Run OpenClaw on a VPS

Self-host OpenClaw on a cheap VPS so your agent stays online 24/7: install, daemonize the Gateway, keep it on loopback, and reach the dashboard over Tailscale.

OpenClaw is built to be always-on, and a laptop that sleeps is a bad home for an always-on agent. A small VPS fixes that: your agent answers Telegram at 3am, runs scheduled jobs, and survives your reboots. This guide takes a fresh Linux server to a hardened, persistent OpenClaw.

What you need

  • A small VPS from any provider. OpenClaw itself is lightweight; the model runs in the cloud, so 1 to 2 GB of RAM is a comfortable start.
  • Ubuntu or Debian (anything systemd works).
  • An API key for your model, or an OpenRouter key. Not sure which model? See best models for OpenClaw and what OpenClaw costs to run.

1. Install

SSH in as a regular user (not root) and run the installer:

curl -fsSL https://openclaw.ai/install.sh | bash

It detects the OS, installs Node if needed, installs OpenClaw, and launches onboarding. Walk through provider, API key, and Gateway setup as in our install guide.

2. Make it survive reboots

The onboarding flag you want on a server is the daemon install:

openclaw onboard --install-daemon

On Linux this registers the Gateway as a systemd service, so it starts on boot and restarts on failure. Verify:

openclaw gateway status
openclaw doctor

3. Keep the Gateway private

The Gateway listens on port 18789 and is the control plane for an agent that can run shell commands. On a public VPS this is the step that matters most:

{
  gateway: {
    auth: { mode: "token", token: "your-long-random-token" },
    bind: "loopback"
  }
}

Keep bind: "loopback" always. To reach the dashboard from your laptop, use Tailscale Serve, which keeps the port on loopback while Tailscale handles access:

tailscale serve --bg 18789

A plain SSH tunnel works too: ssh -L 18789:localhost:18789 your-vps, then open the dashboard locally. Do not bind to LAN or public interfaces; the safe-setup checklist explains why and what else to lock down.

4. Connect channels

Telegram is the easiest channel on a headless server because it only needs a token in config: OpenClaw Telegram setup. WhatsApp needs a one-time QR scan, which is clumsier remotely; link it locally first or hand the QR image over directly: OpenClaw WhatsApp setup.

5. Run the audit before you walk away

openclaw security audit --deep

It checks inbound access policies, tool blast radius, filesystem permissions, and network exposure. Re-run it after any config change. A messaging-connected agent on an always-on server is exactly the thing you want audited.

Ongoing care

  • Update with your package manager (npm update -g openclaw for npm installs) and re-run openclaw doctor after.
  • Watch your token spend: an always-on agent burns tokens around the clock, which is why the model choice matters more on a VPS than anywhere else. The scenario table on our cost page prices a 24/7 agent honestly.
  • Keep ~/.openclaw/ at mode 700; it holds session transcripts and channel credentials.

Source: OpenClaw install docs and gateway security docs, checked June 2026.

Share:
Explore OpenClawInstallationGuidesIntegrations