OpenClaw is an open-source, autonomous AI agent framework designed to function as a highly integrated personal assistant. It serves as a local runtime that connects Large Language Models (LLMs) to a user’s personal data and system environment.
The OpenClaw bot requires root access to the server, which is available on both our VPS and Dedicated Server plans. While both options support this requirement, a VPS is generally the recommended choice for running OpenClaw.
You can find the list of operating systems available for VPS and Dedicated Servers here.
This article provides guidance on how to:-
install the prerequisites
-
install OpenClaw
-
run the onboarding wizard and install the Gateway service
Requirements:-
Node.JS 22.14 version or later
-
An API key from a model provider
First off, log in to your server as root. The login credentials can be retrieved in the Welcome Email delivered to your primary email account when your server was provisioned to you.
Before installing OpenClaw on your server, update the server packages and install Node.js:
Ubuntu / Debian:
apt update && apt upgrade -y
apt install nodejs
Red Hat Enterprise Linux:
dnf update
Then, make sure that the necessary packages required for safe files downloading are installed:
Ubuntu / Debian:
apt install ca-certificates curl
Red Hat Enterprise Linux:
dnf install ca-certificates curl
Alternatively, it all can be achieved by running the following commands:
Ubuntu:
curl -fsSL https://deb.nodesource.com/setup_NN.x | sudo bash -
Red Hat Enterprise Linux:
curl -fsSL https://rpm.nodesource.com/setup_NN.x | sudo bash -
Make sure to replace NN with 22 or 24, depending on the Node.js version you wish to install.
It is strongly recommended, though not strictly required, to create a separate user for OpenClaw on Linux. As a self-hosted AI agent with access to your files, terminal, and API keys, isolating OpenClaw improves security by preventing it from accessing your personal data if it is compromised.
Here is how you can add a new user to your server:
useradd $NEWUSER
Add the new user to the sudo or wheel group to be able to run commands on behalf of the superuser:
usermod -aG sudo $NEWUSER # for Ubuntu/Debian OS
or
usermod -aG wheel $NEWUSER # for RHEL/Linux OS
Lastly, log in as the new user to proceed with the installation of OpenClaw:
su - $NEWUSER
This command will allow you to simulate a fresh login to the server. Make sure to replace the $NEWUSER variable with the actual username of the new user.
Now, OpenClaw can be installed. Run this command to start the installation process:
curl -fsSL https://openclaw.ai/install.sh | bash
It installs the CLI globally via npm and runs onboarding by default. During the installation, you will be able to set up:-
Gateway: we recommend that you bind it to 127.0.0.1 (localhost) instead of 0.0.0.0. This ensures it is not reachable from the public internet.
-
Auth method: OAuth or API keys.
-
Configure gateway token: treat your gateway auth token as a password. Rotate it regularly and use strong, random strings stored in an .env file rather than hardcoding them in configuration files.
-
Model/auth provider: you will be able to choose one from the list of providers or enter the custom one.
etc.
If you wish to install it without unboarding, run the following one-liner:
curl -fsSL https://openclaw.ai/install.sh | bash -s -- --no-onboard
Linux installs use a systemd user service, which stops by default when a user logs out, killing the gateway. Therefore, you have to enable lingering, which keeps OpenClaw’s background service running when the user is logged out:
sudo loginctl enable-linger “$USER”
Securing a remote connection to OpenClaw is critical because it has broad permissions to access your files, emails, and even control your local system. Exposing its gateway port (default 18789) to the public internet is highly risky and has already led to thousands of compromised instances.
OpenClaw should only listen on your local machine. Ensure your configuration (.openclaw/openclaw.json) restricts the gateway to loopback:
"gateway": {
"bind": "loopback",
"port": 18789
}
This ensures that even if your firewall is open, the service itself won't accept connections from outside the machine.
The cleanest way to access the OpenClaw dashboard is to use SSH tunnelling:
ssh -N -L 18789:127.0.0.1:18789 $user@$ip -p $port
Where $user is the dedicated user you created earlier, $ip is the IP address of your server, and $port is the custom port for SSH connection to your server.
Alternatively, run openclaw dashboard as a user created on your server and open https://localhost:18789 on your device.