Do not expose OpenClaw directly to the public internet

Running OpenClaw wide open on the public internet is a bad idea. The safest pattern is private-first access: strict network controls in front of the gateway and authenticated entry points only.

Recommended VPS Specifications

  • CPU: 2 vCPU minimum
  • RAM: 4GB minimum
  • Storage: 40GB+ SSD
  • OS: Ubuntu 22.04/24.04 LTS
  • Security baseline: UFW + Fail2Ban + HTTPS reverse proxy

Security lockdown architecture (recommended)

  • OpenClaw Gateway bound to localhost/private interface only
  • Nginx reverse proxy with HTTPS in front
  • IP allowlist and/or authentication at proxy layer
  • Firewall allows only 22/80/443 publicly
  • No direct public access to internal gateway ports

Step 1: Confirm gateway is not publicly exposed

    sudo ss -tulpn | grep -E '18789|openclaw|node'

If the gateway is bound to 0.0.0.0, tighten it to localhost/private network only in config.
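The following added example (not part of the original guide or the OpenClaw project) turns the Step 1 check into a repeatable audit: it parses `ss -tulpn` output and reports any listener on the gateway port whose local address is not loopback. Port 18789 is taken from the command above; the sample `ss` output is constructed.

```bash
#!/usr/bin/env bash
# Added example, not OpenClaw project code: audit `ss -tulpn` output for
# gateway listeners bound to a non-loopback address (0.0.0.0, [::], *).
# Real use after sourcing this file:  sudo ss -tulpn | check_exposed

GATEWAY_PORT="${GATEWAY_PORT:-18789}"   # gateway port from the check above

# check_exposed reads `ss -tulpn` lines on stdin and prints each listener on
# $GATEWAY_PORT whose bind address is not loopback. Returns 0 when the port is
# loopback-only (or absent), 1 when at least one exposed listener is found.
check_exposed() {
  local exposed=0 proto state recvq sendq local_addr rest host port
  while read -r proto state recvq sendq local_addr rest; do
    # `ss` columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process.
    # Keep listening TCP (LISTEN) and bound UDP (UNCONN) sockets; skip the header.
    case "$state" in LISTEN|UNCONN) ;; *) continue ;; esac
    port="${local_addr##*:}"          # text after the last colon
    host="${local_addr%:*}"           # e.g. 0.0.0.0, 127.0.0.1, [::], [::1], *
    [ "$port" = "$GATEWAY_PORT" ] || continue
    case "$host" in
      127.*|"[::1]"|localhost) ;;     # loopback-only: not reachable from outside
      *) printf 'EXPOSED: %s %s %s\n' "$proto" "$local_addr" "$rest"; exposed=1 ;;
    esac
  done
  return "$exposed"
}

# Constructed sample (not captured from a real host): the gateway listens on
# all IPv4 interfaces, which is exactly the condition Step 1 warns about.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511    0.0.0.0:18789     0.0.0.0:*    users:(("node",pid=1234,fd=20))
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*       users:(("sshd",pid=700,fd=3))'

if printf '%s\n' "$SAMPLE_SS" | check_exposed; then
  echo "OK: port $GATEWAY_PORT listens on loopback only"
else
  echo "Rebind the gateway to 127.0.0.1 (or a private interface) in its config and re-run."
fi
```

Run it against the live host with `sudo ss -tulpn | check_exposed`; a non-zero exit status means the gateway is reachable on a public interface.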

Step 2: Lock down firewall

    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow OpenSSH
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    sudo ufw enable
    sudo ufw status verbose

Do not open gateway/internal ports unless strictly required.

Step 3: Put Nginx + TLS in front

Install Nginx and Certbot:

    sudo apt update && sudo apt install -y nginx certbot python3-certbot-nginx

Nginx server block that proxies to the gateway on 127.0.0.1:18789:

    server {
      listen 80;
      server_name claw.example.com;

      location / {
        proxy_pass http://127.0.0.1:18789;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
      }
    }

Issue the certificate and let Certbot add the HTTPS listener to this server block:

    sudo certbot --nginx -d claw.example.com

Step 4: Add access controls (strongly recommended)

  • Option A: IP allowlist at Nginx/cloud firewall
  • Option B: VPN/Tailscale/Zero Trust tunnel for admin access
  • Option C: HTTP auth or SSO at the reverse proxy

Step 5: Brute-force and abuse protection

    sudo apt install -y fail2ban
    sudo systemctl enable --now fail2ban
    sudo fail2ban-client status

Step 6: Ongoing operations

  • Patch OS and dependencies regularly
  • Rotate API keys and revoke unused keys
  • Back up OpenClaw configs and important state
  • Review logs for unusual API/chat activity

If you need to run OpenClaw in production, start with a hardened Cloud VPS and keep the gateway private by default.