Ubeyt Demir
Head of Technology @ EPICODE
Setting Up OpenClaw on Tailscale and Hetzner
OpenClaw is a popular, open-source, local-first autonomous AI agent designed to act as a personal assistant, created by Peter Steinberger.


In this guide, I'll walk you through how I deployed OpenClaw — my personal AI assistant — on a Hetzner VPS, secured with Tailscale for private access, and hardened the server for production use.


Why This Setup?

  • Hetzner: Affordable, reliable VPS hosting in Europe (€4.51/month for 2 vCPU/4GB)
  • Tailscale: Zero-config VPN for secure access without exposing ports to the internet
  • OpenClaw: AI assistant that helps with coding, research, and daily tasks
  • Security First: SSH hardening, fail2ban, and firewall rules from day one

Prerequisites

  • Hetzner Cloud account
  • Tailscale account
  • SSH key pair (no password auth!)
  • Basic Linux knowledge

Step 1: Provision the VPS

  1. Log into Hetzner Cloud Console

  2. Create a new project

  3. Deploy a server:

    • Location: Falkenstein (EU) or Ashburn (US)
    • Type: CX21 (2 vCPU, 4GB RAM, 40GB disk)
    • Image: Ubuntu 22.04 LTS
    • SSH Key: Add your public key (no passwords!)
    • Name: openclaw-server
  4. Note the public IP — we'll use it once, then lock it down


Step 2: Initial Server Hardening

SSH in and immediately secure the server:

```bash
ssh root@<your-server-ip>
# 1. Update system
apt update && apt upgrade -y
# 2. Create a non-root user
adduser claw
usermod -aG sudo claw
# 3. Copy SSH key to new user
mkdir -p /home/claw/.ssh
cp ~/.ssh/authorized_keys /home/claw/.ssh/
chown -R claw:claw /home/claw/.ssh
chmod 700 /home/claw/.ssh
chmod 600 /home/claw/.ssh/authorized_keys
# 4. Install and configure fail2ban
apt install -y fail2ban
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 3
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h
EOF
systemctl enable fail2ban
systemctl start fail2ban
# 5. Configure UFW firewall
apt install -y ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw --force enable
# 6. Harden SSH config. Ubuntu 22.04's sshd_config begins with
#    "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the FIRST value it
#    reads for each option, so lines appended to the end of sshd_config can be
#    overridden by the cloud-init drop-in. Use a drop-in that sorts first instead.
cat > /etc/ssh/sshd_config.d/00-hardening.conf << 'EOF'
# Security hardening
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
EOF
# Validate the config before restarting so a typo cannot lock you out
sshd -t && systemctl restart sshd
```

Exit and reconnect as the new user:

```bash
exit
ssh claw@<your-server-ip>
```

Step 3: Install Tailscale

```bash
# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
# Start and authenticate
sudo tailscale up
```

You'll get an authentication link. Open it in your browser and sign in. Once done:

```bash
# Get your Tailscale IP
tailscale ip -4
# → 100.x.x.x (save this!)
```

Lock down SSH to Tailscale only

```bash
sudo nano /etc/ssh/sshd_config
```

Change ListenAddress to only listen on Tailscale:

```bash
# Comment out: ListenAddress 0.0.0.0
# Add:         ListenAddress 100.x.x.x   (your Tailscale IP)
# Caveat: sshd will fail to start at boot if tailscaled has not brought the
# 100.x.x.x address up yet. Either keep ListenAddress at its default and rely
# on the UFW rule below, or make ssh.service start After=tailscaled.service.
```

Also update firewall:

```bash
# Remove public SSH access
sudo ufw delete allow ssh
# Allow Tailscale interface only
sudo ufw allow in on tailscale0 to any port 22
sudo systemctl restart sshd
```

From now on, only connect via Tailscale:

```bash
ssh claw@100.x.x.x
```
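Before closing your last public-IP session, confirm that Steps 2 and 3 actually took effect. The script below is an added example, not part of the original post: it checks the settings sshd is really running with (`sshd -T`), not the file you edited, because Ubuntu's `Include /etc/ssh/sshd_config.d/*.conf` means the first value sshd reads wins, and it checks that UFW no longer has a public port 22 rule. The Tailscale IP `100.64.0.10` and the sample output at the bottom are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: verify the SSH/UFW hardening is
# in effect by checking the EFFECTIVE sshd configuration and the UFW rule set.
set -u

# Hypothetical Tailscale IP; override with TS_IP=100.x.x.x on a real host.
TS_IP="${TS_IP:-100.64.0.10}"

# check_sshd_effective: reads "sshd -T" output on stdin, prints each deviation,
# returns 0 only when every expected setting matches.
check_sshd_effective() {
  local cfg key want got rc=0
  cfg=$(tr '[:upper:]' '[:lower:]')
  while IFS='=' read -r key want; do
    got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1==k {print $2; exit}')
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $key: want '$want', got '${got:-<unset>}'"
      rc=1
    fi
  done <<EOF
permitrootlogin=no
passwordauthentication=no
pubkeyauthentication=yes
x11forwarding=no
maxauthtries=3
listenaddress=$TS_IP:22
EOF
  return "$rc"
}

# check_ufw: reads "ufw status" output on stdin; fails if SSH is still allowed
# from the public side or the tailscale0-only rule is missing.
check_ufw() {
  local out
  out=$(cat)
  printf '%s\n' "$out" | grep -q '^Status: active' || { echo "ufw inactive"; return 1; }
  if printf '%s\n' "$out" | grep -qE '^22(/tcp)? +ALLOW( IN)? +Anywhere'; then
    echo "public SSH rule still present"; return 1
  fi
  printf '%s\n' "$out" | grep -qE '^22 on tailscale0 +ALLOW' || { echo "tailscale0 rule missing"; return 1; }
}

# On the server:  sudo sshd -T | check_sshd_effective && sudo ufw status | check_ufw
# Constructed sample: what sshd -T looks like when the appended lines were overridden.
printf 'permitrootlogin yes\npasswordauthentication no\npubkeyauthentication yes\nx11forwarding no\nmaxauthtries 3\nlistenaddress 0.0.0.0:22\n' \
  | check_sshd_effective || echo "hardening NOT fully applied"
```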

Step 4: Install OpenClaw

OpenClaw provides official packages. Don't clone from git — use the proper install:

```bash
# Install OpenClaw (follow official docs for your OS)
# For Ubuntu/Debian:
curl -fsSL https://openclaw.ai/install.sh | bash
# Or download directly from releases:
# https://github.com/openclaw/openclaw/releases
# Verify installation
openclaw --version
```

Run the Onboarding Wizard

```bash
# Start the interactive setup
openclaw onboard
```

The wizard will guide you through:

  • Gateway mode: Local (loopback) or remote
  • Workspace: Where your agent files live
  • Channels: Telegram, WhatsApp, Discord, etc.
  • Providers: OpenAI, Anthropic, or custom endpoints
  • Web search: Perplexity, Brave, etc.
  • Skills: Enable/disable agent skills

Quick tip: The fastest way to start chatting is the dashboard — no channel setup needed!

```bash
openclaw dashboard
```

For detailed wizard options, see:


Step 5: Configure for Tailscale Access

After onboarding, configure OpenClaw to work with your Tailscale network:

```bash
# Edit configuration
openclaw configure
```

Key settings for Tailscale:

  • Gateway bind: Set to your Tailscale IP (100.x.x.x)
  • Tailscale exposure: Enable if you want to advertise the service
  • Auth token: Generate a strong token for API access

Step 6: Start the Gateway

```bash
# Start the OpenClaw daemon
openclaw gateway start
# Check status
openclaw status
# View logs
journalctl -u openclaw -f
```

Step 7: Connect Your Clients

From your local machine (with Tailscale)

```bash
# Configure to use remote gateway
openclaw configure --gateway https://100.x.x.x:18789
# Test connection
openclaw ping
```

Telegram Bot

  1. Create a bot with @BotFather
  2. Set the webhook:

```bash
# Telegram's servers must be able to reach the webhook URL over public HTTPS.
# A Tailscale 100.x.x.x address is not routable from the internet, so this call
# only works if the gateway is also published on a public HTTPS endpoint; the
# bot's long-polling mode (getUpdates) needs no inbound connection at all.
curl -F "url=https://100.x.x.x:18789/webhook" \
  https://api.telegram.org/bot<YOUR_BOT_TOKEN>/setWebhook
```

VS Code Extension

Install the OpenClaw extension and configure:

  • Gateway URL: https://100.x.x.x:18789
  • Auth token: (from your config)

Security Benefits of This Setup

| Layer | Protection |
|---|---|
| Fail2ban | Auto-bans IPs with failed SSH attempts |
| UFW | Firewall blocks all non-essential ports |
| SSH hardening | No root, no passwords, key-only auth |
| Tailscale | Private mesh network, no public exposure |
| WireGuard | Encrypted traffic between all devices |

Monitoring & Maintenance

Check fail2ban status

```bash
sudo fail2ban-client status sshd
sudo fail2ban-client status
```

View blocked IPs

```bash
sudo zgrep "Ban" /var/log/fail2ban.log
```
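The raw `zgrep` shows every ban line; what you usually want is how often each address came back after the 24h sshd ban expired. The script below is an added example, not part of the original post: it counts bans per jail and IP from fail2ban's default log format, skipping `Unban` and `Restore Ban` lines, and lists repeat offenders. The log lines are constructed samples using documentation (TEST-NET) addresses.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: summarise fail2ban bans per IP and
# jail so repeat offenders stand out.
set -u

# ban_summary: reads fail2ban log lines on stdin, prints "count jail ip",
# most frequent first. Matches only "Ban", not "Unban" or "Restore Ban".
ban_summary() {
  awk '
    $0 ~ /\] Ban [0-9a-fA-F.:]+$/ {
      jail = $(NF-2); sub(/^\[/, "", jail); sub(/\]$/, "", jail)
      cnt[jail " " $NF]++
    }
    END { for (k in cnt) print cnt[k], k }
  ' | sort -k1,1nr -k3,3
}

# repeat_offenders: IPs banned more than N times (default 2) in any jail;
# candidates for a longer bantime or a permanent ignore/deny rule.
repeat_offenders() {
  local n="${1:-2}"
  ban_summary | awk -v n="$n" '$1 > n {print $3}' | sort -u
}

# Constructed sample log in fail2ban's default line format.
SAMPLE_LOG='2024-05-01 10:00:01,100 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 10:05:01,100 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-05-01 10:05:02,100 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-05-02 10:06:01,100 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-03 10:07:01,100 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-03 10:08:01,100 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 198.51.100.7'

# On the server (rotated logs included):  sudo zcat -f /var/log/fail2ban.log* | ban_summary
printf '%s\n' "$SAMPLE_LOG" | ban_summary
```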

Update OpenClaw

```bash
openclaw update
# or
openclaw self-update
```

Backup your workspace

```bash
tar -czf openclaw-backup-$(date +%Y%m%d).tar.gz ~/.openclaw/
```

Troubleshooting

Tailscale not connecting?

```bash
sudo tailscale status
sudo tailscale up --force-reauth
```

OpenClaw gateway won't start?

```bash
# Check logs
journalctl -u openclaw -n 100 --no-pager
# Check config is valid
openclaw config validate
```

Can't SSH after hardening?

Make sure you're connecting from a device on your Tailscale network:

```bash
# From a device WITH Tailscale
ssh claw@100.x.x.x
# Test Tailscale connection
ping 100.x.x.x
```

Cost Breakdown

| Service | Monthly Cost |
|---|---|
| Hetzner CX21 | €4.51 |
| Tailscale (free tier, 1 user) | €0 |
| Total | €4.51 |

Conclusion

You now have a production-hardened OpenClaw deployment:

  • ✅ Server secured with fail2ban + UFW + SSH hardening
  • ✅ Private network via Tailscale (no public exposure)
  • ✅ AI assistant ready to help with coding, research, and automation
  • ✅ Accessible from all your devices securely

This setup gives you enterprise-grade security for under €5/month. The combination of Hetzner's affordable VPS, Tailscale's zero-config VPN, and OpenClaw's powerful AI assistant is perfect for personal infrastructure.


Resources

Questions? Hit me up on Twitter.