@adshrc
Last active February 15, 2026 10:35
OpenClaw Docker Container without docket_setup.sh - Only using the official Docker Image (ghcr.io/openclaw/openclaw)

OpenClaw Standalone Setup

A minimal, production-ready guide to deploying OpenClaw (standalone) using Docker on a Linux-based server.

Caution

SECURITY WARNING: DO NOT EXPOSE THIS PUBLICLY WITHOUT PROTECTION

The OpenClaw Gateway is designed as an internal communication component. It should NOT be open to the public internet indiscriminately.

You MUST restrict access to your domain using one of the following methods:

  1. Cloudflare Access / Zero Trust: Put the domain behind an authentication layer. SSL is included and free (RECOMMENDED!)
  2. Firewall Rules: Allow inbound traffic on port 80/443 ONLY from your specific IP address. You will need to use allowInsecureAuth in the OpenClaw config if you want to access it without HTTPS; the Gateway Token then crosses the network unencrypted.
  3. VPN: Only allow access while connected to your private VPN. You will need to use allowInsecureAuth in the OpenClaw config if you want to access it without HTTPS.

1. Prerequisites

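Get a domain and register it on Cloudflare. You need to enable the "SSL Flexible" setting to make it work without any SSL hassle on your server. In this mode only the connection between the visitor and Cloudflare is encrypted; Cloudflare reaches your server over plain HTTP on port 80. Either change it domain-wide (on .../ssl-tls/configuration) or create a specific rule.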

⚠️ If you don't want to use Cloudflare, you will need to configure SSL yourself (e.g. with Let's Encrypt) and expose port 443 instead of 80.

Then, add an A-Record pointing your domain to your server's IP address (with Cloudflare proxy enabled).

2. OpenClaw Setup

A. Permissions

OpenClaw runs as the node user (UID 1000). We must pre-create the host volumes and assign the correct ownership, otherwise the container will crash with EACCES errors.

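# Create the host directories that are bind-mounted into the container
mkdir -p "$HOME/openclaw/workspace"
# Hand them to UID/GID 1000 (the container's node user)
chown -R 1000:1000 "$HOME/openclaw"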

B. Gateway Token

Generate a random Gateway Token using this:

export OPENCLAW_GATEWAY_TOKEN=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 32; echo '')
echo "Your Gateway Token is: $OPENCLAW_GATEWAY_TOKEN"

C. Start Container

# Publishes the gateway (container port 18789) on host port 80 of every interface
docker run -d \
  --name openclaw \
  --restart unless-stopped \
  -p 80:18789 \
  -v "$HOME/openclaw:/home/node/.openclaw" \
  -v "$HOME/openclaw/workspace:/home/node/.openclaw/workspace" \
  -e "OPENCLAW_GATEWAY_TOKEN=$OPENCLAW_GATEWAY_TOKEN" \
  ghcr.io/openclaw/openclaw:latest \
  node openclaw.mjs gateway --allow-unconfigured --bind lan

Optionally check docker logs -f openclaw to see if there are any errors.
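
For the "Firewall Rules" option in the warning above: Docker installs its own iptables rules for published ports, so rules in the host's INPUT chain (ufw included) do not filter `-p 80:18789`; Docker's documented hook for this is the DOCKER-USER chain. The following is an added example, not part of the original gist, that prints allowlist rules for review; the interface name `eth0` and the address `203.0.113.7` are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original gist. Prints iptables commands for
# review; nothing is applied. IPv4 sources only.

# usage: docker_user_rules <external-iface> <published-port> <source>...
docker_user_rules() {
  iface=$1; port=$2
  [ "$#" -ge 3 ] || { echo "usage: docker_user_rules IFACE PORT SOURCE..." >&2; return 1; }
  shift 2

  # The output is meant to be piped to a shell, so reject anything that is
  # not a plain interface name, port number or IPv4 address/CIDR.
  case "$iface" in ''|*[!A-Za-z0-9._-]*) echo "bad interface: $iface" >&2; return 1 ;; esac
  case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  for src in "$@"; do
    case "$src" in
      ''|*[!0-9./]*) echo "not an IPv4 address or CIDR: $src" >&2; return 1 ;;
    esac
  done

  # Docker DNATs 80 -> 18789 before DOCKER-USER is consulted, so match the
  # port the client originally dialled via conntrack, not --dport.
  match="-i $iface -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL"

  # -I inserts at the top of the chain: emit the DROP first so that the
  # RETURN (allow) rules inserted after it end up above it.
  echo "iptables -I DOCKER-USER $match -j DROP"
  for src in "$@"; do
    echo "iptables -I DOCKER-USER -s $src $match -j RETURN"
  done
}

# Constructed sample values: eth0 and the documentation address 203.0.113.7.
# docker_user_rules eth0 80 203.0.113.7
```

When the domain sits behind Cloudflare Access instead, the allowed sources are Cloudflare's published IP ranges rather than your own address, so the server only answers requests that passed through Access.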

3. Device pairing

  1. Open https://your-domain.com/overview
  2. Enter your newly generated Gateway Token and click Connect. You will see disconnected (1008): pairing required.
  3. Run docker exec -it openclaw node openclaw.mjs devices list and you will find a Pending request. Copy the Request UUID.
  4. Run docker exec -it openclaw node openclaw.mjs devices approve <request-uuid>
  5. Reload https://your-domain.com/overview and it should say Connected
  6. Run docker exec -it openclaw node openclaw.mjs onboard to complete the initial setup.

OpenClaw + Traefik Setup

A minimal, production-ready guide to deploying OpenClaw behind a Traefik reverse proxy using Docker.

Caution

SECURITY WARNING: DO NOT EXPOSE THIS PUBLICLY WITHOUT PROTECTION

The OpenClaw Gateway is designed as an internal communication component. It should NOT be open to the public internet indiscriminately.

You MUST restrict access to your domain using one of the following methods:

  1. Cloudflare Access / Zero Trust: Put the domain behind an authentication layer. SSL is included and free (RECOMMENDED!)
  2. Firewall Rules: Allow inbound traffic on port 80/443 ONLY from your specific IP address. You will need to use allowInsecureAuth in the OpenClaw config if you want to access it without HTTPS; the Gateway Token then crosses the network unencrypted.
  3. VPN: Only allow access while connected to your private VPN. You will need to use allowInsecureAuth in the OpenClaw config if you want to access it without HTTPS.

1. Network & Prerequisites

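Get a domain and register it on Cloudflare. You need to enable the "SSL Flexible" setting to make it work without any SSL hassle on your server. In this mode only the connection between the visitor and Cloudflare is encrypted; Cloudflare reaches your server over plain HTTP on port 80. Either change it domain-wide (on .../ssl-tls/configuration) or create a specific rule.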

⚠️ If you don't want to use Cloudflare, you will need to install an SSL certificate (e.g. with Let's Encrypt) and configure it in the Traefik config below.

Then, add the A-Records like this:

[Image: A-Records screenshot]

ℹ️ The wildcard domain (*.your-domain.com) is only needed for skills like the Devbox skill, where sandboxed containers need to register new hosts automatically. If you don't use such skills, a single A-Record for your-domain.com is sufficient.

⚠️ If you are using Cloudflare free, sub-sub-domains like *.oc.your-domain.com will not be covered by a free certificate.

Then, create a dedicated network so Traefik can route traffic to containers via internal IP addresses (avoiding exposed ports).

# Create shared network
docker network create traefik

# Create directories
mkdir -p "$HOME/traefik/dynamic"

2. Traefik Configuration

Create the static configuration file. Traefik watches the dynamic/ directory for route configs.

cat > "$HOME/traefik/traefik.yml" << 'EOF'
entryPoints:
  web:
    address: ":80"

providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true
EOF

Create the dynamic route config for OpenClaw. Replace your-domain.com with your actual domain.

cat > "$HOME/traefik/dynamic/openclaw.yml" << 'EOF'
http:
  routers:
    openclaw:
      rule: "Host(`your-domain.com`)"
      entryPoints:
        - web
      service: openclaw

  services:
    openclaw:
      loadBalancer:
        servers:
          - url: "http://openclaw:18789"
EOF

3. Start Traefik

docker run -d \
  --name traefik \
  --restart=unless-stopped \
  --network=traefik \
  -p 80:80 \
  -v "$HOME/traefik/traefik.yml:/etc/traefik/traefik.yml:ro" \
  -v "$HOME/traefik/dynamic:/etc/traefik/dynamic:ro" \
  traefik:3.6

4. OpenClaw Setup

A. Permissions

OpenClaw runs as the node user (UID 1000). We must pre-create the host volumes and assign the correct ownership, otherwise the container will crash with EACCES errors.

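# Create the host directories that are bind-mounted into the container
mkdir -p "$HOME/openclaw/workspace"
# Hand them to UID/GID 1000 (the container's node user)
chown -R 1000:1000 "$HOME/openclaw"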

B. Gateway Token

Generate a random Gateway Token using this:

export OPENCLAW_GATEWAY_TOKEN=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 32; echo '')
echo "Your Gateway Token is: $OPENCLAW_GATEWAY_TOKEN"

C. Start Container

# No -p here: the gateway is reachable only through Traefik on the shared network
docker run -d \
  --name openclaw \
  --network traefik \
  --restart unless-stopped \
  -v "$HOME/openclaw:/home/node/.openclaw" \
  -v "$HOME/openclaw/workspace:/home/node/.openclaw/workspace" \
  -e "OPENCLAW_GATEWAY_TOKEN=$OPENCLAW_GATEWAY_TOKEN" \
  ghcr.io/openclaw/openclaw:latest \
  node openclaw.mjs gateway --allow-unconfigured --bind lan

Optionally check docker logs -f openclaw to see if there are any errors.
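
In this layout only the traefik container should publish a host port; the openclaw container is reached over the internal traefik network. A check for that, as an added example that is not part of the original gist (the function names and the sample `docker ps` output are constructed):

```shell
#!/bin/sh
# Added example, not part of the original gist.

# Reads "name<TAB>ports" lines, as produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and prints "name binding" for each port published on all interfaces.
public_bindings() {
  while IFS="$(printf '\t')" read -r name ports; do
    # Bindings are comma-separated; an unpublished port looks like "18789/tcp".
    printf '%s\n' "$ports" | tr ',' '\n' | while read -r b; do
      case "$b" in
        0.0.0.0:*'->'*|:::*'->'*|'[::]:'*'->'*) printf '%s %s\n' "$name" "$b" ;;
      esac
    done
  done
}

# Succeeds only if no container other than the named proxy publishes a port
# on all interfaces; offenders are listed on stderr.
only_proxy_is_public() {
  proxy=$1
  offenders=$(public_bindings | awk -v p="$proxy" '$1 != p')
  [ -z "$offenders" ] || { printf '%s\n' "$offenders" >&2; return 1; }
}

# Constructed sample of the expected state (not captured from a real host).
sample_ps() {
  printf 'traefik\t0.0.0.0:80->80/tcp, [::]:80->80/tcp\n'
  printf 'openclaw\t18789/tcp\n'
  printf 'other\t127.0.0.1:8080->8080/tcp\n'
}

# On the server:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | only_proxy_is_public traefik
```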

5. Device pairing

  1. Open https://your-domain.com/overview
  2. Enter your newly generated Gateway Token and click Connect. You will see disconnected (1008): pairing required.
  3. Run docker exec -it openclaw node openclaw.mjs devices list and you will find a Pending request. Copy the Request UUID.
  4. Run docker exec -it openclaw node openclaw.mjs devices approve <request-uuid>
  5. Reload https://your-domain.com/overview and it should say Connected
  6. Run docker exec -it openclaw node openclaw.mjs onboard to complete the initial setup.