OpenClaw Resource

Security Best Practices for Running OpenClaw on a VPS

Written by

clovecrab

in

If you’re running OpenClaw on a VPS and concerned about its security, especially when exposing its API or web interface to the internet, it’s critical to lock down your system. While OpenClaw itself is designed with security in mind, the environment it runs in often dictates the weakest link. Here, we’ll cover practical steps to harden your OpenClaw deployment on a typical Linux VPS, focusing on firewalls, user management, and secure API access.

Affiliate Disclosure: As an Amazon Associate, we earn from qualifying purchases. This means we may earn a small commission when you click our links and make a purchase on Amazon. This comes at no extra cost to you and helps support our site.

Isolating OpenClaw with a Dedicated User

Running OpenClaw directly as root or your primary user is a common mistake that can have severe implications if a vulnerability is exploited. The principle of least privilege dictates that OpenClaw should run under its own dedicated user account, with minimal permissions. This confines any potential breach to a limited scope.

First, create a new user and home directory for OpenClaw. Let’s call this user openclaw_user:

sudo adduser openclaw_user --home /opt/openclaw --shell /bin/bash

Next, switch to this user and install OpenClaw. This ensures all OpenClaw-related files and configurations are owned by openclaw_user:

sudo su - openclaw_user
git clone https://github.com/openclaw/openclaw.git .
pip install -r requirements.txt
exit

If you’ve already installed OpenClaw, you’ll need to transfer ownership. Let’s assume OpenClaw is currently in /home/youruser/openclaw. You’d move it and then change ownership:

sudo mv /home/youruser/openclaw /opt/
sudo chown -R openclaw_user:openclaw_user /opt/openclaw

Crucially, ensure that the openclaw_user does not have sudo privileges. Verify this by checking the /etc/sudoers file or the /etc/sudoers.d/ directory. If you see an entry for openclaw_user, remove it. This user should only be able to perform actions necessary for OpenClaw’s operation.

Firewalling with UFW

A firewall is your first line of defense. By default, most VPS providers offer a basic firewall, but configuring UFW (Uncomplicated Firewall) directly on the host gives you granular control. We want to allow only essential traffic: SSH for administration and the specific port OpenClaw listens on (default 8000 for its API, or 80/443 if you’re using a reverse proxy).

First, enable UFW and configure basic rules:

sudo ufw allow ssh # Or your custom SSH port, e.g., sudo ufw allow 2222/tcp
sudo ufw allow 8000/tcp # Allow OpenClaw API access
sudo ufw enable

The sudo ufw enable command will prompt you to confirm enabling the firewall. Do so carefully, as misconfiguring UFW can lock you out of your server. Always ensure SSH is allowed *before* enabling it.

If you’re using a reverse proxy like Nginx or Caddy (highly recommended for production deployments, as detailed below), OpenClaw would typically only need to listen on 127.0.0.1:8000, and the reverse proxy would handle public-facing ports 80/443. In this scenario, you would NOT expose port 8000 publicly. Instead, your UFW rules would look like this:

sudo ufw allow ssh
sudo ufw allow http # For port 80
sudo ufw allow https # For port 443
sudo ufw enable

This is a much more secure setup, as OpenClaw’s internal API is not directly exposed to the internet.

Securing API Access and UI

OpenClaw’s API and web UI often require authentication. Even if you’re not exposing the API directly to the internet, you should secure it. The OpenClaw configuration file, typically .openclaw/config.json in the user’s home directory (/opt/openclaw/.openclaw/config.json if following the dedicated user setup), is where you’d manage API keys and potentially UI authentication.

A common mistake is to hardcode API keys directly into environment variables or scripts without proper protection. OpenClaw allows you to specify API keys for different models. Ensure these keys are strong and, ideally, stored in a secrets management system, even if it’s just a file with restricted permissions. For a VPS, consider using environment variables loaded from a file owned by openclaw_user with chmod 600 permissions.

For example, in your .openclaw/config.json, you might reference environment variables:

{
  "api_keys": {
    "openai": "${OPENAI_API_KEY}",
    "anthropic": "${ANTHROPIC_API_KEY}"
  },
  "web_ui": {
    "enabled": true,
    "require_auth": true,
    "username": "admin",
    "password_hash": "pbkdf2:sha256:..."
  }
}

Then, create an environment file, say /opt/openclaw/.env:

OPENAI_API_KEY="sk-YOUR_OPENAI_KEY"
ANTHROPIC_API_KEY="sk-ant-YOUR_ANTHROPIC_KEY"

Make sure this .env file has restricted permissions:

sudo chmod 600 /opt/openclaw/.env
sudo chown openclaw_user:openclaw_user /opt/openclaw/.env

You would then modify your systemd service file (see below) to load these environment variables. The non-obvious insight here is that while OpenClaw’s docs might show direct key entry, using environment variables loaded from a securely permissioned file provides a layer of separation and makes key rotation easier without modifying the core config.

Using a Reverse Proxy with SSL/TLS

Directly exposing OpenClaw’s HTTP server is generally a bad idea for production. A reverse proxy like Nginx or Caddy offers significant benefits:

  • SSL/TLS Encryption: Encrypts all traffic between your users and OpenClaw, preventing eavesdropping. Let’s Encrypt makes this free and easy.
  • Request Filtering: Can block malicious requests before they even reach OpenClaw.
  • Load Balancing: If you ever scale to multiple OpenClaw instances.
  • Centralized Logging: Nginx/Caddy logs provide more detailed access information.

Here’s a basic Nginx configuration snippet for proxying to OpenClaw, assuming it’s running on 127.0.0.1:8000:

server {
    listen 80;
    server_name your.openclaw.domain;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Add SSL configuration after obtaining a certificate (e.g., with Certbot)
}

After setting up this Nginx config (typically in /etc/nginx/sites-available/your.openclaw.domain and symlinked to /etc/nginx/sites-enabled/), restart Nginx and then run Certbot to automatically configure SSL:

sudo systemctl restart nginx
sudo certbot --nginx -d your.openclaw.domain

This will automatically modify your Nginx configuration to use HTTPS. Ensure your UFW rules allow ports 80 and 443.

This setup works well even on VPS with limited resources (e.g., 1GB RAM) as Nginx is very lightweight. The only limitation might be if your OpenClaw instance itself is resource-intensive due to the models you’re running. A Raspberry Pi, for instance, might struggle with the combined load of OpenClaw, a reverse proxy, and a full operating system if you’re running very large language models locally.

Regular Updates and Monitoring

Security is

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts