269 lines
6.1 KiB
Markdown
269 lines
6.1 KiB
Markdown
# OpenClaw on DigitalOcean: Secure Deployment Guide
|
|
|
|
A step-by-step reference for securely deploying OpenClaw on a DigitalOcean Droplet with Tailscale, SSH hardening, and firewall configuration.
|
|
|
|
Companion guide to the YouTube video: [COMING SOON]
|
|
|
|
---
|
|
|
|
## 1. Deploy the Droplet
|
|
|
|
Go to the [DigitalOcean Marketplace](https://do.co/4swLlx2) and deploy the OpenClaw 1-Click Droplet.
|
|
|
|
Recommended plan: **4 GB RAM / 2 vCPU** (`s-2vcpu-4gb`)
|
|
|
|
Use **SSH Key** authentication (not password).
|
|
|
|
> The dashboard may show "ready" before SSH is available. Wait about 60 seconds before connecting.
|
|
|
|
---
|
|
|
|
## 2. SSH In and Configure OpenClaw
|
|
|
|
Connect to your Droplet:
|
|
|
|
```bash
|
|
ssh root@your-droplet-ip
|
|
```
|
|
|
|
The interactive setup will ask for your LLM provider (Anthropic, OpenAI, or Gradient) and API key. Follow the prompts to pair with the Gateway Dashboard.
|
|
|
|
Verify OpenClaw is running by launching the Terminal UI:
|
|
|
|
```bash
|
|
/opt/openclaw-tui.sh
|
|
```
|
|
|
|
---
|
|
|
|
## 3. Connect Telegram
|
|
|
|
In Telegram, message **@BotFather** and type `/newbot` to create a bot. Copy the **bot token**.
|
|
|
|
On the Droplet, add Telegram as a channel:
|
|
|
|
```bash
|
|
/opt/openclaw-cli.sh channels add
|
|
```
|
|
|
|
Select Telegram and paste your bot token.
|
|
|
|
Open the deep link BotFather gave you and send a message. Copy your **Telegram user ID** from the response, then add it to the **allow list** in the OpenClaw Gateway Dashboard.
|
|
|
|
---
|
|
|
|
## 4. Install and Configure Tailscale
|
|
|
|
Install Tailscale on the Droplet:
|
|
|
|
```bash
|
|
curl -fsSL https://tailscale.com/install.sh | sh
|
|
```
|
|
|
|
Bring it up with SSH support:
|
|
|
|
```bash
|
|
tailscale up --ssh
|
|
```
|
|
|
|
Authenticate via the link provided, then verify:
|
|
|
|
```bash
|
|
tailscale status
|
|
```
|
|
|
|
Note your Tailscale IP (e.g. `100.x.x.x`). You'll need it for the next steps.
|
|
|
|
Install Tailscale on your local machine as well and log in with the same account.
|
|
|
|
---
|
|
|
|
## 5. Harden SSH
|
|
|
|
Edit the SSH config:
|
|
|
|
```bash
|
|
sudo nano /etc/ssh/sshd_config
|
|
```
|
|
|
|
Add or update these lines:
|
|
|
|
```
|
|
ListenAddress 100.x.x.x
|
|
PasswordAuthentication no
|
|
PermitRootLogin no
|
|
```
|
|
|
|
Replace `100.x.x.x` with your actual Tailscale IP.
|
|
|
|
What each setting does:
|
|
- **ListenAddress**: SSH only accepts connections from the Tailscale interface. Public internet connections are refused.
|
|
- **PasswordAuthentication no**: Forces key-based authentication only.
|
|
- **PermitRootLogin no**: Blocks all root login attempts.
|
|
|
|
Check for cloud provider override files that can undo these settings:
|
|
|
|
```bash
|
|
ls /etc/ssh/sshd_config.d/
|
|
```
|
|
|
|
If `50-cloud-init.conf` exists, edit it:
|
|
|
|
```bash
|
|
sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf
|
|
```
|
|
|
|
Ensure it contains:
|
|
|
|
```
|
|
PasswordAuthentication no
|
|
```
|
|
|
|
---
|
|
|
|
## 6. Create a Non-Root User
|
|
|
|
Create a new user:
|
|
|
|
```bash
|
|
adduser akshay
|
|
```
|
|
|
|
Grant sudo privileges:
|
|
|
|
```bash
|
|
usermod -aG sudo akshay
|
|
```
|
|
|
|
Verify:
|
|
|
|
```bash
|
|
su - akshay
|
|
sudo whoami
|
|
```
|
|
|
|
If the output is `root`, the user has sudo access but isn't running as root by default.
|
|
|
|
---
|
|
|
|
## 7. Apply Changes and Test
|
|
|
|
Restart SSH to apply all changes:
|
|
|
|
```bash
|
|
sudo systemctl restart ssh
|
|
```
|
|
|
|
From this point, SSH only works through Tailscale. Test from your local machine:
|
|
|
|
```bash
|
|
ssh akshay@your-tailscale-ip
|
|
```
|
|
|
|
Access the Terminal UI as the new user:
|
|
|
|
```bash
|
|
sudo /opt/openclaw-tui.sh
|
|
```
|
|
|
|
---
|
|
|
|
## 8. Configure the DigitalOcean Firewall
|
|
|
|
In the DigitalOcean dashboard, go to **Networking**, then **Firewalls**, and create a new firewall.
|
|
|
|
Add a single inbound rule:
|
|
|
|
| Field | Value |
|
|
|---|---|
|
|
| Type | Custom |
|
|
| Protocol | UDP |
|
|
| Port | 41641 |
|
|
| Sources | All IPv4, All IPv6 (`::/0`) |
|
|
|
|
This allows only the Tailscale WireGuard tunnel. All other inbound traffic is blocked.
|
|
|
|
Attach the firewall to your Droplet.
|
|
|
|
---
|
|
|
|
## 9. Access the Gateway Dashboard
|
|
|
|
On your **local machine**, use SSH port forwarding:
|
|
|
|
```bash
|
|
ssh -N -L 18789:127.0.0.1:18789 akshay@your-tailscale-ip
|
|
```
|
|
|
|
Then open `http://localhost:18789` in your browser.
|
|
|
|
This works because the SSH connection runs through the Tailscale tunnel (UDP 41641). Port 18789 is never exposed to the public internet.
|
|
|
|
---
|
|
|
|
## 10. Set Execution Policies
|
|
|
|
SSH into your Droplet and run:
|
|
|
|
```bash
|
|
sudo /opt/openclaw-cli.sh config set tools.exec.host gateway
|
|
sudo /opt/openclaw-cli.sh config set tools.exec.ask off
|
|
sudo /opt/openclaw-cli.sh config set tools.exec.security full
|
|
```
|
|
|
|
Restart the service:
|
|
|
|
```bash
|
|
sudo systemctl restart openclaw
|
|
```
|
|
|
|
What each setting does:
|
|
- **tools.exec.host gateway**: Routes commands through the gateway process. Without this, commands have nowhere to run on a headless VPS.
|
|
- **tools.exec.ask off**: Disables approval prompts. On a headless server, nobody is there to approve, so commands would hang forever.
|
|
- **tools.exec.security full**: Gives OpenClaw the highest execution tier within its sandbox. Required for network calls, shell commands, and skill execution. This does not grant root access.
|
|
|
|
Verify your settings:
|
|
|
|
```bash
|
|
sudo /opt/openclaw-cli.sh config get tools.exec
|
|
```
|
|
|
|
---
|
|
|
|
## Security Summary
|
|
|
|
| Layer | What It Does |
|
|
|---|---|
|
|
| DigitalOcean Firewall | Blocks all inbound traffic except UDP 41641 (Tailscale) |
|
|
| Tailscale | Encrypted WireGuard tunnel. Server is invisible to the public internet |
|
|
| SSH ListenAddress | SSH only accepts connections from the Tailscale interface |
|
|
| PasswordAuthentication no | Key-based authentication only |
|
|
| PermitRootLogin no | Root login disabled |
|
|
| Non-root user | Day-to-day operations run without root privileges |
|
|
| Docker sandboxing | OpenClaw runs inside containers, isolated from the host filesystem |
|
|
| Gateway tokens + DM pairing | Only authorized users can interact with the agent |
|
|
|
|
---
|
|
|
|
## Useful Commands
|
|
|
|
| Task | Command |
|
|
|---|---|
|
|
| Check OpenClaw status | `systemctl status openclaw` |
|
|
| View live logs | `journalctl -u openclaw -f` |
|
|
| Edit environment | `nano /opt/openclaw.env` |
|
|
| Launch Terminal UI | `/opt/openclaw-tui.sh` |
|
|
| Diagnose issues | `openclaw doctor` |
|
|
| Find gateway token | `openclaw dashboard` |
|
|
| Update OpenClaw | `/opt/update-openclaw.sh` |
|
|
|
|
---
|
|
|
|
## Links
|
|
|
|
- [DigitalOcean Marketplace: OpenClaw](https://do.co/4swLlx2)
|
|
- [OpenClaw Documentation](https://docs.molt.bot/)
|
|
- [OpenClaw GitHub](https://github.com/moltbot/moltbot)
|
|
- [Tailscale](https://tailscale.com/)
|
|
- [DigitalOcean SSH Key Guide](https://do.co/4swLlx2)
|