How to Install OpenClaw on a Self-Managed VPS via SSH
OpenClaw is an open-source, modular gateway designed to deploy secure runtime sandboxes for autonomous AI agents. By executing OpenClaw on your Self-Managed VPS, you secure direct container orchestration boundaries and protect sensitive corporate data paths from third-party leakage.
This tutorial will guide you through connecting to your remote server infrastructure via SSH, configuring the underlying Docker engine ecosystem, creating configuration templates, and bringing your OpenClaw orchestration cluster live using native Docker Compose protocols.
OpenClaw is an AI capable of running computer code and controlling server files. Because it is so powerful, running it on an unsecured server is like leaving your front door unlocked. Hackers can use automated tools to find your server and take control of it within minutes.
For your own safety, you must secure your server first before downloading or installing OpenClaw. Please refer to the How to Harden an OpenClaw Server article.
System Requirements
Because OpenClaw builds microservice orchestration containers and compiles secure guest sandbox environments directly on your machine, your VPS partition must conform to these hardware minimums:
| Resource | Minimum Specification | Recommended Specification |
|---|---|---|
| Processor (CPU) | 1 vCPU (64-bit architecture) | 2 vCPUs or higher |
| Memory (RAM) | 1 GB available space | 2 GB to 4 GB RAM |
| Disk Space | 10 GB available SSD Storage | 25 GB or higher SSD Storage |
| Operating System | Ubuntu 22.04 LTS (amd64) | Ubuntu 24.04 LTS (amd64) |
Prerequisites
Before beginning your deployment workflow, ensure you have the following resources available:
- A Self-Managed VPS running a clean installation of Ubuntu (22.04 LTS or 24.04 LTS recommended).
- Administrative SSH Access: The server IP address along with root or sudo user security keys.
- An Operational LLM Endpoint: A valid Anthropic or OpenAI API token string.
Step 1: Connect to Your VPS Infrastructure via SSH
- Open your local terminal (macOS/Linux) or Command Prompt/PowerShell (Windows).
- Run the following SSH command (replace
your_server_ipwith your actual Bluehost VPS IP address): - Enter your root password when prompted to access the server console.
ssh root@your_server_ip
Example Output:
$ ssh [email protected]
The authenticity of host '192.0.2.44 (192.0.2.44)' can't be established.
ECDSA key fingerprint is SHA256:DdkoWy/LnXyD4wq86zKE8Yh4cPyGz/Q5y4rwl2DElV0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.0.2.44' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.5.0-27-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://help.bluehost.com
* Support: https://www.bluehost.com/contact
Last login: Fri Mar 15 10:25:00 2024 from 198.51.100.23
root@vps-123456:~#
Step 2: Initialize Core Dependencies and Container Runtimes
Once logged into your server node, sync your platform repositories and provision the fundamental system dependencies required to handle application imaging layers.
Update and patch active server packaging arrays:
sudo apt update && sudo apt upgrade -y
Example Output:
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Get:2 http://archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Fetched 126 kB in 1s (145 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Verify foundational network and data ingestion utilities are active:
sudo apt install git curl ca-certificates -y
Example Output:
Reading package lists... Done
Building dependency tree... Done
git is already the newest version (1:2.43.0-1ubuntu7.1).
curl is already the newest version (8.5.0-2ubuntu10.1).
ca-certificates is already the newest version (20240203).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Set Up the Official Docker Repository
OpenClaw relies on modern Docker Engine instances to securely isolate code execution layers. Follow these steps to introduce the tracking sources:
Install keys to handle container layer handshakes:
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
Map the package index tracking route to your sources list:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Update repository mapping tables to sync Docker resources:
sudo apt update
Example Output:
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Get:2 https://download.docker.com/linux/ubuntu noble InRelease [48.9 kB]
Get:3 https://download.docker.com/linux/ubuntu noble/stable amd64 Packages [12.2 kB]
Fetched 61.1 kB in 1s (78.4 kB/s)
Reading package lists... Done
Install the standardized core Docker environment and Compose engine plugins:
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
Example Output:
Reading package lists... Done
Building dependency tree... Done
Selecting previously unselected package docker-ce.
Preparing to unpack .../docker-ce_26.1.4-1ubuntu.24.04~noble_amd64.deb ...
Unpacking docker-ce (26.1.4-1ubuntu.24.04~noble) ...
Setting up docker-ce (26.1.4-1ubuntu.24.04~noble) ...
Processing triggers for systemd (255.4-1ubuntu8.2) ...
Step 3: Wake and Enable the Docker Daemon System
On many unmanaged hosting partitions, container subsystems do not trigger an active boot execution loop directly following a cold install. You must manually force initialization.
- Start the daemon engine and append it to system boot routines:
sudo systemctl start docker
sudo systemctl enable docker
Example Output:
Synchronizing state of docker.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable docker
- Audit the container ecosystem to confirm operational compliance:
sudo systemctl status docker
Example Output:
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system; enabled; preset: enabled)
Active: active (running) since Sat 2026-06-13 10:18:24 UTC; 12s ago
TriggeredBy: ● docker.socket
Docs: https://docs.docker.com
Main PID: 4821 (dockerd)
Tasks: 8
Memory: 28.4M
- Isolate the Network Interface:
Provision an isolated software bridge layout to safely lock down internal data handshakes between the agent application and your primary server:
docker network create openclaw-net
Example Output:
4f971b3846e10b65288b8e8fbc8a23d9bf3cceb6d511ea5408ab2e340a6b7d2f
Step 4: Clone the Source Tree and Configure Environment Credentials
Download the official OpenClaw application distribution package to your working root directory structure:
git clone https://github.com/openclaw/openclaw.git
Example Output:
Cloning into 'openclaw'...
remote: Enumerating objects: 342, done.
remote: Counting objects: 100% (122/122), done.
remote: Compressing objects: 100% (84/84), done.
remote: Total 342 (delta 54), reused 91 (delta 32), pack-reused 220
Receiving objects: 100% (342/342), 124.50 KiB | 2.15 MiB/s, done.
Resolving deltas: 100% (162/162), done.
cd openclaw
OpenClaw extracts API tokens and dashboard master credentials directly from an isolated environment file. Construct your configuration mirror using the developer baseline template:
cp .env.example .env
Many minimal server distributions do not include a default text editor layer. If trying to open files yields a bash: nano: command not found error, execute the following command to add Nano to your system:
sudo apt install nano -y
Example Output:
Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed:
nano
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Setting up nano (7.2-2) ...
Open your environment configuration file using the text editor utility:
nano .env
Define your primary integration access strings and root configuration attributes within the file layout, ensuring your individual provider keys are mapped correctly:
# Operational Endpoint Access
OPENAI_API_KEY=sk-proj-4Wv9Xb7yZ2M1N5K4J3H2G1F0D9S8A7P6O5I4U3Y2T1R0E
ANTHROPIC_API_KEY=sk-ant-api03-L9k8J7h6G5f4D3s2A1q0WeRtYuIoPlKjHgFfDsSaA-1a2b3c4
# Administrative UI Security Elements
OPENCLAW_SECRET=7f8a9b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e
PORT_BINDING=8080
SYSTEM_USER=claw_admin
SYSTEM_PASS=Mypassword_2026_Secure!
Step 5: Verify the Multi-Container Compose Framework
Unlike edge projects that utilize custom shell configurations, OpenClaw runs completely via standard Docker Compose templates. Review the root file components to make sure your folder is properly set up:
ls -la
Example Output:
total 48
drwxr-xr-x 4 root root 4096 Jun 13 10:14 .
drwx------ 5 root root 4096 Jun 13 10:12 ..
-rw-r--r-- 1 root root 412 Jun 13 10:14 .env
-rw-r--r-- 1 root root 412 Jun 13 10:14 .env.example
-rw-r--r-- 1 root root 1245 Jun 13 10:14 docker-compose.yml
-rw-r--r-- 1 root root 1064 Jun 13 10:14 LICENSE
-rw-r--r-- 1 root root 4102 Jun 13 10:14 README.md
drwxr-xr-x 2 root root 4096 Jun 13 10:14 app
drwxr-xr-x 2 root root 4096 Jun 13 10:14 config
Step 6: Build the Images and Execute the Deployment Cluster
Because OpenClaw evaluates core workspace environments locally, you must compile your application image stacks directly inside your server environment before initial launch.
1. Compile and build the OpenClaw localized framework containers:
docker compose build
Example Output:
[+] Building 14.2s (12/12) FINISHED
=> [core-gateway internal] load build definition from Dockerfile 0.1s
=> [core-gateway internal] load .dockerignore 0.1s
=> [core-gateway stage-0 1/5] FROM docker.io/library/node:20-alpine 2.3s
=> [core-gateway stage-0 5/5] RUN npm run build 5.8s
=> [core-gateway] exporting to image 0.4s
=> => naming to docker.io/library/openclaw:local 0.0s
2. Bring the application suite online in detached mode:
docker compose up -d
Example Output:
[-] Running 3/3
✔ Network openclaw-net Created
✔ Container openclaw-sandbox-runner Started
✔ Container openclaw-core-gateway Started
Step 7: Confirm Service Access and Run Diagnostics
Your open-source AI agent system is now operational on your self-managed server node. To verify that internal routing mechanics are responding accurately, test the cluster locally inside your active console shell sessions:
curl http://localhost:8080/api/health
Example Output:
{"status":"healthy","version":"1.0.0","sandbox":"connected"}
Step 8: Interface Access
Launch a local web browser application on your computer workstation and route to your destination VPS address using your designated configuration port:
http://your_server_ip:8080
Authenticate inside the secure splash view panels by providing the SYSTEM_USER and SYSTEM_PASS entries from your .env file to begin configuring your individual execution workers, managing automation pipelines, and building private sandboxed spaces!
Production Deployment Security Note
Running multi-container system sandboxes while authenticated directly under a native server root account can generate file ownership discrepancies. For long-term production deployments, configure an unprivileged Linux system user profile (e.g., clawadmin), integrate that identity with the primary docker hardware groups, and run your docker compose tasks strictly inside that isolated account context.
Summary
This step-by-step walkthrough empowers you to deploy OpenClaw—a secure microservice AI sandbox gateway—on a Bluehost Self-Managed VPS. You’ll build the stack from base Ubuntu, set up Docker Engine, configure your orchestration environment, and validate both agent and admin portal access. Carefully following these instructions ensures your AI workloads are container-isolated and operational, while upholding best practices for both compatibility and long-term runtime security.