No Fluff. All Steps.
Last Updated: March 2026


OpenClaw Complete Setup
All Steps, Condensed

Copy-paste commands to deploy OpenClaw on AWS EC2, with hardening and Discord integration. This is the FULL tutorial condensed — zero to running in one go.


Prerequisites: AWS account (free tier), Discord server, ChatGPT Pro account, terminal knowledge. See the full tutorial for detailed explanation on any step.

1. AWS Account & EC2 Instance

In AWS Console:

  1. Go to aws.amazon.com → Create account
  2. EC2 Dashboard → Launch instance
  3. Name: OpenClaw
  4. AMI: Ubuntu 24.04 LTS — free tier eligible
  5. Instance Type: t3.small (free tier)
  6. Key pair: Create new → name it openclaw-key → download .pem file
  7. Network: Default VPC
  8. Security Group: Create new with these inbound rules:
    • SSH port 22 from My IP only
    • HTTP port 80 from anywhere (0.0.0.0/0)
    • HTTPS port 443 from anywhere (0.0.0.0/0)
  9. Storage: 20 GB
  10. Launch → wait for "running" status → note the Public IPv4 address

2. SSH Setup & Security Prep

On your computer:

💻 Your Computer
chmod 600 ~/Downloads/openclaw-key.pem
ssh -i ~/Downloads/openclaw-key.pem ubuntu@YOUR_PUBLIC_AWS_IP

3. Server Hardening

On EC2 (logged in as ubuntu):

Step 1: Create admin user

☁️ AWS EC2
sudo adduser clawadmin
sudo usermod -aG sudo clawadmin

Set a password and press Enter through the remaining prompts.

Step 2: Copy SSH keys to clawadmin

☁️ AWS EC2
sudo mkdir -p /home/clawadmin/.ssh
sudo cp /home/ubuntu/.ssh/authorized_keys /home/clawadmin/.ssh/
sudo chown -R clawadmin:clawadmin /home/clawadmin/.ssh
sudo chmod 700 /home/clawadmin/.ssh
sudo chmod 600 /home/clawadmin/.ssh/authorized_keys

Step 3: Test clawadmin login (NEW terminal on your computer)

💻 Your Computer — new terminal
ssh -i ~/Downloads/openclaw-key.pem clawadmin@YOUR_PUBLIC_AWS_IP

If this fails — stop and fix before continuing.

Step 4: Enable UFW firewall (logged in as clawadmin)

☁️ AWS EC2
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw enable

Type y when prompted.

Step 5: Harden SSH config

☁️ AWS EC2
sudo nano /etc/ssh/sshd_config

Find or add these lines (use Ctrl+W to search):

📝 sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers clawadmin

Save: Ctrl+O, Enter, Ctrl+X. Then restart SSH:

☁️ AWS EC2
sudo systemctl restart ssh

Step 6: Lock ubuntu user

☁️ AWS EC2
sudo usermod -L ubuntu

Step 7: Install fail2ban

☁️ AWS EC2
sudo apt update
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
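
To confirm that the Step 5 settings are the ones sshd actually applies, the check below reads the output of `sshd -T`, which reports the effective configuration after any included drop-in files are merged. It is an added example, not part of the original guide; the function name audit_sshd and both sample inputs are constructed for illustration.

```shell
# Added example, not from the original guide. On the server: sudo sshd -T | audit_sshd
# `sshd -T` prints the merged, effective config as lowercase "keyword value" lines.
audit_sshd() {
    # stdin: sshd -T output; one FAIL line per drifted setting (rc 1) or one OK line (rc 0)
    awk '
        BEGIN {
            want["permitrootlogin"] = "no"
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"] = "yes"
        }
        ($1 in want) && !($1 in seen) { seen[$1] = $2 }
        $1 == "allowusers" {
            for (i = 2; i <= NF; i++) users = (users == "" ? "" : users " ") $i
        }
        END {
            for (k in want) if (seen[k] != want[k]) {
                printf "FAIL %s is \"%s\", expected \"%s\"\n", k, seen[k], want[k]
                bad = 1
            }
            if (users != "clawadmin") {
                printf "FAIL allowusers is \"%s\", expected \"clawadmin\"\n", users
                bad = 1
            }
            if (!bad) print "OK effective sshd settings match Step 5"
            exit bad + 0
        }'
}

# Constructed sample: the Step 5 settings are in effect.
sample_hardened() {
    cat <<'EOF'
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
allowusers clawadmin
EOF
}

# Constructed sample: password logins still on, ubuntu still allowed.
sample_drifted() {
    cat <<'EOF'
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
allowusers clawadmin
allowusers ubuntu
EOF
}

sample_drifted | audit_sshd || true   # demo run on the constructed sample
```

Running `sudo sshd -t` before `sudo systemctl restart ssh` catches syntax errors in the edited file while your current session is still open.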

4. OpenClaw Installation

On EC2 (logged in as clawadmin):

Step 1: Install Node.js

OpenClaw requires Node.js 22.16+ minimum, with Node.js 24 recommended. Ubuntu's default is too old, so we pull it from NodeSource:

☁️ AWS EC2
sudo apt update
sudo apt install -y curl
curl -fsSL https://deb.nodesource.com/setup_24.x | sudo bash -
sudo apt install -y nodejs
node --version   # should be v24.x.x

Step 2: Install OpenClaw globally

☁️ AWS EC2
sudo npm install -g openclaw@latest
openclaw --version

Step 3: Run the onboarding wizard

☁️ AWS EC2
openclaw onboard --install-daemon

Answer the prompts:

  • Safety: Yes
  • Mode: QuickStart
  • Provider: OpenAI
  • Auth method: OpenAI Codex (ChatGPT OAuth)
  • OAuth URL: Copy URL shown → paste in browser → authorize with ChatGPT account
  • After authorization: Browser shows an error with http://localhost:1455/auth/callback?code=... in address bar — copy that full URL immediately (60-second expiry)
  • Paste URL back: Paste the full localhost redirect URL back into terminal
  • Channel: Skip for now
  • Skills / Hooks: Skip / No
  • Daemon: Accept — installs OpenClaw as a systemd service

When the wizard finishes, you'll see this in the terminal:

☁️ AWS EC2 — expected output
◇  Dashboard ready ────────────────────────────────────────────────────────────
│
│  Dashboard link (with token):
│  http://127.0.0.1:18789/#token=ab37129468a6d80013f79e1ec8b708256ee57fb32
│
╰──────────────────────────────────────────────────────────────────────────────

Save that token — you'll need it soon.

Step 4: Fix config for remote access

By default OpenClaw binds to loopback only. Change bind to lan and add a controlUi block that allows insecure auth over HTTP.

Here's what the gateway section looks like before any changes:

📝 ~/.openclaw/openclaw.json — before editing
"gateway": {
    "port": 18789,
    "mode": "local",
    "bind": "loopback",
    "auth": { ... },
    "tailscale": {
      "mode": "off",
      "resetOnExit": false
    },

4a. Open config
nano ~/.openclaw/openclaw.json

4b. Change bind
Find "bind": "loopback" and change to "bind": "lan"

4c. Add controlUi
After the closing } of the "tailscale" block, add a comma then: "controlUi": { "allowInsecureAuth": true }

4d. Save & exit
Ctrl+O, Enter, then Ctrl+X

Your gateway section should look like this when done:

📝 ~/.openclaw/openclaw.json — gateway section after
"gateway": {
    "port": 18789,
    "mode": "local",
    "bind": "lan",
    "auth": { ... },
    "tailscale": {
      "mode": "off",
      "resetOnExit": false
    },
    "controlUi": {
      "allowInsecureAuth": true
    },

JSON formatting matters — a lot. Every brace, quote, and comma must be exactly right. A single missing comma before "controlUi" will prevent OpenClaw from starting. If it won't come up after this step, that's the first thing to check.

Step 5: Open port 18789

First, find your home IP on your computer:

💻 Your Computer
curl ifconfig.me

Then on the server:

☁️ AWS EC2
sudo ufw allow from YOUR_HOME_IP to any port 18789

Also add in AWS Security Group: Custom TCP | Port 18789 | Source: My IP → Save rules.

Step 6: Restart and access the Control UI

☁️ AWS EC2
openclaw gateway restart

Then in your browser:

🌐 Browser
http://YOUR_SERVER_PUBLIC_IP:18789/#token=YOUR_LONG_TOKEN_HERE
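
Because this setup serves the Control UI over plain HTTP, the source restrictions from Step 5 are what keep port 18789 from being reachable by everyone. The check below, an added example that is not part of the original guide, reads plain `ufw status` output and flags any rule that allows the port from Anywhere; the function name gateway_exposure, the sample rule listings and the address 203.0.113.7 are constructed.

```shell
# Added example, not from the original guide. On the server:
#   sudo ufw status | gateway_exposure 18789
gateway_exposure() {
    # $1: port to check. stdin: plain (non-verbose) `ufw status` output.
    # rc 0: every ALLOW rule for the port names a source address
    # rc 1: the port is allowed from Anywhere (offending rules are printed)
    # rc 2: ufw is not active, or it has no ALLOW rule for the port
    awk -v port="$1" '
        $1 == "Status:" { active = ($2 == "active") }
        {
            split($1, to, "/")              # "22/tcp" -> "22"
            if (to[1] != port) next
            for (i = 2; i < NF; i++) if ($i == "ALLOW") {
                nrules++
                if ($(i + 1) == "Anywhere") { printf "EXPOSED %s\n", $0; nwide++ }
            }
        }
        END {
            if (!active || !nrules) exit 2
            exit (nwide ? 1 : 0)
        }'
}

# Constructed sample: rule created as in Step 5 (203.0.113.7 is a documentation address).
sample_restricted() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
18789                      ALLOW       203.0.113.7
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

# Constructed sample: the port was opened without a source restriction.
sample_open() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
18789                      ALLOW       Anywhere
18789 (v6)                 ALLOW       Anywhere (v6)
EOF
}

sample_open | gateway_exposure 18789 || true   # demo run on the constructed sample
```

The AWS Security Group rule for port 18789 is a separate filter and is not covered by this check.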

5. Discord Setup

In Discord and Discord Developer Portal:

Step 1: Create a private Discord server

Make a new server on Discord (or use an existing one) that only you can access.

Step 2: Create Discord application and bot

  1. Go to Discord Developer Portal
  2. New Application → name it OpenClaw
  3. Go to Bot tab → Add Bot
  4. Under TOKEN, click Copy and save this token

Step 3: Enable required intents

  1. Still on Bot page, scroll to "Privileged Gateway Intents"
  2. Enable: Message Content Intent and Server Members Intent

Step 4: Generate OAuth invite link

  1. OAuth2 → URL Generator
  2. Scopes: select bot
  3. Permissions: Send Messages, Read Messages, Read Message History
  4. Copy the generated URL, paste in browser, select your Discord server

Step 5: Add Discord token to OpenClaw config

☁️ AWS EC2
nano ~/.openclaw/openclaw.json

Use Ctrl+W to search for "gateway". After the closing brace of the gateway block, add a comma and then this channels block with your Discord bot token:

📝 openclaw.json
  "channels": {
    "discord": {
      "enabled": true,
      "token": "YOUR_BOT_TOKEN_FROM_STEP_2",
      "dm": {
        "enabled": true,
        "policy": "pairing"
      }
    }
  },

Important: Make sure there's a comma after the gateway block's closing brace before adding this. Save: Ctrl+O, Enter, Ctrl+X.

Step 6: Restart OpenClaw

☁️ AWS EC2
openclaw gateway restart

Wait 15–20 seconds, then go to Discord and message the bot — it should respond!

6. Security Best Practices

You've already done the most important things: key-only SSH and IP-restricted access. Continue with:

  • Keep updated: Run openclaw update regularly
  • Keep OS updated: Run sudo apt update && sudo apt upgrade regularly
  • Limit message access: Only allow trusted users to message your bot
  • Monitor logs: Check openclaw logs --follow regularly
  • Treat external content as hostile: Don't let the bot execute arbitrary code from untrusted sources
  • No secrets on the filesystem: Don't store API keys, passwords, or sensitive data where the agent can read them
  • Keep backups: Regularly backup ~/.openclaw/

Read the full Prompt Injection section for detailed security hardening.

Done! You have a hardened, Discord-connected OpenClaw instance running on AWS EC2. Read the full tutorial for deeper explanations and advanced configuration.