OpenClaw on Oracle Cloud (OCI)
Goal
Run a persistent OpenClaw Gateway on Oracle Cloud’s Always Free ARM tier. Oracle’s free tier can be a great fit for OpenClaw (especially if you already have an OCI account), but it comes with tradeoffs:- ARM architecture (most things work, but some binaries may be x86-only)
- Capacity and signup can be finicky
Cost Comparison (2026)
Prerequisites
- Oracle Cloud account (signup) — see community signup guide if you hit issues
- Tailscale account (free at tailscale.com)
- ~30 minutes
1) Create an OCI Instance
- Log into Oracle Cloud Console
- Navigate to Compute → Instances → Create Instance
- Configure:
- Name:
openclaw - Image: Ubuntu 24.04 (aarch64)
- Shape:
VM.Standard.A1.Flex(Ampere ARM) - OCPUs: 2 (or up to 4)
- Memory: 12 GB (or up to 24 GB)
- Boot volume: 50 GB (up to 200 GB free)
- SSH key: Add your public key
- Name:
- Click Create
- Note the public IP address
2) Connect and Update
build-essential is required for ARM compilation of some dependencies.
3) Configure User and Hostname
4) Install Tailscale
ssh openclaw from any device on your tailnet — no public IP needed.
Verify:
ssh ubuntu@openclaw (or use the Tailscale IP).
5) Install OpenClaw
Note: If you hit ARM-native build issues, start with system packages (e.g. sudo apt install -y build-essential) before reaching for Homebrew.
6) Configure Gateway (loopback + token auth) and enable Tailscale Serve
Use token auth as the default. It’s predictable and avoids needing any “insecure auth” Control UI flags.7) Verify
8) Lock Down VCN Security
Now that everything is working, lock down the VCN to block all traffic except Tailscale. OCI’s Virtual Cloud Network acts as a firewall at the network edge — traffic is blocked before it reaches your instance.- Go to Networking → Virtual Cloud Networks in the OCI Console
- Click your VCN → Security Lists → Default Security List
- Remove all ingress rules except:
0.0.0.0/0 UDP 41641(Tailscale)
- Keep default egress rules (allow all outbound)
Access the Control UI
From any device on your Tailscale network:<tailnet-name> with your tailnet name (visible in tailscale status).
No SSH tunnel needed. Tailscale provides:
- HTTPS encryption (automatic certs)
- Authentication via Tailscale identity
- Access from any device on your tailnet (laptop, phone, etc.)
Security: VCN + Tailscale (recommended baseline)
With the VCN locked down (only UDP 41641 open) and the Gateway bound to loopback, you get strong defense-in-depth: public traffic is blocked at the network edge, and admin access happens over your tailnet. This setup often removes the need for extra host-based firewall rules purely to stop Internet-wide SSH brute force — but you should still keep the OS updated, runopenclaw security audit, and verify you aren’t accidentally listening on public interfaces.
What’s Already Protected
Still Recommended
- Credential permissions:
chmod 700 ~/.openclaw - Security audit:
openclaw security audit - System updates:
sudo apt update && sudo apt upgraderegularly - Monitor Tailscale: Review devices in Tailscale admin console
Verify Security Posture
Fallback: SSH Tunnel
If Tailscale Serve isn’t working, use an SSH tunnel:http://localhost:18789.
Troubleshooting
Instance creation fails (“Out of capacity”)
Free tier ARM instances are popular. Try:- Different availability domain
- Retry during off-peak hours (early morning)
- Use the “Always Free” filter when selecting shape
Tailscale won’t connect
Gateway won’t start
Can’t reach Control UI
ARM binary issues
Some tools may not have ARM builds. Check:linux-arm64 or aarch64 releases.
Persistence
All state lives in:~/.openclaw/— config, credentials, session data~/.openclaw/workspace/— workspace (SOUL.md, memory, artifacts)
See Also
- Gateway remote access — other remote access patterns
- Tailscale integration — full Tailscale docs
- Gateway configuration — all config options
- DigitalOcean guide — if you want paid + easier signup
- Hetzner guide — Docker-based alternative