How to Setup and Secure OpenClaw on DigitalOcean

Deploy OpenClaw (AI-powered WhatsApp/Telegram assistant) on DigitalOcean with Zero Trust security

Overview

This guide walks you through deploying OpenClaw (formerly ClawdBot and MoltBot), an AI-powered WhatsApp/Telegram assistant, on DigitalOcean using the official OpenClaw Marketplace app, then securing access to the Droplet with Twingate’s Zero Trust network access. You’ll go from zero to a production-ready AI agent platform with enterprise security in under 30 minutes.

What You’ll Build:

  • OpenClaw Gateway running on DigitalOcean Droplet
  • Secure access via Twingate (no public exposure)

Infrastructure:

  • 1 DigitalOcean Droplet with OpenClaw from Marketplace (2-4 vCPU, 4-8 GB RAM recommended)
  • Twingate Connector for secure access (no public Gateway exposure)
  • Private networking only

Who This Is For:

  • Developers wanting to self-host AI assistants
  • Teams needing secure, private AI agent infrastructure
  • Anyone moving from Tailscale to more granular access control

Time to Complete: 20-30 minutes

Note: This guide is for securing remote access to OpenClaw itself. For overall security best practices, see the OpenClaw documentation.


Architecture Overview

[DigitalOcean Droplet]
[OpenClaw Gateway] ← Node.js app on `localhost:18789`
[Claude/OpenAI APIs] ← AI providers
Security Layer:
[Twingate Connector] on same Droplet
[Twingate Cloud] enforces access policies
[Team Members] ← Twingate Client enables secure remote access
(like SSH but with Zero Trust controls)

Why Twingate? Essential for secure access to the Gateway. Provides Zero Trust security—control who accesses the Gateway, get audit logs, enforce MFA. Enables secure remote access without exposing ports or managing SSH keys.


Prerequisites

Required

  • a DigitalOcean account (sign up here)
  • a Twingate account (sign up here)
  • an SSH key added to DigitalOcean (for configuration access)
  • (optional) Terraform (for automated infrastructure deployment)

Note: With the marketplace app, manual setup via web UI is quick and straightforward. Terraform is optional for teams needing repeatable infrastructure.


Step 1: Create an OpenClaw Droplet from Marketplace (2 minutes)

1.1 Deploy from DigitalOcean Marketplace

  • Visit the OpenClaw Marketplace page
  • Click Create OpenClaw Droplet
  • Configure:
    • Size: Basic (s-2vcpu-4gb or larger recommended)
    • Region: Choose closest to your team
    • VPC: Create new VPC or use default
    • SSH Key: Add your public key
    • Hostname: openclaw-gateway
    • Enable Monitoring: ✓
    • Project Selection: If you have multiple projects available, make sure to select your preferred one rather than the default
  • Click Create Droplet

Note: Premium SSD and CPU are the default but other options are available.

What You Get:

  • Ubuntu 22.04 LTS base
  • OpenClaw pre-installed (Version 2026.1.24-1)
  • Node.js and dependencies ready
  • Ready for configuration

Note down:

  • Droplet private IP address

1.2 Alternative: Deploy via API

For automation or CI/CD:

export TOKEN="your-digitalocean-api-token"
# Create the Droplet from the OpenClaw Marketplace image (slug "openclaw")
curl -X POST "https://api.digitalocean.com/v2/droplets" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"name":"openclaw-gateway","region":"nyc3","size":"s-2vcpu-4gb","image":"openclaw"}'

Step 2: Configure OpenClaw (2 minutes)

2.1 SSH into Your Droplet

ssh root@<your-droplet-private-ip>

You will be prompted to enter an AI provider API key on first run. You can CTRL-C out or enter one now.

2.2 Configure Caddy for Private IP Only

The marketplace image includes Caddy as a reverse proxy. Configure it to only listen on the private IP:

# Get your droplet's private IP (hostname -I lists the public address first, the VPC address second)
PRIVATE_IP=$(hostname -I | awk '{print $2}')
echo "Private IP: $PRIVATE_IP"
# Optional FQDN support (e.g. openclaw-gateway.do); leave empty to skip
DOMAIN_NAME=""
# Update Caddyfile to remove public access
sudo tee /etc/caddy/Caddyfile > /dev/null <<EOF
${PRIVATE_IP} {
    reverse_proxy localhost:18789
    header X-DO-MARKETPLACE "openclaw"
}
EOF
# Append the optional FQDN site block only when DOMAIN_NAME is set
if [ -n "${DOMAIN_NAME}" ]; then
sudo tee -a /etc/caddy/Caddyfile > /dev/null <<EOF
${DOMAIN_NAME} {
    tls internal
    reverse_proxy localhost:18789
    header X-DO-MARKETPLACE "openclaw"
}
EOF
fi
# Restart Caddy
sudo systemctl restart caddy
# Verify Caddy is running
sudo systemctl status caddy

What this does: Restricts the reverse proxy to only respond on the private IP address, removing all public internet access. The gateway is now only accessible via Twingate.
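A quick way to confirm that restriction, as an added example that is not part of the guide: a POSIX shell audit that reads `ss -H -tln` output and reports any TCP listener bound beyond loopback or the private IP (the Gateway should be on 127.0.0.1:18789, Caddy on the private IP only; anything on 0.0.0.0 or [::] is what the Step 4 cloud firewall will have to block). It assumes `ss` from iproute2 (present on Ubuntu 22.04); the sample socket lines and the address 10.116.0.2 are constructed.

```shell
# Added example (not from the guide): audit which addresses TCP services on the
# Droplet are bound to. Exit 0 means only loopback/private-IP listeners exist.

# audit_listeners PRIVATE_IP   (reads `ss -H -tln` lines on stdin)
# Prints each listener not bound to 127.0.0.1, ::1 or PRIVATE_IP; exit 1 if any.
audit_listeners() {
    awk -v priv="$1" '
        $1 == "State" { next }          # tolerate output produced without -H
        {
            local_ep = $4                # e.g. 127.0.0.1:18789 or [::]:22
            n = split(local_ep, parts, ":")
            port = parts[n]
            addr = substr(local_ep, 1, length(local_ep) - length(port) - 1)
            gsub(/\[|\]/, "", addr)      # [::1] -> ::1
            if (addr == "127.0.0.1" || addr == "::1" || addr == priv) next
            print local_ep
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# On the Droplet: run the audit against live sockets. hostname -I lists the
# public address first and the VPC (private) address second on a Marketplace Droplet.
audit_droplet() {
    ss -H -tln | audit_listeners "$(hostname -I | awk '{print $2}')"
}

# Constructed sample of `ss -H -tln` output; 10.116.0.2 stands in for the private IP.
SAMPLE='LISTEN 0 4096 127.0.0.1:18789 0.0.0.0:* users:(("node",pid=1234,fd=20))
LISTEN 0 4096 10.116.0.2:443 0.0.0.0:* users:(("caddy",pid=900,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=700,fd=4))'

# Demo run on the sample: sshd is reported on 0.0.0.0:22 and [::]:22
if printf '%s\n' "$SAMPLE" | audit_listeners 10.116.0.2; then
    echo "OK: only loopback and private-IP listeners"
else
    echo "WARNING: the listeners above are bound beyond loopback/private IP"
fi
```

On the Droplet itself, call `audit_droplet`; an empty report with exit status 0 means the Gateway and Caddy are bound exactly as Step 2.2 intends.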

Checkpoint: OpenClaw is pre-configured and running, Caddy only listens on private IP. Now let’s set up secure access.

2.3 Locate your OpenClaw Gateway Token

The OpenClaw Gateway requires a token for authentication. You can find the token in the following file:

cat /opt/openclaw.env

Write down the token as you will need it for accessing the Gateway later.


Step 3: Enable Secure Access with Twingate (15 minutes)

First we’ll set up Twingate so we can access the Droplet securely, then lock down the VPC completely.

3.1 Create a Twingate Account

  • Sign up at twingate.com
  • Create Network: yourcompany.twingate.com

3.2 Deploy a Twingate Connector

  • Navigate to your Remote Networks in the Twingate Admin Console
  • Select a Remote Network or create a new one
  • Click Add Connector
  • Select the Linux installation option
  • Generate the Connector tokens (Access Token and Refresh Token)

Still SSH’d into your Droplet:

export TWINGATE_ACCESS_TOKEN="your-access-token"
export TWINGATE_REFRESH_TOKEN="your-refresh-token"
export TWINGATE_NETWORK="yourcompany" # Without .twingate.com
# Install the Connector
curl "https://binaries.twingate.com/connector/setup.sh" | \
sudo TWINGATE_ACCESS_TOKEN="$TWINGATE_ACCESS_TOKEN" \
TWINGATE_REFRESH_TOKEN="$TWINGATE_REFRESH_TOKEN" \
TWINGATE_NETWORK="$TWINGATE_NETWORK" \
TWINGATE_LABEL_DEPLOYED_BY="openclaw" \
bash
# Verify
sudo systemctl status twingate-connector

3.3 Create Twingate Resource

In Twingate Admin Console:

Resource: OpenClaw Gateway

  • Go to Resources → Add Resource
  • Configure:
    • Name: OpenClaw Gateway
    • Address: <droplet-private-ip>
  • Create Resource

Optional: Create another resource with the following:

  • Name: OpenClaw Gateway FQDN
  • Address: 127.0.0.1
  • Alias: DOMAIN_NAME (ie openclaw-gateway.do)

Note: If you have multiple Remote Networks, make sure you assign the resource to the network where the Connector is installed.

3.4 Set Resource Access

  • Go to the Resources tab
  • Select your OpenClaw Gateway resource
  • Click Add Access
  • Add the group(s) you would like to give access to the OpenClaw Gateway

3.5 Test Twingate Access

On your laptop/desktop:

  • Install the Twingate Client
  • Connect to the client with your Twingate account
  • Open OpenClaw Gateway in browser: https://<droplet-private-ip>/?token=<your-token>
  • Alternative: if you created the FQDN resource, use https://<DOMAIN_NAME>/?token=<your-token>

Note: The token is the OpenClaw Gateway token you located in Step 2.3.

How it works: Twingate enables secure remote connections to your Droplet without opening ports or running a VPN. The Connector creates an outbound connection to Twingate’s cloud, allowing you to access localhost services on the Droplet with Zero Trust policies, audit logs, and no exposed ports on your VPC.

Checkpoint: Twingate access is working! Now we can lock down the VPC.


Step 4: Lock Down the VPC (5 minutes)

Now that Twingate provides access, remove all public inbound ports for maximum security.

4.1 Configure DigitalOcean Cloud Firewall

In the DigitalOcean control panel, go to Networking → Firewalls and click Create Firewall, then configure the rules in 4.2 and 4.3 and apply the firewall to the openclaw-gateway Droplet.

4.2 Inbound Rules

Zero Inbound Rules (completely locked down):

Leave the inbound rules section empty. Do not add any rules.

Why? Twingate provides all access via outbound Connector connections. No inbound ports needed—not even SSH.

4.3 Outbound Rules

Allow All Outbound (required for API calls, Twingate, and package updates):

Type      Protocol  Port Range  Destinations
All ICMP  ICMP      All         All IPv4, All IPv6
All TCP   TCP       All         All IPv4, All IPv6
All UDP   UDP       All         All IPv4, All IPv6

4.4 Apply the Firewall

  • Click Create Firewall
  • Verify it’s applied to your Droplet

Verify Lockdown:

# From a machine WITHOUT Twingate Client - should timeout
ssh root@<droplet-public-ip>
# Expected: Connection timeout (no SSH port exposed)
# From your machine WITH Twingate Client - should work
ssh root@<droplet-private-ip>
# Expected: Connected via Twingate

Checkpoint: VPC is completely locked down. All access is via Twingate only.


Troubleshooting

Issue: Can’t connect to Gateway through Twingate

Symptoms: Timeout or connection refused

Debug Steps:

  • Verify Twingate Client is connected

    twingate status
  • Check Connector status in Admin Console

    • Should show “Connected”
    • Check last seen timestamp
  • Verify resource configuration

    • Correct IP address
    • Correct port (18789)
    • User has access policy
  • Verify SSH tunnel is open

    ssh -L 18789:127.0.0.1:18789 root@<droplet-private-ip>
  • Test from Connector host

    # SSH to Connector host
    curl http://127.0.0.1:18789/health
  • Check Gateway is listening

    # On Gateway host
    netstat -tlnp | grep 18789
    # Should show: 127.0.0.1:18789 LISTEN

Issue: Authentication failing

Symptoms: 401 Unauthorized errors

Debug Steps:

  • Verify Gateway token is set

    echo $OPENCLAW_GATEWAY_TOKEN
  • Check token in CLI command

    openclaw --url ws://<ip>:18789 --token <token> health
  • Review Gateway logs

    journalctl -u openclaw-gateway -n 100 | grep auth

Issue: Twingate Connector offline

Symptoms: Resource unreachable, Connector shows “Disconnected”

Debug Steps:

  • Check Connector service

    systemctl status twingate-connector
  • Review Connector logs

    journalctl -u twingate-connector -f
  • Verify network connectivity

    # Test Twingate Cloud connectivity
    ping <network>.twingate.com
  • Regenerate Connector tokens if needed

    • Admin Console → Connectors → Regenerate Tokens
    • Update Connector configuration
    • Restart service


Conclusion

You now have a production-ready OpenClaw deployment on DigitalOcean with:

  • Private by Default: Gateway never exposed to the internet
  • Secure Access: Twingate Zero Trust instead of SSH tunnels
  • Resource Efficient: Single Droplet runs everything
  • Observable: Full audit logs and monitoring
  • Scalable: Easy to add team members and regions

Next Steps:

  • Configure custom skills for your use case
  • Set up automated backups to DigitalOcean Spaces
  • Add more team members via Twingate
  • Explore multi-region deployment

Questions? Check the troubleshooting section or reach out on our Twingate Subreddit.


Alternative: Terraform Automation (Optional)

For repeatable, automated infrastructure deployment, use the provided Terraform configuration files in this directory.

Prerequisites

  • Install Terraform (download here)
  • Gather required credentials:
    • DigitalOcean API token
    • Twingate Connector tokens (from Twingate Admin Console)
    • SSH key fingerprint

Quick Start

  • Copy the example variables file:

    git clone https://github.com/Twingate-Community/secure-openclaw.git
    cd secure-openclaw/terraform/digitalocean
    cp terraform.tfvars.example terraform.tfvars
  • Edit terraform.tfvars with your values:

    • do_token: Your DigitalOcean API token
    • twingate_access_token: From Twingate Admin Console
    • twingate_refresh_token: From Twingate Admin Console
    • twingate_network: Your Twingate network name (without .twingate.com)
    • ssh_fingerprint: Your SSH key fingerprint from DigitalOcean
    • region, droplet_size: Customize as needed
  • Deploy:

    terraform init
    terraform plan # Review what will be created
    terraform apply # Deploy infrastructure

What Gets Created

The Terraform configuration will automatically create:

  • Firewall: Zero inbound rules, all outbound allowed
  • Droplet: Ubuntu with OpenClaw marketplace image
  • Reserved IP: Static IP address for the droplet
  • Caddy Configuration: Via cloud-init, restricts to private IP only
  • Twingate Connector: Installed and configured via cloud-init

Files Included

  • main.tf: Main infrastructure configuration
  • variables.tf: Variable definitions
  • cloud-init.yaml: Automated server configuration
  • terraform.tfvars.example: Example variables template

After Deployment

  • Get the droplet IP from Terraform outputs:

    terraform output openclaw_private_ip
  • Configure Twingate Resource (required for access):

    • Go to Twingate Admin Console
    • Navigate to Resources → Add Resource
    • Configure:
      • Name: OpenClaw Gateway
      • Address: Use the openclaw_private_ip from step 1
    • Assign the Resource to the Remote Network where the Connector was deployed.

    See Step 3.3 in the main guide above for detailed instructions.

  • Configure AI Provider: After Twingate resource is set up:

    • SSH into the droplet via Twingate
    • Follow the Model Providers documentation to configure providers
    • Restart the gateway: systemctl restart openclaw

Note: The gateway will prompt for AI provider configuration on first access if not already configured.


Appendix: Complete Terraform Example

See the reference repository for complete Infrastructure as Code for DigitalOcean:

  • terraform/digitalocean/ - Production-ready Terraform modules
  • kubernetes/digitalocean/ - DigitalOcean Kubernetes (DOKS) deployment
  • scripts/ - Utility scripts for backup, monitoring, maintenance

Includes:

  • VPC and network configuration
  • Twingate Connector / OpenClaw Gateway Droplet
  • DigitalOcean Firewall rules

Clone and deploy:

git clone https://github.com/Twingate-Community/secure-openclaw
cd secure-openclaw/terraform/digitalocean
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your values
terraform init
terraform apply

Happy deploying! 🚀