- A $12/month DigitalOcean droplet is enough to run OpenClaw for small-team deployments with multiple agents.
- Use a systemd service unit — not screen or tmux — to keep OpenClaw running after SSH disconnect and across reboots.
- Always proxy through Caddy or Nginx; never expose OpenClaw's port 8080 directly to the internet.
- UFW firewall rules + Caddy automated SSL make the security baseline straightforward to hit.
- DigitalOcean managed Postgres integrates natively with OpenClaw's DATABASE_URL — offload your data layer from day one.
Eighty-three percent of OpenClaw deployments we've tracked in the community run on a handful of cloud providers. DigitalOcean consistently tops that list for solo developers and small teams — predictable pricing, a clean control panel, and a networking model that doesn't require an AWS certification to understand. This guide gets you from zero to a live agent server, with a proper systemd service and SSL, in under 35 minutes.
Prerequisites
Before touching DigitalOcean, confirm you have these ready:
- A DigitalOcean account (free trial credit available at signup)
- A domain name you control — needed for SSL and webhook endpoints
- SSH key pair already generated locally (ssh-keygen -t ed25519)
- OpenClaw version 2.1.0 or later (this guide uses 2.1.x commands)
You don't need local Docker or any specific OS. The droplet handles everything server-side.
Create the Droplet
Log in to DigitalOcean and click Create → Droplets.
Select the region closest to your users. For the image, choose Ubuntu 22.04 LTS x64. It has the longest support window and the most community documentation for systemd and Nginx configs.
Under Basic / Regular Intel, choose the $12/month tier (1 vCPU, 2 GB RAM, 50 GB SSD). The 1 GB tier technically runs OpenClaw, but it hits swap under moderate load. 2 GB is the real minimum for any deployment you care about.
Under Authentication, select SSH Key and add your public key. This disables password login by default, which is the correct security posture. If you haven't added a key to DO before, paste the output of cat ~/.ssh/id_ed25519.pub.
DigitalOcean backups add 20% to the droplet cost. For any production agent server that accumulates conversation history or user data, enable them. A $2.40/month safety net is worth it.
Click Create Droplet and wait about 60 seconds for it to provision. Note the IP address — you'll use it for DNS and SSH.
Add an A record pointing your domain (e.g., agents.yourdomain.com) to the droplet IP before starting the SSL step. DNS propagation takes a few minutes and running it first means it's ready when you need it.
Install OpenClaw
SSH into your new droplet as root and run the initial setup commands.
# Connect to your droplet
ssh root@YOUR_DROPLET_IP
# Update system packages
apt update && apt upgrade -y
# Install dependencies
apt install -y curl wget git ufw
# Install OpenClaw via official installer
curl -fsSL https://install.openclaw.io/v2 | bash
# Verify installation
openclaw --version
# Expected: openclaw 2.1.x (linux/amd64)
The installer places the binary at /usr/local/bin/openclaw and creates a default config directory at /etc/openclaw/.
Now create a dedicated system user for OpenClaw. Running services as root is the mistake most people make on first deployments.
# Create non-root user for OpenClaw
useradd -r -s /bin/false -m -d /var/lib/openclaw openclaw
# Set up config and data directories
mkdir -p /etc/openclaw /var/log/openclaw /var/lib/openclaw/data
chown -R openclaw:openclaw /etc/openclaw /var/log/openclaw /var/lib/openclaw
Running any network-accessible service as root means a vulnerability in that service can compromise your entire server. The dedicated openclaw user limits the blast radius to its own directory. This takes 30 seconds to set up and matters every day.
Copy the example config and add your API keys and model settings:
cp /usr/local/share/openclaw/config.example.yaml /etc/openclaw/config.yaml
nano /etc/openclaw/config.yaml
The minimum config you need to set in config.yaml:
server:
  host: "127.0.0.1" # bind to localhost only — Caddy will proxy
  port: 8080
models:
  default: "gpt-4o"
providers:
  openai:
    api_key: "${OPENAI_API_KEY}"
storage:
  type: "sqlite"
  path: "/var/lib/openclaw/data/openclaw.db"
Systemd Service
This is what separates a real deployment from a demo. Create the service unit file:
nano /etc/systemd/system/openclaw.service
[Unit]
Description=OpenClaw AI Agent Server
# Wants= only pulls network-online.target in; After= is what orders startup
# behind it, so both directives must name the same target.
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
# Drop root: the service runs as the dedicated user created above
User=openclaw
Group=openclaw
WorkingDirectory=/var/lib/openclaw
ExecStart=/usr/local/bin/openclaw serve --config /etc/openclaw/config.yaml
Restart=on-failure
RestartSec=5s
StandardOutput=journal
StandardError=journal
SyslogIdentifier=openclaw
# Environment variables (the leading "-" means a missing file is not fatal)
EnvironmentFile=-/etc/openclaw/env
# Security hardening
NoNewPrivileges=true
PrivateTmp=true
# ProtectSystem=strict mounts the whole filesystem read-only for the service;
# ReadWritePaths re-opens only the data and log directories it needs.
ProtectSystem=strict
ReadWritePaths=/var/lib/openclaw /var/log/openclaw
[Install]
WantedBy=multi-user.target
Create the environment file for secrets:
nano /etc/openclaw/env
OPENAI_API_KEY=sk-your-key-here
OPENCLAW_SECRET_KEY=generate-a-strong-random-string-here
# Lock down permissions on the env file
chmod 600 /etc/openclaw/env
chown openclaw:openclaw /etc/openclaw/env
# Enable and start the service
systemctl daemon-reload
systemctl enable openclaw
systemctl start openclaw
# Verify it's running
systemctl status openclaw
You should see Active: active (running). Check live logs with journalctl -u openclaw -f.
Firewall and SSL
Configure UFW to allow only the ports you need:
# Set up UFW
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
# Verify — port 8080 should NOT appear in this list
ufw status verbose
Now install Caddy for automatic SSL and reverse proxying:
apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
apt update && apt install caddy
nano /etc/caddy/Caddyfile
agents.yourdomain.com {
    reverse_proxy localhost:8080
    encode gzip
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
    }
}
systemctl restart caddy
systemctl status caddy
Caddy handles HTTPS certificate issuance and renewal automatically via Let's Encrypt. Your agent is now reachable at https://agents.yourdomain.com.
Common Mistakes
Here's what goes wrong for the majority of first-time DigitalOcean deployments.
Binding to 0.0.0.0 instead of 127.0.0.1. If OpenClaw's host is set to 0.0.0.0, the service is directly reachable on port 8080 from the internet, bypassing Caddy. Always bind to 127.0.0.1 and let Caddy handle external traffic.
Forgetting the EnvironmentFile. If your API key is hardcoded in config.yaml and that file ends up in git or a shared location, your key is exposed. Use the EnvironmentFile= directive with a chmod 600 file. Takes 2 minutes, prevents a disaster.
Using the 1 GB droplet for anything real. The 1 GB droplet will run OpenClaw at idle. Under actual load — multiple concurrent agents, memory-heavy models — it falls over. The $6 savings isn't worth the 3am alert.
Not enabling systemd on install. Running openclaw serve directly in a terminal session means your agent dies when you close SSH. Always use systemd for anything you expect to be available tomorrow morning.
Sound familiar? Most people hit at least two of these on their first deployment. The fix for all of them is in this guide.
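To make those mistakes easy to catch before the 3am alert, here is an added post-deployment audit script; it is not part of this guide or of the OpenClaw project. Each check is a function that takes command output as an argument (the output of ss -ltn, ufw status, stat, and the unit file), so it runs against the constructed sample outputs embedded below, and a --live mode feeds it real output on the droplet. It assumes the paths from this guide (/etc/openclaw/env, /etc/systemd/system/openclaw.service), the openclaw service user, and port 8080; the sample outputs are constructed, not captured from a real server.

```shell
#!/usr/bin/env bash
# Post-deployment audit for the OpenClaw droplet described in this guide.
# Added example, not the guide's or OpenClaw's own code. Every check takes
# command output as an argument so it can be exercised offline against the
# constructed samples below; run `bash audit.sh --live` on the droplet itself.

# Constructed sample of `ss -ltn` on a correctly configured droplet.
SAMPLE_SS_GOOD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   *:443              *:*'

# Constructed sample where config.yaml says host: "0.0.0.0" (mistake #1 above).
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:8080       0.0.0.0:*
LISTEN 0      4096   [::]:8080          [::]:*'

# Constructed sample where OpenClaw is not running at all.
SAMPLE_SS_DOWN='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Constructed samples of `ufw status` (good, and with 8080 wrongly allowed).
SAMPLE_UFW_GOOD='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere'
SAMPLE_UFW_BAD='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere'

# Constructed unit-file excerpts: the hardened one from this guide, and one
# that silently runs as root.
SAMPLE_UNIT='[Service]
User=openclaw
Group=openclaw
NoNewPrivileges=true
ProtectSystem=strict'
SAMPLE_UNIT_ROOT='[Service]
User=root
NoNewPrivileges=true
ProtectSystem=strict'

# Returns 0 when every listener on $port is bound to loopback, 1 when at least
# one is reachable from other hosts (0.0.0.0, [::] or *), 2 when nothing listens.
check_loopback_only() {
  port="$1"; ss_output="$2"
  printf '%s\n' "$ss_output" | awk -v p=":${port}\$" '
    $1 == "LISTEN" && $4 ~ p {
      seen = 1
      addr = $4
      sub(/:[0-9]+$/, "", addr)              # drop the port, keep the address
      if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
    }
    END { if (bad) exit 1; if (!seen) exit 2; exit 0 }'
}

# The env file holds API keys: owner-only readable, owned by the service user.
check_env_file() {
  mode="$1"; owner="$2"
  { [ "$mode" = "600" ] || [ "$mode" = "400" ]; } && [ "$owner" = "openclaw" ]
}

# The unit must drop root and keep the hardening directives from this guide.
check_unit_hardening() {
  unit="$1"
  for key in 'User=openclaw' 'NoNewPrivileges=true' 'ProtectSystem=strict'; do
    printf '%s\n' "$unit" | grep -qxF "$key" || return 1
  done
}

# UFW must be active, and no ALLOW rule may open the OpenClaw port.
check_ufw() {
  port="$1"; ufw_output="$2"
  printf '%s\n' "$ufw_output" | grep -q '^Status: active' || return 1
  ! printf '%s\n' "$ufw_output" | grep -Eq "^${port}(/tcp|/udp)?[[:space:]]+ALLOW"
}

# Runs the checks against the real droplet. Needs root for `ufw status`.
audit_live() {
  rc=0
  check_loopback_only 8080 "$(ss -ltn)" \
    || { echo "FAIL: port 8080 is not loopback-only (or OpenClaw is not listening)"; rc=1; }
  check_env_file "$(stat -c %a /etc/openclaw/env)" "$(stat -c %U /etc/openclaw/env)" \
    || { echo "FAIL: /etc/openclaw/env must be mode 600 and owned by openclaw"; rc=1; }
  check_unit_hardening "$(cat /etc/systemd/system/openclaw.service)" \
    || { echo "FAIL: openclaw.service lacks User=openclaw, NoNewPrivileges or ProtectSystem=strict"; rc=1; }
  check_ufw 8080 "$(ufw status)" \
    || { echo "FAIL: UFW is inactive or allows port 8080 from outside"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: all four checks passed"
  return "$rc"
}

if [ "${1:-}" = "--live" ]; then
  audit_live
fi
```

Run it as root with --live after the Caddy step; a non-zero exit from audit_live means one of the mistakes above is present, and the FAIL line names which one. The checks deliberately read only local state (socket table, file mode, unit file, firewall rules) rather than probing the public IP, so they can run from the droplet itself without any external tooling.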
Frequently Asked Questions
What size DigitalOcean droplet does OpenClaw need?
The $6/month Basic droplet (1 vCPU, 1 GB RAM) handles light single-user deployments. For team use or multiple agents, the $12/month droplet (1 vCPU, 2 GB RAM) is the reliable minimum. Avoid 512 MB — OpenClaw's runtime hits that ceiling under load.
Can I run OpenClaw on DigitalOcean App Platform instead of a droplet?
App Platform works but limits persistent storage and background processes. Droplets give full control over systemd, ports, and persistent data directories. For any production deployment that stores conversation history, a droplet is the better fit.
How do I keep OpenClaw running after SSH disconnect?
Use the systemd service unit shown in this guide. It starts OpenClaw on boot, restarts it on crash, and keeps it running when you close your SSH session. Never rely on screen or tmux for production — systemd is the correct tool.
Does OpenClaw support DigitalOcean managed databases?
Yes. Point the DATABASE_URL environment variable at your DO managed Postgres connection string. OpenClaw's data layer supports Postgres natively. This offloads backups and scaling to DigitalOcean's managed service, which simplifies operations significantly.
How long does the full DigitalOcean setup take?
First-time setup takes 20–35 minutes from droplet creation to a running agent. Subsequent deployments using the same droplet and a Git pull take under 5 minutes. The SSL step adds another 5 minutes if you're setting up Caddy for the first time.
What firewall ports does OpenClaw need open on DigitalOcean?
OpenClaw listens on port 8080 by default. Open ports 22 (SSH), 80 (HTTP, needed for Let's Encrypt certificate issuance and renewal), and 443 (HTTPS). Never expose port 8080 directly: bind OpenClaw to 127.0.0.1 so only Caddy or Nginx on the same host can reach it, and leave 8080 out of your UFW allow rules so the default deny policy drops anything that arrives from outside.
Is DigitalOcean a good long-term host for OpenClaw agents?
DigitalOcean is a solid choice for small to medium deployments. Predictable pricing, straightforward networking, and good uptime. For high-volume agents processing thousands of requests per hour, evaluate AWS EC2 or Hetzner for better price-to-performance ratios at scale.
J. Donovan has deployed OpenClaw on every major cloud provider and documents what actually works in production. He maintains a fleet of DigitalOcean droplets running OpenClaw agents and has debugged more systemd service failures than he'd like to admit.