This article provides step-by-step instructions to deploy OpenClaw (formerly known as Clawdbot or Moltbot) on a Spaceship Starlight Virtual Machine (VM). OpenClaw is deployed as a long-running Gateway service on the VM and administered via the CLI and Control UIWe’ll talk you through the following:
Provisioning a Starlight VM
Accessing the VM
Installing prerequisites (Node.js 22+)
Installing OpenClaw (installer recommended)
Running the onboarding wizard and installing the Gateway service
Secure remote access to the Control UI via SSH port-forwarding
Before you start deploying OpenClaw, make sure you’ve set up the following:
A Spaceship account - you can do this at spaceship.com
A provisioned Starlight Virtual Machine
Latest versions of LTS Ubuntu or Debian operating systems
Node.js version 22 or newer
OAuth or API keys as LLM credentials - make sure they’re wizard-supported for smoother setup
Channel credentials - login details for messaging channels like Slack, Telegram, Discord etc.
If you haven’t already, you can purchase a VM from our website. Setup is relatively quick, including just a few steps:
Select a plan - for reliable performance, we recommend the Standard 2 plan or higher.
Select an OS - the latest versions of LTS Ubuntu or Debian are officially supported by OpenClaw and are recommended for their stable and predictable environments.
Set a strong root password
Add an SSH key (optional)
Name your VMFor further guidance, read our guide to purchasing and accessing Starlight VMs.
Once purchased and the configuration is complete, you’ll be able to access Starlight Manager, where you can manage and modify your VM, as well as deploy OpenClaw
Get a 7-day free trial with prepaid Starlight VMs.
Now open a secure remote command-line session to your Starlight VM. This will help you install and configure OpenClaw directly on the server. Connect via SSH on port 22022 via SSH client of choice (e.g., Terminal, PuTTY).
Use the following command to check for and install any software updates:
OpenClaw requires Node.js version 22 or higher. However, Ubuntu/Debian doesn't include Node.js by default. You’ll need to add NodeSource first. Here’s a step-by-step breakdown:
Use the command below to install the tools needed to safely download files from the internet:
Add NodeSource to your system’s list of trusted sources:
Install Node.js and npm by running the following command:
Check that Node.js and npm were installed correctly:
It’s important to keep OpenClaw’s configs, auth field, and workspaces separate from the root. You can do this by adding OpenClaw as a dedicated user. This will help reduce the blast radius if OpenClaw has a bug, is misconfigured, or gets tricked by malicious input. To create a dedicated user, use the following command:
Then add that user to the sudo group:
usermod -aG sudo {UserName}
Finally, switch to that user:
We recommend treating your OpenClaw workspace like a git repo: keep it disposable and recoverable so you can roll back if the agent learns incorrect or poisoned context, e.g., through prompt injection. Where possible, avoid storing any highly sensitive credentials on the machine.
Note: The commands shown in this guide are provided as-is and match the state of the project at the time of writing. Due to recent naming updates and ongoing development, command names and options may change. For the most up-to-date and authoritative list of commands, please refer to the source.
Now that we’ve prepared the ground, it’s time to install OpenClaw. OpenClaw’s documentation recommends using the installer unless you have a specific reason not to. The installer installs the CLI globally via npm and runs onboarding by default.To run the installation script and automatically install OpenClaw, use the following command:
curl -fsSL https://openclaw.bot/install.sh | bash
OpenClaw recommends using the onboarding wizard for setup. Among other items, it configures model/auth, gateway settings, channels, pairing defaults, workspace bootstrap, and a background service (optional). Onboarding should run automatically after installation. If this doesn’t happen, or if you skipped it, rerun it with:
openclaw onboard --install-daemon
During onboarding, you will choose:
Local vs Remote gateway - choose Local for Starlight VM deployment
Auth method - OAuth or API keys
Channel credentials - WhatsApp QR login, Telegram/Discord tokens, etc. We recommend using a burner number for WhatsApp to increase safety.
Daemon/service installation - launchd/systemd depending on platform
Node is recommended and required for reliable WhatsApp/Telegram operation; Bun is not recommended for the Gateway in these cases. During onboarding, keep in mind these safety best practices:
Only grant OpenClaw access to resources you would be comfortable giving a new contractor on day one.
Do not grant OpenClaw access to high-value personal accounts like primary email, banking, or brokerage accounts.
Use a dedicated email address for any mail that OpenClaw can access, rather than your primary inbox.
Linux installs use a systemd user service, which stops by default when a user logs out, killing the gateway. Therefore, you have to enable lingering, which keeps OpenClaw’s background service running when the user is logged out. Onboarding attempts to enable lingering for you, and may prompt for sudo. However, if this doesn’t happen, you can enable lingering by running:
sudo loginctl enable-linger “$USER”
By default, OpenClaw’s Gateway is configured to bind to the loopback interface and be accessed remotely via an SSH tunnel or tailnet/VPN, rather than exposing a public port.
In Starlight Manager, open the Virtual Machine tab and click Manage to view VPS/network details, including IP address.
Avoid exposing Control UI to the internet by using SSH tunnelling to reduce the attack surface. From your laptop/workstation (not the VM), run:
ssh -N -L 18789:127.0.0.1:18789 <username>@<vm-ip> -p 22022
Where <vm-ip> is your VM public IP, <username> is the dedicated user you created on step 4.
To access OpenClaw’s private Control UI, run the following command on your VM:
This will generate a login URL (e.g., http://localhost:18789/?token=1234789) that you can enter in your browser to access the Control UI and complete onboarding.
Once finished, you can start interacting with OpenClaw in the messaging channel.
The final step is to ensure that OpenClaw works end-to-end. To send a test message, run:
openclaw message send --target +15555550123 --message "Hello from OpenClaw"
If issues occur, run and review any warnings before proceeding. Before enabling any destructive actions (e.g., deleting or overwriting files, changing user permissions), review the bot's behaviour and outputs to ensure it behaves as expected.