How to Deploy OpenClaw on an Ubuntu VPS

OpenClaw just crossed 380,000 GitHub stars as of June 2026.

That makes it the fastest-growing open-source project in history, outpacing React, TensorFlow, and Vue in star velocity within its first quarter.

The reason behind that growth? You get a personal AI agent that runs 24/7, connects to Telegram, WhatsApp, Discord, and 20+ other platforms, and answers to you, not a SaaS company.

But getting started is where most people get stuck.

Which packages do you install first? Does Docker go before Node.js? What about the firewall?

What stops someone from accessing your gateway while it’s running?

I’ll walk you through deploying OpenClaw on Ubuntu, from your first SSH login to a fully secured, always-on AI agent.

Recommended VPS Specs for OpenClaw

Before you spin up a server, know what you need. OpenClaw is a multi-component Docker stack, Node.js runtime, bundled skills, conversation history, and optional browser automation. It is not a lightweight CLI tool.

Notes:

• Use NVMe SSD where possible; standard SSD works, but NVMe handles logs and concurrent I/O much better
• Keep at least 5 GB free for logs and conversation history at all times
• Start from a clean Ubuntu install to avoid package conflicts
• 1 GB machines fail during installation due to out-of-memory errors. The practical minimum for production is 4 GB RAM with 2 vCPU
• Local AI models like Ollama need extra RAM and a GPU, start with cloud APIs (Claude, GPT-4o) to keep costs low and the setup simple

What You Need Before You Start

Get these ready before you open your terminal. It saves time.

• A Truehost Ubuntu VPS has plans pre-sized for OpenClaw
• An API key from Anthropic (Claude), OpenAI, or OpenRouter
• A Telegram account is the easiest first messaging channel, no port forwarding required
• A registered domain name is optional for a basic test setup, required once you add SSL
• An SSH client: PuTTY for Windows, Terminal for Mac or Linux

Step 1: Connect to Your VPS via SSH

Windows: Download PuTTY → enter your server IP → set port to 22 → connection type SSH → click Open → login as root → enter your password.

Mac/Linux: Open Terminal → run ssh root@YOUR_SERVER_IP → enter your password.

You are now in. Everything from here runs inside this terminal session.

Check our guide on the 9 best VPS providers for OpenClaw

Step 2: Create a Non-Root User

Running OpenClaw as root is a serious security risk. If a skill misbehaves or gets compromised, the blast radius is your entire server every file, every credential, everything.

Create a dedicated user instead:

adduser openclaw
usermod -aG sudo openclaw

Copy your SSH key to the new user, then switch to it:

su - openclaw

From this point, run all commands as this user. Do not go back to root unless you have to.

Step 3: Update the Server

apt update
apt upgrade -y

This installs the latest security patches and keeps the system stable before you add any OpenClaw dependencies. Skip this step, and you risk compatibility issues later.

Related: Cheapest VPS Hosting Deals in South Africa

Step 4: Install Node.js 22+

OpenClaw requires Node.js version 22 or higher. Older versions will fail during installation. As of May 2026, the recommended version is Node 24, with Node 22.14+ as the minimum supported fallback.

Install from the NodeSource repository:

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
node --version  # should print v22.x.x

If the version is lower than 22, the installer will warn you. Fix it before moving on.

Step 5: Install Required Packages

apt install -y curl wget git unzip sudo

These tools handle file downloads, package management, and running installation scripts. OpenClaw’s installer relies on several of them.

Step 6: Install Docker

curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
docker --version  # verify: Docker version 26.x.x

Docker provides container isolation. It keeps OpenClaw’s environment clean and separate from the rest of your server. This is important for both stability and security, especially given the CVE-2026-25253 remote code execution vulnerability disclosed earlier this year.

Read also: Can You Host n8n for Free on a VPS?

Step 7: Install Docker Compose

apt install docker-compose-plugin -y
docker compose version  # verify installation

Docker Compose manages the multi-container stack OpenClaw runs on. You will use it to start, stop, and update your agent.

Step 8: Run the OpenClaw Installer

OpenClaw provides a one-line installer that handles the setup automatically:

curl -fsSL https://openclaw.ai/install.sh | bash

Installation takes 10–30 minutes, depending on your VPS speed. An interactive setup wizard launches automatically when it finishes.

Work through the wizard options carefully:

1. Confirm the security disclaimer
2. Select the Manual for onboarding mode
3. Gateway type: Local Gateway on loopback address (127.0.0.1)
4. Workspace directory: press Enter for the default
5. AI provider: Anthropic (Claude) is recommended for reliability
6. Enter your API key
7. Gateway port: press Enter for the default (18789)
8. Gateway bind: Loopback (127.0.0.1), this is a critical security setting; do not skip it
9. Gateway auth: press Enter to auto-generate a token
10. Package manager for skills: npm

The loopback binding in step 8 is the single most important security decision in the entire guide. It keeps your gateway off the public internet.

Step 9: Configure the .env File

nano /opt/openclaw/.env

Inside this file, set the following:

• Your API key (Anthropic, OpenAI, or OpenRouter)
• Your Telegram bot token, get it from @BotFather on Telegram
• GATEWAY_HOST=127.0.0.1 This keeps the gateway on loopback only

After saving, lock down the file permissions:

chmod 600 /opt/openclaw/.env

Two absolute rules for this file:

• Never commit .env to version control
• Never hardcode keys anywhere else in the project

If your keys leak, an attacker can run API calls on your account. Rotate compromised keys immediately.

Step 10: Configure UFW Firewall

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw limit 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status

This firewall setup denies all incoming traffic by default. Only SSH, HTTP, and HTTPS are allowed through.

Do not open port 18789 publicly. That is the OpenClaw gateway port. It must stay on localhost only. If it binds to 0.0.0.0:18789, anyone on the internet can reach your agent directly.

The ufw limit 22/tcp rule rate-limits SSH connections. It slows down brute-force login attempts without locking you out.

Step 11: Install and Configure Nginx as Reverse Proxy

All external traffic routes through Nginx. The gateway stays on localhost. This is the standard, secure architecture for any self-hosted web service.

Install Nginx:

sudo apt install nginx -y

Create a server block at /etc/nginx/sites-available/openclaw. Your configuration should:

• Proxy pass to http://127.0.0.1:18789
• Set the correct WebSocket headers (Upgrade, Connection)
• Set proxy_read_timeout 86400 This prevents Nginx from closing long-running WebSocket connections mid-session

Enable the site and reload Nginx:

sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Step 12: Add SSL with Certbot

Your Nginx config now works over HTTP. Add HTTPS with Let’s Encrypt.

sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com

Certbot automatically reconfigures your Nginx server block for HTTPS and sets up auto-renewal. Your gateway is now accessible at https://yourdomain.com with a valid certificate.

Let’s Encrypt certificates expire every 90 days. Certbot handles renewal automatically via a systemd timer; no action needed on your part.

Step 13: Run OpenClaw as a systemd Service

Without systemd, OpenClaw stops the moment you close your SSH session. That defeats the entire point of a VPS deployment.

Create a service file at /etc/systemd/system/openclaw.service. Main settings to include:

• Restart=always Restart on crash automatically
• WantedBy=multi-user.target start on boot
• User=openclaw Run as the dedicated user, never root

Enable and start the service:

sudo systemctl enable openclaw && sudo systemctl start openclaw

Verify it is running:

sudo systemctl status openclaw

You should see active (running) in green. If you see anything else, check the logs with journalctl -u openclaw -f.

Step 14: Test Your Deployment

Open your Telegram bot and send /start.

If the bot responds, the full stack is working. Your message traveled from Telegram → Nginx → OpenClaw Gateway → Claude API → back through the same route.

Now kill the manual process if you still have one running and let systemd take full control.

Verify the Deployment Is Secure

Do not skip this section. A misconfigured gateway is the most common OpenClaw security failure in 2026. Earlier this year, security researchers found 30,000–42,000 publicly exposed OpenClaw instances, 93% with no authentication.

Run these checks before you call the deployment done:

• Check gateway binding: confirm 127.0.0.1:18789 not 0.0.0.0:18789 If it shows 0.0.0.0:18789, run openclaw configure and select Local immediately
• Check firewall status: sudo ufw status Verify port 18789 is not listed
• Monitor logs: docker compose logs -f
• Run security audit: openclaw security audit --deep

Manage Your OpenClaw Instance

Once deployed, you manage OpenClaw through Docker Compose and systemd.

Daily management:

• Restart containers: docker compose restart
• Stop OpenClaw: docker compose down
• Start again: docker compose up -d
• Restart systemd service: sudo systemctl restart openclaw
• Check logs: docker compose logs -f

Updating OpenClaw:

Pull the latest from GitHub, then restart containers. Always check the changelog before updating on a production server. Skill API changes occasionally break existing automations.

Common Errors and Fixes

Skip the Manual Setup with Truehost OpenClaw Hosting

The 14-step process above works. But it takes time, typically 4–8 hours for a first deployment, plus 2–4 hours a month for maintenance, patching, and monitoring.

We at Truehost South Africa offer OpenClaw VPS plans with OpenClaw pre-configured and ready to use. Our data center is local, which means lower latency for South African users compared to European or US-based hosting.

Manual setup vs. Truehost OpenClaw Hosting:

Our plans start at R285/month for OpenClaw KVM1.

If you want control without the setup overhead, this is the fastest path.

OpenClaw on an Ubuntu VPS FAQ