How to install OpenClaw on a VPS

Objective

OpenClaw (successor to Moltbot and Clawdbot) is the new evolved version of the autonomous AI assistant. This guide uses Docker to protect your host system and ensure your assistant stays online 24/7.

Unlike a local installation via SSH tunnel, this method provides:

Secure public access via HTTPS (Let's Encrypt)
A scalable architecture behind Traefik (reverse proxy)
The ability to add future services behind the same proxy (Nextcloud, n8n, Stoat, etc.)

The target architecture:

Internet
   ↓
Traefik (automatic HTTPS)
   ↓
OpenClaw Gateway
   ↓
OVHcloud AI Endpoints

This guide explains how to deploy OpenClaw in production with Docker, Traefik and OVHcloud AI Endpoints on a VPS.

Requirements

An OVHcloud VPS (Debian 11/12 or Ubuntu 22.04+). Refer to our guide "Getting started with a VPS".
SSH access to your VPS
A domain name pointing to your VPS. Refer to our guide "Adding a DNS A record" if needed.
An OVHcloud AI Endpoints API key. Refer to our guide "AI Endpoints - Getting started" to generate one.

Instructions

Step 1 - Installing Docker

Check that Docker is installed on your machine:

docker --version
docker compose version

If you get output similar to:

Docker version 29.2.1, build a5c7197
Docker Compose version v5.0.2

This means Docker is already installed on your machine. Otherwise, follow the Docker installation guide.

Configuring Docker permissions (important)

By default, Docker commands require sudo. However, the docker-setup.sh script must be run without sudo to avoid permission issues on generated files (.env, .openclaw, volumes, etc.).

Add your user to the docker group:

sudo usermod -aG docker $USER

Then reload your session:

newgrp docker

You can verify that Docker works without sudo:

docker ps

If no permission error appears, continue with the installation.

Step 2 - Creating the proxy network

Traefik and OpenClaw must share a common Docker network:

docker network create proxy

Step 3 - Installing Traefik

Creating the directory

mkdir -p ~/docker/traefik && cd ~/docker/traefik
nano docker-compose.yml

Configuring the docker-compose.yml file

Copy the following configuration into the docker-compose.yml file:

services:
   traefik:
    image: traefik:v2.11
    container_name: traefik
    restart: unless-stopped
    command:
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=YOUR_EMAIL"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    networks:
      - proxy

networks:
  proxy:
    external: true

Remember to update the file by replacing YOUR_EMAIL with your email address.

Initialising Let's Encrypt storage

Create the directory and certificate storage file with the appropriate permissions:

mkdir letsencrypt
touch letsencrypt/acme.json
chmod 600 letsencrypt/acme.json

Starting Traefik

Start the Traefik container in the background:

docker compose up -d

Step 4 - Installing OpenClaw

cd ~
git clone https://github.com/openclaw/openclaw.git
cd openclaw

Prepare the directories:

mkdir -p ~/.openclaw/workspace
#grant permissions so the setup script can configure the files
sudo chown -R ubuntu:ubuntu ~/openclaw

Run the setup wizard:

./docker-setup.sh

At the end of the installation, make a note of the token provided to you, as you will need it to connect to OpenClaw. You can retrieve this value at any time from the .env file in your OpenClaw directory:

cat .env
#Or alternatively via the command:
grep OPENCLAW_GATEWAY_TOKEN .env

Step 5 - Configuring for Traefik

Replace the contents of the generated docker-compose.yml with:

services:
  openclaw-gateway:
    container_name: openclaw
    image: ${OPENCLAW_IMAGE:-openclaw:local}
    environment:
      HOME: /home/node
      TERM: xterm-256color
      OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
      CLAUDE_AI_SESSION_KEY: ${CLAUDE_AI_SESSION_KEY}
      CLAUDE_WEB_SESSION_KEY: ${CLAUDE_WEB_SESSION_KEY}
      CLAUDE_WEB_COOKIE: ${CLAUDE_WEB_COOKIE}
    volumes:
      - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
      - ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
    init: true
    restart: unless-stopped
    command:
      [
        "node",
        "dist/index.js",
        "gateway",
        "--bind",
        "${OPENCLAW_GATEWAY_BIND:-lan}",
        "--port",
        "18789",
      ]
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.openclaw.rule=Host(`YOUR_DOMAIN_NAME`)"
      - "traefik.http.routers.openclaw.entrypoints=websecure"
      - "traefik.http.routers.openclaw.tls.certresolver=myresolver"
      - "traefik.http.services.openclaw.loadbalancer.server.port=18789"
networks:
  proxy:
    external: true

Remember to update the file by replacing YOUR_DOMAIN_NAME with your domain name.

Step 6 - Configuring OVHcloud AI Endpoints

Before modifying the configuration file, create a backup then open it in a text editor:

mv ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.bak
nano ~/.openclaw/openclaw.json

Copy the following configuration into the openclaw.json file. This configuration defines the connection settings, the gateway and the OVHcloud AI Endpoints provider:

{
  "messages": {
    "ackReactionScope": "group-mentions"
  },
  "commands": {
    "native": "auto",
    "nativeSkills": "auto"
  },
  "gateway": {
    "port": 18789,
    "mode": "local",
    "bind": "lan",
    "controlUi": {
      "allowedOrigins": [
        "https://YOUR_DOMAIN_NAME"
      ]
    },
    "auth": {
      "mode": "token",
      "token": "YOUR_OPENCLAW_TOKEN"
    }
  },
  "models": {
    "mode": "merge",
    "providers": {
      "ovhcloud": {
        "baseUrl": "https://oai.endpoints.kepler.ai.cloud.ovh.net/v1",
        "apiKey": "YOUR_OVH_ENDPOINT_API_KEY",
        "api": "openai-completions",
        "models": [
          {
            "id": "gpt-oss-120b",
            "name": "gpt-oss-120b",
            "compat": {
              "supportsStore": false
            }
          }
        ]
      }
    }
  },
  "agents": {
    "defaults": {
      "model": {
        "primary": "ovhcloud/gpt-oss-120b"
      },
      "models": {
        "ovhcloud/gpt-oss-120b": {}
      }
    }
  }
}

Remember to update the file by replacing the following values:

YOUR_DOMAIN_NAME with your domain name.
YOUR_OPENCLAW_TOKEN with the token OpenClaw provided at the end of the installation.
YOUR_OVH_ENDPOINT_API_KEY with your API key.

Step 7 - Final startup

Once the configuration is complete, restart the OpenClaw containers to apply the changes:

cd ~/openclaw/
docker compose down
docker compose up -d

Check that the gateway is active by viewing the container logs:

docker logs openclaw

If the startup was successful, you should see the following message (in cyan blue):

Gateway listening on 0.0.0.0:18789

Step 8 - Device pairing

Access the OpenClaw web interface from your browser by opening the URL of your domain:

https://your-domain.com

In the Overview section, enter your Gateway Token to authenticate.

When connecting for the first time from a new device, the interface displays the following message:

pairing required

To authorise the device, list the pending devices then approve the desired one by replacing <ID> with the displayed identifier:

docker exec -it openclaw node dist/index.js devices list
docker exec -it openclaw node dist/index.js devices approve <ID>

Go further

Secure an OVHcloud VPS

Official OpenClaw documentation

Join our community of users.

Assistente IA

Bases de conhecimento

Categoria