Audience: non‑technical PC users. Goal: buy a cheap VPS, secure it, install OpenClaw, and connect it to Telegram and Claude (subscription).
This guide is written for Contabo VPS 10 (8 GB RAM) on Ubuntu 24.04.
- A private server (VPS) running Ubuntu 24.04.
- Secure access using Tailscale (no public admin ports).
- OpenClaw installed and running as a background service.
- Telegram bot connected.
- Claude connected via your subscription.
- Browser automation working on the VPS.
Complete these steps before buying the VPS. This way you can paste tokens directly during setup without switching context.
- Open Telegram and find `@BotFather`.
- Send `/newbot`.
- Choose a name and a username.
- BotFather will give you a Bot Token (looks like `123456:ABC...`).
Save the Bot Token somewhere safe.
Linux/macOS: Run in terminal:
```bash
curl -fsSL https://tailscale.com/install.sh | sh
```
Windows: Go to tailscale.com and download the app.
Then sign in and confirm Tailscale is running (you'll see its icon in your system tray/menu bar).
You need an active Claude subscription at claude.ai.
- Go to Contabo and choose VPS 10 (8 GB RAM).
- Choose:
  - Operating system: Ubuntu 24.04 LTS
  - Server location: pick the closest region
- Set the root password option.
- Finish checkout.
- After the VPS is ready, find Server IP address (looks like `123.45.67.89`) in your email. Write it down.
- Open Terminal (macOS/Linux) or Windows Terminal (Windows).
- Type this command, replacing YOUR_SERVER_IP with your actual IP:
  ```bash
  ssh root@YOUR_SERVER_IP
  ```
- Type `yes` when asked about unknown host.
- Paste the root password and press Enter.
If you see a prompt like root@..., you're connected.
Copy and paste each block. Wait for each to finish before running the next.
Update system and create user "remote":
```bash
apt update && apt upgrade -y
adduser remote
usermod -aG sudo remote
```
It will ask you to create a password. Save it. Then allow this user to log in:
```bash
mkdir -p /home/remote/.ssh && cp -r /root/.ssh/* /home/remote/.ssh/ 2>/dev/null || true && chown -R remote:remote /home/remote/.ssh && chmod 700 /home/remote/.ssh && chmod 600 /home/remote/.ssh/authorized_keys 2>/dev/null || true
```
Now disconnect and reconnect as the new user:
```bash
exit
```
Then:
```bash
ssh remote@YOUR_SERVER_IP
```
Tailscale creates a private network between your PC and the server.
```bash
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```
After running, it shows a login link. Copy it, open it in your browser, and approve the server. Then get your server's Tailscale IP:
```bash
tailscale ip -4
```
It returns something like `100.x.y.z`. Write this down as TS_IP.
After this step, you'll only access the server through Tailscale (more secure).
First, test that Tailscale works. On your PC, open a new terminal and run:
```bash
ssh remote@TS_IP
```
(Replace TS_IP with the `100.x.y.z` address from Step 4.)
If this works, continue. If not, check that Tailscale is running on both your PC and server.
Enable the firewall:
```bash
sudo apt install -y ufw && sudo ufw default deny incoming && sudo ufw default allow outgoing && sudo ufw allow from 100.64.0.0/10 to any port 22 proto tcp && sudo ufw enable
```
Type `y` when asked.
Disable root login:
```bash
sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config && sudo systemctl restart ssh
```
From now on, always connect using `ssh remote@TS_IP`.
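To confirm the lockdown above took effect, this added example (not part of the original guide or of OpenClaw) checks the output of `sshd -T` and `ufw status verbose`, which report the settings actually in force, including anything set in files that `sshd_config` includes. The function names `check_sshd` and `check_ufw` and the sample text are made up for illustration.

```shell
#!/bin/sh
# Added example; function names and sample text are constructed for illustration.
# On the server, feed the functions live output:
#   sudo sshd -T | check_sshd && sudo ufw status verbose | check_ufw && echo "locked down"

# Pass only if the effective sshd settings (as printed by `sshd -T`) refuse root logins.
check_sshd() {
  awk 'tolower($1) == "permitrootlogin" { v = tolower($2) }
       END { if (v == "no") exit 0; exit 1 }'
}

# Pass only if ufw is active, denies incoming traffic by default, and every
# inbound ALLOW rule is limited to the Tailscale address range 100.64.0.0/10.
check_ufw() {
  awk '/^Status: active/             { active = 1 }
       /^Default: deny \(incoming\)/ { deny = 1 }
       /ALLOW IN/ { rules++; if ($NF != "100.64.0.0/10") wide = 1 }
       END { if (active && deny && rules > 0 && !wide) exit 0; exit 1 }'
}

# Constructed sample: the firewall state this guide should produce.
SAMPLE_UFW_OK='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    100.64.0.0/10'

# Constructed sample: a later "ufw allow 22/tcp" has opened SSH to the internet.
SAMPLE_UFW_OPEN="$SAMPLE_UFW_OK
22/tcp                     ALLOW IN    Anywhere"

# Constructed samples: sshd refusing root, and sshd still accepting root.
SAMPLE_SSHD_OK='port 22
permitrootlogin no'
SAMPLE_SSHD_BAD='port 22
permitrootlogin yes'

# Demo on the constructed samples (no server needed).
printf '%s\n' "$SAMPLE_UFW_OK"   | check_ufw  && echo "good firewall sample: pass"
printf '%s\n' "$SAMPLE_UFW_OPEN" | check_ufw  || echo "open firewall sample: fail (expected)"
printf '%s\n' "$SAMPLE_SSHD_BAD" | check_sshd || echo "root-login sample: fail (expected)"
```

If either check fails on the real server, keep your current SSH window open while you fix it, so you are not locked out.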
```bash
curl -fsSL https://claude.ai/install.sh | bash
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc && source ~/.bashrc
claude setup-token
```
It shows a URL. Copy it and open it in your PC's browser. Log in to Claude and approve. You'll get a short code.
Go back to the server terminal and paste the code. Press Enter.
You'll see a token like sk-ant-xxxxxxxx. This is saved automatically.
Install Node.js 22 and pnpm:
```bash
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
curl -fsSL https://get.pnpm.io/install.sh | sh - && source ~/.bashrc
```
Install Homebrew (interactive, follow the prompts):
```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
```
Configure shell and install OpenClaw:
```bash
echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> ~/.bashrc && eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
pnpm i -g openclaw
pnpm approve-builds -g
```
Press `a` (select all), then Enter, then `y` to confirm.
Run the interactive setup wizard:
```bash
openclaw onboard --install-daemon
```
The wizard guides you through configuration. Follow each screen:
| Screen | What to select |
|---|---|
| Security confirmation | Yes |
| Gateway configuration | Local (unless you need remote access) |
| Model / auth provider | Anthropic |
| Authentication | Paste your sk-ant-... token from Step 6 |
| Channel selection | Telegram → paste your Telegram bot token |
| Daemon installation | Yes (runs as background service) |
| Security defaults | Enable pairing approvals |
After onboarding, OpenClaw starts running automatically as a background service.
This lets the bot browse websites.
```bash
sudo apt update && sudo apt install -y chromium xvfb fonts-liberation libnss3 libatk-bridge2.0-0t64 libgtk-3-0t64 libxkbcommon0 libgbm1 libasound2t64
```
Restart OpenClaw:
```bash
systemctl --user restart openclaw-gateway.service
```
- Open your bot in Telegram.
- Send `/start`.
- The bot replies with a pairing code.
- On the server, run (replace CODE with your actual code):
  ```bash
  openclaw pairing approve telegram CODE
  ```

Note: Pairing codes expire after 1 hour. If the code doesn't work, send `/start` again to get a new one.
The dashboard lets you manage OpenClaw from your browser.
On your PC, open Terminal/Windows Terminal and run:
```bash
ssh -L 18789:127.0.0.1:18789 remote@TS_IP
```
Keep this window open.
On the server, run:
```bash
openclaw dashboard --no-open
```
It prints a link like `http://127.0.0.1:18789/?token=...`
Copy the full link and open it in your PC's browser.
- Open your bot in Telegram.
- Send `hi`.
- You should get a response.
Verify everything is healthy:
```bash
openclaw status
```
This shows if all services are running correctly.
Done! Your OpenClaw is running.
Check if OpenClaw is running:
```bash
systemctl --user status openclaw-gateway.service
```
View logs:
```bash
journalctl --user -u openclaw-gateway.service -n 100 --no-pager
```
Restart it:
```bash
systemctl --user restart openclaw-gateway.service
```
Make sure the SSH tunnel command is still running on your PC.
Run the browser install command from Step 9 again, then restart OpenClaw.
- Keep your tokens in a password manager.
- Always use Tailscale to connect to your server.
- Don't share your dashboard link.
- Keep secrets out of the bot's reachable filesystem.
Run security audits regularly:
```bash
openclaw security audit --deep
openclaw security audit --fix
```
Read more: https://docs.openclaw.ai/gateway/security
In the Dashboard:
- Go to Channels
- Add WhatsApp
- Scan the QR code with your phone (WhatsApp → Settings → Linked Devices)
After the bot works, you can add extra features:
```bash
openclaw configure
```
Some skills need a Gemini API key. Get one at https://aistudio.google.com/app/api-keys, then:
```bash
echo 'export GEMINI_API_KEY="YOUR_KEY"' >> ~/.bashrc && source ~/.bashrc
```
```bash
# Check if OpenClaw is running
systemctl --user status openclaw-gateway.service
# Restart OpenClaw
systemctl --user restart openclaw-gateway.service
# View logs
journalctl --user -u openclaw-gateway.service -n 100 --no-pager
# Check Tailscale
tailscale status
# Reconfigure OpenClaw
openclaw configure
```