

Do not run OpenClaw on your personal laptop. It has full system access. The Stack: Ubuntu 24.04 LTS, 4GB RAM (Minimum), Docker Compose. The Secret: Use Tailscale to access the Web UI securely instead of opening port 18789 to the public internet.
Analysis by the FussionHost Engineering Team.
1. Stop “Playing” with Localhost
If you are running OpenClaw (formerly Clawdbot/Moltbot) on your MacBook Pro, you are doing it wrong.
OpenClaw is not a chatbot; it is an agent. It has permission to read files, execute shell commands, and potentially wipe directories if it hallucinates an rm -rf command. Running this on the same machine where you store your tax returns and family photos is negligent.
Furthermore, an agent is useless if it sleeps when you close your lid. To get the “Jarvis” experience—where the bot checks your emails at 4 AM and prepares your daily brief—it needs a permanent home.
This guide is not a marketing brochure. This is a technical blueprint for isolating OpenClaw in a Virtual Private Server (VPS), securing it behind a VPN, and ensuring it survives a crash.
Table of Contents:
- The Hardware Truth: Why 2GB RAM isn’t enough.
- The Container Strategy: Why we reject the curl | bash installer.
- Step-by-Step Installation: Docker Compose, Permissions, and Volumes.
- The Headless Interface: Connecting Telegram/Discord.
- Security: Locking down the Gateway with Tailscale.
2. The Hardware “Gotcha”
The 2GB Lie
Documentation often lists 2GB RAM as the minimum requirement. This is technically true if you only use the chat interface.
However, OpenClaw’s power lies in its Skills, specifically browser automation (Puppeteer/Playwright). The moment you ask OpenClaw to “go check that website,” it spins up a headless Chromium instance. Chromium is a memory hog. On a 2GB server, this triggers the Linux OOM (Out of Memory) Killer, which will unceremoniously slaughter your Docker process to save the kernel.
Recommended Specs for Stability:

| Component | Requirement | Reason |
| :--- | :--- | :--- |
| CPU | 2 vCPU | Node.js is single-threaded but heavy; background tasks need breathing room. |
| RAM | 4GB+ | Headless browser overhead + Docker daemon + System OS. |
| Disk | 40GB NVMe | Docker images for agents are large; logs grow fast. |
| OS | Ubuntu 24.04 | Standard kernel support for latest Docker engine. |
3. The Deployment (Docker Compose)
Most tutorials tell you to run curl -fsSL https://openclaw.ai/install.sh | bash.
Do not do this. Piping URLs to Bash is fine for a test environment, but for a 24/7 server, you need reproducibility. We will use Docker Compose. This allows you to define the network, volumes, and restart policies in a single file that can be version-controlled.
Step 3.1: Server Prep
SSH into your VPS. First, purge the default fluff and install Docker.
```bash
# Update and install Docker
sudo apt update && sudo apt upgrade -y
sudo apt install -y docker.io docker-compose-v2 git

# Create a non-root user (Security Best Practice)
# We do NOT want OpenClaw running as root.
sudo useradd -m -s /bin/bash clawops
# Note: membership in the docker group is root-equivalent on the host,
# so protect this account like an admin account.
sudo usermod -aG docker clawops
sudo su - clawops
```
Step 3.2: The Compose File
Create a directory structure. We want our data to persist outside the container.
```bash
mkdir -p ~/openclaw/data
cd ~/openclaw
nano docker-compose.yml
```
Paste the following configuration. Note the restart: always policy—this is what keeps your agent alive 24/7.
```yaml
version: '3.8'
services:
  openclaw-gateway:
    image: ghcr.io/openclaw/openclaw:latest
    container_name: openclaw
    restart: always
    network_mode: host # Simplifies local gateway connections
    environment:
      - NODE_ENV=production
      # This token secures your Web UI. Generate a strong one.
      - GATEWAY_TOKEN=your_super_secret_token_here_change_this
    volumes:
      # Persist memory and configuration
      - ./data:/root/.openclaw
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
```
Step 3.3: Launch
Start the daemon in detached mode.
```bash
docker compose up -d
```
Check the logs to ensure it’s breathing:
```bash
docker compose logs -f
```
4. The “Insider Secret”: Tailscale Security
Here is where most hosts set you up for failure. OpenClaw exposes a Web UI on port 18789. If you open this port in your firewall (UFW) to 0.0.0.0/0, the entire internet can try to brute-force your token.
The Solution: Do not open the port. Use Tailscale.
Tailscale creates a private encrypted mesh network. You can access your VPS IP as if it were on your local WiFi, without exposing ports to the public web.
- Install Tailscale on VPS:
```bash
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```
- Install Tailscale on your Laptop/Phone.
- Access securely: Navigate to http://100.x.y.z:18789 (your VPS’s Tailscale IP).
This adds a zero-trust layer. Even if your token leaks, attackers cannot reach the login page.
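To confirm the lockdown described in this section, the following added example (not part of the original guide or of OpenClaw) reads `ss -ltn` output and classifies every listener on port 18789 as loopback, Tailscale or exposed. It assumes Tailscale's address ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48); the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which addresses the Web UI port is bound to.
PORT=18789

# Constructed sample of `ss -ltn` output, so the script runs offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.53%lo:53          0.0.0.0:*
LISTEN 0      511    0.0.0.0:18789             0.0.0.0:*
LISTEN 0      511    100.101.102.103:18789     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22                0.0.0.0:*'

# classify_addr ADDR: prints loopback, tailscale or exposed.
classify_addr() {
  a=${1#\[}; a=${a%\]}   # strip IPv6 brackets
  a=${a%%\%*}            # strip a %iface zone suffix
  case "$a" in
    127.*|::1)        echo loopback ;;
    fd7a:115c:a1e0:*) echo tailscale ;;   # Tailscale IPv6 prefix
    # 100.64.0.0/10 means a second octet of 64 through 127
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*)
                      echo tailscale ;;
    *)                echo exposed ;;     # 0.0.0.0, [::], * or another NIC
  esac
}

# audit_listeners: reads `ss -ltn` output on stdin, prints one line per
# listener on $PORT, returns 1 if any is bound beyond loopback or the tailnet.
audit_listeners() {
  rc=0
  while read -r state recvq sendq laddr rest; do
    case "$state $laddr" in
      "LISTEN "*":$PORT") ;;
      *) continue ;;
    esac
    kind=$(classify_addr "${laddr%:*}")
    echo "$kind $laddr"
    if [ "$kind" = exposed ]; then rc=1; fi
  done
  return "$rc"
}

# Live use on the VPS: ss -ltn | audit_listeners
printf '%s\n' "$SAMPLE_SS" | audit_listeners ||
  echo "port $PORT is bound beyond the tailnet: make sure the firewall denies it"
```

With `network_mode: host` a wildcard bind is protected only by the host firewall's deny rule, so an "exposed" result means the UFW policy is the sole barrier. If the service is ever switched to a `ports:` mapping, Docker's own iptables rules publish the port regardless of UFW.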
5. Headless Pairing (Telegram/Discord)
Since you are running this on a VPS, you won’t be using the Web UI for daily chatting. You need a mobile-friendly interface. OpenClaw excels when paired with Telegram.
- Get a Bot Token:
  - Open Telegram and message @BotFather.
  - Send /newbot.
  - Copy the HTTP API Token provided.
- Configure via Terminal (TUI): OpenClaw has a Terminal UI for initial setup if you don’t want to use the browser.
```bash
# Attach to the running container to run setup commands
docker exec -it openclaw openclaw setup
```
  - Select Telegram.
  - Paste your Bot Token.
  - It will give you a “pairing code.”
- Approve the Pairing: Send the pairing code to your new Telegram bot. It should reply instantly. You now have a 24/7 agent in your pocket.
Frequently Asked Questions
Q: Can I run local LLMs (Ollama) with this VPS setup?
A: Theoretically, yes, but not on a standard VPS. Local LLMs (like Llama 3) require massive GPU VRAM. Unless you are paying for a GPU-enabled VPS (expensive), stick to API providers like Anthropic (Claude 3.5 Sonnet) or OpenAI.
Q: How do I update OpenClaw?
A: Since we used Docker Compose, it’s trivial.
```bash
docker compose pull
docker compose up -d
```
This downloads the new image and recreates the container without losing your data volume.
Q: Why does my bot stop replying after 24 hours?
A: Check your docker logs. If you see “Killed,” you ran out of RAM. Upgrade your VPS plan or add a swap file (though swap is slow and will degrade performance).
7. Conclusion
Running OpenClaw locally is a novelty; running it on a VPS is a workflow. By moving to a Linux environment, you gain stability, security, and the ability to automate tasks while you sleep.
Verdict: Don’t skimp on RAM. Use Docker. Lock it down with Tailscale.

