OpenClaw is one of the fastest-growing open-source projects of 2026 — 247,000 GitHub stars and counting. It acts as a self-hosted gateway between the messaging apps you already use (WhatsApp, Telegram, Discord, Slack) and AI models like Claude or GPT-4. Instead of paying for yet another SaaS AI assistant, you run it on your own VPS, keep your data private, and pay only for the API calls you actually make.
This guide walks you through setting up OpenClaw on a Ubuntu VPS from scratch: provisioning, security hardening, Nginx with SSL, systemd service management, and automating configuration deployments with DeployHQ.
What You'll Need
- A VPS running Ubuntu 22.04 LTS (minimum 2 vCPU, 4 GB RAM, 20 GB SSD — DigitalOcean, Contabo, or Hetzner all work)
- A domain name pointed at your VPS IP
- An API key from an AI provider (Anthropic, OpenAI, or Google Gemini)
- An account on your preferred messaging platform (Telegram is the easiest to start with)
- A DeployHQ account for automating updates (free tier covers this)
Step 1 — Initial Server Setup
Connect as root, then immediately create a non-root user with sudo access:
ssh root@<your-vps-ip>
adduser openclawops
usermod -aG sudo openclawops
Copy your SSH key to the new user so you can log back in without a password:
rsync --archive --chown=openclawops:openclawops ~/.ssh /home/openclawops
Switch to the new user for all remaining steps:
su - openclawops
Tighten SSH configuration to disable password auth and root login:
sudo nano /etc/ssh/sshd_config
Set these values:
PasswordAuthentication no
PermitRootLogin no
Restart SSH (keep your current session open in case something goes wrong):
sudo systemctl restart ssh
Update the system before doing anything else:
sudo apt update && sudo apt dist-upgrade -y
Step 2 — Configure the Firewall
Lock down ingress traffic with UFW. Allow only SSH, HTTP, and HTTPS:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw limit 22/tcp # rate-limit to slow brute-force attempts
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Verify the rules are active:
sudo ufw status verbose
Do not open port 18789 (OpenClaw's gateway port) to the public internet. We'll put Nginx in front of it.
Step 3 — Install Node.js 22
OpenClaw requires Node.js ≥22. Install it from the NodeSource repository:
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
node --version # should print v22.x.x
Step 4 — Install OpenClaw
Run the official installer. It will walk you through an interactive setup wizard:
curl -fsSL https://openclaw.ai/install.sh | bash
During the wizard:
- Accept the risk acknowledgment
- Choose QuickStart mode
- Enter your AI provider API key (Anthropic, OpenAI, or Gemini)
- Select your messaging channel — Telegram is recommended for VPS setups since it doesn't require port forwarding
- Enable bash completion
Once installed, verify the gateway started correctly:
openclaw gateway status
You should see the gateway bound to 127.0.0.1:18789. If it shows 0.0.0.0:18789, fix that immediately — the gateway would be publicly accessible without authentication.
Step 5 — Bind the Gateway to Localhost
If the gateway is listening on all interfaces, rebind it:
openclaw configure
When prompted for the gateway binding, select Local (this machine). This ensures the gateway only accepts connections from 127.0.0.1, and all external access goes through Nginx.
Step 6 — Set Up Nginx as a Reverse Proxy
Install Nginx and Certbot:
sudo apt install -y nginx certbot python3-certbot-nginx
Create a new server block for OpenClaw:
sudo nano /etc/nginx/sites-available/openclaw
Paste the following, replacing openclaw.example.com with your actual domain:
server {
listen 80;
server_name openclaw.example.com;
location / {
proxy_pass http://127.0.0.1:18789;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 86400;
}
}
The proxy_read_timeout 86400 (24 hours) prevents Nginx from closing long-running WebSocket connections that OpenClaw uses for real-time messaging.
Enable the site and test the config:
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
Obtain a free TLS certificate from Let's Encrypt:
sudo certbot --nginx -d openclaw.example.com
Certbot automatically reconfigures Nginx for HTTPS and sets up auto-renewal. Your gateway is now accessible at https://openclaw.example.com with a valid certificate.
Step 7 — Run OpenClaw as a Systemd Service
Right now OpenClaw stops when you close your SSH session. Fix that by creating a systemd unit:
sudo nano /etc/systemd/system/openclaw.service
[Unit]
Description=OpenClaw Gateway
After=network.target
[Service]
Type=simple
User=openclawops
WorkingDirectory=/home/openclawops
ExecStart=/usr/bin/openclaw gateway start
Restart=on-failure
RestartSec=5
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target
Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw
sudo systemctl status openclaw
OpenClaw now starts automatically on boot and restarts if it crashes.
Step 8 — Connect Your Messaging Channel
With the gateway running, add a Telegram bot:
- Open Telegram and message @BotFather
- Run
/newbotand follow the prompts — you'll receive a bot token - On your server, run:
openclaw channels add telegram
Enter the bot token when prompted. Send your bot a message on Telegram — OpenClaw should respond immediately via whichever AI provider you configured.
Step 9 — Automate Configuration Updates with DeployHQ
As you customise OpenClaw — adding Skills (plugins for Gmail, GitHub, Notion, Home Assistant, and 100+ others), tweaking system prompts, or updating webhook configs — you'll want those changes deployed to your VPS automatically rather than manually SSH-ing in.
The pattern is straightforward: store your OpenClaw configuration and custom skills in a Git repository, then use DeployHQ to deploy changes to your VPS whenever you push.
Set up your config repository:
mkdir ~/openclaw-config && cd ~/openclaw-config
git init
# Copy any custom skills or config overrides into this directory
cp ~/.openclaw/config.json ./config.json
cp -r ~/.openclaw/skills ./skills
Create a deployment script (deploy.sh) that your VPS runs on every push:
#!/bin/bash
set -e
# Copy config updates into place
cp config.json ~/.openclaw/config.json
rsync -av skills/ ~/.openclaw/skills/
# Restart the gateway to pick up changes
sudo systemctl restart openclaw
echo "OpenClaw updated and restarted"
Push this to your Git host (GitHub, GitLab, Bitbucket, or Codebase):
git add .
git commit -m "Initial OpenClaw config"
git remote add origin <your-repo-url>
git push -u origin main
Connect DeployHQ:
- Log in to DeployHQ and create a new project
- Connect it to your repository
- Add your VPS as a server (SSH key authentication)
- Set the deployment path to
/home/openclawops/openclaw-config - Add a post-deployment command:
bash deploy.sh
Now every time you push a config change or add a new skill, DeployHQ runs the deployment automatically. No more SSH sessions for routine updates — and you get a full deployment history with rollback if something breaks.
This same workflow applies to any Node.js application you're running on your VPS. DeployHQ supports deploying Node.js apps alongside OpenClaw, so you can manage multiple services on the same server from a single dashboard. You can also use DeployHQ to deploy Python-based tools — for instance, scraping applications with ScraperAPI and DeployHQ for automated data collection alongside your AI assistant.
Keeping OpenClaw Updated
OpenClaw releases frequently. To upgrade the CLI itself:
npm update -g openclaw
sudo systemctl restart openclaw
Check the OpenClaw GitHub releases for breaking changes before upgrading on production.
Troubleshooting
Gateway won't start: Check logs with journalctl -u openclaw -n 50. Most failures are missing environment variables (API key not set) or port conflicts.
Nginx 502 Bad Gateway: The OpenClaw gateway isn't running. Run openclaw gateway status and check systemd logs.
Telegram bot not responding: Verify the bot token is correct with openclaw channels list. Also check that your VPS can reach api.telegram.org — some providers block outbound traffic by default.
Certificate renewal failing: Run sudo certbot renew --dry-run to debug. Certbot needs ports 80 and 443 open and Nginx running.
Frequently Asked Questions
Do I need a domain name?
No — you can skip Steps 6 entirely and access the Control UI via an SSH tunnel instead:
ssh -N -L 18789:127.0.0.1:18789 openclawops@<your-vps-ip>
Then open http://localhost:18789 in your browser. The downside is you need the tunnel running whenever you want to use the web UI. If you're using Telegram or another messaging channel, those work fine without any web access.
Which AI provider should I use?
Anthropic's Claude is the most capable for complex tasks and follows instructions precisely. OpenAI's GPT-4o is a solid all-rounder and has slightly broader third-party skill compatibility. Google Gemini Flash is the cheapest option for high-volume use. You can configure multiple providers and switch between them per conversation — useful if you want cheaper models for quick queries and stronger ones for coding tasks.
Can multiple people share one OpenClaw instance?
Yes. OpenClaw supports multiple channels and workspace isolation, so you can connect separate Telegram bots or Slack workspaces and route them to different agent configurations. Each workspace gets its own memory, system prompt, and tool access. This is useful for teams where each member wants their own assistant context without running separate VPS instances.
How much will API costs actually run?
For typical personal use — a few dozen queries per day — expect $5–$15/month in API costs on top of your VPS bill. Heavy use with Claude Opus or GPT-4 can push that higher. Switching to Claude Haiku or Gemini Flash for routine tasks and reserving the stronger models for complex ones is the most effective way to keep costs in check. OpenClaw logs every API call with token counts, so you can monitor usage from the Control UI.
Is my data private if I use a cloud AI provider?
Your messages are sent to whichever AI provider's API you configure. OpenClaw itself keeps all session history and memory on your VPS — nothing is stored by third parties beyond what the AI API processes to generate a response. If you need full end-to-end privacy, you can run a local model (via Ollama) and point OpenClaw at it — your data then never leaves the VPS.
Can I run other services on the same VPS?
Yes. OpenClaw runs as a single Node.js process and is relatively lightweight — a 4 GB RAM server comfortably runs OpenClaw alongside a small web app, database, or other services. Use separate Nginx server blocks for each service and manage them all through DeployHQ.
How do I back up my OpenClaw configuration?
The configuration the DeployHQ workflow covers is the primary backup strategy — your config.json and custom skills live in Git, which is your source of truth. For session memory and conversation history stored by OpenClaw locally, back up the ~/.openclaw/data directory periodically. A simple cron job to rsync it to an S3-compatible bucket is sufficient for most setups.
What happens when OpenClaw releases a breaking update?
Check the CHANGELOG before running npm update -g openclaw. Breaking changes are rare but do happen — usually around skill API changes. Test on a staging VPS first if you have critical automations running, then update production. The Restart=on-failure in your systemd unit means even a bad update that crashes the process won't leave you without a running service — it'll keep retrying until you fix the config.
OpenClaw gives you a genuinely useful AI assistant that runs on infrastructure you control — no subscription lock-in, no data leaving your servers unless you choose it. A $5-$10/month VPS handles typical personal use comfortably, and your only ongoing cost is API usage.
For teams managing multiple VPS instances, DeployHQ simplifies keeping configurations consistent across servers — deploy once to all your nodes from a single push. Sign up free and connect your first server in minutes.
Have questions or hit an issue? Reach out at support@deployhq.com or find us on Twitter at @deployhq.