Skip to content

openclaw-secure-deployment

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

openclaw-secure-deployment

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 

README.md

OpenClaw on DigitalOcean: Secure Deployment Guide

A step-by-step reference for securely deploying OpenClaw on a DigitalOcean Droplet with Tailscale, SSH hardening, and firewall configuration.

Companion guide to the YouTube video: [COMING SOON]

1. Deploy the Droplet

Go to the DigitalOcean Marketplace and deploy the OpenClaw 1-Click Droplet.

Recommended plan: 4 GB RAM / 2 vCPU (s-2vcpu-4gb)

Use SSH Key authentication (not password).

The dashboard may show "ready" before SSH is available. Wait about 60 seconds before connecting.

2. SSH In and Configure OpenClaw

Connect to your Droplet:

ssh root@your-droplet-ip

The interactive setup will ask for your LLM provider (Anthropic, OpenAI, or Gradient) and API key. Follow the prompts to pair with the Gateway Dashboard.

Verify OpenClaw is running by launching the Terminal UI:

/opt/openclaw-tui.sh

3. Connect Telegram

In Telegram, message @BotFather and type /newbot to create a bot. Copy the bot token.

On the Droplet, add Telegram as a channel:

/opt/openclaw-cli.sh channels add

Select Telegram and paste your bot token.

Open the deep link BotFather gave you and send a message. Copy your Telegram user ID from the response, then add it to the allow list in the OpenClaw Gateway Dashboard.

4. Install and Configure Tailscale

Install Tailscale on the Droplet:

curl -fsSL https://tailscale.com/install.sh | sh

Bring it up with SSH support:

tailscale up --ssh

Authenticate via the link provided, then verify:

tailscale status

Note your Tailscale IP (e.g. 100.x.x.x). You'll need it for the next steps.

Install Tailscale on your local machine as well and log in with the same account.

5. Harden SSH

Edit the SSH config:

sudo nano /etc/ssh/sshd_config

Add or update these lines:

ListenAddress 100.x.x.x PasswordAuthentication no PermitRootLogin no

Replace 100.x.x.x with your actual Tailscale IP.

What each setting does:

  • ListenAddress: SSH only accepts connections from the Tailscale interface. Public internet connections are refused.
  • PasswordAuthentication no: Forces key-based authentication only.
  • PermitRootLogin no: Blocks all root login attempts.

Check for cloud provider override files that can undo these settings:

ls /etc/ssh/sshd_config.d/

If 50-cloud-init.conf exists, edit it:

sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf

Ensure it contains:

PasswordAuthentication no

6. Create a Non-Root User

Create a new user:

adduser akshay

Grant sudo privileges:

usermod -aG sudo akshay

Verify:

su - akshay sudo whoami

If the output is root, the user has sudo access but isn't running as root by default.

7. Apply Changes and Test

Restart SSH to apply all changes:

sudo systemctl restart ssh

From this point, SSH only works through Tailscale. Test from your local machine:

ssh akshay@your-tailscale-ip

Access the Terminal UI as the new user:

sudo /opt/openclaw-tui.sh

8. Configure the DigitalOcean Firewall

In the DigitalOcean dashboard, go to Networking, then Firewalls, and create a new firewall.

Add a single inbound rule:

Field Value
Type Custom
Protocol UDP
Port 41641
Sources All IPv4, All IPv6 (::/0)

This allows only the Tailscale WireGuard tunnel. All other inbound traffic is blocked.

Attach the firewall to your Droplet.

9. Access the Gateway Dashboard

On your local machine, use SSH port forwarding:

ssh -N -L 18789:127.0.0.1:18789 akshay@your-tailscale-ip

Then open http://localhost:18789 in your browser.

This works because the SSH connection runs through the Tailscale tunnel (UDP 41641). Port 18789 is never exposed to the public internet.

10. Set Execution Policies

SSH into your Droplet and run:

sudo /opt/openclaw-cli.sh config set tools.exec.host gateway sudo /opt/openclaw-cli.sh config set tools.exec.ask off sudo /opt/openclaw-cli.sh config set tools.exec.security full

Restart the service:

sudo systemctl restart openclaw

What each setting does:

  • tools.exec.host gateway: Routes commands through the gateway process. Without this, commands have nowhere to run on a headless VPS.
  • tools.exec.ask off: Disables approval prompts. On a headless server, nobody is there to approve, so commands would hang forever.
  • tools.exec.security full: Gives OpenClaw the highest execution tier within its sandbox. Required for network calls, shell commands, and skill execution. This does not grant root access.

Verify your settings:

sudo /opt/openclaw-cli.sh config get tools.exec

Security Summary

Layer What It Does
DigitalOcean Firewall Blocks all inbound traffic except UDP 41641 (Tailscale)
Tailscale Encrypted WireGuard tunnel. Server is invisible to the public internet
SSH ListenAddress SSH only accepts connections from the Tailscale interface
PasswordAuthentication no Key-based authentication only
PermitRootLogin no Root login disabled
Non-root user Day-to-day operations run without root privileges
Docker sandboxing OpenClaw runs inside containers, isolated from the host filesystem
Gateway tokens + DM pairing Only authorized users can interact with the agent

Useful Commands

Task Command
Check OpenClaw status systemctl status openclaw
View live logs journalctl -u openclaw -f
Edit environment nano /opt/openclaw.env
Launch Terminal UI /opt/openclaw-tui.sh
Diagnose issues openclaw doctor
Find gateway token openclaw dashboard
Update OpenClaw /opt/update-openclaw.sh

Links