This weekend at 3AM. Out with friends. They were testing a prototype I’ve been working on. Someone found a bug.
I opened WhatsApp, texted my new hire about the bug. He replied in 2 mins with a plan. I approved it.
5 mins later, I told my friend: "Try again. It's fixed."
They laughed. Thought I was joking. Truth is, I was genuinely surprised it worked.
He’s not human.
I set up a VPS (a $5 computer in the cloud) with an AI agent installed. He has full shell access to the server. He can write code, run commands, manage files. He messages me on WhatsApp when he needs clarification. Just like any new hire would ask their manager.
He works 24/7. Never sleeps. Never complains.
This post is the full setup guide. Everything I did to get here.
By the end, you’ll have your own AI employee running on infrastructure you control. Not a chatbot in a browser tab. A persistent agent with its own compute, its own memory, and the ability to act on its own. Text it at midnight. Wake up to working code. Ask it to watch something and ping you when it changes.
A note on security: 42,000 OpenClaw instances got exposed last month. API keys leaked. Chat histories sitting there for anyone to grab. Most of those people thought they were building something private.
This guide does it right. Gateway binds to localhost only. Invisible to port scanners. WhatsApp connections are outbound, so no ports need to be open. SSH is the only way in, and only you have the key.
But “secure” doesn’t mean “invulnerable.” Prompt injection is unsolved. Supply chain attacks on plugins are real. We’ll cover what’s protected and what isn’t.
What You’re Building
Here’s how it works:
┌─────────────────────────────────────────────────────────────┐
│                        THE INTERNET                         │
│                              │                              │
│   ❌ Port 18789 CLOSED (firewall blocks it)                 │
│   ❌ No web dashboard exposed                               │
│   ✅ Only SSH (port 22) for you to manage                   │
│                              │                              │
│   ┌──────────────────────────▼──────────────────────────┐   │
│   │                  YOUR VPS (Ubuntu)                  │   │
│   │                                                     │   │
│   │     ┌─────────────────────────────────────────┐     │   │
│   │     │            OpenClaw Gateway             │     │   │
│   │     │        (bound to localhost only)        │     │   │
│   │     │                                         │     │   │
│   │     │  • Claude Opus 4.5 brain                │     │   │
│   │     │  • Full shell access                    │     │   │
│   │     │  • Memory across sessions               │     │   │
│   │     └─────────────────────────────────────────┘     │   │
│   │                          │                          │   │
│   │                          │ OUTBOUND connection      │   │
│   │                          ▼ (your server calls out)  │   │
│   └─────────────────────────────────────────────────────┘   │
│                              │                              │
│                              ▼                              │
│                      WhatsApp Servers                       │
│                              │                              │
│                              ▼                              │
│                         YOUR PHONE                          │
└─────────────────────────────────────────────────────────────┘
The key insight: WhatsApp connections are outbound. Your server calls WhatsApp’s servers. WhatsApp never calls you.
That means no incoming ports for the agent. Nothing for scanners to find except SSH. No exposed gateway to exploit.
What You Need
A VPS account. I use Hetzner. DigitalOcean, Vultr, Linode - all work fine.
A phone with WhatsApp. Ideally a separate number. An eSIM works great.
Claude access. Either a Pro subscription or an API key.
About 30 minutes.
Basic terminal comfort helps. But if you can copy-paste commands, you’ll be fine.
Cost
Hetzner CX22 VPS: €4.35/month (~$4.75). 2 vCPU, 4GB RAM, 40GB SSD.
Claude Pro: $20/month. Flat rate, no per-token charges.
Or use the Anthropic API. Pay per use. ~$3/million input tokens, ~$15/million output.
WhatsApp is free.
Total: under $25/month with Claude Pro.
Step 1: Generate Your SSH Key
On your local machine. Mac/Linux terminal, or PowerShell on Windows.
ssh-keygen -t ed25519 -C "openclaw-vps"
It asks for a file location. Hit Enter for the default. Or specify something like ~/.ssh/openclaw_vps.
It asks for a passphrase. Use one. This key will access a server with an AI that has shell access. The minor inconvenience of typing a passphrase is worth it.
Now grab your public key:
cat ~/.ssh/id_ed25519.pub
If you saved to a custom location:
cat ~/.ssh/openclaw_vps.pub
Copy the entire output. It looks like:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... openclaw-vps
Step 2: Create Your VPS
Cost: ~€4.35/month (~$4.75) for the recommended Hetzner CX22
I use Hetzner. Cheap, fast, data centers in Europe and the US.
Other providers work fine. DigitalOcean is $6/mo for 1GB, $12/mo for 2GB. Vultr is similar. Linode is $5/mo for 1GB.
Here’s the Hetzner setup:
Create an account at hetzner.com/cloud. Verify your email.
Before creating the server, add your SSH key. Go to Security, then SSH Keys, then Add SSH Key. Paste your public key from Step 1. Name it something like openclaw-vps.
Now create a new server. Click Add Server.
Location: Pick the closest to you. Falkenstein, Nuremberg, Helsinki, Ashburn, or Hillsboro.
Image: Ubuntu 24.04.
Type: Shared vCPU, then CX22. 2 vCPU, 4GB RAM, 40GB SSD. This is plenty.
Networking: Leave defaults. Public IPv4 + IPv6.
SSH Keys: Select the key you just added.
Name: Something like openclaw or ai-assistant.
Click Create & Buy Now.
Note your server’s IP address. It appears on the server list once created.
Server creation takes about 30 seconds.
Step 3: Connect
ssh root@YOUR_VPS_IP
If you used a custom key location:
ssh -i ~/.ssh/openclaw_vps root@YOUR_VPS_IP
You’ll see something like:
The authenticity of host '203.0.113.50' can't be established.
ED25519 key fingerprint is SHA256:abc123...
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Type yes. The full word, not just y. This trips people up.
You’re in.
Step 4: Harden the Server
Update everything:
apt update && apt upgrade -y
apt install -y curl wget git ufw
Create a non-root user. Replace deploy with whatever username you want:
adduser deploy --gecos ""
usermod -aG sudo deploy
You’ll be prompted to set a password. Pick something strong. You’ll need it for sudo commands.
Copy your SSH key to the new user:
mkdir -p /home/deploy/.ssh
cp ~/.ssh/authorized_keys /home/deploy/.ssh/
chown -R deploy:deploy /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
chmod 600 /home/deploy/.ssh/authorized_keys
Before continuing, open a new terminal on your local machine. Verify you can SSH as deploy:
ssh deploy@YOUR_VPS_IP
If you used a custom key:
ssh -i ~/.ssh/openclaw_vps deploy@YOUR_VPS_IP
If this works, you’re good. Keep your root session open for now. Go back to it.
Set up the firewall. In the root session:
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw --force enable
Check it:
ufw status
You should see SSH allowed. Everything else blocked. That’s it. No port 18789, no web dashboard port, nothing.
WhatsApp works over outbound connections. We don’t need to open anything.
Now log out of the root session:
exit
From now on, always SSH as your deploy user. Not root.
Step 5: Install OpenClaw
SSH into your VPS as the deploy user:
ssh deploy@YOUR_VPS_IP
Add -i ~/.ssh/openclaw_vps if you used a custom key path.
Run the official installer:
curl -fsSL https://openclaw.ai/install.sh | bash
This handles Node.js installation and path configuration automatically. When it finishes, reload your shell:
source ~/.bashrc
Verify:
openclaw --version
Step 6: Set Up Claude Authentication
Cost: $20/month for Claude Pro (Option A) or pay-per-use with API key (Option B)
You have two options here.
Option A: Claude Pro/Max Subscription (Recommended)
This uses your existing Claude subscription. No per-token charges. You authenticate once, and it handles token refresh automatically.
Claude Pro is $20/month. Claude Max ($100/month or $200/month) works the same way. Gives you higher rate limits if you need them.
On your local machine. Not the VPS. Open a new terminal.
Install Claude Code CLI and log in:
npm install -g @anthropic-ai/claude-code
claude login
This opens your browser. Authorize it.
Now extract and transfer the credentials securely. Still on your local machine:
# Mac - extract credentials with restricted permissions
(umask 077 && security find-generic-password -s "Claude Code-credentials" -w > /tmp/claude-creds.json)
# Linux - if you authenticated on a Linux machine
(umask 077 && cat ~/.claude/.credentials.json > /tmp/claude-creds.json)
Create the directory on your VPS and copy the credentials. Still on your local machine:
ssh deploy@YOUR_VPS_IP "mkdir -p ~/.claude && chmod 700 ~/.claude"
scp /tmp/claude-creds.json deploy@YOUR_VPS_IP:~/.claude/.credentials.json
ssh deploy@YOUR_VPS_IP "chmod 600 ~/.claude/.credentials.json"
rm /tmp/claude-creds.json
If you used a custom SSH key, add -i ~/.ssh/openclaw_vps to each ssh/scp command.
If your token expires: The refresh token handles this automatically. If it fails (rare), just repeat this process. Run claude login locally, extract, and copy again.
Option B: API Key
Simpler setup. But you pay per token.
Go to console.anthropic.com. Create an API key. You’ll enter it during onboarding (next step).
Which should you pick? If you’ll use this heavily, Pro at $20/month is cheaper than API billing. If you’re just experimenting, an API key with a spending limit is fine.
Step 7: Run the Onboarding Wizard
SSH into your VPS as deploy. If you’re not already connected:
ssh deploy@YOUR_VPS_IP
Run the onboarding wizard:
openclaw onboard --install-daemon
The wizard walks you through everything. Here’s what to select:
Gateway mode: Local. Running on this machine.
Gateway bind: Loopback (127.0.0.1). This is critical. This keeps you off Shodan.
Gateway auth: Token. Defense in depth, even on loopback.
Tailscale: Off. Unless you specifically need it.
Channel: WhatsApp. Our messaging surface.
When the wizard shows a QR code (right after you select WhatsApp):
Open WhatsApp on your phone. Go to Settings, then Linked Devices, then Link a Device. Scan the QR code. Wait for “WhatsApp linked” confirmation. About 10 seconds.
Then continue with the wizard:
WhatsApp DM policy: Pairing. Strangers must be approved.
Hooks: Enable session-memory and command-logger. Memory across sessions plus audit trail.
When it asks about auth: If you copied credentials in Step 6, select “Anthropic token (Claude Code CLI)”. It’ll detect them automatically. If you’re using an API key, select that and paste it.
The --install-daemon flag sets up a systemd service. OpenClaw runs in the background and survives reboots.
Step 8: Verify Everything Works
Check the gateway status:
openclaw gateway status
Run the health check:
openclaw health
Check the full status:
openclaw status --all
You should see: Gateway running. WhatsApp linked. Auth configured.
If the systemd service didn’t install correctly (sometimes happens on VPS), install it manually:
openclaw gateway install
If you see errors about systemd user services not being available, enable lingering:
sudo loginctl enable-linger deploy
Then try the install again.
Step 9: Test Your Digital Employee
Open WhatsApp. Send a message to yourself. Or to the number you linked.
Try these:
What server are you running on? Show me disk usage and memory.
Your AI employee should respond with actual system information from your VPS. This confirms everything’s working.
Watch this Amazon product for price drops. [paste link] Message me when it goes below $50.
It’ll write a script, schedule it to run every hour, and ping you when the price drops. You just set up price tracking via text message.
I have a business idea: a tool that converts voice memos to blog posts. Research what exists, find gaps, and write up your findings. Take your time.
Send this before bed. Wake up to a research document on your server. Your AI worked while you slept.
Monitor RSS feeds, scrape job boards, track competitor pricing, run scheduled reports. Try something. See what sticks.
If someone else messages the bot, they’ll get a pairing code. You can approve them with:
openclaw pairing list whatsapp
openclaw pairing approve whatsapp <CODE>
Or just don’t approve them. Your call.
Security: What’s Protected and What Isn’t
You’ve built something secure. But “secure” doesn’t mean “invulnerable.”
What This Setup Handles
Internet scanning. Your gateway binds to localhost. Shodan, Censys, random port scanners - they’ll find nothing on 18789. You’re invisible.
Unauthorized access. DM pairing means strangers can’t just message your bot. They get a code. Nothing happens until you approve it.
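Brute force. UFW blocks everything except SSH, and SSH only accepts your key as long as password logins are disabled in sshd (the deploy user has a password for sudo, so check PasswordAuthentication). Nothing else is exposed to brute force.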
Accidental exposure. Even if you mess up some config, the firewall is your backstop.
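A way to check these claims from the VPS itself rather than trusting the configuration, as an added example that is not from the original post or the OpenClaw project. The function names and the sample ss lines are constructed for illustration; the guide never sets sshd's PasswordAuthentication explicitly, so the last function reads the effective value from sshd -T output.

```sh
# Added example (not part of OpenClaw): check the guide's exposure claims.
# On the VPS, pipe in live data:
#   ss -H -ltn   | unexpected_listeners    # expect no output
#   sudo sshd -T | sshd_password_logins    # expect no output
GATEWAY_PORT=18789   # gateway port named in this guide
SSH_PORT=22

# stdin: `ss -H -ltn` output. Prints "port address" for every listener that
# is reachable from off-host (not bound to 127.0.0.0/8 or ::1).
exposed_listeners() {
  awk '$1 == "LISTEN" {
    addr = $4
    sub(/%[^]:]*/, "", addr)   # drop scope id: 127.0.0.53%lo:53 -> 127.0.0.53:53
    if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) next
    port = addr
    sub(/.*:/, "", port)
    print port, addr
  }'
}

# Exposed listeners other than SSH; empty output matches "only SSH is open".
unexpected_listeners() {
  exposed_listeners | awk -v ssh="$SSH_PORT" '$1 != ssh'
}

# Succeeds (exit 0) when the gateway port is bound to a non-loopback address.
gateway_exposed() {
  exposed_listeners |
    awk -v p="$GATEWAY_PORT" '$1 == p { hit = 1 } END { exit !hit }'
}

# stdin: `sshd -T` output (effective config, lowercase keys). Prints each
# password-style login method that is still enabled.
sshd_password_logins() {
  awk '$2 == "yes" &&
       $1 ~ /^(passwordauthentication|kbdinteractiveauthentication)$/ { print $1 }'
}

# Constructed sample (not from a real host): gateway bound to all interfaces.
SAMPLE_SS='LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511  0.0.0.0:18789   0.0.0.0:*
LISTEN 0 128  [::]:22         [::]:*'
if printf '%s\n' "$SAMPLE_SS" | gateway_exposed; then
  echo "gateway port $GATEWAY_PORT is reachable from the network"
fi
```

This looks at the sockets the kernel actually has open, so it catches a wrong bind setting even while UFW is masking it from the outside.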
What This Setup Does NOT Handle
Prompt injection. If your AI reads malicious content (a webpage, a forwarded message, a file), it could be manipulated into doing something you didn’t intend.
This isn’t a solved problem in AI. It’s not even close to solved.
What helps: Treat web content as hostile. Don’t have your AI “read this URL and do exactly what it says.” Be skeptical of forwarded messages.
Supply chain attacks. OpenClaw has a skills/plugins system. Third-party skills from ClawHub could be malicious. Security researchers already found crypto-stealing skills in the wild.
What helps: Don’t install skills you haven’t reviewed. Stick to built-in functionality until you understand what you’re running.
Disk access = full compromise. Your ~/.openclaw/ directory contains API keys, OAuth tokens, session logs, and WhatsApp credentials. If someone gets shell access to your server, they have everything.
What helps: Use full-disk encryption on your VPS. Keep file permissions tight. The good news: SSH key authentication (which you set up) makes unauthorized shell access extremely difficult. Protect your private key.
Your own mistakes. If you change gateway.bind to "lan" or set dmPolicy to "open", you’ve joined the 42,000. The firewall helps. But it’s not a substitute for correct configuration.
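For the "keep file permissions tight" advice under disk access above, an added example (not from the original post or the OpenClaw project) that audits the secret directories this guide names. The function names and the demo file name are constructed; it assumes GNU find and stat as shipped on the Ubuntu image from Step 2.

```sh
# Added example (not part of OpenClaw): audit the secret directories this
# guide names for entries other local users could read or that you do not own.

# $@: directories. Prints "mode uid path" for each non-symlink entry that has
# any group/other permission bit set or is owned by a different uid.
loose_secret_paths() {
  me=$(id -u)
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    find "$dir" ! -type l \( -perm /077 -o ! -uid "$me" \) \
      -exec stat -c '%a %u %n' {} +
  done
}

# Remove all group/other access below each directory, then re-audit.
# Succeeds only if nothing is left to report (foreign-owned files still fail).
tighten_secret_dirs() {
  for dir in "$@"; do
    if [ -d "$dir" ]; then
      chmod -R go-rwx "$dir"
    fi
  done
  [ -z "$(loose_secret_paths "$@")" ]
}

# Typical use on the VPS, as the deploy user:
#   loose_secret_paths ~/.openclaw ~/.claude

# Constructed demo in a throwaway directory (no real secrets involved).
demo=$(mktemp -d)
mkdir -m 700 "$demo/.openclaw"
( umask 022; echo '{}' > "$demo/.openclaw/session.log" )
loose_secret_paths "$demo/.openclaw"
if tighten_secret_dirs "$demo/.openclaw"; then
  echo "no group/other access remains"
fi
rm -rf "$demo"
```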
The Golden Rules
Never change gateway.bind from loopback. Unless you fully understand what you’re doing and why.
Never install skills without reviewing them. If you can’t read the code, don’t run it.
Run openclaw security audit periodically. It flags common misconfigurations.
Treat everything the AI reads from the web as potentially hostile.
Useful Commands
Check status:
openclaw status --all
openclaw health
View logs:
openclaw logs --follow
Restart the gateway:
openclaw gateway restart
Run security audit:
openclaw security audit
WhatsApp commands (send these in chat):
/status - Current session info
/new - Start fresh session
/compact - Compress context when things slow down
What You’ve Built
A 24/7 AI assistant. Running on infrastructure you control. With full shell access to the server. Invisible to the public internet. Accessible only through your WhatsApp. With memory that persists across conversations.
It’s not a toy chatbot. It’s closer to a remote employee who happens to be software.
What’s Next
I wanted to include the full software engineering workflow here. Coding, debugging, deployments via WhatsApp. But this post is already long enough. Once I have a repeatable workflow, I’ll write it up.
Subscribe if you want that post when it’s ready.
Learn More
For deeper customization (skills, multi-channel setups, team access, security configs), check out the OpenClaw documentation.
Hit any issues? Drop a comment below - I’ll help where I can.
OpenClaw is open-source. This guide is not affiliated with or endorsed by Anthropic. Run AI agents at your own risk - especially ones with shell access.