OpenClaw on DigitalOcean: Secure Deployment Guide
A step-by-step reference for securely deploying OpenClaw on a DigitalOcean Droplet with Tailscale, SSH hardening, and firewall configuration.
Companion guide to the YouTube video: [COMING SOON]
1. Deploy the Droplet
Go to the DigitalOcean Marketplace and deploy the OpenClaw 1-Click Droplet.
Recommended plan: 4 GB RAM / 2 vCPU (s-2vcpu-4gb)
Use SSH Key authentication (not password).
The dashboard may show "ready" before SSH is available. Wait about 60 seconds before connecting.
2. SSH In and Configure OpenClaw
Connect to your Droplet:
ssh root@your-droplet-ip
The interactive setup will ask for your LLM provider (Anthropic, OpenAI, or Gradient) and API key. Follow the prompts to pair with the Gateway Dashboard.
Verify OpenClaw is running by launching the Terminal UI:
/opt/openclaw-tui.sh
3. Connect Telegram
In Telegram, message @BotFather and type /newbot to create a bot. Copy the bot token.
On the Droplet, add Telegram as a channel:
/opt/openclaw-cli.sh channels add
Select Telegram and paste your bot token.
Open the deep link BotFather gave you and send a message. Copy your Telegram user ID from the response, then add it to the allow list in the OpenClaw Gateway Dashboard.
4. Install and Configure Tailscale
Install Tailscale on the Droplet:
curl -fsSL https://tailscale.com/install.sh | sh
Bring it up with SSH support:
tailscale up --ssh
Authenticate via the link provided, then verify:
tailscale status
Note your Tailscale IP (e.g. 100.x.x.x). You'll need it for the next steps.
Install Tailscale on your local machine as well and log in with the same account.
5. Harden SSH
Edit the SSH config:
sudo nano /etc/ssh/sshd_config
Add or update these lines:
ListenAddress 100.x.x.x
PasswordAuthentication no
PermitRootLogin no
Replace 100.x.x.x with your actual Tailscale IP.
What each setting does:
- ListenAddress: SSH only accepts connections from the Tailscale interface. Public internet connections are refused.
- PasswordAuthentication no: Forces key-based authentication only.
- PermitRootLogin no: Blocks all root login attempts.
Check for cloud provider override files that can undo these settings:
ls /etc/ssh/sshd_config.d/
If 50-cloud-init.conf exists, edit it:
sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf
Ensure it contains:
PasswordAuthentication no
6. Create a Non-Root User
Create a new user:
adduser akshay
Grant sudo privileges:
usermod -aG sudo akshay
Verify:
su - akshay
sudo whoami
If the output is root, the user has sudo access but isn't running as root by default.
7. Apply Changes and Test
Restart SSH to apply all changes:
sudo systemctl restart ssh
From this point, SSH only works through Tailscale. Test from your local machine:
ssh akshay@your-tailscale-ip
Access the Terminal UI as the new user:
sudo /opt/openclaw-tui.sh
8. Configure the DigitalOcean Firewall
In the DigitalOcean dashboard, go to Networking, then Firewalls, and create a new firewall.
Add a single inbound rule:
| Field | Value |
|---|---|
| Type | Custom |
| Protocol | UDP |
| Port | 41641 |
| Sources | All IPv4, All IPv6 (::/0) |
This allows only the Tailscale WireGuard tunnel. All other inbound traffic is blocked.
Attach the firewall to your Droplet.
9. Access the Gateway Dashboard
On your local machine, use SSH port forwarding:
ssh -N -L 18789:127.0.0.1:18789 akshay@your-tailscale-ip
Then open http://localhost:18789 in your browser.
This works because the SSH connection runs through the Tailscale tunnel (UDP 41641). Port 18789 is never exposed to the public internet.
10. Set Execution Policies
SSH into your Droplet and run:
sudo /opt/openclaw-cli.sh config set tools.exec.host gateway
sudo /opt/openclaw-cli.sh config set tools.exec.ask off
sudo /opt/openclaw-cli.sh config set tools.exec.security full
Restart the service:
sudo systemctl restart openclaw
What each setting does:
- tools.exec.host gateway: Routes commands through the gateway process. Without this, commands have nowhere to run on a headless VPS.
- tools.exec.ask off: Disables approval prompts. On a headless server, nobody is there to approve, so commands would hang forever.
- tools.exec.security full: Gives OpenClaw the highest execution tier within its sandbox. Required for network calls, shell commands, and skill execution. This does not grant root access.
Verify your settings:
sudo /opt/openclaw-cli.sh config get tools.exec
Security Summary
| Layer | What It Does |
|---|---|
| DigitalOcean Firewall | Blocks all inbound traffic except UDP 41641 (Tailscale) |
| Tailscale | Encrypted WireGuard tunnel. Server is invisible to the public internet |
| SSH ListenAddress | SSH only accepts connections from the Tailscale interface |
| PasswordAuthentication no | Key-based authentication only |
| PermitRootLogin no | Root login disabled |
| Non-root user | Day-to-day operations run without root privileges |
| Docker sandboxing | OpenClaw runs inside containers, isolated from the host filesystem |
| Gateway tokens + DM pairing | Only authorized users can interact with the agent |
Useful Commands
| Task | Command |
|---|---|
| Check OpenClaw status | systemctl status openclaw |
| View live logs | journalctl -u openclaw -f |
| Edit environment | nano /opt/openclaw.env |
| Launch Terminal UI | /opt/openclaw-tui.sh |
| Diagnose issues | openclaw doctor |
| Find gateway token | openclaw dashboard |
| Update OpenClaw | /opt/update-openclaw.sh |