How to Self-Host OpenClaw on a VPS (2026 Production Setup)
OpenClaw went from 9K to 210K GitHub stars in six weeks, which means the documentation has not caught up with the production needs. The demo setup works. The setup you actually want for daily use needs more careful work, especially around the messaging gateways and the tool sandbox.
Here is the production install that I run on a Hetzner CCX23, with the gotchas the official docs do not warn you about.
Pre-Install Checklist
You need:
- VPS with Ubuntu 24.04 or Debian 12
- 16 GB RAM minimum for production (8 GB only for demo or solo use)
- 160 GB NVMe disk
- A domain name pointed at your VPS for HTTPS
- API keys for your model provider (OpenAI, Anthropic, or local Ollama)
- API tokens for the messaging gateways you plan to use
VPS sizing matters here more than for many tools because OpenClawโs MCP tool registry and gateway daemons add up. The best VPS for OpenClaw guide covers the spec math in detail.
Step 1: Provision and Harden the VPS
Update the system and install prerequisites:
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl git ufw ca-certificates gnupg
Set up the firewall before anything else:
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Install Docker following the official Docker docs (donโt use the distro package, it lags behind):
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
newgrp docker
Verify Docker:
docker run --rm hello-world
Step 2: Clone and Configure OpenClaw
Clone the official repo:
mkdir -p /opt
sudo git clone https://github.com/openclaw/openclaw.git /opt/openclaw
sudo chown -R $USER:$USER /opt/openclaw
cd /opt/openclaw
Copy the example config and edit:
cp .env.example .env
nano .env
The critical settings to change:
POSTGRES_PASSWORD=<generate-a-strong-one>
[email protected]
ADMIN_PASSWORD=<generate-another-strong-one>
PUBLIC_DOMAIN=openclaw.yourdomain.com
MODEL_PROVIDER=openai
OPENAI_API_KEY=sk-...
For the database password, generate a random one with openssl rand -hex 24. Same for the admin password. Do not use defaults, OpenClaw deployments get scanned for leaked credentials within hours of going public.
Step 3: Start the Containers
docker compose pull
docker compose up -d
The first start takes 2 to 5 minutes as it initializes the Postgres database and runs migrations. Watch the logs:
docker compose logs -f openclaw
Look for Server listening on :8080 to confirm it is up.
Step 4: Set Up the Reverse Proxy
OpenClaw runs on port 8080 internally. Put Caddy in front for HTTPS termination. Install Caddy:
sudo apt install -y caddy
Configure /etc/caddy/Caddyfile:
openclaw.yourdomain.com {
reverse_proxy localhost:8080
}
Make sure your DNS A record points at the VPS, then reload Caddy:
sudo systemctl reload caddy
Caddy handles Letโs Encrypt automatically. Visit https://openclaw.yourdomain.com and you should see the OpenClaw login screen with a valid certificate.
Step 5: First-Time Setup via Web UI
Log in with the admin credentials from the .env file. The setup wizard asks for:
- Model provider configuration (auto-detected from the
.envif you set it there) - Initial workspace name
- Optional MCP tool integrations (start with just the file system and web search)
- First user account
Test that the agent works: in a chat with the default workspace, ask โWhat can you do?โ The agent should describe its available tools.
If you get an error about the model endpoint, check the logs:
docker compose logs openclaw | grep -i error
Common issues at this stage:
- Wrong OpenAI key format (must start with
sk-) - Model name typo (use
gpt-4o-miniorclaude-3-5-sonnet-20241022, not arbitrary names) - Rate limit on your API account, especially with free-tier OpenAI keys
Step 6: Add the Messaging Gateways
This is where OpenClaw earns its star count. For WhatsApp Business:
- Get a WhatsApp Business API account (via Meta, Twilio, or 360dialog)
- In OpenClaw admin: Integrations โ WhatsApp โ Add
- Paste your access token and phone number ID
- Configure the webhook URL:
https://openclaw.yourdomain.com/webhooks/whatsapp
For Slack:
- Create a Slack app at api.slack.com/apps
- Enable Socket Mode and Event Subscriptions
- Install to your workspace
- In OpenClaw: Integrations โ Slack โ Add, paste the bot token and app token
For Telegram:
- Create a bot via @BotFather, grab the token
- In OpenClaw: Integrations โ Telegram โ Add, paste the token
Each gateway shows up as a new conversation channel inside OpenClaw. The same agent serves all channels, with conversation history kept per user per channel.
Step 7: Tool Registry Hardening
The MCP tool registry is what makes OpenClaw powerful and what introduces real security concerns. The default config allows the agent to install new tools at runtime, which is great for capability and bad for production safety.
Lock it down by editing .env:
TOOL_REGISTRY_MODE=allowlist
TOOL_REGISTRY_ALLOWLIST=filesystem,web-search,github,gmail
Now only the tools on your allowlist can be invoked. Add more as you verify them. Restart:
docker compose restart openclaw
Step 8: Backup Strategy
The two things that absolutely must survive a VPS failure: the Postgres database and the file storage volume.
Add a daily backup cron:
sudo crontab -e
Add:
0 3 * * * cd /opt/openclaw && docker compose exec -T postgres pg_dump -U openclaw openclaw | gzip > /backup/openclaw-$(date +\%Y\%m\%d).sql.gz && find /backup -name "openclaw-*.sql.gz" -mtime +14 -delete
This runs daily at 3 AM, dumps Postgres, and keeps 14 days. Mirror the backups offsite (S3, Backblaze, another VPS) for real disaster recovery.
What Comes Next
With the basic install working, the next priorities are usually:
- Adding more MCP tools as you verify them safe
- Configuring user accounts and permissions for your team
- Setting up monitoring (Uptime Kuma works well alongside OpenClaw)
- Tuning the model selection per workspace based on cost and quality needs
For VPS sizing as your usage grows, see the best VPS for OpenClaw comparison. For complementary self-hosted tools, the SelfHostVPS guides cover the broader ecosystem.
Frequently asked questions
How long does the OpenClaw install actually take?
About 25 minutes on a fresh Ubuntu 24.04 VPS with the Docker Compose path. The container pulls are the slowest step (10 to 15 minutes depending on your VPS bandwidth). After that, the initial configuration via the web UI takes 5 to 10 minutes for the model endpoint, admin account, and your first messaging gateway.
Do I need Docker or can I install OpenClaw natively?
Docker Compose is the supported and recommended path. Native install is technically possible by following the components in the compose file, but the tool sandbox isolation makes Docker effectively required for production use. Trying to run the MCP tool registry without container isolation creates real security problems. Use Docker.
What ports does OpenClaw need open on the VPS?
Port 443 for HTTPS access to the web UI (via your reverse proxy). Internally, OpenClaw uses 8080 for the API and 5432 for Postgres, but those should not be exposed publicly. The messaging gateways (WhatsApp, Telegram, Slack) use outbound connections only and need no inbound ports. Lock down your firewall to just 22 (SSH) and 443.
How do I update OpenClaw after install without losing my data?
The standard pattern: stop the containers, pull new images, restart. The Postgres volume and the file storage volume persist across container updates. Always snapshot the VPS or backup the Postgres database before updating, especially for major version bumps. The release notes flag any breaking schema changes that need manual migration.