OpenClaw Oracle Cloud: Free Tier Agents That Actually Run

Most "free cloud hosting" guides bury the catch in footnote three. Oracle's Always Free tier is genuinely different. Four ARM cores, 24 gigabytes of RAM, and 200 GB of block storage — no 12-month trial, no credit freeze, no surprise bill. I've run OpenClaw deployments on this tier for months without a single issue. Here's the exact process that gets you from zero to a running agent in under an hour.

Why Oracle Cloud Free Tier Works for OpenClaw

AWS Free Tier gives you a t2.micro with 1 GB RAM for 12 months. Google Cloud gives you an f1-micro with 614 MB. Neither can run OpenClaw's gateway plus a single agent without thrashing swap. Oracle's free allocation is categorically different: the Ampere A1 instance gives you resources that would cost $25–40/month on competing clouds.

The compute is ARM-based — Oracle uses Ampere Altra processors. That matters because OpenClaw publishes multi-platform Docker images. The linux/arm64 image runs natively on the A1 instance. No emulation, no performance penalty.

Provisioning the Free VM

Log into the Oracle Cloud console and navigate to Compute → Instances → Create Instance. Change the default shape immediately — it defaults to a paid AMD shape. Click "Change Shape," select Ampere, and pick VM.Standard.A1.Flex. Set OCPUs to 4 and RAM to 24 GB. Both are covered by the Always Free allocation.

For the image, select Oracle Linux 8 or Ubuntu 22.04. Ubuntu is easier if you're more comfortable with apt over yum. Under networking, ensure the instance is placed in a public subnet so it receives a public IP. Generate or upload an SSH key pair — save the private key, you'll need it to connect.

Click Create. The instance takes 2–3 minutes to provision. Once it shows "Running," note the public IP address from the instance details page.

# Connect to your new Oracle Cloud VM
ssh -i ~/your-private-key.pem ubuntu@YOUR_PUBLIC_IP

# Confirm you're on ARM
uname -m
# Expected output: aarch64

Installing Docker on the Oracle VM

Oracle Linux and Ubuntu both support Docker through the standard installation path. On Ubuntu 22.04:

# Update package index
sudo apt-get update

# Install Docker dependencies
sudo apt-get install -y ca-certificates curl gnupg

# Add Docker's GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
  sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

# Add Docker repository
echo "deb [arch=$(dpkg --print-architecture) \
  signed-by=/etc/apt/keyrings/docker.gpg] \
  https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list

# Install Docker Engine
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin

# Add your user to the docker group
sudo usermod -aG docker $USER
newgrp docker

Verify the installation with docker run hello-world. If it pulls and runs successfully, Docker is ready. The multi-platform hello-world image will confirm your ARM environment is working correctly.

Running OpenClaw on the Free VM

Create a working directory and set up your OpenClaw compose file. The ARM image pulls automatically when Docker detects the host architecture.

mkdir ~/openclaw && cd ~/openclaw

cat > docker-compose.yml << 'EOF'
version: "3.9"
services:
  gateway:
    image: openclaw/gateway:latest
    platform: linux/arm64
    restart: unless-stopped
    ports:
      - "8080:8080"
    volumes:
      - ./config:/app/config
      - ./data:/app/data
    environment:
      - OPENCLAW_TOKEN=${OPENCLAW_TOKEN}
      - OPENCLAW_CONFIG=/app/config/gateway.yaml
EOF

# Create your gateway config
mkdir -p config data
cat > config/gateway.yaml << 'EOF'
gateway:
  port: 8080
  token: "${OPENCLAW_TOKEN}"
  log_level: info
agents: []
EOF

# Set your token
echo "OPENCLAW_TOKEN=your-secure-token-here" > .env

# Start the gateway
docker compose up -d

Check that the gateway is running with docker compose logs -f gateway. You should see the gateway start message and the port it's listening on. The ARM image cold-starts in about 8 seconds on the A1 instance.

Firewall Configuration and HTTPS

This is where most Oracle Cloud setups fail. There are two separate firewalls and both block external traffic by default.

Layer 1 — VCN Security List. In the Oracle console, go to Networking → Virtual Cloud Networks → your VCN → Security Lists → Default Security List. Add an ingress rule: Source 0.0.0.0/0, IP Protocol TCP, Destination Port 443. Add another for port 80 if you want HTTP to redirect to HTTPS.

Layer 2 — OS iptables. Oracle Linux and Ubuntu images ship with iptables rules that block all incoming traffic except SSH.

# Open ports in iptables
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Persist rules across reboots (Ubuntu)
sudo netfilter-persistent save

# Verify rules were added
sudo iptables -L INPUT --line-numbers

Now install Nginx as a reverse proxy and Certbot for TLS. Point your domain's A record to the VM's public IP before running Certbot — the DNS must resolve for certificate issuance to succeed.

sudo apt-get install -y nginx certbot python3-certbot-nginx

# Get a certificate (replace with your domain)
sudo certbot --nginx -d your-domain.com

# Certbot auto-configures Nginx with TLS
# Verify the auto-renewal timer is active
sudo systemctl status certbot.timer

Edit the Nginx server block to proxy to your OpenClaw gateway on port 8080. Certbot will have created the HTTPS block already — add the proxy_pass directive inside the location block.

Common Mistakes on Oracle Cloud

• Forgetting to open OS iptables after the VCN Security List — opening only the VCN layer leaves iptables blocking the traffic. Both layers must be configured. This causes nine out of ten "gateway unreachable" reports.
• Choosing a wrong VM shape — the default Create Instance flow selects a paid AMD shape. Always switch to Ampere A1.Flex manually. A paid shape will charge you the moment it starts.
• Leaving the instance idle during low-activity periods — Oracle's idle reclamation policy is real. A simple health-check cron prevents it without any cost.
• Running without a swap file — even with 24 GB RAM, large models or many concurrent agents can push memory usage high. Add a 4 GB swap file as a safety buffer.
• Not using a persistent block volume for data — the boot volume works, but it's tied to the instance. Attach a separate block volume for your OpenClaw data directory so data survives instance recreation.

Frequently Asked Questions

Is Oracle Cloud's Always Free tier actually free for running OpenClaw?

Yes — the Always Free tier includes 4 Ampere cores and 24 GB RAM with no time limit. That's enough for OpenClaw, multiple agents, and a reverse proxy at zero cost. The catch is availability: free VMs sell out in busy regions, so pick a less popular region at signup.

Which Oracle Cloud VM shape works best for OpenClaw?

Use VM.Standard.A1.Flex with 4 OCPUs and 24 GB RAM — fully covered by Always Free. OpenClaw's gateway and agent containers run well on ARM. Docker's multi-platform images handle Oracle's Ampere architecture without additional configuration.

How do I open ports on Oracle Cloud to access the OpenClaw gateway?

Oracle has two firewall layers: VCN Security Lists and OS-level iptables. Open port 443 in both. In the VCN Security List, add an ingress rule for TCP 443. Then run sudo iptables -I INPUT 6 -p tcp --dport 443 -j ACCEPT and persist it with netfilter-persistent.

Can OpenClaw run on Oracle Cloud's ARM architecture?

Yes. OpenClaw publishes linux/arm64 Docker images that run natively on Oracle's Ampere processors. No custom compilation or architecture-specific flags are required as of early 2025. Docker pulls the correct image automatically based on host architecture.

What is the main risk of using Oracle Cloud Always Free for OpenClaw?

Oracle can reclaim idle Always Free VMs if CPU utilization stays very low for 7 consecutive days. Running OpenClaw keeps activity above this threshold. If you pause the stack, add a lightweight cron job that pings the health endpoint to prevent reclamation.

How do I set up a domain and HTTPS for OpenClaw on Oracle Cloud?

Point your domain's A record to the VM's public IP. Install Nginx as a reverse proxy and run Certbot with the Let's Encrypt plugin to get a free TLS certificate. Certbot auto-configures Nginx and sets up automatic renewal via a systemd timer.