OpenClaw VPS Security Checklist: Lock Down Your AI Agent

OpenClaw gives your AI agent direct access to your server — it reads messages, executes shell commands, manages files, and calls external APIs on your behalf. A single misconfiguration can expose your private conversations, API keys, and server infrastructure to the internet. This guide provides a concrete, step-by-step security checklist to lock down your OpenClaw VPS deployment.

Why OpenClaw Security Matters

Traditional chatbots are stateless and sandboxed. OpenClaw is neither. It runs as a persistent daemon with filesystem access, network capabilities, and whatever API credentials you provide. If an attacker gains access to your OpenClaw instance, they can:

  • Read all messages across connected platforms (Telegram, Discord, Slack)
  • Exfiltrate API keys stored in environment variables or config files
  • Execute arbitrary commands on your server via the agent's shell access
  • Pivot to other services if the VPS shares a network with production infrastructure

This is not hypothetical. The Hacker News thread "OpenClaw is dangerous" made security the top community concern. The core problem: OpenClaw's gateway listens on port 18789 by default, and if that port is exposed to the public internet, anyone can interact with your agent without authentication. The fix is straightforward — but you have to actually apply it.

The 10-Step Security Checklist

Follow these steps in order. Each one reduces the attack surface of your deployment. Skip none of them.

1. Create a Dedicated Non-Root User

Never run OpenClaw as root or your personal admin account. Create a dedicated user with no sudo privileges. If the agent is compromised, the blast radius is limited to that user's permissions.

# Create a dedicated service user with no password set (reach it via sudo or SSH key only)
sudo adduser --disabled-password --gecos "" openclaw
# Switch to that user for all OpenClaw operations
sudo su - openclaw

Run all OpenClaw processes, Docker containers, and configuration under this user. Never store personal SSH keys, cloud credentials, or other secrets in this account's home directory.

2. Lock Down the Firewall

Port 18789 is the OpenClaw gateway. It must never be exposed to the public internet. Allow only SSH (port 22) for remote access and block everything else inbound.

# Default policy: deny all incoming, allow all outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH only
sudo ufw allow 22/tcp

# Explicitly deny the OpenClaw gateway (already covered by the default policy,
# but the explicit rule still protects you if the defaults are loosened later)
sudo ufw deny 18789

# Enable the firewall and review the resulting rule set
sudo ufw enable
sudo ufw status verbose

Verify with sudo ufw status that port 18789 does not appear in the allow list. If you previously opened it, remove the rule with sudo ufw delete allow 18789.

3. SSH Key-Only Authentication

Disable password-based SSH login entirely. Password brute-forcing is one of the most common VPS attacks.

# Edit SSH config. Also check /etc/ssh/sshd_config.d/ on Debian/Ubuntu: drop-in files
# there override this file, and cloud images may ship one that re-enables passwords.
sudo nano /etc/ssh/sshd_config

# Set these values:
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

# Validate the file and confirm the *effective* values (drop-ins included) before restarting
sudo sshd -t
sudo sshd -T | grep -iE '^(passwordauthentication|permitrootlogin|pubkeyauthentication)'

# Restart SSH daemon (the unit is named ssh on Debian/Ubuntu, sshd on RHEL-family systems)
sudo systemctl restart ssh

Make sure your SSH public key is in ~/.ssh/authorized_keys before disabling password auth, or you will lock yourself out. Keep your current session open and confirm that a fresh key-based login succeeds before closing it.

4. Access via SSH Tunnel

The recommended way to reach the OpenClaw gateway is through an SSH tunnel. Port 18789 is then reachable only from localhost on the server, and you tunnel through SSH to reach it from your local machine. This assumes the gateway binds to 127.0.0.1 rather than 0.0.0.0; confirm with ss -ltn on the server that the 18789 listener shows a loopback address.

# From your local machine:
ssh -L 18789:localhost:18789 openclaw@your-server-ip

# Now access OpenClaw at http://localhost:18789 in your browser
# The connection is encrypted end-to-end through SSH

This is the simplest secure access method. No extra software, no configuration files, no ports to open. The tunnel closes when you disconnect SSH.

5. Or Use Tailscale Serve for Zero-Config Access

If you want persistent access without maintaining SSH tunnels, Tailscale Serve provides a zero-config alternative. Tailscale creates a private WireGuard mesh network between your devices.

# Install Tailscale on your VPS
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# Expose OpenClaw only within your Tailnet
sudo tailscale serve 18789

With Tailscale Serve, the gateway is reachable only from devices on your private Tailnet (Serve proxies localhost:18789 over HTTPS on the machine's Tailnet name) — never from the public internet. No firewall rules to manage, no SSH tunnels to keep alive. This is the recommended approach for users who need always-on browser access to their agent. Do not confuse Serve with Tailscale Funnel, which publishes a service to the public internet; never put the gateway behind Funnel.

6. Keep OpenClaw Updated

OpenClaw is under active development. Security patches ship frequently, and running an outdated version means running with known vulnerabilities.

# If installed via npm:
npm update -g openclaw

# If running via Docker:
docker compose pull
docker compose up -d

# Check your current version
openclaw --version

Subscribe to the OpenClaw GitHub repository releases to get notified of security updates. Treat every update as potentially security-relevant until you read the changelog.

7. Run the Built-in Security Check

OpenClaw ships with a diagnostic tool that checks for common misconfigurations including exposed ports, permission issues, and outdated dependencies.

# Run the diagnostic tool
openclaw doctor

Fix every warning openclaw doctor reports. If it flags port 18789 as publicly accessible, stop and fix your firewall before proceeding with anything else.

8. Nginx Reverse Proxy for Web Access

If you need to expose OpenClaw through a web interface (not recommended for most users), put Nginx in front with TLS termination and basic authentication.

# /etc/nginx/sites-available/openclaw
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name openclaw.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/openclaw.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openclaw.yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Basic auth covers the whole site, so no request reaches the gateway without it
    auth_basic "OpenClaw Admin";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        # Forward to the loopback address only; the gateway itself must not bind to 0.0.0.0
        proxy_pass http://127.0.0.1:18789;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Install the htpasswd tool with sudo apt install apache2-utils, then generate the .htpasswd file with sudo htpasswd -c /etc/nginx/.htpasswd admin. Use a strong password. Consider adding IP allowlisting with allow/deny directives for an extra layer. Because Nginx now answers on port 443, allow that port in UFW (sudo ufw allow 443/tcp); port 18789 itself stays blocked, since only Nginx on the same host talks to it.

9. Enable fail2ban for SSH Protection

Even with key-only SSH, brute-force attempts consume resources and fill logs. fail2ban automatically bans IPs after repeated failed login attempts.

# Install fail2ban
sudo apt install fail2ban -y

# Do not edit jail.conf (it is replaced on upgrade); put only your overrides in jail.local
sudo tee /etc/fail2ban/jail.local >/dev/null <<'EOF'
[sshd]
enabled = true
maxretry = 3
bantime = 3600
# Read the systemd journal directly; required on hosts without /var/log/auth.log
# (e.g. Debian 12 without rsyslog), harmless elsewhere
backend = systemd
EOF

# Start now and enable at boot
sudo systemctl enable --now fail2ban

# Check the jail is running and list banned IPs
sudo fail2ban-client status sshd

10. Isolate the VPS from Personal Data

The most important architectural decision: your OpenClaw VPS should contain nothing else. No personal SSH keys to other servers. No cloud provider credentials. No database backups. No password files.

  • Use a separate VPS dedicated solely to OpenClaw
  • Do not store API keys for services beyond what the agent needs
  • If the agent needs cloud access, create a scoped IAM role with minimum permissions
  • Never reuse SSH keys from your personal workstation on the OpenClaw VPS

The isolation principle is simple: if the AI agent is compromised, the blast radius is limited to that single VPS and the API keys it holds. Nothing else in your infrastructure should be reachable from it.

SSH Tunneling vs Tailscale: Secure Access Methods

Feature            | SSH Tunnel                              | Tailscale Serve
-------------------|-----------------------------------------|-------------------------------------
Setup complexity   | None — SSH is already installed         | Install Tailscale on VPS + client
Persistent access  | No — dies when SSH disconnects          | Yes — always on via mesh network
Extra software     | None                                    | Tailscale client on each device
Mobile access      | Difficult (requires SSH client app)     | Easy (Tailscale app on iOS/Android)
Multi-user access  | Each user needs SSH key + tunnel        | Share via Tailnet ACLs
Port exposure      | None — localhost only                   | None — Tailnet only
Best for           | Solo developers, quick access           | Teams, persistent browser access

Recommendation: Use SSH tunneling if you are a single developer accessing the agent occasionally from a laptop. Use Tailscale Serve if you need persistent access from multiple devices or if other team members need to reach the agent. Both methods keep port 18789 completely off the public internet.

What About Prompt Injection?

Prompt injection is a class of attacks where malicious input tricks the AI agent into performing unintended actions — leaking secrets, executing commands, or ignoring safety instructions. It is a real and currently unsolved problem across the entire AI industry.

As of March 2026, there is no complete technical solution to prompt injection. No framework, including OpenClaw, can guarantee that a sufficiently crafted input will not bypass the agent's instructions. Here is an honest assessment of the current state:

  • System prompts help but are not bulletproof. Carefully written system instructions reduce the attack surface but can be overridden with persistent adversarial input.
  • Input sanitization catches simple attacks. Stripping obvious injection patterns (e.g., "ignore previous instructions") stops unsophisticated attempts, but determined attackers adapt.
  • Least-privilege access is your best defense. If the agent's user account cannot read /etc/shadow, a prompt injection that tries to exfiltrate it will fail at the OS level, not the AI level.
  • Monitor agent logs. Regularly review what your agent is doing. Unusual commands, unexpected file access, or API calls to unknown endpoints are red flags.

The practical takeaway: treat prompt injection as an assumed risk. Build your security posture so that even a fully compromised agent cannot damage anything beyond its own isolated VPS. That is why steps 1 (dedicated user), 2 (firewall), and 10 (isolation) are the most critical in this checklist.

VPS Providers with Built-in Security

Some VPS providers offer security features out of the box that align with this checklist, reducing the manual setup required.

DigitalOcean 1-Click App: The DigitalOcean OpenClaw 1-Click deployment handles firewall configuration and creates a non-root user automatically. Port 18789 is blocked from public access by default, and SSH key authentication is enforced during droplet creation. This is the lowest-friction way to get a secure OpenClaw deployment running.

Hetzner Cloud: Offers built-in firewalls configurable from the dashboard. You can block port 18789 before your server even boots. Combined with their competitive pricing (CX23 at $3.49/mo with 4 GB RAM), Hetzner is a strong choice for security-conscious OpenClaw deployments.

Contabo & OVHcloud: Both provide DDoS protection and optional firewall add-ons, though you will need to handle non-root user creation and SSH hardening manually.

Regardless of provider, always verify your security configuration after deployment. Run openclaw doctor and scan your VPS from an external machine to confirm that only port 22 is visible. Note that a bare nmap your-server-ip probes only nmap's 1000 most common ports, so name the gateway port explicitly (nmap -p 22,18789 your-server-ip) or scan every port (nmap -p- your-server-ip).
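The external scan tells you what the internet sees; the script below is the matching check from inside the host. It is an added example, not part of OpenClaw or its doctor command, and it assumes the gateway port from this checklist and the standard output formats of ss, ufw status and sshd -T. Each check reads that command's output on stdin and exits 0 only when the host passes, so the functions can also be exercised against captured output, and the same three checks verify steps 2, 3 and 4 of the checklist after every change rather than once.

```shell
#!/bin/sh
# Added example (not OpenClaw's own tooling): independent checks that the hardening
# from steps 2 (firewall), 3 (SSH) and 4 (tunnel-only access) actually took effect.
# Assumptions: the gateway port from the checklist, and the usual output formats of
# `ss -H -ltn`, `ufw status` and `sshd -T`.
GATEWAY_PORT=18789

# Step 4: every listener on the gateway port must be bound to loopback only.
# Input: `ss -H -ltn` (one TCP listener per line, local address:port in column 4).
gateway_bound_locally() {
    awk -v port="$GATEWAY_PORT" '
        $4 ~ /:[0-9]+$/ {
            n = split($4, parts, ":")
            p = parts[n]
            host = substr($4, 1, length($4) - length(p) - 1)   # handles [::1]:port too
            if ((p + 0) == (port + 0) && host != "127.0.0.1" && host != "[::1]") {
                print "gateway listening on non-loopback address: " $4
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Step 2: ufw must be active and carry no ALLOW rule for the gateway port.
# Input: `sudo ufw status` (rule lines look like "<port>[/proto] [(v6)]  ALLOW|DENY  <from>").
ufw_blocks_gateway() {
    awk -v port="$GATEWAY_PORT" '
        /^Status: inactive/ { print "ufw is not enabled"; bad++ }
        ($1 == port || $1 == port "/tcp" || $1 == port "/udp") && $0 ~ /ALLOW/ {
            print "ufw allows the gateway port: " $0
            bad++
        }
        END { exit (bad > 0) }
    '
}

# Step 3: the effective sshd configuration (drop-ins included) must disable password
# and root login. Input: `sudo sshd -T` (lower-case keyword followed by its value).
sshd_hardened() {
    awk '
        $1 == "passwordauthentication" && $2 == "no"  { pw = 1 }
        $1 == "permitrootlogin"        && $2 == "no"  { root = 1 }
        $1 == "pubkeyauthentication"   && $2 == "yes" { key = 1 }
        END {
            if (!pw)   print "PasswordAuthentication is not set to no"
            if (!root) print "PermitRootLogin is not set to no"
            if (!key)  print "PubkeyAuthentication is not set to yes"
            exit !(pw && root && key)
        }
    '
}

# Run all three against the live system (sudo is needed for ufw and sshd -T).
run_live() {
    rc=0
    ss -H -ltn      | gateway_bound_locally && echo "ok: gateway bound to loopback only"        || rc=1
    sudo ufw status | ufw_blocks_gateway    && echo "ok: no ufw allow rule for the gateway"      || rc=1
    sudo sshd -T    | sshd_hardened         && echo "ok: sshd password and root login disabled"  || rc=1
    return $rc
}

# Only act when asked, so the file can also be sourced and the checks fed captured output.
if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Run it with sh verify_hardening.sh --live after each change; a non-zero exit means at least one check printed a problem. Reading sshd -T rather than grepping sshd_config matters because a drop-in file can silently re-enable password authentication while the main file still says no.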

Frequently Asked Questions

Is it safe to run OpenClaw on a VPS?

Yes, if you follow proper security practices. A VPS is actually safer than running OpenClaw on your personal machine because it provides natural isolation. The key is to never expose port 18789 publicly, use a dedicated non-root user, and keep the software updated. Follow the 10-step checklist above and your deployment will be significantly more secure than the default configuration.

What happens if port 18789 is exposed to the internet?

Anyone on the internet can connect to your OpenClaw gateway and interact with your AI agent. This means they could read your messages, trigger the agent to execute commands on your server, or access any API keys stored in the agent's configuration. Always verify port 18789 is blocked with sudo ufw status and access it only via SSH tunnel (ssh -L 18789:localhost:18789 user@server) or Tailscale Serve.

Should I use SSH tunneling or Tailscale?

For solo developers who access the agent from a single laptop, SSH tunneling is the simplest option — zero extra software, zero configuration. For teams, mobile access, or persistent browser-based access, Tailscale Serve is the better choice. Both methods keep port 18789 completely off the public internet. Neither requires opening any additional firewall ports.

Can prompt injection compromise my VPS?

Prompt injection can cause the AI agent to execute unintended actions, but proper OS-level security limits the damage. If your agent runs as a dedicated non-root user with no sudo access, a prompt injection attack cannot escalate privileges, modify system files, or access other users' data. The combination of user isolation, firewall rules, and VPS separation ensures that even a fully compromised agent has a limited blast radius.
