Platform setup

How to Deploy OpenClaw on Google Cloud (GCP)

4 min read

Browse more in Platform setup.

All platform setup guides →

This guide walks you through deploying OpenClaw on Google Cloud Platform using a Compute Engine VM and Docker. You set up a persistent OpenClaw Gateway with durable state on disk, safe restarts, and a Control UI you can reach from your laptop over SSH.

By the end, you have an OpenClaw gateway running 24/7 on GCP with its config and workspace surviving VM rebuilds.

Setup flow

Prerequisites

  • A GCP account (free tier eligible for e2-micro).
  • gcloud CLI installed on your machine, or access to the GCP Cloud Console.
  • SSH access from your laptop to GCP VMs.
  • Docker and Docker Compose knowledge, since the gateway runs in a container.
  • Model auth credentials and any optional provider credentials you plan to use (WhatsApp QR, Telegram bot token, Gmail OAuth).
  • ~20–30 minutes to complete the setup end to end.

Steps

  1. 1

    Install and initialize the gcloud CLI

    Start by installing and authenticating the gcloud CLI so you can script project, VM, and SSH operations from your terminal. This makes it much faster to iterate on the deployment than clicking through the console, and it’s what later commands in this guide assume.

    bash
    gcloud init
gcloud auth login
  2. 2

    Create and configure your GCP project

    Create a dedicated project for your OpenClaw gateway so billing, IAM, and logs stay isolated. You then enable billing and the Compute Engine API, which are required before you can create VMs.

    bash
    gcloud projects create my-openclaw-project --name="OpenClaw Gateway"
gcloud config set project my-openclaw-project

gcloud services enable compute.googleapis.com
  3. 3

    Create a Compute Engine VM for the gateway

    Provision a Debian 12 VM sized to handle Docker builds; e2-small is the minimum recommended, while e2-micro often OOMs during pnpm install. You also allocate a 20GB boot disk, which is enough for the OpenClaw repo, Docker image, and persistent state.

    bash
    gcloud compute instances create openclaw-gateway \
  --zone=us-central1-a \
  --machine-type=e2-small \
  --boot-disk-size=20GB \
  --image-family=debian-12 \
  --image-project=debian-cloud
  4. 4

    SSH into the VM

    Once the VM is up, SSH in so you can install Docker and OpenClaw. SSH key propagation can lag by a minute or two after creation, so if the first attempt fails, wait briefly and retry.

    bash
    gcloud compute ssh openclaw-gateway --zone=us-central1-a
  5. 5

    Install Docker and basic tooling on the VM

    Install git, curl, and Docker on the VM so you can clone the OpenClaw repo and run it in a container. Adding your user to the docker group lets you run docker without sudo, but you need to log out and back in for that to take effect.

    bash
    sudo apt-get update
sudo apt-get install -y git curl ca-certificates
curl -fsSL https://get.docker.com | sudo sh
sudo usermod -aG docker $USER

exit

gcloud compute ssh openclaw-gateway --zone=us-central1-a

docker --version
docker compose version
  6. 6

    Clone the OpenClaw repository on the VM

    Pull the OpenClaw source so you can build a custom Docker image with all required binaries baked in. Building from the repo gives you a reproducible image and ensures the gateway binaries persist across container restarts.

    bash
    git clone https://github.com/openclaw/openclaw.git
cd openclaw
  7. 7

    Create persistent host directories for OpenClaw state

    openclaw so your gateway config, agent auth profiles, and workspace survive container rebuilds. These paths are later mounted into the container via Docker Compose.

    bash
    mkdir -p ~/.openclaw
mkdir -p ~/.openclaw/workspace
  8. 8

    Configure the OpenClaw environment variables

    env file in the repo root to define the image name, gateway bind/port, and where to mount config and workspace directories. Use strong random values for secrets like OPENCLAW_GATEWAY_TOKEN and GOG_KEYRING_PASSWORD so your gateway isn’t trivially guessable.

    bash
    OPENCLAW_IMAGE=openclaw:latest
OPENCLAW_GATEWAY_TOKEN=change-me-now
OPENCLAW_GATEWAY_BIND=lan
OPENCLAW_GATEWAY_PORT=18789

OPENCLAW_CONFIG_DIR=/home/$USER/.openclaw
OPENCLAW_WORKSPACE_DIR=/home/$USER/.openclaw/workspace

GOG_KEYRING_PASSWORD=change-me-now
XDG_CONFIG_HOME=/home/node/.openclaw
  9. 9

    Generate strong secrets for your gateway

    Before you trust this gateway on a network, replace placeholder secrets with real random values. env.

    bash
    openssl rand -hex 32
  10. 10

    Create the Docker Compose configuration for the gateway

    yml that builds the OpenClaw image, mounts your persistent directories, and binds the gateway port loopback-only on the VM. The command section starts the gateway with --allow-unconfigured for bootstrap, but you should still configure proper auth and bind settings later.

    yaml
    services:
  openclaw-gateway:
    image: ${OPENCLAW_IMAGE}
    build: .
    restart: unless-stopped
    env_file:
      - .env
    environment:
      - HOME=/home/node
      - NODE_ENV=production
      - TERM=xterm-256color
      - OPENCLAW_GATEWAY_BIND=${OPENCLAW_GATEWAY_BIND}
      - OPENCLAW_GATEWAY_PORT=${OPENCLAW_GATEWAY_PORT}
      - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
      - GOG_KEYRING_PASSWORD=${GOG_KEYRING_PASSWORD}
      - XDG_CONFIG_HOME=${XDG_CONFIG_HOME}
      - PATH=/home/linuxbrew/.linuxbrew/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    volumes:
      - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
      - ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
    ports:
      # Recommended: keep the Gateway loopback-only on the VM; access via SSH tunnel.
      # To expose it publicly, remove the `127.0.0.1:` prefix and firewall accordingly.
      - "127.0.0.1:${OPENCLAW_GATEWAY_PORT}:18789"
    command:
      [
        "node",
        "dist/index.js",
        "gateway",
        "--bind",
        "${OPENCLAW_GATEWAY_BIND}",
        "--port",
        "${OPENCLAW_GATEWAY_PORT}",
        "--allow-unconfigured",
      ]
  11. 11

    Set allowed origins when binding the gateway to LAN

    When you bind the gateway to lan, you must explicitly allow the Control UI origin or the browser will be blocked. 1:18789 can talk to the gateway over the tunnel.

    bash
    docker compose run --rm openclaw-cli config set gateway.controlUi.allowedOrigins '["http://127.0.0.1:18789"]' --strict-json
  12. 12

    Access the OpenClaw Control UI from your laptop

    1:18789 locally. You can then open the dashboard, handle shared-secret auth, and approve your browser device if it shows as unauthorized.

    bash
    gcloud compute ssh openclaw-gateway --zone=us-central1-a -- -L 18789:127.0.0.1:18789

# In another terminal, if needed
# Reprint a clean dashboard link

docker compose run --rm openclaw-cli dashboard --no-open

# If Control UI shows unauthorized / pairing required

docker compose run --rm openclaw-cli devices list
docker compose run --rm openclaw-cli devices approve <requestId>

Configuration

OptionDescriptionExample
OPENCLAW_IMAGEThe Docker image name and tag used for the OpenClaw gateway service.openclaw:latest
OPENCLAW_GATEWAY_TOKENShared-secret token used for gateway authentication when the Control UI prompts for it.f3b9c2e4d7a84b6a9c1e2f3a4b5c6d7e
OPENCLAW_GATEWAY_BINDControls how the gateway binds its network interface, such as LAN for internal access.lan
OPENCLAW_GATEWAY_PORTThe port the OpenClaw gateway listens on inside the container and is forwarded over SSH.18789
OPENCLAW_CONFIG_DIRHost directory where OpenClaw stores configuration and auth profiles, mounted into the container./home/openclaw/.openclaw
OPENCLAW_WORKSPACE_DIRHost directory for the OpenClaw workspace, mounted into the container for persistent data./home/openclaw/.openclaw/workspace
GOG_KEYRING_PASSWORDPassword used by the keyring inside the container for secure storage.9a7c5e3b1d2f4c6e8a0b1c2d3e4f5a6b
XDG_CONFIG_HOMEConfig directory path inside the container where OpenClaw expects its configuration./home/node/.openclaw
gateway.controlUi.allowedOriginsGateway configuration key that whitelists browser origins allowed to access the Control UI.["http://127.0.0.1:18789"]

Troubleshooting

SSH connection refused when trying to connect to the new VM

On fresh VMs, SSH key propagation can lag behind instance creation. Wait 1–2 minutes after creating the VM, then retry the gcloud compute ssh command.

bash
gcloud compute ssh openclaw-gateway --zone=us-central1-a

OS Login errors when connecting to the VM

If OS Login is enabled and you see permission-related errors, inspect your OS Login profile and ensure your account has Compute OS Login or Compute OS Admin Login IAM roles.

bash
gcloud compute os-login describe-profile

Docker build fails with 'Killed' and 'exit code 137' during pnpm install

Exit code 137 indicates the kernel OOM-killed the build process because the VM ran out of memory. Stop the instance, upgrade to at least e2-small (or e2-medium for more reliable builds), then start it again and rerun the build.

bash
# Stop the VM first
gcloud compute instances stop openclaw-gateway --zone=us-central1-a

# Change machine type
gcloud compute instances set-machine-type openclaw-gateway \
  --zone=us-central1-a \
  --machine-type=e2-small

# Start the VM
gcloud compute instances start openclaw-gateway --zone=us-central1-a

Frequently asked questions

Powered by Mem0

Add persistent memory to OpenClaw

Official Mem0 plugin for OpenClaw keeps context across chats and tools. Smaller prompts, lower cost, better continuity for your agents.

Read the official Mem0 guideOpen Mem0

More in Platform setup

Platform setup

How to Deploy OpenClaw on Northflank

Platform setup

How to Deploy OpenClaw on Render

Platform setup

How to Install OpenClaw on Linux

Platform setup

How to Install OpenClaw with Nix

Platform setup

How to Run OpenClaw with Podman

Platform setup

How to Deploy OpenClaw on Kubernetes