Clawdbot has taken off in January 2026. The pace of development is relentless – new skills, integrations, and features landing daily.
The docs are decent, but I hit enough edge cases that I wanted to document the entire process from zero to working WhatsApp assistant. This is the manual setup – no Terraform, no automation – just SSH and a terminal.
If you want the IaC approach, check out my Terraform-based setup. This guide is for those who want to understand every step.
Table of Contents
- Create VPS
- Basic VPS Setup
- Firewall (UFW)
- Prepare Your WhatsApp Number
- Installing Prerequisites
- Tailscale Setup
- Clawdbot Installation
- Use Cases and Configuration
- Hardening Your VPS
1. Create VPS
Log into Hetzner Cloud and create a new server.
Recommended specs:
- Type: CX22 (2 vCPU, 4GB RAM) – €4.51/month
- Image: Ubuntu 24.04
- Location: Pick closest to you (I use
nbg1– Nuremberg) - SSH Key: Add your public key here if you have one
The cheapest option (CX22) is more than enough. Clawdbot is lightweight – the gateway idles at ~100MB RAM.
Once created, note your server’s IP address.
2. Basic VPS Setup
SSH into the server as root:
ssh root@your-server-ipIf you didn’t add an SSH key during creation, you’ll receive a root password via email. Use it to log in.
Update the System
apt update && apt upgrade -yIf prompted to reboot for kernel updates:
rebootWait 30 seconds, then reconnect.
3. Firewall (UFW)
Before opening ports for anything, set up a basic firewall. UFW is a simple frontend for iptables:
apt install ufw -yCritical: Allow SSH before enabling the firewall:
ufw allow sshSet default policies:
ufw default deny incoming
ufw default allow outgoingEnable the firewall:
ufw enableType y to confirm.
Check status:
ufw statusOutput should show SSH allowed:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)4. Prepare Your WhatsApp Number
Do this before installing Clawdbot - you’ll need a working WhatsApp Business account ready when the onboarding wizard asks you to scan a QR code.
Get a Dedicated Phone Number
Do not use your personal WhatsApp number. If something goes wrong, you risk your main account getting flagged.
Buy a cheap eSIM or SIM for SMS verification:
- Lyca Mobile eSIM - cheapest option, works without a physical SIM slot. Order from the Lyca app or website, activate it on your phone, and you’ll have a number within minutes
- giffgaff - £10 gets you a UK number, pay-as-you-go, no contract
- Lebara - similar pricing
- Any budget MVNO works - you only need it for one SMS verification
You only need the number to receive one SMS. After that, the SIM can live in a drawer.
Setup WhatsApp Business
-
Install WhatsApp Business (not regular WhatsApp) from the Play Store or App Store on your phone
-
Register with your new eSIM/SIM number:
- Make sure the eSIM is active on your phone
- Open WhatsApp Business and register with the new number
- Verify via SMS - the code should arrive on the eSIM
- Complete the business profile setup (name it something like “Atlas” or “My Assistant”)
-
Keep WhatsApp Business installed - you’ll need it to scan the QR code during Clawdbot setup
Tip: If you have a dual-SIM phone, you can run both your personal WhatsApp (on your main number) and WhatsApp Business (on your eSIM) on the same device. They’re separate apps.
5. Installing Prerequisites
Node.js via nvm
Clawdbot requires Node.js. Use nvm for easy version management:
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bashReload your shell:
source ~/.bashrcInstall Node 22:
nvm install 22Verify:
node -v # Should print v22.x.x
npm -v # Should print 10.x.x6. Tailscale Setup
Tailscale creates a private mesh network between your devices. This lets you access the Clawdbot dashboard securely without exposing ports to the internet.
Create a Tailscale Account
- Go to tailscale.com and sign up (free tier is plenty)
- Install Tailscale on your local machine too – this is how you’ll access the VPS
Install Tailscale on the VPS
curl -fsSL https://tailscale.com/install.sh | shConnect to your tailnet:
tailscale upThis prints a URL – open it in your browser and authenticate.
Once connected, check your Tailscale IP:
tailscale ip -4You’ll get an IP like 100.x.y.z. This is your VPS’s private Tailscale address.
Verify Connectivity
From your local machine (with Tailscale installed and running):
ping 100.x.y.z # Your VPS's Tailscale IPIf it responds, you’re connected. You can now SSH via Tailscale:
ssh root@100.x.y.zThis works even if you later remove the public SSH rule from UFW.
7. Clawdbot Installation
Install the Claude CLI
Clawdbot uses the Claude CLI under the hood. Install it first:
npm i -g @anthropic-ai/claude-codeNow get your Anthropic auth token. Open a second terminal tab (keep your main SSH session open) and run:
claude setup-tokenThis generates a token you can use on the VPS. Copy the token it gives you.
Back in your main terminal, set the token:
export ANTHROPIC_AUTH_TOKEN=<your-token-here>Add it to your shell profile so it persists across sessions:
echo 'export ANTHROPIC_AUTH_TOKEN=<your-token-here>' >> ~/.bashrcNote: If you have a Claude Max subscription ($200/month), the usage limits work well for a 24/7 assistant. Alternatively, you can use a pay-as-you-go API key with
ANTHROPIC_API_KEYinstead.
Install OpenClaw (Clawdbot)
npm i -g openclawThis takes a minute or two. Once complete, start the onboarding wizard:
openclaw onboardOnboarding Walkthrough
The wizard is interactive. Here’s the QuickStart flow:
◆ I understand this is powerful and inherently risky. Continue?
│ YesAccept the warning.
◆ Onboarding mode
│ ● QuickStart
│ ○ Manual (Configure port, network, Tailscale, and auth options.)QuickStart - handles sensible defaults for you. You can always tweak settings later with openclaw config.
◆ Model/auth provider
│ ○ OpenAI (Codex OAuth + API key)
│ ● Anthropic
│ ○ MiniMax
│ ○ Qwen
│ ○ Synthetic
│ ○ Google
│ ○ CopilotSelect Anthropic (since we set up the Claude CLI token above).
◆ Configure chat channels now?
│ ● Yes / ○ NoYes - select WhatsApp when prompted.
WhatsApp QR Pairing
When you select WhatsApp, the wizard displays a QR code in the terminal. This is where your prepared WhatsApp Business account comes in.
On your phone:
- Open WhatsApp Business (the app you set up in Step 4)
- Go to Settings → Linked Devices
- Tap Link a Device
- Scan the QR code shown in your terminal
Once scanned, the terminal confirms the connection and the wizard continues.
◆ Install Gateway service (recommended)
│ ● Yes / ○ NoYes - installs a systemd unit so the gateway starts on boot and survives reboots.
◆ How do you want to hatch your bot?
│ ● Hatch in TUI (recommended)
│ ○ Open the Web UI
│ ○ Do this laterHatch in TUI - drops you into an interactive terminal to complete setup and start chatting.
Verify the Gateway
After hatching, the gateway should be running. Check:
systemctl status clawdbot-gatewayView logs:
journalctl -u clawdbot-gateway -fTest WhatsApp
From your main phone (your personal WhatsApp):
- Add the business number as a contact
- Open a chat with it
- Send
/start
Clawdbot should respond with a welcome message and pairing instructions.
Useful Commands
The openclaw CLI is your main interface:
openclaw status # Check gateway status
openclaw gateway start # Start the gateway
openclaw gateway stop # Stop the gateway
openclaw gateway restart # Restart the gateway
openclaw config # Open config editor
openclaw help # Full command listNote: After initial linking, WhatsApp linked devices can operate independently for ~14 days. The phone only needs to come online periodically to keep the session active.
8. Use Cases and Configuration
You might be tempted to configure workflows via the Dashboard UI. Don’t.
The chat interface is where Clawdbot shines. Describe what you want in natural language – it’ll figure out the rest.
Examples
Daily tweet digest:
“Send me a summary of my bookmarked tweets every morning at 8am”
Clawdbot walked me through setting up the bird skill (X/Twitter CLI), configuring OAuth, and scheduling the digest.
RSS monitoring:
“Watch Hacker News for posts about Kubernetes and message me when something interesting comes up”
It configured the RSS skill, set up keyword filtering, and sent a test notification.
Git repo health checks:
“Every Monday, check my GitHub repos for stale PRs and dependency updates”
Configured GitHub integration, scheduled the check, and formatted the report.
The Key Insight
Clawdbot doesn’t say “I can’t do that.” It proposes a plan.
If a skill is missing, it’ll suggest installing one. If an API key is needed, it’ll explain where to get it. It’s genuinely collaborative.
9. Hardening Your VPS
Your VPS is running and Clawdbot is working. Now let’s lock things down properly. Skip this at your peril – bots will find your server within hours.
Setup SSH Key Authentication
On your local machine (not the server), generate an SSH key if you don’t have one:
ssh-keygen -t ed25519 -C "your_email@example.com"Press Enter to accept the default location. Set a passphrase if you want extra security.
Copy your public key to the server:
ssh-copy-id root@your-server-ipTest it works – open a new terminal:
ssh root@your-server-ipYou should log in without being prompted for a password (or just your SSH key passphrase if you set one).
Disable Password Authentication
Now that key auth works, disable password login entirely. On the server:
vim /etc/ssh/sshd_configFind and update these lines (uncomment if they have # in front):
PasswordAuthentication no
PubkeyAuthentication yesSave and exit (:wq in vim).
Restart SSH:
systemctl restart sshWarning: Don’t close your current SSH session until you’ve verified you can connect in a new terminal. If you lock yourself out, you’ll need Hetzner’s console access.
Install fail2ban
fail2ban monitors auth logs and bans IPs that fail login attempts repeatedly.
apt install fail2ban -yCreate a local config (so updates don’t overwrite your settings):
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vim /etc/fail2ban/jail.localFind the [sshd] section and update it:
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
findtime = 600This bans IPs for 24 hours after 3 failed attempts within 10 minutes.
Start and enable fail2ban:
systemctl start fail2ban
systemctl enable fail2banCheck it’s working:
fail2ban-client status sshdEnable Automatic Security Updates
Install unattended-upgrades to automatically apply security patches:
apt install unattended-upgrades apt-listchanges -yConfigure it:
vim /etc/apt/apt.conf.d/50unattended-upgradesEnsure these lines are uncommented:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
};Enable automatic updates:
vim /etc/apt/apt.conf.d/20auto-upgradesAdd:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";Kernel Hardening (Optional but Recommended)
Add sysctl settings to prevent common network attacks:
vim /etc/sysctl.d/99-security.confAdd:
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# Ignore source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Log Martian packets
net.ipv4.conf.all.log_martians = 1
# Ignore broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1Apply:
sysctl -p /etc/sysctl.d/99-security.confSecurity Checklist
Before calling it done, verify:
- SSH key-only authentication (password disabled)
- fail2ban active with 24h bans
- UFW firewall enabled (SSH only)
- Automatic security updates configured
- Kernel hardening applied
- Clawdbot bound to loopback only
- Tailscale Serve for private HTTPS access
- Dedicated WhatsApp number (not personal)
Troubleshooting
Can’t connect via SSH after disabling password auth:
Use Hetzner’s web console to access the server and fix /etc/ssh/sshd_config.
Clawdbot gateway won’t start:
journalctl -u clawdbot-gateway -n 50 --no-pagerCheck for port conflicts or missing dependencies.
WhatsApp disconnects frequently: Ensure the spare phone stays online. Check battery optimisation settings. Consider running WhatsApp in an emulator for better reliability.
Tailscale Serve not working:
tailscale serve statusVerify the gateway is actually running on the configured port.
Questions? Find me on LinkedIn or drop a comment below.