How to Install OpenClaw on a VPS Securely Using Tailscale (Step-by-Step)
Learn how to run OpenClaw on your own server without exposing it to the public internet. This setup is one of the easiest and safest ways to do it.
In this guide, you'll install OpenClaw on a VPS and secure it using Tailscale. No complicated DevOps. Just a clean, working setup.
Watch the Full Tutorial
Full video walkthrough on YouTube: https://youtu.be/LA3SSwyXw1M
Why Use Tailscale?
Most VPS setups expose your app directly to the internet. That's risky.
With Tailscale, you:
- Create a private network (a WireGuard mesh)
- Access your server securely with no public-facing ports
- Avoid opening unnecessary ports to the internet
Bottom line: Your app stays private, but still accessible to you from any device on your Tailnet.
What You Need
- VPS hosting (I use Hostinger)
- SSH keys (no password logins)
- A free Tailscale account
- A firewall (UFW or your provider's) to keep unused ports closed
Step 1 - Set Up Your VPS
Start with a clean VPS. Connect via SSH using the IP your provider assigned:
ssh root@VPSIPHERE
Now your server is ready for the next steps.
Step 2 - Create a New User
Don't run things as root. Create a regular user and add them to the sudo group:
adduser --gecos "" username
adduser username sudo
Step 3 - Create an SSH Key
On your local machine, generate a modern Ed25519 key. Give it a name and a strong passphrase when prompted:
ssh-keygen -t ed25519
Copy the public key to your VPS:
ssh-copy-id -i keyname.pub username@VPSIPHERE
Then disable password authentication. Open the SSH config:
nano /etc/ssh/sshd_config.d/50-cloud-init.conf
Set PasswordAuthentication no. Press Ctrl+X, then Y, then Enter to save and exit. Restart SSH:
service ssh restart
Always keep your existing SSH session open while testing the new key in a second terminal. If anything is wrong, you still have a way back in.
Connect with the new SSH key:
ssh -i ./keyname 'username@VPSIPHERE'
Step 4 - Set Up Tailscale
Download Tailscale to your local computer first: tailscale.com/download
Then install Tailscale on the VPS:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
tailscale status
sudo tailscale set --operator=username
Firewall rule: Make sure UDP 41641 is allowed outbound on your VPS so Tailscale can establish its WireGuard tunnels. You do not need to expose it publicly.
Once Tailscale is up, connect to your VPS over the private Tailscale IP instead of the public one:
ssh -i ./keyname 'username@TAILSCALEIPHERE'
Step 5 - Install OpenClaw
Follow the official setup at openclaw.ai and run the install script:
curl -fsSL https://openclaw.ai/install.sh | bash
Useful related tools:
- Privacy-focused model: venice.ai
- Privacy-focused chat (Matrix): matrix-client.matrix.org
- Element web client: app.element.io
Useful OpenClaw Commands
Make sure the OpenClaw CLI is on your path:
export PATH="$(npm prefix -g)/bin:$PATH"
Confirm the desktop app / Control UI is using the current gateway token:
openclaw config get gateway.auth.mode
openclaw config get gateway.auth.token
openclaw dashboard --no-open
If you see disconnected (1008): pairing required, approve the pending device:
openclaw devices list
openclaw devices approve --latest
Still seeing pairing-required even on localhost? Reset the pairing state (back up first) and restart the gateway:
openclaw gateway restart
Run a deep security audit and let OpenClaw fix what it can:
openclaw security audit --deep
openclaw security audit --fix
openclaw doctor
openclaw doctor --fix
openclaw gateway restart
openclaw gateway status
Step 6 - Checklist for Your Server
For extra security, take a final pass over the server.
VPS hardening checklist:
- Disable any unused ports in your firewall (UFW or provider firewall)
- Use SSH keys only - no password logins
- Disable root SSH and use a non-root sudo user
- Keep your OS patched (enable unattended-upgrades on Debian/Ubuntu)
- Only expose services over the Tailscale IP, not the public IP
- Back up your OpenClaw state directory and Tailscale auth keys off-server
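One way to check the SSH-key-only, no-root-SSH and Tailscale-only items above, as an added example that is not part of the original guide. It reads the effective configuration from `sshd -T`, because sshd keeps the first value it finds for a keyword, so an earlier-sorted file in `sshd_config.d` can override `50-cloud-init.conf`. The function names are hypothetical, the sample inputs are constructed, and port 8080 is a stand-in for whatever service you run.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): verify two checklist items.

# Reads `sshd -T` output (effective config, lowercase keywords) on stdin.
# Prints a FAIL line per weak or missing setting; non-zero status on any.
check_sshd() {
  awk '
    $1 == "passwordauthentication" { pw = $2 }
    $1 == "permitrootlogin"        { root = $2 }
    END {
      if (pw != "no")   { print "FAIL passwordauthentication=" pw; bad = 1 }
      if (root != "no") { print "FAIL permitrootlogin=" root; bad = 1 }
      exit bad + 0
    }'
}

# Reads `ss -H -tuln` output on stdin and prints "proto addr:port" for every
# socket NOT bound to loopback or a Tailscale address (100.64.0.0/10 or
# fd7a:115c:a1e0::/48), i.e. sockets bound to a public or wildcard address.
public_listeners() {
  awk '{
    addr = $5
    sub(/:[^:]*$/, "", addr)                    # drop the :port suffix
    gsub(/\[/, "", addr); gsub(/\]/, "", addr)  # drop IPv6 brackets
    sub(/%.*$/, "", addr)                       # drop %interface scope
    n = split(addr, o, ".")
    if (addr ~ /^127\./ || addr == "::1") next
    if (n == 4 && o[1] == 100 && o[2] >= 64 && o[2] <= 127) next
    if (addr ~ /^fd7a:115c:a1e0:/) next
    print $1, $5
  }'
}

# Constructed sample inputs so the functions can be exercised offline.
SAMPLE_SSHD='port 22
passwordauthentication yes
permitrootlogin without-password
pubkeyauthentication yes'

SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:41641 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
tcp LISTEN 0 4096 100.101.102.103:8080 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*'

# On the VPS itself:
#   sudo sshd -T | check_sshd
#   ss -H -tuln | public_listeners
```

`ss` reports bound sockets regardless of firewall rules, so each line `public_listeners` prints needs either a matching UFW or provider-firewall rule or a bind address changed to the Tailscale IP.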
Now you're running a proper, locked-down setup.
Final Thoughts
This setup gives you full control over your apps and data, secure access via Tailscale with no public-facing services, and no platform lock-in - you own the box. Once you try it, it's hard to go back.