OpenClaw Docker VPS Deploy: Your Own AI Agent Gateway in 30 Minutes
Running AI agents on your laptop is fine for testing. But when you need 24/7 availability, team access, and persistent memory, you need a server. This OpenClaw Docker VPS deploy guide gets your own AI agent gateway running on a VPS—complete with SSL, channels, and sandboxed execution.
What Is OpenClaw?
OpenClaw is an open-source AI agent gateway that connects language models to real-world tools. It runs agents that can browse the web, execute code, manage files, send messages, and interact with APIs—all through natural language commands.
Self-hosting it on a VPS gives you:
- Always-on agents that respond to messages and scheduled tasks
- Team access via Telegram, Discord, WhatsApp, or web chat
- Sandboxed execution for safe code and tool use
- Full data control—no third-party platform holding your conversations
- Multi-model support—switch between OpenAI, Anthropic, local models, and more
If you want a deeper walkthrough, check our related guides on OpenClaw Docker VPS deploy for developers and running your own AI agent gateway in under 30 minutes. There's also a step-by-step developer guide with additional configuration options.
Prerequisites
Before starting this OpenClaw Docker VPS deploy, make sure you have:
Required
- A VPS with Ubuntu 22.04+ (2 vCPU, 4GB RAM minimum, 8GB recommended)
- Docker Engine 24.0+ and Docker Compose v2+ installed
- A domain name pointing to your VPS IP (for HTTPS)
- SSH access with a non-root sudo user
- At least 20GB free disk space
Recommended
- 8GB+ RAM for running multiple agents and sandboxed tasks
- Swap space (4GB+) to prevent OOM kills during builds
- Basic familiarity with Docker, Nginx, and Linux administration
Quick VPS Setup (Ubuntu)
# Update system
sudo apt update && sudo apt upgrade -y
# Install Docker
sudo apt install -y docker.io docker-compose-v2
# Add user to docker group
sudo usermod -aG docker $USER
newgrp docker
# Verify
docker --version
docker compose version
# Add swap (4GB) if you don't have it
sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
Step 1: Prepare the Environment
Create a dedicated user and directory structure for OpenClaw. This keeps permissions clean and makes backups straightforward.
# Create user (optional but recommended)
sudo useradd -m -s /bin/bash openclaw
sudo usermod -aG docker openclaw
# Create project directory
sudo mkdir -p /opt/openclaw
sudo chown $USER:$USER /opt/openclaw
cd /opt/openclaw
Generate a secure gateway token and setup password:
# Generate secrets
export GATEWAY_TOKEN=$(openssl rand -hex 32)
export SETUP_PASSWORD=$(openssl rand -hex 16)
echo "Gateway Token: $GATEWAY_TOKEN"
echo "Setup Password: $SETUP_PASSWORD"
# Save these somewhere secure
Step 2: Create the Docker Compose Configuration
Create a production-ready docker-compose.yml:
services:
openclaw-gateway:
image: ghcr.io/openclaw/openclaw:latest
container_name: openclaw-gateway
restart: unless-stopped
user: "1000:1000"
environment:
- NODE_ENV=production
- OPENCLAW_STATE_DIR=/home/node/.openclaw
- OPENCLAW_WORKSPACE_DIR=/home/node/.openclaw/workspace
- OPENCLAW_GATEWAY_BIND=0.0.0.0
- OPENCLAW_GATEWAY_PORT=18789
- OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
- SETUP_PASSWORD=${SETUP_PASSWORD}
- OPENCLAW_DISABLE_BONJOUR=1
volumes:
- openclaw-data:/home/node/.openclaw
- openclaw-auth:/home/node/.config/openclaw
ports:
- "127.0.0.1:18789:18789"
healthcheck:
test: ["CMD", "curl", "-fsS", "http://localhost:18789/healthz"]
interval: 30s
timeout: 10s
retries: 3
start_period: 60s
volumes:
openclaw-data:
openclaw-auth:
Create the .env file:
OPENCLAW_GATEWAY_TOKEN=your-gateway-token-here
SETUP_PASSWORD=your-setup-password-here
Important: We bind the gateway to 127.0.0.1:18789 intentionally. Never expose the OpenClaw dashboard directly to the internet. We'll put Nginx with SSL in front of it.
Step 3: Launch the Gateway
Start OpenClaw for the first time:
cd /opt/openclaw
docker compose up -d
Check that it's healthy:
# Watch logs
docker compose logs -f openclaw-gateway
# Check health endpoint
curl -fsS http://127.0.0.1:18789/healthz
# Should return: OK
First startup runs onboarding in the background. Give it 2–3 minutes before accessing the dashboard.
Step 4: Set Up SSL with Nginx
Install Nginx and Certbot:
sudo apt install -y nginx certbot python3-certbot-nginx
# Create Nginx config
sudo nano /etc/nginx/sites-available/openclaw
Paste this configuration:
server {
listen 80;
server_name agents.yourdomain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name agents.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/agents.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/agents.yourdomain.com/privkey.pem;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
location / {
proxy_pass http://127.0.0.1:18789;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 86400;
proxy_buffering off;
}
}
Enable the site and get SSL:
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t
# Get certificate
sudo certbot --nginx -d agents.yourdomain.com
# Reload Nginx
sudo systemctl reload nginx
Your OpenClaw dashboard is now available at https://agents.yourdomain.com with valid SSL.
Step 5: Configure Your First Agent
Open your browser and navigate to https://agents.yourdomain.com. Enter your gateway token when prompted.
Essential First Setup
- Add an AI provider: Go to Settings → Providers and add your API key (OpenAI, Anthropic, or a local endpoint)
- Set a default model: Pick the model your agents will use by default
- Configure channels: Connect Telegram, Discord, or WhatsApp so agents can receive messages
Connect Telegram (Example)
# From your VPS, run:
docker compose exec openclaw-gateway node dist/index.js channels add \
--channel telegram \
--token "YOUR_BOT_TOKEN"
# Or use the CLI container:
docker compose run --rm openclaw-cli channels add \
--channel telegram \
--token "YOUR_BOT_TOKEN"
Get a bot token from @BotFather on Telegram.
Step 6: Enable Sandboxing (Optional but Recommended)
Sandboxing lets agents execute code and use tools safely. The Docker backend is the most secure option for VPS deployments.
Add to your docker-compose.yml environment:
environment:
- OPENCLAW_SANDBOX=1
- OPENCLAW_DOCKER_SOCKET=/var/run/docker.sock
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
Warning: Mounting the Docker socket gives the container significant host access. Only enable sandboxing if you trust the agents running on this gateway. For untrusted workloads, use a dedicated sandbox host.
Tips and Troubleshooting
"exit 137" or OOM during startup
OpenClaw needs at least 2GB RAM for the initial build. If you see OOM kills:
- Add more swap (see prerequisites)
- Use a pre-built image instead of building locally:
image: ghcr.io/openclaw/openclaw:latest - Upgrade your VPS to 4GB+ RAM
Gateway shows "unhealthy" in Docker
# Check detailed logs
docker compose logs --tail 100 openclaw-gateway
# Check if port is bound correctly
sudo ss -tlnp | grep 18789
# Restart if needed
docker compose restart openclaw-gateway
Cannot access dashboard after SSL setup
- Verify DNS points to your VPS:
dig agents.yourdomain.com - Check Nginx error logs:
sudo tail -f /var/log/nginx/error.log - Make sure Certbot succeeded:
sudo certbot certificates - Confirm firewall allows 443:
sudo ufw status
Updating OpenClaw
cd /opt/openclaw
docker compose down
docker compose pull
docker compose up -d
# Verify new version
docker compose exec openclaw-gateway node dist/index.js --version
Backup your data
# Backup volumes
docker run --rm -v openclaw_openclaw-data:/data -v $(pwd):/backup alpine \
tar czf /backup/openclaw-backup-$(date +%Y%m%d).tar.gz -C /data .
# Also backup auth volume
docker run --rm -v openclaw_openclaw-auth:/data -v $(pwd):/backup alpine \
tar czf /backup/openclaw-auth-$(date +%Y%m%d).tar.gz -C /data .
Connecting to local providers (Ollama, LM Studio)
If you run Ollama or LM Studio on the same VPS, use host.docker.internal or the container network. For separate hosts, use the public IP or Tailscale.
Firewall hardening
# Only expose HTTPS to the world
sudo ufw default deny incoming
sudo ufw allow 22/tcp # SSH
sudo ufw allow 80/tcp # HTTP (for Certbot)
sudo ufw allow 443/tcp # HTTPS
sudo ufw deny 18789/tcp # Block direct gateway access
sudo ufw enable
What's Next?
Your OpenClaw gateway is live. Here's what to explore:
- Create specialized agents for different tasks—coding, research, content, DevOps
- Set up cron jobs for scheduled agent tasks and monitoring
- Connect more channels—Discord, WhatsApp, Slack, or webhooks
- Enable observability with OpenTelemetry export for production monitoring
- Configure multiple models and let agents pick the best one per task
OpenClaw is actively developed with frequent releases. Watch the GitHub repository for updates and new features.
Need Help With Production Deployment?
This OpenClaw Docker VPS deploy guide gets you running, but production setups need more: SSO integration, multi-agent orchestration, custom tool development, security audits, and high-availability configuration.
If you're deploying AI agents for your organization and need it done right, get in touch with our team. We specialize in self-hosted AI infrastructure that keeps your data under your control.