Secure OpenClaw
VPS Setup Prompt

A free Claude Code prompt that walks you through setting up OpenClaw on your own server with proper security. 10 phases. Fully interactive. Paste it and follow along.

What's inside

  • Choose your VPS provider (DigitalOcean, Hostinger, or other) and SSH in
  • Lock down access with Tailscale VPN so only your devices can reach the server
  • Install OpenClaw, connect Telegram, and configure the gateway securely
  • Set up firewall rules, dashboard access, and optional multi-model support


    Last updated March 30, 2026

    This is a single prompt you paste into Claude Code. It walks you through setting up OpenClaw on a fresh Ubuntu VPS from scratch, with every security step built in. It's interactive. It asks you for every value it needs (IPs, usernames, tokens). Nothing is hardcoded. Nothing is assumed. By the end, you'll have a fully locked-down OpenClaw instance running 24/7 on your own server.

    What you need before starting

    • A VPS from DigitalOcean, Hostinger, or any provider running Ubuntu
    • A Tailscale account (free tier is fine)
    • A Telegram account
    • Claude Code installed on your local machine
    • An API key for your preferred LLM provider (Anthropic, OpenAI, etc.)

    A note on security

    This setup locks down your server at the infrastructure level: SSH is reachable only over the VPN, root login over SSH is disabled, and the gateway never touches the public internet. That's a strong foundation.

    But there's one layer this can't fully protect against: prompt injection. If your OpenClaw agent interacts with external data (web searches, emails, downloaded files, API responses), that data could contain instructions designed to manipulate the agent's behavior. This is a known risk with all AI agents, not just OpenClaw.

    Best practices to reduce this risk:

    • Be selective about which skills you enable. Every skill is a new surface area.
    • Don't connect the agent to accounts that hold sensitive data.
    • Use separate, bot-only accounts for any service you connect.
    • Review what the agent is doing periodically, especially early on.

    No setup is bulletproof. This one is designed to be as tight as possible while still being practical.

    The prompt

    # Secure OpenClaw VPS Setup

    You are helping me set up OpenClaw on a fresh Ubuntu VPS with proper security. Guide me through each phase interactively. After completing each phase, confirm success before moving on. Ask me for any values you need (IPs, usernames, passwords, tokens) -- don't assume them.

    ## Setup sequence

    ### Phase 1 -- Choose provider and SSH into VPS

    Ask me which VPS provider I'm using (DigitalOcean, Hostinger, or other). Remember my choice for later phases where steps differ by provider.

    Then help me SSH into the VPS as root. I'll give you the IP. Remind me the password field won't show characters.

    ### Phase 2 -- Install Tailscale VPN

        curl -fsSL https://tailscale.com/install.sh | sh
        tailscale up --ssh

    - I'll authenticate via the URL it provides
    - Tell me to install Tailscale on my local machine and connect with the same account
    - Verify with tailscale status
    - Have me grab the server's Tailscale IP (100.x.x.x) from the admin console

    ### Phase 3 -- Create non-root user

    Ask me for a username. Then:

        adduser <USERNAME>
        usermod -aG sudo <USERNAME>

    Verify with su - <USERNAME> then sudo whoami (should return root), then logout back to root.

    ### Phase 4 -- Lock down SSH

    Edit /etc/ssh/sshd_config:

    - Set ListenAddress to the Tailscale IP
    - Set PasswordAuthentication no
    - Set PermitRootLogin no

    Then:

    !! IMPORTANT: Keep this root SSH session open. Open a second terminal and test SSH access as your non-root user via the Tailscale IP before closing this session. If something is misconfigured, you can fix it from this root session. Only proceed once the second terminal connects successfully. !!

        systemctl restart ssh

    After I confirm the second terminal connects:

        logout

    Have me verify: ssh root@<VPS_IP> should fail. ssh <USERNAME>@<TAILSCALE_IP> should work. Disconnecting Tailscale should block access.

    ### Phase 5 -- Install OpenClaw

    SSH in as the non-root user via Tailscale, then run the OpenClaw install one-liner from their site.

    Interactive setup choices:

    - Security prompt → Yes
    - Configuration → Manual
    - Gateway → Local
    - Workspace → Default
    - Model → Ask me which provider (OpenAI Codex, Anthropic token, or API key)
    - Gateway port → Default (18789)
    - Gateway bind → Loopback
    - Token auth → Yes
    - Tailscale exposure → Off
    - Gateway token → Auto-generate (leave blank)

    ### Phase 6 -- Connect Telegram

    1. Message @BotFather in Telegram → /newbot → set name and username (must end in bot)
    2. Paste bot token into OpenClaw setup
    3. Finish channels → DM policies: Yes → Pairing → Skills: No for now
    4. Gateway service: Yes → Node
    5. Hatch bot in terminal UI
    6. In Telegram, press Start on the bot, then run the pairing command it gives
    7. Remind me to clear the BotFather chat so the token isn't exposed

    ### Phase 7 -- VPS provider firewall

    Based on the provider I chose in Phase 1, walk me through setting up the firewall in their specific dashboard. The rules are the same regardless of provider:

    - Accept / UDP / Port 41641 / Source: Anywhere (Tailscale port)
    - Do NOT open TCP 22
    - Only open TCP 80 + 443 if serving a public website later

    For DigitalOcean: Networking → Firewalls → Create Firewall → apply to the droplet.
    For Hostinger: Dashboard → Security → Firewall → Create.
    For other providers: Guide me through finding the firewall settings and applying these rules.

    ### Phase 8 -- Access the dashboard

    Port-forward from a separate terminal:

        ssh -N -L 18789:127.0.0.1:18789 <USERNAME>@<TAILSCALE_IP>

    Open http://localhost:18789?token=<GATEWAY_TOKEN> in browser. If I don't have the token, tell me to ask the bot in Telegram.

    ### Phase 9 -- Optional: Add second LLM provider

    openclaw configure → Model → Anthropic → Token. Get the token by running claude setup token from a machine with Claude Code installed.

    ### Phase 10 -- Enable skills

    openclaw configure → Skills. Warn me to evaluate each skill's data inputs/outputs before enabling.

    ## Security rules to enforce throughout

    - Never connect primary accounts (Gmail, Drive, etc.) -- always use separate accounts created for the bot
    - If connecting email, only forward from verified senders to the bot's email
    - Set API spending limits and email alerts if using API keys
    - The bot intentionally doesn't know the sudo password -- don't change this
    - Any service the bot exposes on another port needs its own SSH port-forward: ssh -N -L <PORT>:127.0.0.1:<PORT> <USERNAME>@<TAILSCALE_IP>
    - Other devices need Tailscale installed + same account to access the server

    That's the whole setup.

    Paste the prompt into Claude Code, follow the phases, and you'll have a secure OpenClaw instance running on your own server. If you get stuck on any step, Claude will help you debug it in real time.
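
A read-only check for the Phase 4 and Phase 5 settings, added here as an example and not part of the original prompt or of OpenClaw: it reads `sshd -T` and `ss -Hltn` output and flags an SSH daemon that still accepts passwords, permits root login, or listens outside Tailscale's 100.64.0.0/10 range, and a gateway port bound to anything but loopback. The function names and sample lines are constructed for illustration, and it assumes IPv4 Tailscale addresses.

```shell
#!/bin/sh
# Added example: audit the Phase 4 (sshd) and Phase 5 (gateway bind) settings.
# Both checks read command output on stdin, so they run on a live host or on samples.

# check_sshd: stdin = output of `sshd -T` (effective config). Returns 0 if clean.
check_sshd() {
  awk '
    $1 == "passwordauthentication" && $2 != "no" { print "FAIL password auth: " $2; bad = 1 }
    $1 == "permitrootlogin" && $2 != "no"        { print "FAIL root login: " $2; bad = 1 }
    $1 == "listenaddress" {
      seen = 1
      split($2, o, "[.:]")            # o[1], o[2] = first two IPv4 octets
      # Tailscale IPv4 addresses come from 100.64.0.0/10 (second octet 64-127)
      if (!(o[1] == 100 && o[2] >= 64 && o[2] <= 127)) {
        print "FAIL sshd listens on " $2; bad = 1
      }
    }
    END {
      if (!seen) { print "FAIL no listenaddress reported"; bad = 1 }
      exit bad + 0
    }
  '
}

# check_gateway PORT: stdin = output of `ss -Hltn`. Returns 0 only if every
# listener on PORT is bound to loopback (the "Gateway bind: Loopback" choice).
check_gateway() {
  port="${1:-18789}"
  awk -v p="$port" '
    { n = split($4, a, ":"); if (a[n] != p) next
      found = 1
      addr = substr($4, 1, length($4) - length(a[n]) - 1)
      if (addr != "127.0.0.1" && addr != "[::1]") { print "FAIL port " p " bound to " addr; bad = 1 }
    }
    END {
      if (!found) { print "FAIL nothing listening on " p; bad = 1 }
      exit bad + 0
    }
  '
}

# Constructed samples (not captured from a real host).
sample_good_sshd() { printf '%s\n' 'port 22' 'listenaddress 100.101.102.103:22' 'permitrootlogin no' 'passwordauthentication no'; }
sample_bad_sshd()  { printf '%s\n' 'listenaddress 0.0.0.0:22' 'permitrootlogin yes' 'passwordauthentication no'; }

# Offline demo. On the server itself: sudo sshd -T | check_sshd; ss -Hltn | check_gateway 18789
sample_good_sshd | check_sshd && echo "hardened sample: OK"
sample_bad_sshd | check_sshd || echo "default-style sample: findings above"
```

Because `ListenAddress` is pinned to the Tailscale IP, rerun the check after a reboot: `sshd` can only bind that address once Tailscale has brought the interface up.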
