Back to Intelligence Hub

OpenClaw VPS Implementation

Refined Deployment Strategy (2026)

A step-by-step technical guide for deploying OpenClaw on a Virtual Private Server. Optimized for Gemini 2.5 Flash.

Discernment & Audit
What Works
  • Non-root user security architecture
  • Persistent volumes for browser cache
  • Git/Telegram ENV integration
  • Official docker-setup.sh onboarding
Fixed Issues
  • Port exposure (now bound to localhost)
  • Invalid Playwright commands corrected
  • Missing Telegram pairing approval added
  • Updated 2026 Model naming conventions
Implementation Steps

01. Prerequisites

A fresh Ubuntu VPS (2GB+ RAM), Gemini API Key, and Telegram Bot Token are required.

# Generate your gateway token locally
openssl rand -hex 32

02. Host Environment Setup

SSH as root to install Docker and create a secure service user.

apt-get update && apt-get install -y ca-certificates curl git
curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh

adduser clawuser
usermod -aG sudo docker clawuser
su - clawuser

sudo ufw allow 22/tcp && sudo ufw enable

03. Repo & Permissions

mkdir -p ~/openclaw; cd ~/openclaw
git clone https://github.com/openclaw/openclaw.git repo
cd repo

mkdir -p ~/.openclaw ~/.openclaw/workspace ~/openclaw/browser_cache
sudo chown -R 1000:1000 ~/.openclaw ~/openclaw/browser_cache

04. Configuration (.env)

Create the .env file in ~/openclaw/repo. Use Gemini 2.5 Flash for cost efficiency.

OPENCLAW_GATEWAY_TOKEN=your_token_here
OPENCLAW_CONFIG_DIR=/home/clawuser/.openclaw
OPENCLAW_WORKSPACE_DIR=/home/clawuser/.openclaw/workspace
GEMINI_API_KEY=your_key
GEMINI_MODEL=gemini-2.5-flash
TELEGRAM_BOT_TOKEN=your_bot_token
ALLOWED_TELEGRAM_IDS=your_user_id

05. Port & Security Hardening

Edit docker-compose.yml to bind the port to localhost only.

ports:
  - "127.0.0.1:18789:18789"
command: ["node", "dist/index.js", "gateway", "--bind", "lan", "--port", "18789"]

06. Initialization

./docker-setup.sh
docker compose logs -f openclaw-gateway

07. Browser Dependency Install

docker compose exec -u root -e PLAYWRIGHT_BROWSERS_PATH=/home/node/.cache/ms-playwright openclaw-gateway node node_modules/playwright-core/cli.js install --with-deps chromium
sudo chown -R 1000:1000 ~/openclaw/browser_cache
docker compose restart openclaw-gateway

08. Telegram Pairing

Message your bot /start, get the code, and approve it via CLI.

docker compose run --rm openclaw-cli channels add --channel telegram --token "${TELEGRAM_BOT_TOKEN}"
# Replace CODE with the one from your bot
docker compose run --rm openclaw-cli pairing approve telegram CODE
docker compose restart openclaw-gateway

09. Testing & Maintenance

Access the dashboard via SSH tunnel and run weekly updates.

# SSH Tunnel for Dashboard
ssh -N -L 18789:127.0.0.1:18789 clawuser@your-vps-ip

# Weekly Update
git pull && ./docker-setup.sh && docker compose restart openclaw-gateway