Platform setup

How to Run OpenClaw Free on Oracle Cloud

4 min read

Browse more in Platform setup.

All platform setup guides →

This guide walks you through running an OpenClaw Gateway on Oracle Cloud’s Always Free ARM tier so you pay nothing for the server. You use Tailscale to secure access and keep the gateway off the public internet while still reaching it from your devices.

By the end, you have a persistent OpenClaw gateway with token auth, Tailscale Serve, and the Control UI reachable over your tailnet.

Setup flow

Prerequisites

  • An Oracle Cloud account with access to the Always Free tier (sign up at https://www.oracle.com/cloud/free/; see the community signup guide if you hit issues).
  • A Tailscale account (free at https://tailscale.com/).
  • An SSH key pair you can add to the Oracle instance.
  • About 30 minutes to provision the instance, install OpenClaw, and lock down networking.

Steps

  1. 1

    Create an OCI instance for OpenClaw

    Start by provisioning an ARM VM in the Always Free tier so you have a persistent host for the gateway. Matching the image, shape, and resources from the docs keeps you within the free limits while giving OpenClaw enough CPU, RAM, and disk to run smoothly.

    text
    Log into Oracle Cloud Console.

Navigate to Compute > Instances > Create Instance.

Configure:

Name:openclaw
Image: Ubuntu 24.04 (aarch64)
Shape:VM.Standard.A1.Flex (Ampere ARM)
OCPUs: 2 (or up to 4)
Memory: 12 GB (or up to 24 GB)
Boot volume: 50 GB (up to 200 GB free)
SSH key: Add your public key
  2. 2

    Connect to the instance and update the system

    Once the VM is up, SSH in as the ubuntu user and bring the OS packages up to date so you avoid weird dependency issues later. Installing build-essential is important on ARM because some Node/npm dependencies compile native code.

    bash
    ssh ubuntu@YOUR_PUBLIC_IP

sudo apt update && sudo apt upgrade -y
sudo apt install -y build-essential
  3. 3

    Configure the ubuntu user and hostname

    Set a stable hostname so logs and Tailscale show a meaningful name, and set a password for the ubuntu user if you need console access. Enabling linger ensures user-level systemd services like the OpenClaw gateway keep running even after you log out.

    bash
    sudo hostnamectl set-hostname openclaw
sudo passwd ubuntu
sudo loginctl enable-linger ubuntu
  4. 4

    Install and bring up Tailscale

    Tailscale gives you a private mesh network so you never expose the gateway directly to the internet. You install the agent, then bring it up with SSH and a hostname so you can later connect as `ssh ubuntu@openclaw` over your tailnet.

    bash
    curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --ssh --hostname=openclaw
  5. 5

    Install OpenClaw on the Oracle instance

    Use the official OpenClaw installer script so you get the right binaries and systemd units for the gateway. Sourcing your shell config picks up the `openclaw` CLI, and choosing “Do this later” for hatching keeps the install focused on the gateway first.

    bash
    curl -fsSL https://openclaw.ai/install.sh | bash
source ~/.bashrc
  6. 6

    Configure the gateway for Tailscale Serve and token auth

    You bind the gateway to loopback so it is not exposed on the public interface, then switch auth to token mode so only clients with a valid token can talk to it. 1 wires the gateway to the local Tailscale proxy, then you restart the user service to apply everything.

    bash
    openclaw config set gateway.bind loopback
openclaw config set gateway.auth.mode token
openclaw doctor --generate-gateway-token
openclaw config set gateway.tailscale.mode serve
openclaw config set gateway.trustedProxies '["127.0.0.1"]'

systemctl --user restart openclaw-gateway.service
  7. 7

    Lock down the VCN security list to Tailscale only

    Tighten the Oracle VCN so the instance only accepts Tailscale traffic at the network edge, which means no direct SSH, HTTP, or HTTPS from the public internet. You keep the single UDP 41641 rule for Tailscale and leave egress open so the gateway can still reach external APIs.

    text
    Go to Networking > Virtual Cloud Networks in the OCI Console.

Click your VCN, then Security Lists > Default Security List.

Remove all ingress rules except 0.0.0.0/0 UDP 41641 (Tailscale).

Keep default egress rules (allow all outbound).
  8. 8

    Verify the gateway and Control UI

    Before you rely on this setup, confirm the OpenClaw CLI works, the gateway systemd unit is healthy, and Tailscale Serve is active. Then hit the local HTTP port and the tailnet URL to make sure the Control UI is reachable from your devices.

    bash
    openclaw --version
systemctl --user status openclaw-gateway.service
tailscale serve status
curl http://localhost:18789

https://openclaw.<tailnet-name>.ts.net/
  9. 9

    Fallback to an SSH tunnel if Tailscale Serve fails

    If Tailscale Serve is not behaving or you misconfigured the Serve settings, you can still reach the gateway via a local SSH tunnel. This binds your laptop’s port 18789 to the gateway’s loopback port so you can debug the UI without changing the secure network setup.

    bash
    ssh -L 18789:127.0.0.1:18789 ubuntu@openclaw

Configuration

OptionDescriptionExample
gateway.bindControls which interface the OpenClaw gateway listens on; using loopback keeps it off the public network interface.loopback
gateway.auth.modeSets the authentication mode for the gateway; token mode requires clients to present a valid token.token
gateway.tailscale.modeEnables integration with Tailscale; serve mode configures the gateway to work behind Tailscale Serve.serve
gateway.trustedProxiesLists proxy IPs that the gateway trusts for forwarded client IP handling; here it trusts the local Tailscale Serve proxy.["127.0.0.1"]

Troubleshooting

Instance creation fails with “Out of capacity”

Oracle’s free tier ARM capacity is limited and often exhausted in some availability domains. Switch to a different availability domain when creating the instance or retry during off-peak hours until capacity frees up.

Tailscale will not connect

If Tailscale gets stuck or cannot authenticate, reset its state and re-authenticate with the same hostname. This forces a fresh login and often fixes issues after network or config changes.

bash
sudo tailscale up --ssh --hostname=openclaw --reset

Gateway will not start

When the gateway service fails, run the built-in doctor in non-interactive mode to surface config or environment issues, then inspect the user-level systemd logs for detailed errors.

bash
openclaw doctor --non-interactive
journalctl --user -u openclaw-gateway.service -n 50

ARM binary issues or native module failures

Some npm packages or binaries may not ship ARM builds; you need linux-arm64 or aarch64 releases for this Oracle shape. Check the architecture with uname and ensure any native dependencies support arm64.

bash
uname -m

Frequently asked questions

Powered by Mem0

Add persistent memory to OpenClaw

Official Mem0 plugin for OpenClaw keeps context across chats and tools. Smaller prompts, lower cost, better continuity for your agents.

Read the official Mem0 guideOpen Mem0

More in Platform setup

Platform setup

How to Deploy OpenClaw on Northflank

Platform setup

How to Deploy OpenClaw on Render

Platform setup

How to Install OpenClaw on Linux

Platform setup

How to Install OpenClaw with Nix

Platform setup

How to Run OpenClaw with Podman

Platform setup

How to Deploy OpenClaw on Kubernetes