$ cd ../tutorials/
essential · security · 30 min read • March 2026
$ cat vps-security.md

export VPSSecurityGuide

/** Lock down your OpenClaw VPS with 5 layers of security - $6/month */

[Image: OpenClaw VPS Security Architecture]
⚠️ SECURITY ALERT: The default OpenClaw install has zero security. Ports exposed. No authentication. 900+ instances have already been found wide open on the internet. This guide will help you secure yours.
section_01_problem.md

## 🚨 The Problem: Exposed AI Instances

When you deploy OpenClaw on a VPS using the default configuration, you're essentially leaving your front door wide open. The Docker container exposes ports directly to the internet, there's no authentication required to access your dashboard, and your API keys are just one port scan away from being compromised.

Security researchers have already discovered over 900 OpenClaw instances running completely unprotected on the public internet. These exposed instances are vulnerable to API key theft, unauthorized usage (running up your AI provider bills), data exfiltration, and being used as pivot points for further attacks.

// Common vulnerabilities in default setup:
• Port 18789 directly exposed to internet
• No authentication on web dashboard
• API keys visible in environment variables
• SSH brute-force attacks possible
• No automatic patching for security updates
section_02_layers.md

## πŸ›‘οΈ The 5 Layers of Security

This guide implements a defense-in-depth strategy with five distinct security layers. Each layer provides protection against different attack vectors, and together they create a robust security posture that makes your OpenClaw instance essentially invisible to the public internet.

Layer 1: Tailscale
Creates a private encrypted network (WireGuard-based VPN) that only your authorized devices can access. Your OpenClaw instance becomes invisible to the public internet.
Layer 2: UFW Firewall
Blocks the bot's port from public access while allowing traffic through the Tailscale interface. Even if someone knows your VPS IP, they can't reach the OpenClaw port.
Layer 3: Token Authentication
Requires a secure token to access the dashboard. Even if someone gets on your Tailscale network, they still need the token to interact with OpenClaw.
Layer 4: Fail2ban
Automatically bans IP addresses that attempt brute-force attacks on SSH. Protects against automated hacking attempts that try thousands of password combinations.
Layer 5: Auto Updates
Keeps your server patched automatically with the latest security updates. Zero-day vulnerabilities get patched without manual intervention.
section_03_tailscale.sh

## πŸ” Layer 1: Tailscale Private Network

Tailscale creates a secure, private network using WireGuard encryption. It's free for personal use (up to 100 devices) and takes just minutes to set up. Once configured, your VPS will only be accessible from devices on your Tailscale network.

Step 1: Install Tailscale on Your VPS

$ curl -fsSL https://tailscale.com/install.sh | sh

Step 2: Authenticate Tailscale

$ sudo tailscale up

This will output a URL. Open it in your browser to authorize the device with your Tailscale account.

Step 3: Find Your Bot's Port

$ docker ps

Note the port number (typically 18789). You'll need this for the next steps.

Step 4: Configure Tailscale Serve

$ sudo tailscale serve --bg http://localhost:18789

This creates a secure HTTPS endpoint accessible only through your Tailscale network.

section_04_firewall.sh

## 🧱 Layer 2: UFW Firewall Configuration

UFW (Uncomplicated Firewall) provides a simple way to manage iptables rules. We'll configure it to block the OpenClaw port from the public internet while allowing access through the Tailscale interface.

Step 6: Configure Firewall Rules

$ sudo ufw allow OpenSSH
$ sudo ufw allow in on tailscale0
$ sudo ufw deny 18789
$ sudo ufw enable

// ⚠️ IMPORTANT: Always allow SSH before enabling the firewall, or you'll lock yourself out! Note also that Docker inserts its own iptables rules ahead of UFW, so a container started with `-p 18789:18789` stays reachable from the internet regardless of the `ufw deny` rule; publish the port on loopback instead (`-p 127.0.0.1:18789:18789`, which is all Tailscale Serve needs) and confirm with Step 7.

Step 7: Verify Port is Hidden

http://YOUR_VPS_PUBLIC_IP:18789
❌ Connection refused (expected!)
https://your-vps.tail12345.ts.net
✓ OpenClaw dashboard loads
section_05_token.sh

## 🔑 Layer 3: Token Authentication

OpenClaw includes a built-in gateway token for authentication. This adds another layer of security - even if someone gains access to your Tailscale network, they still need the token to access the dashboard.

Step 8: Get Your Gateway Token

$ docker inspect $(docker ps -q) | grep -i OPENCLAW_GATEWAY_TOKEN
"OPENCLAW_GATEWAY_TOKEN=abc123xyz789..."

Step 9: Access Secured Dashboard

https://your-vps.tail12345.ts.net?token=abc123xyz789

// 💡 Pro tip: Bookmark this URL with the token for quick access from your authorized devices.

section_06_fail2ban.sh

## 🚫 Layer 4: Fail2ban Brute-Force Protection

Fail2ban monitors log files for failed authentication attempts and automatically bans offending IP addresses. This protects your SSH access from brute-force attacks where hackers try thousands of password combinations.

Step 10: Install and Enable Fail2ban

$ sudo apt install fail2ban -y
$ sudo systemctl enable fail2ban
$ sudo systemctl start fail2ban
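The install above runs Fail2ban with its packaged defaults. As an added example (not part of the original guide), the script below writes a minimal `jail.local` for the sshd jail; the directory argument and the bantime/findtime/maxretry values are assumed parameters, and `backend = systemd` is set so the jail also works on Ubuntu/Debian images that ship without `/var/log/auth.log`.

```shell
# Added example, not from the original guide: write a minimal sshd jail.
# Arguments: jail directory (normally /etc/fail2ban), then optional
# bantime, findtime and maxretry. Run under sudo when writing to /etc.
write_sshd_jail() {
    jail_dir="$1"
    bantime="${2:-1h}"     # how long an offending IP stays banned
    findtime="${3:-10m}"   # window in which failed logins are counted
    maxretry="${4:-5}"     # failures within findtime that trigger a ban
    mkdir -p "$jail_dir"
    cat > "$jail_dir/jail.local" <<EOF
[DEFAULT]
bantime  = $bantime
findtime = $findtime
maxretry = $maxretry
# Assumption: admin devices reach SSH over Tailscale (100.64.0.0/10 is the
# Tailscale CGNAT range), so a typo in your own password cannot ban you.
ignoreip = 127.0.0.1/8 100.64.0.0/10

[sshd]
enabled  = true
port     = ssh
backend  = systemd
EOF
    printf '%s\n' "$jail_dir/jail.local"
}

# Count the jail sections that are switched on in a jail.local file.
enabled_jails() {
    grep -c '^enabled *= *true' "$1"
}

# Apply for real only when invoked as: sudo sh fail2ban-jail.sh apply
if [ "${1:-}" = "apply" ]; then
    write_sshd_jail /etc/fail2ban
    systemctl restart fail2ban
    fail2ban-client status sshd
fi
```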
section_07_updates.sh

## 🔄 Layer 5: Automatic Security Updates

Keeping your server updated is crucial for security. Unattended-upgrades automatically installs security patches without manual intervention, ensuring zero-day vulnerabilities get patched as soon as fixes are available.

Step 11: Enable Auto Updates

$ sudo apt install unattended-upgrades -y
$ sudo dpkg-reconfigure -plow unattended-upgrades
section_08_telegram.md

## 📱 Bonus: Telegram Control

For ultimate convenience, configure Telegram as a control channel for your OpenClaw instance. This allows you to interact with your AI assistant from anywhere without needing to access the web dashboard.

Step 12: Telegram Bot Setup

1. Create a Telegram Bot
Message @BotFather on Telegram and use the /newbot command. Save the bot token.
2. Get Your User ID
Message @userinfobot to get your Telegram user ID. This is used to restrict bot access to only you.
3. Configure OpenClaw
Add the bot token and your user ID to your OpenClaw configuration to enable Telegram control.
section_09_verify.md

## ✅ Verification Checklist

Use this checklist to verify all security layers are properly configured:

☐ Tailscale is running: `tailscale status`
☐ Public IP doesn't load OpenClaw dashboard
☐ Tailscale URL loads dashboard (with token)
☐ UFW is active: `sudo ufw status`
☐ Fail2ban is running: `sudo systemctl status fail2ban`
☐ Auto-updates enabled: `cat /etc/apt/apt.conf.d/20auto-upgrades`
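The checklist above is six manual commands. As an added example (not from the original guide), the script below runs them as one audit and, because Docker-published ports bypass UFW, also checks how the container binds the bot port. The parsing helpers take command output as text so they can be tested offline; `BOT_PORT` is an assumed parameter defaulting to the guide's 18789.

```shell
# Added example, not from the original guide: audit all five layers at once.
# BOT_PORT is an assumed parameter; the guide's default port is 18789.
BOT_PORT="${BOT_PORT:-18789}"

# 0 if a `docker ps` PORTS column publishes the bot port on every interface.
# Docker inserts its own iptables rules ahead of UFW, so a 0.0.0.0:PORT or
# :::PORT mapping stays reachable from the internet despite `ufw deny`.
port_published_publicly() {
    printf '%s\n' "$1" | grep -Eq "(0\.0\.0\.0:|:::)$BOT_PORT->"
}

# 0 if the text of /etc/apt/apt.conf.d/20auto-upgrades enables upgrades.
auto_upgrades_enabled() {
    printf '%s\n' "$1" | grep -Eq '^APT::Periodic::Unattended-Upgrade "1";'
}

# 0 if `ufw status` text shows an active firewall with a DENY on the port.
ufw_blocks_port() {
    printf '%s\n' "$1" | grep -q '^Status: active' &&
        printf '%s\n' "$1" | grep -Eq "^$BOT_PORT(/tcp)? +DENY"
}

# Live checks, meant to run on the VPS under sudo; stops at the first failure.
audit_vps() {
    tailscale status >/dev/null 2>&1 || { echo "FAIL: Tailscale not running"; return 1; }
    ufw_blocks_port "$(ufw status)" || { echo "FAIL: UFW inactive or no DENY $BOT_PORT"; return 1; }
    if port_published_publicly "$(docker ps --format '{{.Ports}}')"; then
        echo "FAIL: container publishes $BOT_PORT on 0.0.0.0 (bypasses UFW); bind it to 127.0.0.1"
        return 1
    fi
    systemctl is-active --quiet fail2ban || { echo "FAIL: Fail2ban not active"; return 1; }
    auto_upgrades_enabled "$(cat /etc/apt/apt.conf.d/20auto-upgrades)" ||
        { echo "FAIL: unattended-upgrades disabled"; return 1; }
    echo "OK: all five layers verified"
}

# Run the live audit only when invoked as: sudo sh vps-audit.sh run
if [ "${1:-}" = "run" ]; then
    audit_vps
fi
```

The public-IP check from the list (an HTTP request from outside the VPS) still has to be done from another machine, since it cannot be proven from the host itself.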
section_10_cost.md

## 💰 Cost Breakdown

| Service | Cost | Notes |
|---|---|---|
| VPS (DigitalOcean/Hetzner) | $6/month | 1GB RAM, 1 vCPU |
| Tailscale | Free | Up to 100 devices |
| UFW Firewall | Free | Built into Ubuntu |
| Fail2ban | Free | Open source |
| Total | $6/month | Full security stack |

🎉 For just $6/month, your OpenClaw instance is now invisible to the public internet, protected by 5 security layers, and running 24/7 on a dedicated VPS!

video_walkthrough.md

## 🎥 Video Walkthrough

Prefer video? Watch the complete step-by-step walkthrough:

▶ Watch on YouTube
next_steps.md

## 🚀 Next Steps

Your OpenClaw instance is now secured! Explore these related tutorials:

$ cd ../tutorials/
/* END_OF_TUTORIAL */