Of these, the second one is ruled out if you want OpenClaw to truly be a personal assistant. A personal assistant works best when it has access to your environment (your home network and devices and services in it). Of course, you want to control this access and be careful in how it is granted, but putting it on a VPS defeats the purpose here IMO.<\/p>\n\n\n\n
Deploying in a VM or LXC is definitely a good option. However, it does complicate communication and access control. Specifically, you will need to setup some way of allowing access to services to and from the VM to the rest of your machine\/networks. It also increases the friction for interacting with the OpenClaw deployment from your native environment as you deploy and tinker with it (which is pretty much going to be constant IME). However, this is a more secure deployment approach than running OpenClaw on the machine natively.<\/p>\n\n\n\n
The easiest and relatively secure option is the following:<\/p>\n\n\n\n
- \n
- Create a dedicated, unprivileged user for running the OpenClaw gateway.<\/li>\n\n\n\n
- Setup the OpenClaw as a user level service (systemd unit) that runs under this user account.<\/li>\n<\/ul>\n\n\n\n
This approach restricts the access that OpenClaw gateway has and reduces the friction in setting up access to services that you want to host. Additionally, the services you host for OpenClaw (including MCP servers) can just bind to localhost without needing to worry about the potentially increased network exposure from them.<\/p>\n\n\n\n
Here’s a simplified system diagram of the deployment and how it interacts with different services:<\/p>\n\n\n\n
![\"\"](\"https:\/\/nramkumar.org\/tech\/wp-content\/uploads\/2026\/03\/image-1-1024x682.png\")
<\/figure>\n\n\n\nSetting up an unprivileged user account<\/h2>\n\n\n\n
sudo adduser openclaw\nsudo usermod -s \/sbin\/nologin openclaw <\/code><\/pre>\n\n\n\nThis will setup an unprivileged user for running openclaw and disable login for that user. In order to act as that user, you will need to run
sudo -u openclaw \/bin\/bash<\/code> which will open an interactive shell as that user.<\/p>\n\n\n\nAfter opening the shell, follow the instructions for installing OpenClaw (and any node dependencies + node\/nvm). Run openclaw from the shell to setup the initial configuration and confirm everything works. After this we are ready to set this up as user service that runs under the
openclaw<\/code> user account.<\/p>\n\n\n\nVerify OpenClaw is working<\/h2>\n\n\n\n
Open http:\/\/localhost:18789 in a browser – you should see the OpenClaw gateway interface. If you don’t see it, double check the port number. Finally, send a message from a configured channel (WhatsApp, Discord, etc.) and confirm that OpenClaw receives it and responds. If the gateway is up but you’re not getting replies, the issue is usually the channel configuration rather than the service itself.<\/p>\n\n\n\n
Setting up a user service for OpenClaw<\/h2>\n\n\n\n
Create
\/home\/openclaw\/.config\/systemd\/user\/openclaw-gateway.service<\/code> (adjust path and other values to match your install\/needs). The PATH environment variable is just AI spew – so just trim it to what is useful for your environment. The security & sandboxing section is useful – this prevents OpenClaw from gaining new privileges and restricts some of its access (unfortunately AF_NETLINK is needed because OpenClaw at startup always tries to figure out the local IP address):<\/p>\n\n\n\n[Unit]\nDescription=OpenClaw Gateway\nAfter=network-online.target\nWants=network-online.target\n\n[Service]\nExecStart=\/home\/openclaw\/.nvm\/versions\/node\/v24.13.1\/bin\/node \/home\/openclaw\/.nvm\/versions\/node\/v24.13.1\/lib\/node_modules\/openclaw\/dist\/index.js gateway --bind loopback --port 18789\nRestart=always\nRestartSec=5\nKillMode=process\n\n# --- Security & Sandboxing (Safe for User Services) ---\nNoNewPrivileges=yes\nRestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK\nRestrictRealtime=yes\n# ------------------------------------------------------\n\nEnvironment=HOME=\/home\/openclaw\nEnvironment=TMPDIR=\/tmp\nEnvironment=PATH=\/home\/openclaw\/.nvm\/current\/bin:\/home\/openclaw\/.local\/bin:\/home\/openclaw\/.npm-global\/bin:\/home\/openclaw\/bin:\/home\/openclaw\/.volta\/bin:\/home\/openclaw\/.asdf\/shims:\/home\/openclaw\/.bun\/bin:\/home\/openclaw\/.fnm\/current\/bin:\/home\/openclaw\/.local\/share\/pnpm:\/usr\/local\/bin:\/usr\/bin:\/bin\nEnvironment=OPENCLAW_GATEWAY_PORT=18789\nEnvironment=OPENCLAW_SYSTEMD_UNIT=openclaw-gateway.service\nEnvironment=OPENCLAW_SERVICE_MARKER=openclaw\nEnvironment=OPENCLAW_SERVICE_KIND=gateway\nEnvironment=MCPORTER_CONFIG=%h\/config\/mcporter.json\n\n[Install]\nWantedBy=default.target\n<\/code><\/pre>\n\n\n\nThis sets up the systemd user service unit for OpenClaw. In order to make sure that this service will run automatically, you will need to enable it and also enable linger for the user so it starts automatically on reboot. Without linger, the user service does not run when the user is not logged in:<\/p>\n\n\n\n
systemctl --user daemon-reload\nsystemctl --user enable --now openclaw-gateway.service\nsudo loginctl enable-linger openclaw<\/code><\/pre>\n\n\n\nChecking and Debugging the service<\/h2>\n\n\n\n
You can check if the service is running via:
systemctl --user status openclaw-gateway.service<\/code><\/p>\n\n\n\nYou can look at the logs for the service in the system journal via:
journalctl -r _SYSTEMD_USER_UNIT=openclaw-gateway.service<\/code><\/p>\n\n\n\nIn future posts we will cover setting up model providers, including local model support via Ollama.<\/p>\n","protected":false},"excerpt":{"rendered":"
This post will cover setting up OpenClaw in a Home or Home Lab Linux environment. This is a continuation in the series of setting up OpenClaw as a personal assistant. There are different ways in which you can deploy OpenClaw for this use case: Of these, the second one is ruled out if you want…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-665","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/nramkumar.org\/tech\/wp-json\/wp\/v2\/posts\/665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nramkumar.org\/tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nramkumar.org\/tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nramkumar.org\/tech\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nramkumar.org\/tech\/wp-json\/wp\/v2\/comments?post=665"}],"version-history":[{"count":3,"href":"https:\/\/nramkumar.org\/tech\/wp-json\/wp\/v2\/posts\/665\/revisions"}],"predecessor-version":[{"id":672,"href":"https:\/\/nramkumar.org\/tech\/wp-json\/wp\/v2\/posts\/665\/revisions\/672"}],"wp:attachment":[{"href":"https:\/\/nramkumar.org\/tech\/wp-json\/wp\/v2\/media?parent=665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nramkumar.org\/tech\/wp-json\/wp\/v2\/categories?post=665"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nramkumar.org\/tech\/wp-json\/wp\/v2\/tags?post=665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}