- “SSH tunnel OpenClaw”
- “self-hosted AI assistant”
For OpenClaw v2026.2 | This article is for users who need 24/7 availability or multi-user access.
TL;DR: Simplest option: Tailscale ("tailscale": {"mode": "serve"}). Cloud server: Docker Compose deployment, recommend 2GB RAM, 1 CPU core. Self-hosted: Raspberry Pi 5 or old laptop. Security: bind to loopback, enable password authentication. SSH tunnel suits temporary access.
Why Remote Deployment?
| Scenario | Local Deployment | Remote Deployment |
|---|---|---|
| 24/7 Availability | Computer must stay on | ✅ Always available |
| Mobile Access | Same network required | ✅ Any network |
| Team Sharing | ❌ Not supported | ✅ Multi-user |
| Home Automation | Computer must be online | ✅ Server runs continuously |
| Cost | Zero | $5–20/month |
Deployment Options Comparison
| Option | Difficulty | Cost | Security | Use Case |
|---|---|---|---|---|
| Tailscale | ⭐ | Free | ⭐⭐⭐⭐⭐ | Personal, home |
| SSH Tunnel | ⭐⭐ | Free | ⭐⭐⭐⭐ | Temporary access |
| Cloud Server | ⭐⭐⭐ | $5–20/month | ⭐⭐⭐ | Team, production |
| Self-Hosted Server | ⭐⭐⭐⭐ | Power + maintenance | ⭐⭐⭐⭐ | Enthusiasts, privacy |
Option 1: Tailscale Private Network
What is Tailscale?
Tailscale is a WireGuard-based private network service that lets you securely access remote devices without exposing ports to the public internet.
Install Tailscale
# macOS
brew install tailscale
# Ubuntu/Debian
curl -fsSL https://tailscale.com/install.sh | sh
# CentOS/RHEL
sudo dnf install tailscale
Configure Tailscale
# Log in to Tailscale
sudo tailscale up
# Check status
tailscale status
# Example output:
# 100.64.0.1 your-machine your-email@ linux -
# Get Tailnet name
tailscale debug whois
OpenClaw Tailscale Configuration
{
"gateway": {
"port": 18789,
"bind": "loopback",
"tailscale": {
"mode": "serve",
"resetOnExit": true
}
}
}
| Mode | Description |
|---|---|
serve |
Accessible only within Tailnet |
funnel |
Public access (requires password authentication) |
Access Gateway
# Start Gateway
openclaw gateway
# Access via Tailscale
# https://your-machine.tailnet-name.ts.net
Option 2: SSH Tunnel
Create SSH Tunnel
# Local forwarding (run locally)
ssh -L 18789:localhost:18789 user@remote-server
# Then access
# http://localhost:18789
Reverse Tunnel
# Run on remote server
ssh -R 18789:localhost:18789 user@local-machine
# Then access locally
# http://localhost:18789
Persistent SSH Tunnel
Using autossh:
# Install autossh
brew install autossh # macOS
sudo apt install autossh # Ubuntu
# Create persistent tunnel
autossh -M 0 -f -N -L 18789:localhost:18789 user@remote-server
Option 3: Cloud Server Deployment
Choosing a Cloud Server
| Provider | Entry Config | Price | Notes |
|---|---|---|---|
| DigitalOcean | 2GB RAM | $12/month | Simple and easy |
| Linode | 2GB RAM | $10/month | Good value |
| Vultr | 2GB RAM | $10/month | Global nodes |
| AWS Lightsail | 2GB RAM | $10/month | AWS ecosystem |
| Hetzner | 4GB RAM | €5/month | Lowest price |
Recommended Configuration
| Item | Minimum | Recommended |
|---|---|---|
| CPU | 1 core | 2 cores |
| Memory | 2GB | 4GB |
| Storage | 20GB | 40GB SSD |
| Bandwidth | 1TB/month | 2TB/month |
| OS | Ubuntu 22.04 | Ubuntu 24.04 |
Docker Deployment
# docker-compose.yml
version: '3.8'
services:
openclaw:
image: openclaw/openclaw:latest
container_name: openclaw
restart: unless-stopped
ports:
- "127.0.0.1:18789:18789"
volumes:
- ./openclaw-data:/root/.openclaw
environment:
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
- TZ=Asia/Shanghai
healthcheck:
test: ["CMD", "openclaw", "health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
# Start
docker-compose up -d
# View logs
docker-compose logs -f
# Update
docker-compose pull && docker-compose up -d
System Service Deployment
# Create systemd service
sudo nano /etc/systemd/system/openclaw.service
[Unit]
Description=OpenClaw Gateway
After=network.target
[Service]
Type=simple
User=openclaw
WorkingDirectory=/home/openclaw
ExecStart=/usr/local/bin/openclaw gateway --port 18789
Restart=on-failure
RestartSec=10
[Install]
WantedBy=multi-user.target
# Enable service
sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw
# Check status
sudo systemctl status openclaw
Reverse Proxy Configuration
Nginx:
server {
listen 80;
server_name your-domain.com;
location / {
proxy_pass http://127.0.0.1:18789;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
Caddy:
your-domain.com {
reverse_proxy localhost:18789
}
Option 4: Self-Hosted Server
Hardware Recommendations
| Device | Price | Power | Use Case |
|---|---|---|---|
| Raspberry Pi 5 | $80–120 | 5–10W | Light usage |
| Intel NUC | $200–400 | 15–30W | Medium load |
| Old Laptop | Free | 20–40W | Budget limited |
| Mini PC | $150–300 | 10–25W | Best balance |
Home Network Configuration
# Port forwarding (router config)
# External port 18789 -> Internal IP:18789
# Dynamic DNS
curl -u "user:password" "https://api.dynu.com/nic/update?hostname=your-domain.dynu.com"
Security Configuration
Basic Security
# Firewall configuration
sudo ufw allow ssh
sudo ufw allow 18789/tcp
sudo ufw enable
# Disable password login
sudo nano /etc/ssh/sshd_config
# PasswordAuthentication no
Authentication Configuration
{
"gateway": {
"auth": {
"mode": "password",
"password": "your-secure-password-here",
"sessionTimeout": 3600000
}
}
}
Monitoring and Maintenance
Health Check
# HTTP health check
curl http://localhost:18789/health
# Auto restart
# Add to crontab
*/5 * * * * curl -f http://localhost:18789/health || systemctl restart openclaw
Log Management
# Log rotation
sudo nano /etc/logrotate.d/openclaw
/var/log/openclaw/*.log {
daily
rotate 7
compress
missingok
notifempty
}
Summary
Remote deployment makes OpenClaw truly 24/7 available:
- Tailscale: Simplest secure access option
- SSH Tunnel: Quick option for temporary access
- Cloud Server: First choice for teams and production
- Self-Hosted Server: Best balance of privacy and cost
Changelog:
- 2026-02-26: Initial release
Series Navigation:
- ← Previous: Security Configuration Best Practices
- → Next: Mobile Access: iOS and Android