OpenClaw Self-Hosted: Privacy-First Deployment on Your Own Server

Deploy OpenClaw on your own server for full data privacy — step-by-step guide covering requirements, installation, reverse proxy setup, and keeping your agent secure.

R. Nakamura
Infrastructure Engineer
2025-02-01 18 min 8.4k views
Updated Mar 2025

Key Takeaways

  • Self-hosting OpenClaw keeps all your data and API calls within your own infrastructure.
  • Minimum specs: 2 vCPU, 2GB RAM, 20GB storage — any Ubuntu 22.04 or Debian 12 VPS works.
  • A domain with Let's Encrypt SSL is required for most third-party webhook integrations.
  • Use nginx as a reverse proxy with rate limiting and authentication for admin endpoints.
  • Run OpenClaw as a systemd service for automatic restarts and boot startup.

Every API call your cloud-hosted agent makes passes through someone else's infrastructure. Self-hosting OpenClaw eliminates that dependency — your data stays on your hardware, your logs stay private, and you control every update. Here's the complete deployment setup.

Why Self-Host OpenClaw

Three reasons drive most self-hosted deployments: privacy, cost, and control.

  • Privacy — conversation logs, API keys, and agent outputs never leave your server
  • Cost — a $6/month Hetzner VPS handles a single-agent deployment indefinitely
  • Control — choose your Python version, install custom dependencies, and update on your schedule

Here's what we've seen consistently: teams that start on cloud platforms migrate to self-hosted after their first security audit. The audit questions about data residency are hard to answer when your agent lives on someone else's server.

Start with Ubuntu 22.04 LTS
Ubuntu 22.04 LTS is the most tested platform for OpenClaw self-hosted deployments as of early 2025. It has the best package availability, longest support timeline, and most community documentation. Debian 12 is a solid second choice.

Server Requirements

Minimum production specs:

  • CPU: 2 vCPU (x86_64 or ARM64)
  • RAM: 2GB (4GB recommended for multi-skill workloads)
  • Storage: 20GB SSD (for OS, OpenClaw, logs, and a buffer)
  • OS: Ubuntu 22.04 LTS or Debian 12
  • Network: Static IP or dynamic DNS for webhook endpoints

Installation Steps

# Update system
sudo apt update && sudo apt upgrade -y

# Install Python 3.11 and pip
sudo apt install python3.11 python3.11-venv python3-pip -y

# Create a dedicated user for OpenClaw
sudo useradd -m -s /bin/bash openclaw

# Switch to openclaw user
sudo su - openclaw

# Create a virtual environment
python3.11 -m venv /home/openclaw/venv
source /home/openclaw/venv/bin/activate

# Install OpenClaw
pip install openclaw

# Initialize config
openclaw init --dir /home/openclaw/agent

Create a systemd service so OpenClaw starts automatically on boot and restarts on failure:

# /etc/systemd/system/openclaw.service
[Unit]
Description=OpenClaw AI Agent
After=network.target

[Service]
Type=simple
User=openclaw
WorkingDirectory=/home/openclaw/agent
ExecStart=/home/openclaw/venv/bin/python -m openclaw start
Restart=always
RestartSec=10
EnvironmentFile=/home/openclaw/agent/.env

[Install]
WantedBy=multi-user.target

sudo systemctl enable openclaw
sudo systemctl start openclaw
sudo systemctl status openclaw

Never run OpenClaw as root
Running services as root means a compromised process has full system access. The dedicated 'openclaw' user limits the blast radius of any vulnerability. This is non-negotiable for internet-facing deployments.

Reverse Proxy Setup

Use nginx as a reverse proxy to handle SSL termination and expose OpenClaw's webhook endpoint:

# Install nginx and certbot
sudo apt install nginx certbot python3-certbot-nginx -y

# Get Let's Encrypt certificate
sudo certbot --nginx -d your-domain.com

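# nginx config: /etc/nginx/sites-available/openclaw
# limit_req below needs a zone declared at http level. On Debian/Ubuntu, sites
# enabled from sites-available are included inside http {}, so declare it here.
# The 10m size and 10r/s rate are example values; tune them to your traffic.
limit_req_zone $binary_remote_addr zone=webhook:10m rate=10r/s;

server {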
    listen 443 ssl;
    server_name your-domain.com;

    location /webhook/ {
        proxy_pass http://127.0.0.1:8080/webhook/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        limit_req zone=webhook burst=20 nodelay;
    }

    # Block admin endpoints from public access
    location /admin/ {
        deny all;
    }
}

Hardening & Security

Five non-negotiable security steps for any internet-facing OpenClaw deployment:

  1. Firewall — allow only ports 22, 80, 443. Block everything else with ufw.
  2. SSH hardening — disable password auth, use key-based auth only.
  3. Fail2ban — install and configure to block SSH brute force attempts.
  4. Env file permissions — run chmod 600 /home/openclaw/agent/.env so only its owner, the openclaw user, can read the API keys.
  5. Log rotation — configure logrotate for OpenClaw logs to prevent disk fill.
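
The script below is an added example, not part of OpenClaw or the original guide. It is a read-only audit for three of the settings this page relies on: the .env mode from step 4, SSH password authentication from step 2, and the non-root User= line in the systemd unit. The function names are hypothetical, and the paths in the usage comment are the ones used in this guide.

```shell
#!/bin/sh
# Added example (not OpenClaw code): read-only audit of three hardening items.
# Function names are hypothetical; file paths are passed as arguments.

# 0 if FILE is mode 600 (owner read/write only). Uses GNU stat (Ubuntu/Debian).
env_file_mode_ok() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# 0 if the first PasswordAuthentication line in an sshd_config says "no".
# sshd keeps the first value it reads for a keyword, and the default with no
# line at all is "yes". Include files and Match blocks are not followed.
sshd_password_auth_disabled() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1" 2>/dev/null)
    [ "$val" = "no" ]
}

# 0 if the unit's User= names a non-root account. A system unit without a
# User= line runs as root, so a missing line fails the check.
unit_runs_as_nonroot() {
    user=$(sed -n 's/^User=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    [ -n "$user" ] && [ "$user" != "root" ] && [ "$user" != "0" ]
}

# Runs the three checks, prints one line per check, returns the failure count.
# Arguments: ENV_FILE SSHD_CONFIG UNIT_FILE
audit_openclaw() {
    failures=0
    if env_file_mode_ok "$1"; then echo "PASS  $1 is mode 600"
    else echo "FAIL  $1 is not mode 600"; failures=$((failures + 1)); fi
    if sshd_password_auth_disabled "$2"; then echo "PASS  SSH password auth is off"
    else echo "FAIL  SSH password auth is not explicitly disabled in $2"; failures=$((failures + 1)); fi
    if unit_runs_as_nonroot "$3"; then echo "PASS  service runs as a non-root user"
    else echo "FAIL  $3 has no non-root User= setting"; failures=$((failures + 1)); fi
    return "$failures"
}

# On the server (as root, so every file is readable):
#   sh audit.sh /home/openclaw/agent/.env /etc/ssh/sshd_config /etc/systemd/system/openclaw.service
if [ "$#" -eq 3 ]; then
    audit_openclaw "$@"
fi
```

The exit status is the number of failed checks, so the script can gate a deployment step or run from cron. On a live host, `sshd -T` reports the effective SSH settings including Include files, which this file-based check does not follow.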

Common Mistakes

Skipping the dedicated service user and running as root or your personal account is the most dangerous mistake. If the agent is ever compromised, the attacker has access to your entire server.

  • Not configuring SSL — Slack, Telegram, and most third-party services require HTTPS for webhook URLs. Get the Let's Encrypt cert before configuring any channel.
  • Forgetting to open firewall ports — UFW blocks incoming connections by default. Run ufw allow 443 after enabling the firewall.
  • No monitoring setup — add basic uptime monitoring (UptimeRobot free tier) so you know when the agent goes down. Silent downtime is worse than visible errors.
  • Not testing auto-restart — verify the systemd service actually restarts after a crash by manually killing the process and confirming it comes back up.

Frequently Asked Questions

What are the minimum server specs?
2 vCPU, 2GB RAM, 20GB storage handles OpenClaw with standard skills. For heavy workloads, 4 vCPU and 4GB RAM are recommended.

Can I self-host on a VPS?
Yes. Any Linux VPS with Ubuntu 22.04 or Debian 12 works. Popular choices: Hetzner, DigitalOcean, Linode, Vultr. You need root access.

Does self-hosted OpenClaw require a domain name?
A domain with SSL is required for most third-party integrations. Without one, use the server IP — but Slack and Telegram enforce HTTPS for webhook callbacks.

How do I secure the admin panel?
Restrict admin access to localhost only and use SSH tunneling to access it remotely. Alternatively, put it behind an authenticated reverse proxy with IP allowlisting.

Can I run OpenClaw on a Raspberry Pi?
Yes. OpenClaw runs on ARM64. See the dedicated Raspberry Pi guide for configuration adjustments for low-RAM environments.

How do I update on a self-hosted server?
Stop the service, run 'pip install --upgrade openclaw', then restart it. For Docker deployments, pull the new image and recreate the container. Always back up your config first.

R. Nakamura specializes in self-hosted infrastructure and privacy-first AI deployments. He runs OpenClaw on bare metal and covers every step at aiagentsguides.com.
