โก Setup Guide ยท VPS + Tailscale + Telegram
OpenClaw Zero to One
Setup Guide
Run your own always-on AI agent on a private server โ for as little as $9.99/month. This guide covers the full stack: VPS provisioning, Tailscale security, OpenClaw install, Telegram integration, and hatching your first Claw.
~$10
per month (Hetzner KVM 2)
7
setup phases
24/7
always-on agent
0
subscription bypasses needed
INSIGHT
What Makes OpenClaw Different
Key ideas from CJ Hes & Alex Lieberman's walkthrough
๐ฆ What is OpenClaw?
โผ
OpenClaw is an always-on AI agent that runs on your own server, 24/7 โ even while you sleep. Think of it as Jarvis from Iron Man: it monitors channels, executes tasks, remembers your preferences, and can orchestrate sub-agents to do complex work autonomously.
Unlike Claude.ai or ChatGPT sessions, OpenClaw persists between conversations, builds long-term memory about you, and proactively does things without you asking.
๐ Why Tailscale is Non-Negotiable
โผ
The second you spin up a VPS, bots immediately start probing it. Tailscale creates a private network overlay that makes your server invisible to the public internet โ only your devices can reach it.
โ Real Example
CJ had a dev server with nothing sensitive on it get compromised โ someone put a crypto miner on it. Tailscale prevents exactly this.
Think of it as: your VPS moves from a public street address to a gated community where only you know the address.
๐ก The Gateway โ OpenClaw's Core Innovation
โผ
The gateway is a message bus that runs 24/7 on your server. Everything flows through it:
- Inputs: Messages from you (Telegram/Discord/Slack) + messages from sub-agents
- Queue: Incoming messages wait in a queue
- Main Agent: Picks up messages, takes action, orchestrates sub-agents
- Outputs: Replies back to you + instructions to sub-agents
This is what enables true agent collaboration โ your Claw can spin up a sub-agent, they communicate through the gateway, and you get a final result.
๐ Skills vs Hooks โ Know the Difference
โผ
| Concept | What it is | Example |
|---|---|---|
| Skill | Markdown file = instructions for a specific workflow | GitHub PR flow, Notion writes, image generation |
| Hook | Code that fires when a specific event occurs | boot.md (runs on startup), command logger (records all actions) |
๐ก Pro Tip
Don't start with pre-built skills. Walk your Claw through a workflow manually 2โ3 times, then say: "Based on this workflow, make a repeatable skill for yourself." Custom > generic.
REF
Core Concepts at a Glance
| Term | What it means |
|---|---|
| Tailscale | Private network overlay โ makes VPS invisible to the public internet. Only your devices connect. |
| Gateway | The central message bus. Runs 24/7. Routes all messages between you, the Claw, and sub-agents. |
| Skills | Markdown instruction files for specific workflows (think: YouTube tutorial for your agent). |
| Hooks | Event-triggered code that fires when things happen (boot, command run, etc.). |
| Hatching | First-run onboarding. The Claw wakes up and learns who you are. |
| BotFather | Telegram's official bot for creating new Telegram bots โ used to get your bot token. |
01
VPS Setup
Spin up your server on Hetzner
โน Recommended Provider
Hetzner โ European company, reliable, great pricing. KVM 2 plan (~$9.99/mo) = 2 vCPU, 8GB RAM, 100GB NVMe. Choose Ubuntu 24.04 LTS.
Steps
1
Create a Hetzner account โ click Add Server
2
Choose Ubuntu 24.04 LTS, US East (or nearest region)
3
Select KVM 2 plan (~$9.99/mo) โ 8GB RAM recommended. 4GB works but 8GB is safer.
4
Add your SSH key during setup (this is the password between your laptop and server)
5
Give it a name (e.g. Jarvis, Ron) โ you'll be talking to it
6
Note the public IP address โ you'll need this next
โ Skip These
Volumes, firewalls, backups, placement groups โ ignore all of these during initial setup.
02
Secure the Server
Use Claude Code locally to harden and isolate via Tailscale
๐ก Use Claude Code for This
Open Claude Code locally. Paste your VPS IP + the OpenClaw setup guide. Let Claude handle the SSH commands and hardening โ this is the fastest path.
Security Layers (Apply in Order)
1
Tell Claude: "Set this up and tell me when we can SSH into the VPS" โ confirm connectivity
2
Tell Claude: "Set up Tailscale" โ Claude installs it โ approve the auth link in your browser
3
Your VPS now has a Tailscale IP โ this is your new private-only address
4
Apply hardening: SSH keys-only (no passwords), UFW firewall, fail2ban intrusion prevention, auto-updates
5
Optional: "Red team this box. Find any security flaws." โ Codex will find attack surface and suggest fixes
โน Security Principle
No single layer is bulletproof โ stack them. Tailscale โ UFW firewall โ SSH key-only โ fail2ban โ auto-updates = robust defence in depth.
03
Install OpenClaw
Install Node, OpenClaw, and run onboarding on the VPS
Steps
1
Tell Claude: "Skip security for now. Install Node and OpenClaw. Don't run onboarding."
2
SSH directly into the VPS:
ssh user@<tailscale-ip>3
Run:
openclaw onboard โ select Quick Start๐ก Why Run Onboarding Yourself?
You can't have Claude do onboarding โ you need to log into accounts (Codex, Telegram), approve redirects, and interact with the setup prompts directly. Plus, the hatching experience is fun.
ssh user@<your-tailscale-ip>
openclaw onboard
openclaw onboard
04
Connect Codex (Model Provider)
Log in with a Codex account for better rate limits and cost
Steps
1
In onboarding, choose Codex as the model provider
2
A URL appears in the terminal โ open it in your browser โ log in to your Codex account
3
Copy the redirect URL your browser shows after login โ it won't open locally
4
Paste that redirect URL back into the OpenClaw terminal โ this completes auth
5
Select model: GPT-4.5.3 Codex
โ Common Gotcha
The redirect URL after Codex login will NOT open in your local browser โ it's trying to redirect to the remote machine. Copy it and paste it into the OpenClaw terminal instead.
05
Connect Telegram
Create a bot via BotFather and link it to your Claw
Steps
1
In onboarding, select Telegram as the messaging channel
2
Open Telegram โ search for @BotFather โ start a chat
3
Send:
/newbot โ give it a display name (e.g. Ron)4
Choose a username ending in
bot (e.g. RonJohnbot) โ most short names are taken5
Copy the bot token BotFather gives you โ paste it into OpenClaw onboarding
6
Skip skills for now. Skip API keys for now. You can add these later.
06
Enable Hooks & Hatch
Install the gateway, enable memory hooks, and hatch your Claw
Steps
1
Enable ALL hooks โ especially:
boot.md (runs on startup) and command logger (records all actions for memory)2
OpenClaw installs the gateway automatically โ this is the message bus that runs 24/7
3
Run:
openclaw hatch in your terminal4
In Telegram, find your bot โ tap Start โ a pairing code appears
5
Paste the pairing code back into OpenClaw โ Telegram and terminal are now linked
๐ก Why Enable All Hooks?
Hooks are what give OpenClaw long-term memory. The command logger records everything it does โ so it can reference past actions in future sessions. This is one of OpenClaw's biggest differentiators.
07
Configure Your Claw's Identity
Give it a personality, preferences, and context about who you are
Steps
1
Dump as much about yourself as possible: who you are, your preferences, your workflows, your goals
2
Give it a personality โ example: "You are very sassy. You are opinionated and you act on those opinions."
3
Test it: say "hi" in Telegram โ same agent, different channel than your terminal
4
When it does something wrong, ask it: "Why did you do that, and what can we do so you do it right in the future?"
๐ก Building Workflows
Walk the Claw through a workflow manually 2โ3 times (e.g., GitHub PR โ preview deploy โ browser test โ ship). Then say: "Based on this workflow, make a repeatable skill for yourself."
REF
Which Model to Use
| Model | Use Case | Trade-off |
|---|---|---|
| GPT-4.5.3 Codex | Default for most use cases | High rate limits, cost-effective, no subscription bypass needed |
| Claude Opus (Anthropic API) | Complex agentic reasoning | Best quality, but expensive โ Claude Code sub token won't work here |
โ Note
Anthropic has blocked Claude Code subscription tokens from being used with OpenClaw. If you use Anthropic API, you pay full API prices. Codex avoids this entirely.
REF
Best First Use Case
The "now what?" answer โ lowest hanging fruit
๐ก CJ's Recommendation
"If you had a perfect assistant, what would they do for you?" โ That's your first use case. Start with the simplest version of task management.
The best starting point: personal assistant for email + Slack + task management.
- Monitor your Slack channels and email inbox
- Keep a self-updating task tracker
- Message you daily with your to-dos and priorities
- When it breaks, ask why โ the amount it can self-correct will surprise you
Once this runs smoothly, expand to custom workflows specific to your work โ GitHub PRs, content creation, research, client management, etc.
โ
Watch-Outs & Gaps
What to be careful about
โ Don't Use 4GB RAM
It technically works but 8GB is strongly recommended. Don't cheap out on RAM โ it's the difference between smooth operation and constant issues.
โ Don't Skip Tailscale
Your VPS gets probed by bots immediately after spin-up. Tailscale is not optional โ it's the foundation of your security.
โ Codex Redirect URL
The redirect URL after logging in to Codex will NOT open locally โ your browser is on a different machine than OpenClaw. Always copy and paste it back into the terminal.
โ "Now What?" is Real
Setup is half the battle. Many people get OpenClaw running, then stall. Have a first use case (email/Slack monitoring) queued up and ready to configure immediately after hatching.
โน What This Guide Doesn't Cover
Specific personal assistant workflow setup (email integration, Slack monitoring, task management config) โ that's a Part 2 topic. This guide gets you to zero-to-one.
โ
Complete Setup Checklist
Tick off as you go โ state saves automatically
Create Hetzner account + spin up Ubuntu 24.04 LTS, KVM 2 plan (8GB RAM)
Add SSH key during VPS setup โ note the public IP
Use Claude Code locally to SSH into the VPS and confirm access
Install Tailscale via Claude โ approve auth link โ get Tailscale IP
Apply security hardening: SSH keys-only, UFW, fail2ban, auto-updates
Install Node and OpenClaw via Claude (don't run onboarding yet)
SSH into VPS using Tailscale IP โ run
openclaw onboardChoose Codex โ log in โ copy redirect URL โ paste it into terminal
Select model: GPT-4.5.3 Codex
Select Telegram โ open @BotFather โ /newbot โ get token โ paste into OpenClaw
Skip skills and API keys for now
Enable ALL hooks (boot.md + command logger most important)
Gateway installs automatically โ run
openclaw hatchOpen your Telegram bot โ Start โ get pairing code โ paste into terminal
Configure identity: dump info about yourself, assign personality
Test: say "hi" in Telegram โ same agent should respond
Set up first use case: email/Slack monitoring + task tracker