How to deploy OpenClaw on a VPS or cloud server 2026
OpenClaw is the hot new trend in AI – it lets you easily automate boring everyday tasks but also aids you in managing your business. Deploying OpenClaw on a VPS or a cloud server can give you more space and resources for even more powerful OpenClaw agents – ones that run 24/7 and allow experimentation with reduced risk.
However, deploying OpenClaw on a VPS can be difficult, especially with a VPS provider that doesn’t offer OpenClaw-specific environments and presets. But I’m here to help.
In this article, I walk you through an extensive setup guide for deploying OpenClaw on VPS providers that don’t offer specialized plans or specific guides. Additionally, you’ll find an easy no-code setup guide for those who have a dedicated OpenClaw VPS plan.
Deploy OpenClaw on a VPS in a few clicks – easy guide
Deploying OpenClaw on a VPS doesn’t have to be complicated – Hostinger offers a specific OpenClaw VPS plan with automatic deployment that takes just a few clicks, and no coding knowledge is needed. Here’s how to do it:
- Go to the Hostinger OpenClaw VPS page and purchase a plan. I recommend KVM2 because it has all the necessary requirements, such as 2 vCPU cores, up to 8GB RAM, and 100GB disk space.
- For easier model integration, I also recommend purchasing Nexos credits – you will have access to most AI models from major developers.
- If you also want to integrate web search, consider adding Oxylabs credits to your purchase as well.
- When you complete the purchase, set up the environment by copying and saving the gateway token (automatically generated). You will need it later.
- Enter your AI model API keys, such as from models like Claude or Gemini. If you purchased Nexos, this step is optional.
- Enter your WhatsApp number. If you want to use other channels, such as Telegram, this step is optional.
- Click Deploy.
- You can also deploy OpenClaw on an existing Hostinger VPS. To do this, find and install Docker Manager via the Manage dashboard on your VPS. In Docker Manager, find OpenClaw, configure the environment variables, and click Deploy.
- To access and manage your OpenClaw instance, click on the OpenClaw button in your VPS dashboard Overview. Otherwise, you can also find it in the Docker Manager Projects page.
- Once the OpenClaw interface opens in a new tab, enter your gateway token that you saved in step 4. Click Log in.
How to deploy OpenClaw on a VPS or cloud server – step-by-step
In this step-by-step guide, I walk you through deploying OpenClaw on a Linux VPS. The steps include patching, creating a non-root user, locking SSH to key-only authentication, as well as setting up a firewall and brute force protection. OpenClaw deployment steps include installation and configuration, securing the gateway, restricting bot permissions, and securing file permissions. The guide includes some optional steps, but I recommend following them for the best outcome.
Setting up a VPS server to deploy OpenClaw requires some technical and server security knowledge. Keep in mind that the setup might differ depending on your VPS provider. You should always refer to your provider’s and OpenClaws documentation for the most accurate information.
OpenClaw is not meant for beginner users. Extreme care should be taken both for data protection and security, and the overall tool usage: OpenClaw might have security gaps that can be difficult to control or patch for non-technical users. This guide is for illustration purposes only, and Cybernews is not responsible for the users’ server configuration and server security. Users are responsible for their own data and server security and should always keep API keys, passwords, and gateway tokens a secret, not expose them to the public, and ensure they can’t be leaked. The most up-to-date information about security and setups can be found in official OpenClaw documentation, which we recommend following first.
Step 1: prerequisites
Make sure your VPS has the recommended specifications:
- At least 1–2vCPU, at least 1–2GB RAM, >500MB SSD storage
- Server with Ubuntu or Debian and root SSH access
Ensure you have the authentication credentials for your chosen LLM, such as the ChatGPT API key.
Step 2: connecting to the server
Connect to your server and update:
ssh root@YOUR_SERVER_IP apt update && apt upgrade -y reboot
Wait a minute, then reconnect with ssh root@YOUR_SERVER_IP
Step 3: enabling automatic updates
To automatically apply security patches, enable automatic updates. Select Yes when prompted:
apt install unattended-upgrades -y dpkg-reconfigure -plow unattended-upgrades
Step 4: adding swap (optional)
Swap acts as overflow memory on disk. On servers with low RAM, the OS may kill processes, including OpenClaw, under memory pressure. Adding swap will create a 2GB swap file with a low swappiness value of 10. That way, the kernel will prefer real RAM and only swap to disk when necessary, which helps avoid performance degradation.
fallocate -l 2G /swapfile chmod 600 /swapfile mkswap /swapfile swapon /swapfile echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab echo 'vm.swappiness=10' | tee -a /etc/sysctl.conf sysctl -p
Step 5: creating a dedicated user
adduser openclaw usermod -aG sudo openclaw
Pick a strong password when prompted.
From this point on, you will need to connect as openclaw instead of root:
ssh openclaw@YOUR_SERVER_IP
Step 6: setting up SSH key
On your local machine, generate a key pair and copy it to the server. Note that some hosting providers might have easier methods to add SSH keys to the server.
ssh-keygen -t ed25519 ssh-copy-id openclaw@YOUR_SERVER_IP
Don’t close the current session. In a new terminal, test key login:
ssh openclaw@YOUR_SERVER_IP
Step 7: disabling root login and password authentication
sudo nano /etc/ssh/sshd_config
Find and set these values (some may need uncommenting – deleting # in order for the setting to change):
PermitRootLogin no PasswordAuthentication no PubkeyAuthentication yes
Restart SSH:
sudo systemctl restart ssh
Important: Keep your current session open and test in a new terminal that you can still log in as your new user before closing anything.
Now that SSH key authentication is working, you're locking down the two most exploited SSH attack surfaces: direct root login and password-based authentication. Disabling PermitRootLogin means even if an attacker knows the root password, they cannot log in remotely. Disabling PasswordAuthentication eliminates all brute-force and credential-stuffing attacks entirely – only clients with the correct private key can connect.
Step 8: setting up the firewall
Some providers, such as Hostinger, already offer a built-in firewall, so the setup steps might be different. The steps below are for setting up UFW and only allowing SSH and the ports that are explicitly required.
Install UFW:
sudo apt install ufw
Configure the firewall:
sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow OpenSSH sudo ufw enable
Verify – you should see only SSH (port 22) allowed:
sudo ufw status
Step 9: setting up brute force protection (fail2ban)
sudo apt install fail2ban -y sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local sudo nano /etc/fail2ban/jail.local
Find the [sshd] section and make sure it says:
[sshd] enabled = true port = ssh maxretry = 3 bantime = 3600
Then start fail2ban:
sudo systemctl enable fail2ban sudo systemctl start fail2ban
Step 10: installing and setting up OpenClaw
curl -fsSL https://openclaw.ai/install.sh | bash
Onboarding should start automatically after installation is complete. In case it doesn’t, you can run onboarding and install the daemon with this command:
openclaw onboard --install-daemon
The onboarding wizard will walk you through choosing a model provider, setting an API key, and configuring the gateway.
Don’t forget to copy and save your OpenClaw token, which will be generated automatically, as Control UI will require it later.
Step 11: verifying the installation and fixing potential security issues
The commands below confirm that OpenClaw installed correctly and that the Gateway is actively listening for connections. The openclaw doctor command performs a health check that flags misconfigurations, and openclaw security audit --fix scans for common insecure defaults (such as overly permissive file permissions, missing authentication, or exposed debug endpoints) and automatically remediates them.
Always run the security audit immediately after installation before exposing the service to any traffic.
Verify the installation:
openclaw --version openclaw gateway status # should show listening on port 18789 openclaw doctor # flags config issues
Fix common insecure settings:
openclaw security audit --fix
Step 12: verifying server deployment
Verify:
openclaw status systemctl --user status openclaw-gateway.service journalctl --user -u openclaw-gateway.service -f
Step 13: securing the gateway (optional)
If you are new to OpenClaw, this will harden OpenClaw's own configuration and limit the tool. Use this as a baseline first, then selectively re-enable tools per trusted agent.
1. Open ~/.openclaw/openclaw.json:
nano ~/.openclaw/openclaw.json
2. In the gateway.auth, make sure the mode is "token" and the token is the Control UI token you got while setting up OpenClaw.
// in your openclaw.json
"gateway": {
"auth": {
"mode": "token",
"token": "your-control-ui-token-here"
}
}
3. Find your channel block (e.g., channels.telegram, channels.whatsapp) and add DM pairing to your channel:
"dmPolicy": "pairing"
4. Isolate DMs in session:
session: {
dmScope: "per-channel-peer",
},
5. Edit tools block. This config makes the agent chat-oriented and heavily locked down. It can still do ordinary messaging (message) and inspect session status/history, but it cannot run commands, touch files, schedule automations, spawn sub-agents, or even use sessions_send.
tools: {
profile: "messaging",
deny: ["group:automation", "group:runtime", "group:fs", "sessions_spawn", "sessions_send"],
}
6. Deny control-plane tools. Inside your tools block, add:
"exec": {
"security": "deny",
"ask": "always"
If you need the bot to run code, use "security": "allowlist" instead and pair it with sandboxing (agents.defaults.sandbox.mode: "all").
7. Disable elevated tools inside the tools block:
"elevated": { "enabled": false }
8. Set mDNS discovery to minimal. Add this as a top-level block if it doesn't exist:
"discovery": {
"mdns": { "mode": "minimal" }
}
Step 14: file permissions
The ~/.openclaw/ directory contains your most sensitive assets: API keys, authentication tokens, channel credentials, and session transcripts. Setting directory permissions to 700 means only the owner can enter or list the directory. Setting the config file to 600 means only the owner can read or write it:
chmod 700 ~/.openclaw chmod 600 ~/.openclaw/openclaw.json
Step 15: accessing the Control UI
To access OpenClaw Control UI:
ssh -L 18789:localhost:18789 openclaw@YOUR_SERVER_IP
Then open http://localhost:18789. Copy-paste your OpenClaw token into the slot.
Why would you want to deploy OpenClaw on a VPS?
People use OpenClaw for a variety of tasks and automations already. However, there are several key reasons why deploying OpenClaw on a VPS is worth considering seriously:
- 24/7 availability. A VPS runs continuously without depending on your personal device, like a Mac Mini. OpenClaw agents can execute scheduled tasks, monitor feeds, and send alerts at any hour, which is great for operations that require continuous oversight.
- Accessible from any device or location. Because the VPS has a fixed IP and is always online, you can interact with OpenClaw from your phone, tablet, or any computer worldwide without needing to connect to your home machine via a VPN or other means.
- Better reliability and scalability. VPS providers offer uptime guarantees, redundant infrastructure, and the ability to scale RAM and CPU on demand. If you were to do this on your personal device, expenses can add up much more than if you rent a server from a third-party provider.
- Isolated and secure environment for experimentation. Running OpenClaw on a VPS separates it from your personal network and local files. This reduces risk in case an agent malfunctions, and you can also experiment freely with new automations without risk to your personal device.
Final thoughts
Setting up OpenClaw on a Virtual Private Server (VPS) is better than running it on a local machine. With a VPS, you get 24/7 availability, accessibility from any device or location, better reliability and scalability, and an isolated, secure environment for experimenting with OpenClaw agents.
For those who are just starting out or want the fastest, simplest path, I recommend the easy 1-click setup, like the one from Hostinger. You only need to purchase a plan, enter the API keys, and click Deploy. The extensive step-by-step manual deployment is better for advanced users, those whose provider doesn't offer dedicated OpenClaw plans, or anyone who wants granular control over their server and security.
Keep in mind that OpenClaw is not designed for beginners and carries inherent security risks. I recommend exercising extreme care regarding data protection and security, and always keep sensitive credentials like API keys, passwords, and gateway tokens secret.
