How to deploy OpenClaw on a Starlight Virtual Machine

This article provides step-by-step instructions to deploy OpenClaw (formerly known as Clawdbot or Moltbot) on a Spaceship Starlight Virtual Machine (VM). OpenClaw is deployed as a long-running Gateway service on the VM and administered via the CLI and Control UIWe’ll talk you through the following: 

  • Provisioning a Starlight VM

  • Accessing the VM

  • Installing prerequisites (Node.js 22+)

  • Installing OpenClaw (installer recommended)

  • Running the onboarding wizard and installing the Gateway service

  • Secure remote access to the Control UI via SSH port-forwarding                       

Getting started

Before you start deploying OpenClaw, make sure you’ve set up the following: 

  • A Spaceship account - you can do this at spaceship.com

  • A provisioned Starlight Virtual Machine

  • Latest versions of LTS Ubuntu or Debian operating systems

  • Node.js version 22 or newer

  • OAuth or API keys as LLM credentials - make sure they’re wizard-supported for smoother setup

  • Channel credentials - login details for messaging channels like Slack, Telegram, Discord etc. 

Step 1: Purchase and configure a Starlight VM

If you haven’t already, you can purchase a VM from our website. Setup is relatively quick, including just a few steps:

  1. Select a plan - for reliable performance, we recommend the Standard 2 plan or higher.

  2. Select an OS - the latest versions of LTS Ubuntu or Debian are officially supported by OpenClaw and are recommended for their stable and predictable environments.

  3. Set a strong root password

  4. Add an SSH key (optional)

  5. Name your VMFor further guidance, read our guide to purchasing and accessing Starlight VMs. 

Once purchased and the configuration is complete, you’ll be able to access Starlight Manager, where you can manage and modify your VM, as well as deploy OpenClaw 

Get a 7-day free trial with prepaid Starlight VMs.

Step 2: Access the VM SSH

Now open a secure remote command-line session to your Starlight VM. This will help you install and configure OpenClaw directly on the server. Connect via SSH on port 22022 via SSH client of choice (e.g., Terminal, PuTTY).

Step 3: Prepare the OS and install Node.js 22+

3.1 Update system packages

Use the following command to check for and install any software updates:

OpenClaw requires Node.js version 22 or higher. However, Ubuntu/Debian doesn't include Node.js by default. You’ll need to add NodeSource first. Here’s a step-by-step breakdown:

  1. Use the command below to install the tools needed to safely download files from the internet:

  2. Add NodeSource to your system’s list of trusted sources:

  3. Install Node.js and npm by running the following command:

  4. Check that Node.js and npm were installed correctly:

Step 4: Create a dedicated user for OpenClaw

It’s important to keep OpenClaw’s configs, auth field, and workspaces separate from the root. You can do this by adding OpenClaw as a dedicated user. This will help reduce the blast radius if OpenClaw has a bug, is misconfigured, or gets tricked by malicious input. To create a dedicated user, use the following command:

Then add that user to the sudo group:

usermod -aG sudo {UserName}

Finally, switch to that user:

We recommend treating your OpenClaw workspace like a git repo: keep it disposable and recoverable so you can roll back if the agent learns incorrect or poisoned context, e.g., through prompt injection. Where possible, avoid storing any highly sensitive credentials on the machine. 

Step 5: Install OpenClaw

Note: The commands shown in this guide are provided as-is and match the state of the project at the time of writing. Due to recent naming updates and ongoing development, command names and options may change. For the most up-to-date and authoritative list of commands, please refer to the source.

Now that we’ve prepared the ground, it’s time to install OpenClaw. OpenClaw’s documentation recommends using the installer unless you have a specific reason not to. The installer installs the CLI globally via npm and runs onboarding by default.To run the installation script and automatically install OpenClaw, use the following command:  

curl -fsSL https://openclaw.bot/install.sh | bash

Step 6: Run onboarding and install the Gateway service

6.1 Start onboarding

OpenClaw recommends using the onboarding wizard for setup. Among other items, it configures model/auth, gateway settings, channels, pairing defaults, workspace bootstrap, and a background service (optional). Onboarding should run automatically after installation. If this doesn’t happen, or if you skipped it, rerun it with: 

openclaw onboard --install-daemon

During onboarding, you will choose:

  • Local vs Remote gateway - choose Local for Starlight VM deployment

  • Auth method - OAuth or API keys

  • Channel credentials - WhatsApp QR login, Telegram/Discord tokens, etc. We recommend using a burner number for WhatsApp to increase safety.

  • Daemon/service installation - launchd/systemd depending on platform 

Node is recommended and required for reliable WhatsApp/Telegram operation; Bun is not recommended for the Gateway in these cases. During onboarding, keep in mind these safety best practices: 

  • Only grant OpenClaw access to resources you would be comfortable giving a new contractor on day one.

  • Do not grant OpenClaw access to high-value personal accounts like primary email, banking, or brokerage accounts.

  • Use a dedicated email address for any mail that OpenClaw can access, rather than your primary inbox. 

6.2 Enable systemd user service persistence

Linux installs use a systemd user service, which stops by default when a user logs out, killing the gateway.  Therefore, you have to enable lingering, which keeps OpenClaw’s background service running when the user is logged out.  Onboarding attempts to enable lingering for you, and may prompt for sudo. However, if this doesn’t happen, you can enable lingering by running:

sudo loginctl enable-linger “$USER

Step 7: Secure remote access to the Control UI 

By default, OpenClaw’s Gateway is configured to bind to the loopback interface and be accessed remotely via an SSH tunnel or tailnet/VPN, rather than exposing a public port.

7.1 Identify your VM’s IP

In Starlight Manager, open the Virtual Machine tab and click Manage to view VPS/network details, including IP address. 

7.2 Create an SSH tunnel from your workstation

Avoid exposing Control UI to the internet by using SSH tunnelling to reduce the attack surface. From your laptop/workstation (not the VM), run:

ssh -N -L 18789:127.0.0.1:18789 <username>@<vm-ip> -p 22022

Where <vm-ip> is your VM public IP, <username> is the dedicated user you created on step 4.

7.3 Open the Control UI locally

To access OpenClaw’s private Control UI, run the following command on your VM:

This will generate a login URL (e.g., http://localhost:18789/?token=1234789) that you can enter in your browser to access the Control UI and complete onboarding. 

Once finished, you can start interacting with OpenClaw in the messaging channel.

Step 8 — End-to-end message test

The final step is to ensure that OpenClaw works end-to-end. To send a test message, run: 

openclaw message send --target +15555550123 --message "Hello from OpenClaw"

If issues occur, run and review any warnings before proceeding. Before enabling any destructive actions (e.g., deleting or overwriting files, changing user permissions), review the bot's behaviour and outputs to ensure it behaves as expected.

A valid email is required