real people on real messaging platforms, prompt injection resistance matters.

Step 1: Choose and Provision a VPS

You need a Linux server with at least 2GB RAM, 2 CPU cores, and 20GB storage. Here are the three most common choices:

Option A: Hetzner (Best Value)

Hetzner offers the best price-to-performance ratio, especially if you are in Europe or do not mind slightly higher latency from the US.

  • CX22 -- 2 vCPUs, 4GB RAM, 40GB SSD -- about $4.50/month
  • CX32 -- 4 vCPUs, 8GB RAM, 80GB SSD -- about $7.50/month

The CX22 is sufficient for most single-user OpenClaw setups.

  1. Create an account at hetzner.com
  2. Go to Cloud Console and create a new project
  3. Add a server: select Ubuntu 24.04, choose the CX22 plan
  4. Add your SSH key (do NOT use password authentication -- see the security section below)
  5. Create the server and note the IP address

Option B: DigitalOcean (Most Beginner-Friendly)

DigitalOcean has the best documentation and UI for beginners. Slightly more expensive than Hetzner.

  • Basic Droplet -- 2 vCPUs, 2GB RAM, 50GB SSD -- $12/month
  • Regular Droplet -- 2 vCPUs, 4GB RAM, 80GB SSD -- $24/month

The 2GB plan works but can be tight with the browser. 4GB is more comfortable.

  1. Create an account at digitalocean.com
  2. Create a Droplet: Ubuntu 24.04, Basic plan, choose your size
  3. Add your SSH key
  4. Create and note the IP address

Option C: AWS EC2 (Most Flexible, Most Complex)

AWS is the most powerful option but also the most complex to set up. Only choose this if you are already familiar with AWS.

  • t3.small -- 2 vCPUs, 2GB RAM -- about $15/month
  • t3.medium -- 2 vCPUs, 4GB RAM -- about $30/month
  1. Launch an EC2 instance with Ubuntu 24.04 AMI
  2. Choose t3.small or t3.medium
  3. Configure security group: allow SSH (port 22), and port 18789 for the Gateway (restrict to your IP if possible)
  4. Create/select a key pair
  5. Launch and note the public IP

Connecting to Your Server

Once your VPS is provisioned, connect via SSH:

ssh root@YOUR_SERVER_IP

If you used an SSH key during provisioning, this should work immediately. If prompted for a password, enter the one from your VPS provider's email.

First thing after connecting:

apt update && apt upgrade -y

This updates all system packages. Do it now so you are working with current software.

Step 2: Create a Non-Root User

Running OpenClaw as root is a bad practice. Create a dedicated user:

adduser openclaw
usermod -aG sudo openclaw

Set a strong password when prompted. Then copy your SSH key to the new user:

mkdir -p /home/openclaw/.ssh
cp /root/.ssh/authorized_keys /home/openclaw/.ssh/
chown -R openclaw:openclaw /home/openclaw/.ssh
chmod 700 /home/openclaw/.ssh
chmod 600 /home/openclaw/.ssh/authorized_keys

Now log out and reconnect as the new user:

exit
ssh openclaw@YOUR_SERVER_IP

From this point forward, everything runs as the openclaw user, using sudo only when needed.

Step 3: Install Node.js 22

OpenClaw requires Node.js 22 or later. Most Ubuntu images ship with an older version (or none at all).

Install Node.js 22 via NodeSource:

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs

Verify the installation:

node --version   # Should show v22.x.x
npm --version    # Should show 10.x.x or later

Troubleshooting: If node --version shows something older than 22, you may have a conflicting installation. Remove it with sudo apt remove nodejs and re-run the NodeSource script.

Step 4: Install OpenClaw

Install OpenClaw globally:

sudo npm install -g openclaw@latest

Verify it installed correctly:

openclaw --version

Now run the onboarding wizard:

openclaw onboard --install-daemon

The wizard will walk you through:

  1. Gateway configuration -- port, bind address, authentication
  2. Model setup -- connecting your Claude or GPT subscription (OAuth recommended)
  3. Channel setup -- which messaging platforms to connect (we will cover this in detail below)
  4. Skill installation -- which bundled skills to enable

Important settings during onboarding:

  • Gateway port: Default is 18789. Keep it unless you have a conflict.
  • Gateway bind: For a VPS, bind to 127.0.0.1 (loopback only). Do NOT bind to 0.0.0.0 unless you have authentication configured. Binding to all interfaces without auth exposes your Gateway to the internet.
  • Authentication: Set up password auth or use Tailscale Serve for secure remote access.

Step 5: Configure Channels

Telegram (Recommended First Channel)

Telegram is the easiest channel to set up on a headless VPS because it uses a Bot API token -- no QR code scanning required.

  1. Create a Telegram bot:
  • Open Telegram and message @BotFather
  • Send /newbot
  • Choose a name and username for your bot
  • BotFather gives you an API token -- copy it
  1. Configure in OpenClaw:

During onboarding, select Telegram as a channel and paste the API token. Or configure it manually:

   openclaw config set channels.telegram.token YOUR_BOT_TOKEN
  1. Start a conversation:
  • Find your bot on Telegram by its username
  • Send it a message
  • OpenClaw should respond
  1. Approve the pairing:

By default, OpenClaw uses pairing mode for DMs. Your first message will trigger a pairing code. Approve it:

   openclaw pairing approve telegram CODE

WhatsApp

WhatsApp is more complex on a headless server because it requires QR code scanning, similar to WhatsApp Web.

  1. Enable the WhatsApp channel:
   openclaw config set channels.whatsapp.enabled true
  1. Generate the QR code:

Start the gateway and look for the QR code in the terminal output:

   openclaw gateway --verbose

On a headless VPS, the QR code renders as ASCII art in the terminal. It can be hard to scan. Tips:

  • Make your terminal window very wide (at least 80 columns)
  • Reduce terminal font size
  • If the QR code is unreadable, use the Gateway's web dashboard (see the Tailscale section below) to scan it from a browser
  1. Scan with your phone:
  • Open WhatsApp on your phone
  • Go to Settings > Linked Devices > Link a Device
  • Scan the QR code from your terminal or web dashboard
  1. Verify the connection:

Send yourself a WhatsApp message. OpenClaw should respond.

Common issue: The QR code expires after about 60 seconds. If you miss it, restart the gateway to generate a new one.

Common issue: WhatsApp may disconnect after some time and require re-pairing. This is a known limitation of the Baileys library. The gateway handles reconnection automatically in most cases, but occasionally you will need to re-scan.

Other Channels

For Slack, Discord, Signal, iMessage, and other channels, refer to the official OpenClaw channel documentation. Each channel has its own setup requirements:

  • Slack -- requires creating a Slack App and installing it to your workspace
  • Discord -- requires creating a Discord Bot and adding it to your server
  • Signal -- requires signal-cli, which has its own installation process
  • iMessage -- requires a Mac (BlueBubbles is the recommended method)

Step 6: Set Up the Browser

This is where most VPS deployments hit trouble. OpenClaw needs a real Chrome/Chromium instance for web browsing, but your headless VPS has no display server.

Install Chrome

# Install dependencies
sudo apt install -y wget gnupg

# Add Google Chrome repository
wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo gpg --dearmor -o /usr/share/keyrings/google-chrome.gpg
echo "deb [signed-by=/usr/share/keyrings/google-chrome.gpg] http://dl.google.com/linux/chrome/deb/ stable main" | sudo tee /etc/apt/sources.list.d/google-chrome.list

# Install Chrome
sudo apt update
sudo apt install -y google-chrome-stable

Install Xvfb (Virtual Display)

Since there is no physical display, you need a virtual framebuffer:

sudo apt install -y xvfb

Start Xvfb:

Xvfb :99 -screen 0 1920x1080x24 &
export DISPLAY=:99

To make this persistent, add the export to your shell profile:

echo 'export DISPLAY=:99' >> ~/.bashrc

Verify the Browser Works

google-chrome --headless --disable-gpu --no-sandbox --screenshot https://example.com

This should create a screenshot file. If it does, Chrome is working.

Configure OpenClaw to Use the Browser

OpenClaw manages its own Chrome instance. You just need to ensure Chrome is installed and accessible. The Gateway will launch it automatically when a skill or task requires web browsing.

Common issue: Chrome crashes with "no usable sandbox." Fix:

echo 'kernel.unprivileged_userns_clone=1' | sudo tee /etc/sysctl.d/99-openclaw.conf
sudo sysctl -p /etc/sysctl.d/99-openclaw.conf

Common issue: Chrome runs out of memory on 2GB VPS. Solutions:

  • Upgrade to 4GB RAM
  • Add swap space: sudo fallocate -l 2G /swapfile && sudo chmod 600 /swapfile && sudo mkswap /swapfile && sudo swapon /swapfile
  • Add to /etc/fstab for persistence: /swapfile swap swap defaults 0 0

Step 7: Security Hardening

This section is not optional. Your OpenClaw instance connects to your messaging apps and can browse the web. If someone gains access to it, they can read your messages, impersonate you, and access any website you are logged into.

SSH Security

Disable password authentication (use SSH keys only):

sudo nano /etc/ssh/sshd_config

Change or add these lines:

PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes

Restart SSH:

sudo systemctl restart sshd

Before restarting SSH, verify your SSH key works. Open a new terminal and try to connect. If it works, you are safe. If it does not, fix it before closing your current session -- otherwise you will be locked out.

Firewall

Set up UFW (Uncomplicated Firewall):

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 18789/tcp comment 'OpenClaw Gateway'  # Only if you need direct access
sudo ufw enable

Better approach: Do not open port 18789 publicly at all. Use Tailscale (see below) for remote access to the Gateway dashboard.

Fail2ban

Install fail2ban to block brute-force SSH attempts:

sudo apt install -y fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

The default configuration bans IPs after 5 failed SSH attempts. This is sufficient for most setups.

Tailscale (Recommended for Remote Access)

Tailscale creates a private network between your devices. It is the best way to access your Gateway dashboard without exposing ports publicly.

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Follow the authentication URL to connect to your Tailscale network.

Then configure OpenClaw to use Tailscale Serve:

openclaw config set gateway.tailscale.mode serve
openclaw config set gateway.bind loopback

Now you can access the Gateway dashboard from any device on your Tailscale network at https://YOUR_MACHINE_NAME.your-tailnet.ts.net.

For public access (from devices not on your Tailscale network), use Funnel mode -- but you must set a password:

openclaw config set gateway.tailscale.mode funnel
openclaw config set gateway.auth.mode password
openclaw config set gateway.auth.password YOUR_STRONG_PASSWORD

Skill Security

This is the most important security consideration and the one most people ignore.

OpenClaw's skill system lets you install plugins that extend the AI's capabilities. These skills have broad access to your system -- they can read files, interact with the browser, send messages, and more.

Rules for skill security:

  1. Only install skills from trusted sources. Read the source code before installing any community skill.
  2. Review what each skill can access. Some skills request broad permissions. Be skeptical.
  3. Check the skill author. Is this a known contributor? Do they have other reputable projects?
  4. Watch for updates. A skill that was safe when you installed it can become malicious after an update.

There is a documented post on Reddit's r/hacking about OpenClaw skills being used as attack vectors. This is not theoretical -- it has happened. Take skill security seriously.

Environment Variables

Never hardcode API keys, tokens, or passwords in configuration files. Use environment variables:

# Add to ~/.bashrc or a separate .env file
export ANTHROPIC_API_KEY="your-key-here"
export TELEGRAM_BOT_TOKEN="your-token-here"

Make sure environment files are not readable by other users:

chmod 600 ~/.bashrc

Step 8: Run OpenClaw as a Persistent Service

You want OpenClaw to start automatically on boot and restart if it crashes.

Using systemd (Recommended)

The onboarding wizard can install the daemon automatically (--install-daemon flag). If you need to do it manually:

Create the service file:

sudo nano /etc/systemd/system/openclaw.service

Contents:

[Unit]
Description=OpenClaw Gateway
After=network.target

[Service]
Type=simple
User=openclaw
WorkingDirectory=/home/openclaw
Environment=DISPLAY=:99
Environment=NODE_OPTIONS=--max-old-space-size=1536
ExecStartPre=/usr/bin/Xvfb :99 -screen 0 1920x1080x24 &
ExecStart=/usr/bin/openclaw gateway --port 18789
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw

Check status:

sudo systemctl status openclaw

View logs:

sudo journalctl -u openclaw -f

Using PM2 (Alternative)

If you prefer PM2:

sudo npm install -g pm2
pm2 start "openclaw gateway --port 18789" --name openclaw
pm2 save
pm2 startup

Step 9: Verify Everything Works

Run through this checklist:

  1. Gateway is running:
   sudo systemctl status openclaw
   # or: pm2 status
  1. Channels are connected:
  • Send a message on Telegram or WhatsApp
  • Verify OpenClaw responds
  1. Browser works:
  • Ask your AI to "go to example.com and tell me what you see"
  • It should describe the page content
  1. Security is configured:
   openclaw doctor

This command checks for common security misconfigurations.

  1. Persistence works:
  • Reboot the server: sudo reboot
  • Wait 2 minutes and reconnect
  • Verify OpenClaw is running and channels are connected

Troubleshooting Common Issues

"Command not found: openclaw"

Node.js global binaries may not be in your PATH. Fix:

echo 'export PATH=$PATH:$(npm config get prefix)/bin' >> ~/.bashrc
source ~/.bashrc

WhatsApp QR Code Is Unreadable

The ASCII QR code in the terminal can be garbled if your terminal is too narrow or uses the wrong encoding.

Solutions:

  • Widen your terminal to at least 100 columns
  • Use the Gateway web dashboard to scan the QR code instead (access via Tailscale)
  • Try a different terminal emulator (iTerm2 on Mac, Windows Terminal on Windows)

Chrome Crashes or Won't Start

Most common causes:

  • Not enough RAM -- add swap space (see Step 6)
  • Missing dependencies -- run sudo apt install -y libgbm1 libnss3 libxss1 libasound2
  • Sandbox issues -- create /etc/sysctl.d/99-openclaw.conf with kernel.unprivileged_userns_clone=1

Channel Disconnects After Some Time

WhatsApp and some other channels can disconnect due to session expiry or network issues.

  • Check the logs: sudo journalctl -u openclaw | grep -i disconnect
  • OpenClaw usually reconnects automatically. If it does not, restart the service: sudo systemctl restart openclaw
  • For WhatsApp specifically: the Baileys library sessions can expire. You may need to re-scan the QR code periodically.

"EACCES: permission denied"

Usually means the openclaw user does not have permission to write to its data directory.

sudo chown -R openclaw:openclaw /home/openclaw/.openclaw

High Memory Usage

OpenClaw with a browser can use 1-2GB of RAM. On a 2GB VPS, this is tight.

Solutions:

  • Add 2GB swap (see Step 6)
  • Set NODE_OPTIONS=--max-old-space-size=1536 to limit Node.js memory
  • Upgrade to a 4GB VPS ($12-24/month)

Gateway Is Accessible from the Internet

If you can reach port 18789 from any IP, your Gateway is publicly exposed. Fix immediately:

sudo ufw deny 18789/tcp

Use Tailscale for remote access instead. See the security hardening section.

Skills Not Working

  • Check that the skill is enabled: look in the OpenClaw configuration
  • Check that the skill's dependencies are installed
  • Check the logs for errors related to the skill
  • For browser-dependent skills, verify Chrome is working (Step 6)

Maintaining Your Deployment

Updating OpenClaw

Check for updates:

openclaw update --check

Apply updates:

sudo npm update -g openclaw@latest
sudo systemctl restart openclaw

Tip: Subscribe to the OpenClaw releases on GitHub so you know when important updates drop. Security patches should be applied promptly.

Monitoring

Set up basic monitoring to know when something breaks:

# Add to crontab: check every 5 minutes if the gateway is running
crontab -e

Add this line:

*/5 * * * * systemctl is-active --quiet openclaw || systemctl restart openclaw

This restarts OpenClaw automatically if it crashes.

For more sophisticated monitoring (uptime alerts, memory alerts), consider tools like Uptime Kuma, Healthchecks.io, or Cronitor.

Backups

Your OpenClaw data (conversations, configuration, skill data) lives in ~/.openclaw/ by default. Back it up:

# Manual backup
tar -czf openclaw-backup-$(date +%Y%m%d).tar.gz ~/.openclaw/

# Automated daily backup (add to crontab)
0 2 * * * tar -czf /home/openclaw/backups/openclaw-$(date +\%Y\%m\%d).tar.gz /home/openclaw/.openclaw/

Time and Cost Summary

Here is the honest accounting of what this deployment costs:

Item

First Month

Ongoing Monthly

Your time (setup)

4-20 hours

--

Your time (maintenance)

--

2-5 hours

VPS

$5-24

$5-24

AI model subscription

$20

$20

Domain (optional)

$12/year

~$1

Total money

$25-44

$25-45

Total time

4-20 hours

2-5 hours/month

At $50/hour for your time, the first month costs $225-$1,044 in combined money and time. Months 2+ cost $125-$295/month.

These numbers are real. If you enjoy this kind of work, the time investment is fine -- it is learning, and you end up with a deep understanding of how OpenClaw works. If you do not enjoy it, or if your time is better spent elsewhere, keep reading.

The Managed Alternative

If you have made it this far and are thinking "this is a lot," you are right. It is.

That is exactly why managed hosting exists. Services like ClawBox handle everything in this tutorial -- VPS provisioning, Node.js, channel configuration, browser setup, security hardening, persistence, monitoring, updates -- and reduce it to a 2-minute signup flow.

What you get with ClawBox specifically:

  • Dedicated Fly Machine (2 CPUs, 2048MB RAM) -- not a shared server
  • Real browser with takeover -- your credentials never touch the AI
  • Curated skills -- vetted before you can install them, so no supply chain risk
  • Zero-trust security -- open-source, auditable, isolated
  • $49/month -- less than most people spend in time maintaining a self-hosted setup

I built ClawBox because I deployed OpenClaw five times and realized nobody should have to go through this process unless they genuinely want to. The AI assistant should be the product, not the infrastructure project.

If you want to self-host, this tutorial gives you everything you need. If you would rather skip straight to using your AI, tryclawbox.com gets you there in 2 minutes.

Either way, the end result is the same: a powerful AI assistant that lives on your messaging apps and actually gets things done.

New to OpenClaw? Read our What Is OpenClaw? complete guide first.

Deciding between self-hosting and managed? See our Self-Host vs Managed comparison.

Comparing managed providers? Check our Best OpenClaw Hosting in 2026 guide.

Back to all postsTry ClawBox free