You just spun up a VPS and you’re ready to run OpenClaw. Before you do anything else — stop.
A fresh VPS is open to the entire internet by default. That means bots are already scanning your SSH port right now. This guide walks you through locking down your server so that only you can reach it, then setting up OpenClaw safely on top of that.
You do not need prior VPS experience. Just follow the steps in order.
If you skip security setup and go straight to running your app, you are exposing it to the public internet. Do this first, then install OpenClaw.
What We’re Building
The strategy is simple: close all public ports, and route all access through Tailscale. Tailscale is a free VPN built on WireGuard. Once set up, your VPS becomes invisible to anyone not on your private Tailscale network — no open SSH port, no exposed services, nothing to scan.
Here’s what the final setup looks like:
Internet ──✗──> VPS (nothing public)
You ──────> Tailscale network ──> VPS ✓
Prerequisites
- VPS running Ubuntu 22.04 or 24.04
- SSH access to the server (you’ll have this from your VPS console)
- A Tailscale account — sign up free at tailscale.com
- Keep your VPS console tab open — this is your recovery option if you get locked out
Step 1: Install Tailscale on the VPS
SSH into your server using the credentials your VPS provider gave you.
ssh root@YOUR_VPS_IP
Install Tailscale with the official one-liner.
curl -fsSL https://tailscale.com/install.sh | sh
Start Tailscale and authenticate.
tailscale up
This prints a URL. Open it in your browser and log in to your Tailscale account. Once authenticated, the terminal will confirm the connection.
Get your Tailscale IP — you’ll need this later.
tailscale ip -4
It will look something like 100.x.x.x. Save this somewhere.
You can also see all your devices and their Tailscale IPs at tailscale.com/admin/machines.
Step 2: Configure UFW (the Firewall)
UFW is Ubuntu’s built-in firewall. We’ll use it to block all incoming traffic except what comes through Tailscale.
Set the defaults.
sudo ufw default deny incoming
sudo ufw default allow outgoing
Add rules to allow Tailscale traffic.
# Allow traffic that's already inside the Tailscale tunnel
sudo ufw allow in on tailscale0
# Allow Tailscale to establish the tunnel in the first place
sudo ufw allow 41641/udp
allow in on tailscale0 covers traffic inside the tunnel. allow 41641/udp is the WireGuard handshake port that lets Tailscale create the tunnel. You need both.
If you plan to run OpenClaw as a web server accessible from the internet (not just from your Tailscale network), add these too.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
Enable the firewall.
sudo ufw enable
Verify it looks right.
sudo ufw status verbose
You should see deny (incoming) as the default, with your Tailscale rules listed.
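If you would rather not eyeball that output, here is a small audit script I am adding to this guide (it is not part of the original walkthrough and not OpenClaw or Tailscale code). It checks the output of sudo ufw status verbose against the Step 2 design and lists every TCP listener from sudo ss -tlnp that is bound to all interfaces, which is exactly the set of sockets that depends on the firewall to stay private (sshd with no ListenAddress line binds 0.0.0.0:22, for instance). It also covers the ufw status and ss -tlnp checks in Step 5. The two samples inside the script are constructed to look like real output; the 100.64.0.5 address and the openclaw process are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit `sudo ufw status verbose`
# and `sudo ss -tlnp` against the Step 2 design. The samples below are
# constructed; on a live server pipe the real commands in instead:
#   sudo ufw status verbose | audit_ufw
#   sudo ss -tlnp | wildcard_listeners

SAMPLE_UFW_STATUS=$(cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on tailscale0     ALLOW IN    Anywhere
41641/udp                  ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
Anywhere (v6) on tailscale0 ALLOW IN    Anywhere (v6)
41641/udp (v6)             ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
)

# Constructed ss output: sshd bound to all interfaces (what you get without a
# ListenAddress line) and a hypothetical OpenClaw listener bound only to a
# made-up Tailscale address (100.64.0.5).
SAMPLE_SS=$(cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=540,fd=14))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=912,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=912,fd=4))
LISTEN  0       4096    100.64.0.5:8080      0.0.0.0:*          users:(("openclaw",pid=1337,fd=5))
EOF
)

# unexpected_public_rules < ufw-status-verbose
# Prints the "To" column of every ALLOW IN rule reachable from the public
# internet: not bound to tailscale0 and not the 41641/udp handshake port.
# IPv4 and IPv6 twins are folded into one line. Empty output is the goal
# unless you deliberately opened 80/443.
unexpected_public_rules() {
    awk '
        /ALLOW IN/ && $0 !~ /on tailscale0/ {
            sub(/[[:space:]]+ALLOW IN.*/, "")   # keep only the "To" column
            sub(/ \(v6\)$/, "")                 # fold the v6 twin into the v4 row
            if ($1 == "41641/udp") next         # expected: WireGuard handshake
            if (!seen[$0]++) print
        }'
}

# audit_ufw < ufw-status-verbose
# Returns 0 when ufw is active, default-denies incoming traffic and carries
# both Tailscale rules; each missing piece is reported on stderr. Extra public
# rules only produce a WARN, since 80/443 may be intentional.
audit_ufw() {
    out=$(cat); rc=0
    printf '%s\n' "$out" | grep -q '^Status: active' \
        || { echo "FAIL: ufw is not active" >&2; rc=1; }
    printf '%s\n' "$out" | grep -q '^Default: deny (incoming)' \
        || { echo "FAIL: default incoming policy is not deny" >&2; rc=1; }
    printf '%s\n' "$out" | grep -q 'on tailscale0 *ALLOW IN' \
        || { echo "FAIL: missing 'ufw allow in on tailscale0'" >&2; rc=1; }
    printf '%s\n' "$out" | grep -q '^41641/udp *ALLOW IN' \
        || { echo "FAIL: missing 'ufw allow 41641/udp'" >&2; rc=1; }
    pub=$(printf '%s\n' "$out" | unexpected_public_rules | tr '\n' ' ')
    [ -n "$pub" ] && echo "WARN: publicly reachable rule(s): $pub" >&2
    return $rc
}

# wildcard_listeners < ss-tlnp
# Prints "port process" for each TCP listener bound to every interface
# (0.0.0.0, [::] or *). These sockets rely entirely on UFW dropping the
# packets, so the list should contain nothing you did not expect.
wildcard_listeners() {
    awk '
        $1 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|\[::\]|\*):/ {
            n = split($4, a, ":"); port = a[n]
            proc = $6; gsub(/.*\(\("|",.*/, "", proc)
            if (!seen[port]++) print port, proc
        }'
}

# Demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_UFW_STATUS" | audit_ufw && echo "firewall matches the Step 2 design"
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
```

On the sample above the audit passes but warns about 22/tcp, which is the kind of leftover rule you want to catch: with that rule present, the sshd socket on 0.0.0.0:22 that wildcard_listeners reports is reachable from the whole internet, not just the tunnel.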
Step 3: Lock Down SSH
Now we’ll harden SSH itself so that the only way in is a key-based login over Tailscale. Port 22 is already unreachable from the public internet thanks to the UFW rules in Step 2; this step makes sure that even over the tunnel, root and password logins are refused.
Once you restart SSH, you can only log in with your key, as a non-root user, using your Tailscale IP. Make sure:
- Tailscale is running on your VPS (you did Step 1)
- Your SSH public key is installed for a non-root user with sudo (not just a password); the config below disables root login, so a key in root’s account alone will not get you back in
- You have your VPS provider’s web console open as a fallback
If you lose access, your provider’s web console is your recovery option.
Open the SSH config file.
sudo nano /etc/ssh/sshd_config
Find and update these lines (or add them if missing).
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Save the file (Ctrl+O, Enter, Ctrl+X), then restart SSH.
sudo systemctl restart ssh
Open a new terminal and test that you can still connect — use your Tailscale IP this time.
ssh your-username@100.x.x.x
If that works, you’re good. Port 22 is now blocked from the public internet.
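One thing that login test cannot tell you: whether your edits are actually in effect. On Ubuntu 22.04 and 24.04 the stock sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so a drop-in left behind by the image (cloud-init commonly writes sshd_config.d/50-cloud-init.conf with PasswordAuthentication yes) silently beats the line you just changed further down, and your key still works either way. The real check is sudo sshd -T, which prints the effective settings. The script below is an added example of mine, not part of the original guide, that reproduces that lookup offline against a constructed copy of /etc/ssh so you can see the pitfall; the directory layout, the 50-cloud-init.conf file and the with-dropin/clean scenarios are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original guide): reproduce how sshd picks the
# effective value of a setting, then check the four Step 3 settings.
# On a real server the authoritative check is
#   sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication|pubkeyauthentication|maxauthtries'
# This script does the same lookup offline against a constructed /etc/ssh
# look-alike so the logic (and the drop-in pitfall) can be seen and tested.

# expand_sshd_config CONFIG_DIR
# Streams CONFIG_DIR/sshd_config with its `Include /etc/ssh/sshd_config.d/*.conf`
# line replaced by the matching drop-ins (sorted, as sshd does). CONFIG_DIR
# stands in for /etc/ssh so the script never reads the real files.
expand_sshd_config() {
    dir="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            [Ii]nclude*)
                pattern=${line#* }                 # text after the keyword
                for f in "$dir"/${pattern#/etc/ssh/}; do
                    [ -f "$f" ] && cat "$f"
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$dir/sshd_config"
}

# effective_sshd_value CONFIG_DIR KEYWORD
# sshd keeps the FIRST value it reads for each keyword, and Ubuntu's stock
# sshd_config has the Include line at the top, so a drop-in such as
# sshd_config.d/50-cloud-init.conf (written by cloud-init on many VPS images)
# silently wins over an edit made further down in sshd_config.
effective_sshd_value() {
    expand_sshd_config "$1" | awk -v k="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(k) { print $2; exit }'
}

# check_sshd_hardening CONFIG_DIR
# Returns 0 when the four Step 3 settings are effective, 1 otherwise, naming
# every mismatch on stderr. An absent keyword counts as a mismatch because the
# guide asks for the lines to be present explicitly.
check_sshd_hardening() {
    dir="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes MaxAuthTries=3; do
        key=${pair%=*}; want=${pair#*=}
        got=$(effective_sshd_value "$dir" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# make_sample_config DEST_DIR SCENARIO
# Constructed fixture: the edited main file from Step 3, plus (SCENARIO =
# with-dropin) a cloud-init style drop-in that re-enables passwords.
make_sample_config() {
    dest="$1"; mkdir -p "$dest/sshd_config.d"
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '# edited per Step 3' \
        'PermitRootLogin no' 'PasswordAuthentication no' \
        'PubkeyAuthentication yes' 'MaxAuthTries 3' > "$dest/sshd_config"
    if [ "$2" = "with-dropin" ]; then
        printf 'PasswordAuthentication yes\n' > "$dest/sshd_config.d/50-cloud-init.conf"
    fi
}

# Demonstration: the edit looks right in sshd_config, yet passwords stay enabled.
demo=$(mktemp -d)
make_sample_config "$demo" with-dropin
if check_sshd_hardening "$demo"; then
    echo "sshd hardening is effective"
else
    echo "a drop-in overrides sshd_config; fix it there, then re-run sudo sshd -T"
fi
rm -rf "$demo"
```

If sudo sshd -T on your own server shows passwordauthentication yes, fix the value inside the drop-in (or set it to no there) rather than adding another line to sshd_config, since lines in the main file can never win against the Include at the top.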
To avoid typing the Tailscale IP every time, add this to ~/.ssh/config on your local machine:
Host myvps
HostName 100.x.x.x
User your-username
Then you can just run ssh myvps.
Step 4: Keep the System Updated
Run updates now, before installing anything else.
sudo apt update && sudo apt upgrade -y
If you see a message about a pending kernel upgrade, reboot.
sudo reboot
Tailscale and UFW will start automatically on reboot. Give it 30 seconds, then reconnect over Tailscale.
Enable automatic security updates so you don’t have to think about this in the future.
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
Step 5: Verify Everything Looks Clean
Run these checks to confirm your setup is working correctly.
# Who is currently logged in
w
# Recent login history
last -n 20
# Failed login attempts (should be empty or very few)
sudo grep "Failed password" /var/log/auth.log | tail -20
# What ports are listening
sudo ss -tlnp
# Current firewall rules
sudo ufw status verbose
If grep "Failed password" returns nothing, that’s ideal. A handful of attempts for root or admin are normal — bots scan the internet constantly. Since nothing is publicly reachable, these attempts go nowhere.
What you want to see:
- ss -tlnp shows SSH only listening on your Tailscale IP, not 0.0.0.0
- ufw status shows deny (incoming) as default
- No repeated failed login attempts against your actual username
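The grep in the checks above only answers "any failures at all?". What you actually care about is who the attempts target and whether anyone got in from outside the tunnel, so here is an added script of mine (not part of the original guide) that summarises the sshd lines in auth.log: attempts per username with the number of distinct source addresses, a quick count for your own login name, and a list of successful logins whose source is not a Tailscale address (100.64.0.0/10, IPv4 only). Note that once PasswordAuthentication is off, bots mostly appear as "Invalid user" rather than "Failed password", so both forms are counted. The log inside the script is constructed, using TEST-NET addresses and made-up users.

```shell
#!/bin/sh
# Added example (not part of the original guide): summarise the sshd lines in
# /var/log/auth.log instead of eyeballing `grep "Failed password"`. The log
# below is constructed (TEST-NET addresses, made-up users); on a live server run
#   sudo cat /var/log/auth.log | failed_logins_by_user
#   sudo cat /var/log/auth.log | accepted_outside_tailnet

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Jan 14 03:12:01 vps sshd[2201]: Failed password for root from 203.0.113.10 port 51122 ssh2
Jan 14 03:12:05 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.10 port 51130 ssh2
Jan 14 03:13:44 vps sshd[2210]: Invalid user ubuntu from 198.51.100.7 port 40022
Jan 14 03:14:02 vps sshd[2210]: Connection closed by invalid user ubuntu 198.51.100.7 port 40022 [preauth]
Jan 14 03:20:31 vps sshd[2250]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Jan 14 03:20:35 vps sshd[2250]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Jan 14 03:21:00 vps sshd[2260]: Accepted publickey for alice from 100.64.0.9 port 53212 ssh2: ED25519 SHA256:constructed
Jan 14 03:25:10 vps sshd[2275]: Accepted publickey for alice from 203.0.113.50 port 40500 ssh2: ED25519 SHA256:constructed
EOF
)

# failed_logins_by_user < auth.log
# One line per targeted username: "user attempts distinct_source_ips",
# most attempted first. Counts "Failed password for [invalid user] X" and
# "Invalid user X"; the "Connection closed ... [preauth]" line that follows an
# invalid user is the same attempt and is not counted again.
failed_logins_by_user() {
    awk '
        function note(u, ip) { n[u]++; if (!src[u, ip]++) s[u]++ }
        function src_ip(   ip) { ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip); return ip }
        /sshd\[[0-9]+\]: Failed password for / {
            u = $0; sub(/.*Failed password for (invalid user )?/, "", u); sub(/ from .*/, "", u)
            note(u, src_ip()); next
        }
        /sshd\[[0-9]+\]: Invalid user / {
            u = $0; sub(/.*Invalid user /, "", u); sub(/ from .*/, "", u)
            note(u, src_ip()); next
        }
        END { for (u in n) printf "%s %d %d\n", u, n[u], s[u] }' | sort -k2,2nr -k1,1
}

# attempts_against USER < auth.log
# Number of failed attempts aimed at a specific username; anything above zero
# for your real login name deserves a look, since bots normally guess root/admin.
attempts_against() {
    failed_logins_by_user | awk -v me="$1" '$1 == me { c = $2 } END { print c + 0 }'
}

# accepted_outside_tailnet < auth.log
# Successful logins whose source is NOT a Tailscale address (100.64.0.0/10,
# IPv4 only here). With the firewall from Step 2 this list must be empty;
# any entry means port 22 is reachable from outside the tailnet.
accepted_outside_tailnet() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
            split(ip, o, ".")
            if (!(o[1] == 100 && o[2] >= 64 && o[2] <= 127)) print $1, $2, $3, ip
        }'
}

# Demonstration against the constructed log.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_user
echo "attempts against alice: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | attempts_against alice)"
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_outside_tailnet
```

On the sample, root/admin/ubuntu are the usual background noise, the two attempts against alice are the ones worth a second look, and the accepted login from 203.0.113.50 is the line that should never appear once the firewall is in place.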
Now Install OpenClaw
Your server is locked down. Here’s what you have:
Default: deny (incoming)
tailscale0 ALLOW IN Anywhere ← Tailscale tunnel traffic
41641/udp ALLOW IN Anywhere ← Tailscale handshake
No public SSH. No exposed services. The VPS does not respond to port scans from the internet.
You can now install OpenClaw knowing that the attack surface is minimal. If OpenClaw opens any internal ports, they’ll only be reachable over your Tailscale network unless you explicitly add a UFW rule for them.
Common Issues
Can’t connect after restarting SSH
Use your VPS provider’s web console. Log in there, check that Tailscale is running (tailscale status), and review your sshd_config for typos.
Tailscale shows as disconnected after reboot
Run sudo systemctl enable tailscaled to make sure it starts on boot, then sudo tailscale up.
UFW is blocking something it shouldn’t
Run sudo ufw status numbered to see all rules, then sudo ufw delete NUMBER to remove a specific rule.
I need to open a port for OpenClaw
If OpenClaw needs to be publicly accessible (not just from your Tailscale network), add the specific port:
sudo ufw allow 8080/tcp # replace with the actual port
Only do this if that service actually needs public access.