Independent testing Updated April 2026 387 self-hosting guides 5 VPS providers tested

tutorial

How to Self-Host OpenClaw on a VPS (2026 Production Setup)

A complete step-by-step guide to self-hosting OpenClaw on a VPS in 2026, covering installation, configuration, securing OpenClaw, and the specs you need.

How to Self-Host OpenClaw on a VPS (2026 Production Setup)

OpenClaw went from 9K to 210K GitHub stars in six weeks, which means the documentation has not caught up with the production needs. The demo setup works. The setup you actually want for daily use needs more careful work, especially around the messaging gateways and the tool sandbox.

Here is the production install that I run on a Hetzner CCX23, with the gotchas the official docs do not warn you about.

Pre-Install Checklist

You need:

VPS sizing matters here more than for many tools because OpenClawโ€™s MCP tool registry and gateway daemons add up. The best VPS for OpenClaw guide covers the spec math in detail.

Step 1: Provision and Harden the VPS

Update the system and install prerequisites:

sudo apt update && sudo apt upgrade -y
sudo apt install -y curl git ufw ca-certificates gnupg

Set up the firewall before anything else:

sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Install Docker following the official Docker docs (donโ€™t use the distro package, it lags behind):

curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
newgrp docker

Verify Docker:

docker run --rm hello-world

Step 2: Clone and Configure OpenClaw

Clone the official repo:

mkdir -p /opt
sudo git clone https://github.com/openclaw/openclaw.git /opt/openclaw
sudo chown -R $USER:$USER /opt/openclaw
cd /opt/openclaw

Copy the example config and edit:

cp .env.example .env
nano .env

The critical settings to change:

POSTGRES_PASSWORD=<generate-a-strong-one>
[email protected]
ADMIN_PASSWORD=<generate-another-strong-one>
PUBLIC_DOMAIN=openclaw.yourdomain.com
MODEL_PROVIDER=openai
OPENAI_API_KEY=sk-...

For the database password, generate a random one with openssl rand -hex 24. Same for the admin password. Do not use defaults, OpenClaw deployments get scanned for leaked credentials within hours of going public.

Step 3: Start the Containers

docker compose pull
docker compose up -d

The first start takes 2 to 5 minutes as it initializes the Postgres database and runs migrations. Watch the logs:

docker compose logs -f openclaw

Look for Server listening on :8080 to confirm it is up.

Step 4: Set Up the Reverse Proxy

OpenClaw runs on port 8080 internally. Put Caddy in front for HTTPS termination. Install Caddy:

sudo apt install -y caddy

Configure /etc/caddy/Caddyfile:

openclaw.yourdomain.com {
  reverse_proxy localhost:8080
}

Make sure your DNS A record points at the VPS, then reload Caddy:

sudo systemctl reload caddy

Caddy handles Letโ€™s Encrypt automatically. Visit https://openclaw.yourdomain.com and you should see the OpenClaw login screen with a valid certificate.

Step 5: First-Time Setup via Web UI

Log in with the admin credentials from the .env file. The setup wizard asks for:

  1. Model provider configuration (auto-detected from the .env if you set it there)
  2. Initial workspace name
  3. Optional MCP tool integrations (start with just the file system and web search)
  4. First user account

Test that the agent works: in a chat with the default workspace, ask โ€œWhat can you do?โ€ The agent should describe its available tools.

If you get an error about the model endpoint, check the logs:

docker compose logs openclaw | grep -i error

Common issues at this stage:

Step 6: Add the Messaging Gateways

This is where OpenClaw earns its star count. For WhatsApp Business:

  1. Get a WhatsApp Business API account (via Meta, Twilio, or 360dialog)
  2. In OpenClaw admin: Integrations โ†’ WhatsApp โ†’ Add
  3. Paste your access token and phone number ID
  4. Configure the webhook URL: https://openclaw.yourdomain.com/webhooks/whatsapp

For Slack:

  1. Create a Slack app at api.slack.com/apps
  2. Enable Socket Mode and Event Subscriptions
  3. Install to your workspace
  4. In OpenClaw: Integrations โ†’ Slack โ†’ Add, paste the bot token and app token

For Telegram:

  1. Create a bot via @BotFather, grab the token
  2. In OpenClaw: Integrations โ†’ Telegram โ†’ Add, paste the token

Each gateway shows up as a new conversation channel inside OpenClaw. The same agent serves all channels, with conversation history kept per user per channel.

Step 7: Tool Registry Hardening

The MCP tool registry is what makes OpenClaw powerful and what introduces real security concerns. The default config allows the agent to install new tools at runtime, which is great for capability and bad for production safety.

Lock it down by editing .env:

TOOL_REGISTRY_MODE=allowlist
TOOL_REGISTRY_ALLOWLIST=filesystem,web-search,github,gmail

Now only the tools on your allowlist can be invoked. Add more as you verify them. Restart:

docker compose restart openclaw

Step 8: Backup Strategy

The two things that absolutely must survive a VPS failure: the Postgres database and the file storage volume.

Add a daily backup cron:

sudo crontab -e

Add:

0 3 * * * cd /opt/openclaw && docker compose exec -T postgres pg_dump -U openclaw openclaw | gzip > /backup/openclaw-$(date +\%Y\%m\%d).sql.gz && find /backup -name "openclaw-*.sql.gz" -mtime +14 -delete

This runs daily at 3 AM, dumps Postgres, and keeps 14 days. Mirror the backups offsite (S3, Backblaze, another VPS) for real disaster recovery.

What Comes Next

With the basic install working, the next priorities are usually:

For VPS sizing as your usage grows, see the best VPS for OpenClaw comparison. For complementary self-hosted tools, the SelfHostVPS guides cover the broader ecosystem.

Frequently asked questions

How long does the OpenClaw install actually take?

About 25 minutes on a fresh Ubuntu 24.04 VPS with the Docker Compose path. The container pulls are the slowest step (10 to 15 minutes depending on your VPS bandwidth). After that, the initial configuration via the web UI takes 5 to 10 minutes for the model endpoint, admin account, and your first messaging gateway.

Do I need Docker or can I install OpenClaw natively?

Docker Compose is the supported and recommended path. Native install is technically possible by following the components in the compose file, but the tool sandbox isolation makes Docker effectively required for production use. Trying to run the MCP tool registry without container isolation creates real security problems. Use Docker.

What ports does OpenClaw need open on the VPS?

Port 443 for HTTPS access to the web UI (via your reverse proxy). Internally, OpenClaw uses 8080 for the API and 5432 for Postgres, but those should not be exposed publicly. The messaging gateways (WhatsApp, Telegram, Slack) use outbound connections only and need no inbound ports. Lock down your firewall to just 22 (SSH) and 443.

How do I update OpenClaw after install without losing my data?

The standard pattern: stop the containers, pull new images, restart. The Postgres volume and the file storage volume persist across container updates. Always snapshot the VPS or backup the Postgres database before updating, especially for major version bumps. The release notes flag any breaking schema changes that need manual migration.