Containers
Ansible
Deploy OpenClaw to production servers with openclaw-ansible, an automated installer with a security-first architecture.
Prerequisites
| Requirement | Details |
|---|---|
| OS | Debian 11+ or Ubuntu 20.04+ |
| Access | Root or sudo privileges |
| Network | Internet connection for package installation |
| Ansible | 2.14+ (installed automatically by the quick-start script) |
What you get
- Firewall-first security: UFW + Docker isolation (only SSH + Tailscale reachable)
- Tailscale VPN for remote access without exposing services publicly
- Docker for isolated sandbox containers with localhost-only bindings
- Systemd integration with hardening, auto-starting on boot
- One-command setup
Quick start
curl -fsSL https://raw.githubusercontent.com/openclaw/openclaw-ansible/main/install.sh | bashWhat gets installed
- Tailscale (mesh VPN for secure remote access)
- UFW firewall (SSH + Tailscale ports only)
- Docker CE + Compose V2 (default agent sandbox backend)
- Node.js and pnpm (OpenClaw requires Node 22.22.3+, 24.15+, or 25.9+; Node 24 is recommended)
- OpenClaw, installed host-based, not containerized
- A systemd service with security hardening
Post-install setup
Switch to the openclaw user
sudo -i -u openclawRun the onboarding wizard
The post-install script guides you through configuring OpenClaw.
Connect messaging channels
Log in to WhatsApp, Telegram, Discord, or Signal:
openclaw channels login --channel <name>Verify the installation
sudo systemctl status openclawsudo journalctl -u openclaw -fConnect to Tailscale
Join your VPN mesh for secure remote access.
Quick commands
# Check service statussudo systemctl status openclaw # View live logssudo journalctl -u openclaw -f # Restart gatewaysudo systemctl restart openclaw # Channel login (run as openclaw user)sudo -i -u openclawopenclaw channels login --channel <name>Security architecture
Four-layer defense model:
- Firewall (UFW): only SSH (22) and Tailscale (41641/udp) exposed publicly
- VPN (Tailscale): gateway reachable only via the VPN mesh
- Docker isolation:
DOCKER-USERiptables chain prevents external port exposure - Systemd hardening:
NoNewPrivileges,PrivateTmp, unprivileged user
Verify your external attack surface:
nmap -p- YOUR_SERVER_IPOnly port 22 (SSH) should be open. Gateway and Docker stay locked down.
Docker is installed for agent sandboxes (isolated tool execution), not for running the gateway. See Multi-Agent Sandbox and Tools for sandbox configuration.
Manual installation
Install prerequisites
sudo apt update && sudo apt install -y ansible gitClone the repository
git clone https://github.com/openclaw/openclaw-ansible.gitcd openclaw-ansibleInstall Ansible collections
ansible-galaxy collection install -r requirements.ymlRun the playbook
./run-playbook.shOr run the playbook directly and then run the setup script manually:
ansible-playbook playbook.yml --ask-become-pass# Then run: /tmp/openclaw-setup.shUpdating
The Ansible installer sets up OpenClaw for manual updates; see Updating for the standard flow.
To re-run the playbook (for example, after configuration changes):
cd openclaw-ansible./run-playbook.shThis is idempotent and safe to run multiple times.
Troubleshooting
Firewall blocks my connection
- Connect via Tailscale VPN first; the gateway is only reachable that way by design.
- SSH (port 22) is always allowed.
Service will not start
# Check logssudo journalctl -u openclaw -n 100 # Verify permissionssudo ls -la /opt/openclaw # Test manual startsudo -i -u openclawcd ~/openclawopenclaw gateway runDocker sandbox issues
# Verify Docker is runningsudo systemctl status docker # Check sandbox imagesudo docker images | grep openclaw-sandbox # Build the sandbox image if missing (requires a source checkout)cd /opt/openclaw/openclawsudo -u openclaw ./scripts/sandbox-setup.sh# For npm installs without a source checkout, see# https://docs.openclaw.ai/gateway/sandboxing#images-and-setupChannel login fails
Make sure you are running as the openclaw user:
sudo -i -u openclawopenclaw channels login --channel <name>Advanced configuration
For detailed security architecture and troubleshooting, see the openclaw-ansible repo:
Related
- openclaw-ansible: full deployment guide
- Docker: containerized gateway setup
- Sandboxing: agent sandbox configuration
- Multi-Agent Sandbox and Tools: per-agent isolation