Self-Host OpenClaw on DigitalOcean

Deploy OpenClaw AI coding agent on a DigitalOcean Droplet. Complete guide covering Node.js install, systemd service, swap setup, and secure remote access via SSH tunnel or Tailscale.

Difficulty: beginner | Time: ~20 min | Cost: ~$6/mo

DigitalOcean Droplets provide a simple, predictable platform for running OpenClaw Gateway. This guide covers provisioning a Droplet, installing OpenClaw via the official installer script, setting up systemd for process management, and configuring secure remote access.

Quick path

Condensed steps for experienced users:

  1. Create an Ubuntu 24.04 LTS Droplet (1 vCPU / 1 GB minimum, 2 GB recommended)
  2. SSH in, add 2 GB swap if on the 1 GB plan
  3. Install Node.js 24: curl -fsSL https://deb.nodesource.com/setup_24.x | bash - && apt install -y nodejs
  4. Run the OpenClaw installer: curl -fsSL https://openclaw.ai/install.sh | bash
  5. Complete the onboarding wizard
  6. Enable the systemd service: systemctl enable --now openclaw-gateway
  7. Access via SSH tunnel: ssh -N -L 18789:127.0.0.1:18789 root@DROPLET_IP
  8. Open http://127.0.0.1:18789/

Prerequisites

Step 1 — Create a Droplet

In the DigitalOcean control panel, click Create > Droplets and configure:

Click Create Droplet and wait for provisioning to complete.

Alternatively, using the doctl CLI:

doctl compute droplet create openclaw-gateway \
  --region nyc1 \
  --image ubuntu-24-04-x64 \
  --size s-1vcpu-1gb \
  --ssh-keys YOUR_SSH_KEY_FINGERPRINT \
  --wait

Step 2 — Initial Server Setup

SSH into the Droplet:

ssh root@YOUR_DROPLET_IP

Update system packages:

apt update && apt upgrade -y

Add swap space (required for 1 GB Droplets)

If your Droplet has only 1 GB of RAM, swap is essential to prevent out-of-memory kills:

fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab

Tune swappiness for a server workload:

echo 'vm.swappiness=10' >> /etc/sysctl.conf
sysctl -p

Verify with free -h.

Step 3 — Install Node.js 24

OpenClaw requires Node.js 24 or later. Install it from the NodeSource repository:

curl -fsSL https://deb.nodesource.com/setup_24.x | bash -
apt install -y nodejs

Verify the installation:

node --version   # Should show v24.x.x
npm --version

Step 4 — Install OpenClaw

Run the official installer script:

curl -fsSL https://openclaw.ai/install.sh | bash

The installer downloads the OpenClaw Gateway binary, places it in your PATH, and creates the default configuration directory at ~/.openclaw.

After installation, verify:

openclaw --version
openclaw doctor

The doctor command checks your environment for common issues — Node.js version, available memory, disk space, and network connectivity.

Step 5 — Complete the Onboarding Wizard

Run the onboarding wizard to configure your gateway:

openclaw setup

The wizard walks you through:

  1. Gateway token — A secret token for authenticating to the gateway. The wizard can generate one for you, or you can provide your own.
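  2. Bind address — Select lan to bind to all local interfaces, or loopback for 127.0.0.1 only. On a Droplet, all local interfaces includes the public one, so choose loopback when you plan to use the SSH tunnel or Tailscale Serve options in Step 7.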
  3. Port — Default is 18789.
  4. Workspace directory — Where OpenClaw reads and writes project files. Default is ~/.openclaw/workspace.

The configuration is written to ~/.openclaw/config.toml:

[gateway]
token = "your_generated_token"
bind = "loopback"
port = 18789

[workspace]
path = "/root/.openclaw/workspace"

Step 6 — Set Up the Systemd Service

Create a systemd unit file so OpenClaw starts on boot and restarts on failure:

cat > /etc/systemd/system/openclaw-gateway.service << 'EOF'
[Unit]
Description=OpenClaw Gateway
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=root
WorkingDirectory=/root/.openclaw
ExecStart=/usr/local/bin/openclaw gateway start
Restart=on-failure
RestartSec=5
Environment=NODE_ENV=production

# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/root/.openclaw

[Install]
WantedBy=multi-user.target
EOF

Enable and start the service:

systemctl daemon-reload
systemctl enable --now openclaw-gateway

Check the status:

systemctl status openclaw-gateway
journalctl -u openclaw-gateway -f --no-pager -n 50

Step 7 — Secure Remote Access

You have three options for accessing OpenClaw from your local machine. All three keep the gateway off the public internet.

Option A: SSH Tunnel

The simplest approach. On your local machine:

ssh -N -L 18789:127.0.0.1:18789 root@YOUR_DROPLET_IP

Then open http://127.0.0.1:18789/ in your browser. The tunnel must remain open while you work.

For persistence, add to your ~/.ssh/config:

Host openclaw
    HostName YOUR_DROPLET_IP
    User root
    LocalForward 18789 127.0.0.1:18789
    ServerAliveInterval 60
    ServerAliveCountMax 3

Then simply run ssh -N openclaw.

Option B: Tailscale Serve

Install Tailscale on both your local machine and the Droplet:

# On the Droplet
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up

Then use Tailscale Serve to expose the gateway within your tailnet:

tailscale serve --bg http://127.0.0.1:18789

Access the gateway at https://YOUR_DROPLET_TAILSCALE_NAME:443/ from any device on your tailnet. No SSH tunnel needed.

Option C: Tailnet Bind

Alternatively, configure OpenClaw to bind directly to the Tailscale interface. Edit ~/.openclaw/config.toml:

[gateway]
bind = "tailnet"

Restart the service:

systemctl restart openclaw-gateway

OpenClaw will listen only on the Tailscale interface, making it accessible to devices on your tailnet at http://YOUR_DROPLET_TAILSCALE_IP:18789/.
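
To check on the Droplet that the gateway really is off the public interface, the following added example (not part of the original guide or of OpenClaw) classifies every listener on port 18789 from ss -tlnH output as loopback, tailnet or exposed. It assumes that 100.64.0.0/10 and fd7a:115c:a1e0::/48 on this host belong to Tailscale; the function names and the sample ss output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not OpenClaw code): report where the gateway port is listening.
GATEWAY_PORT=18789   # default port from the onboarding wizard

# classify_addr ADDR -> prints loopback | tailnet | exposed
# Assumption: 100.64.0.0/10 and fd7a:115c:a1e0::/48 on this host are Tailscale.
classify_addr() {
  local addr second
  addr=${1#\[}; addr=${addr%\]}   # drop [] around IPv6 literals
  addr=${addr%%\%*}               # drop %iface scope, e.g. 127.0.0.53%lo
  case $addr in
    127.*|::1)        echo loopback; return 0 ;;
    fd7a:115c:a1e0:*) echo tailnet;  return 0 ;;
    100.*)
      second=${addr#100.}; second=${second%%.*}
      if [ "$second" -ge 64 ] && [ "$second" -le 127 ]; then
        echo tailnet; return 0
      fi ;;
  esac
  echo exposed   # 0.0.0.0, *, [::] or any other address
}

# gateway_exposure: reads `ss -tlnH` output on stdin and prints "<class> <addr>"
# for each listener on GATEWAY_PORT. Returns 0 if none is exposed, 1 if any is,
# 2 if nothing is listening on the port.
gateway_exposure() {
  local state recvq sendq local_ep rest addr class found=0 bad=0
  while read -r state recvq sendq local_ep rest || [ -n "$state" ]; do
    [ "${local_ep##*:}" = "$GATEWAY_PORT" ] || continue
    found=1
    addr=${local_ep%:*}
    class=$(classify_addr "$addr")
    echo "$class $addr"
    if [ "$class" = exposed ]; then bad=1; fi
  done
  [ "$found" -eq 1 ] || return 2
  return "$bad"
}

# Constructed sample of `ss -tlnH` output with a wildcard listener on the port.
SAMPLE_SS='LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511  *:18789          *:*'

printf '%s\n' "$SAMPLE_SS" | gateway_exposure \
  || echo "gateway is reachable beyond loopback/tailnet"
# On the Droplet: ss -tlnH | gateway_exposure
```

An exposed result means the bind setting or the firewall rules need another look before the token is the only thing protecting the gateway.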

Security Best Practices

Firewall configuration

DigitalOcean Cloud Firewalls are free and applied at the network level. Create one that allows only SSH:

As a secondary layer, configure ufw on the Droplet:

ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw enable

Non-root user (optional)

For better isolation, run OpenClaw under a dedicated user:

adduser --system --home /home/openclaw --shell /bin/bash openclaw
mkdir -p /home/openclaw/.openclaw/workspace
chown -R openclaw:nogroup /home/openclaw

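Update the systemd unit's User=, WorkingDirectory= and ReadWritePaths= directives accordingly. Because the unit sets ProtectSystem=strict, the new home directory stays read-only to the service until it is listed in ReadWritePaths=.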

Enable automatic security updates

apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades

Troubleshooting

Out of memory (OOM) kills

Symptoms: the gateway process dies unexpectedly and dmesg | grep -i oom shows kill entries.

Solutions:

Port already in use

If you see EADDRINUSE in the logs:

# Find what is using the port
ss -tlnp | grep 18789

# Kill the conflicting process or change OpenClaw's port in config.toml

Service fails to start

journalctl -u openclaw-gateway -e --no-pager

Common causes:

Cannot reach gateway via SSH tunnel

  1. Verify the service is running: systemctl is-active openclaw-gateway
  2. Verify the port is listening: ss -tln | grep 18789
  3. Verify the tunnel is active: ssh -N -L 18789:127.0.0.1:18789 root@DROPLET_IP -v (verbose mode shows tunnel setup)

Updating OpenClaw

Re-run the installer to update to the latest version:

curl -fsSL https://openclaw.ai/install.sh | bash
systemctl restart openclaw-gateway

Check the new version:

openclaw --version
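
Both Step 4 and this update step pipe a remote script straight into a root shell. The added example below (not from the OpenClaw project) downloads the installer to a file and runs it only when it is identical to a copy you have already read; the reviewed-copy path and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not OpenClaw code): run the installer only if it matches a reviewed copy.
INSTALLER_URL="https://openclaw.ai/install.sh"   # URL used in this guide
# Hypothetical location for the copy you have read and approved.
REVIEWED_COPY="${REVIEWED_COPY:-/root/openclaw-install.reviewed.sh}"

# check_installer NEW [REVIEWED]
#   0 = NEW is byte-identical to the reviewed copy
#   1 = NEW differs; a unified diff is printed so the change can be read
#   2 = NEW is empty or no reviewed copy exists yet
check_installer() {
  local new="$1" reviewed="${2:-$REVIEWED_COPY}"
  [ -s "$new" ] || { echo "installer download is empty: $new" >&2; return 2; }
  [ -f "$reviewed" ] || { echo "no reviewed copy at $reviewed" >&2; return 2; }
  if cmp -s "$new" "$reviewed"; then
    return 0
  fi
  echo "installer changed since last review:" >&2
  diff -u "$reviewed" "$new" >&2 || true
  return 1
}

# approve_installer NEW [REVIEWED]: record NEW as the reviewed copy after reading it.
approve_installer() {
  install -m 600 "$1" "${2:-$REVIEWED_COPY}"
}

# install_or_update: fetch to a file, verify it, then execute that same file.
install_or_update() {
  local tmp rc
  tmp=$(mktemp) || return 1
  if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$INSTALLER_URL"; then
    rm -f "$tmp"; return 3
  fi
  if ! check_installer "$tmp"; then
    echo "not run; read $tmp, then: approve_installer $tmp" >&2
    return 1
  fi
  bash "$tmp"; rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Constructed demo: a reviewed copy and a download that differs from it.
demo=$(mktemp -d)
printf 'echo "install 1.0"\n' > "$demo/reviewed.sh"
printf 'echo "install 1.1"\n' > "$demo/new.sh"
check_installer "$demo/new.sh" "$demo/reviewed.sh" || echo "refused, rc=$?"
rm -rf "$demo"
# On the Droplet: install_or_update && systemctl restart openclaw-gateway
```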

Next Steps

Frequently Asked Questions

What is the minimum Droplet size for OpenClaw?

The minimum is 1 vCPU / 1 GB RAM / 25 GB SSD ($6/month). You must add 2 GB of swap on this tier. For a smoother experience without swap tuning, use the 1 vCPU / 2 GB RAM Droplet ($12/month).

Can I use DigitalOcean's App Platform instead of a Droplet?

No. OpenClaw Gateway needs persistent filesystem access and long-running processes, which App Platform does not support well. A standard Droplet gives you full control over the environment.

How do I keep OpenClaw running after I close my SSH session?

This guide sets up OpenClaw as a systemd service. It starts automatically on boot and restarts on failure. You do not need to keep an SSH session open.

Is Tailscale free for personal use?

Yes. Tailscale's free tier supports up to 100 devices and 3 users, which is more than enough for personal OpenClaw access. It eliminates the need for SSH tunnels entirely.

How do I update OpenClaw after installation?

Run the installer script again — it detects the existing installation and performs an in-place upgrade. Then restart the systemd service with systemctl restart openclaw-gateway.
