openclaw/docs/platforms/oracle.md
2026-01-26 11:14:30 -08:00

8.4 KiB

summary read_when
Clawdbot on Oracle Cloud (Always Free ARM, best value)
Setting up Clawdbot on Oracle Cloud
Looking for free VPS hosting for Clawdbot
Want 24/7 Clawdbot without paying anything

Clawdbot on Oracle Cloud (OCI)

Goal

Run a persistent Clawdbot Gateway on Oracle Cloud's Always Free ARM tier — $0/month forever with more resources than most paid VPS options.

Cost Comparison (2026)

Provider Plan Specs Price/mo Notes
Oracle Cloud Always Free ARM 4 OCPU, 24GB RAM $0 Best value, this guide
Hetzner CX22 2 vCPU, 4GB RAM €3.79 (~$4) Cheapest paid, EU datacenters
DigitalOcean Basic 1 vCPU, 1GB RAM $6 Easy UI, good docs
Vultr Cloud Compute 1 vCPU, 1GB RAM $6 Many locations
Linode Nanode 1 vCPU, 1GB RAM $5 Now part of Akamai

Why Oracle? The Always Free tier gives you 4x the CPU and 24x the RAM of a $6 DigitalOcean droplet — for $0. The tradeoff is ARM architecture (most things work) and Oracle's signup process (can be finicky).


Prerequisites

1) Create an OCI Instance

  1. Log into Oracle Cloud Console
  2. Navigate to Compute → Instances → Create Instance
  3. Configure:
    • Name: clawdbot
    • Image: Ubuntu 24.04 (aarch64)
    • Shape: VM.Standard.A1.Flex (Ampere ARM)
    • OCPUs: 2 (or up to 4)
    • Memory: 12 GB (or up to 24 GB)
    • Boot volume: 50 GB (up to 200 GB free)
    • SSH key: Add your public key
  4. Click Create
  5. Note the public IP address

Tip: If instance creation fails with "Out of capacity", try a different availability domain or retry later. Free tier capacity is limited.

2) Configure VCN Security (Critical)

OCI's Virtual Cloud Network (VCN) acts as a firewall at the network edge — traffic is blocked before it reaches your instance. This is more secure than host-based firewalls.

  1. Go to Networking → Virtual Cloud Networks
  2. Click your VCN → Security Lists → Default Security List
  3. Remove all ingress rules except:
    • 0.0.0.0/0 UDP 41641 (Tailscale)
  4. Keep default egress rules (allow all outbound)

This blocks everything except Tailscale. You'll SSH via Tailscale, not the public IP.

3) Connect and Update

# Initial connection via public IP (one time only)
ssh ubuntu@YOUR_PUBLIC_IP

# Update system
sudo apt update && sudo apt upgrade -y
sudo apt install -y build-essential

Note: build-essential is required for ARM compilation of some dependencies.

4) Configure User and Hostname

# Set hostname
sudo hostnamectl set-hostname clawdbot

# Set password for ubuntu user
sudo passwd ubuntu

# Enable lingering (keeps user services running after logout)
sudo loginctl enable-linger ubuntu

5) Install Tailscale

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --ssh --hostname=clawdbot

This enables Tailscale SSH, so you can connect via ssh clawdbot from any device on your tailnet — no public IP needed.

Verify:

tailscale status

From now on, connect via Tailscale: ssh ubuntu@clawdbot (or use the Tailscale IP).

6) Install Homebrew (ARM)

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Add to PATH
echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> ~/.bashrc
echo 'export HOMEBREW_NO_AUTO_UPDATE=1' >> ~/.bashrc
echo 'export HOMEBREW_NO_ENV_HINTS=1' >> ~/.bashrc
source ~/.bashrc

# Install GCC (needed for some packages on ARM)
brew install gcc

7) Install Clawdbot

curl -fsSL https://clawd.bot/install.sh | bash
source ~/.bashrc

When prompted "How do you want to hatch your bot?", select "Do this later".

8) Configure Gateway with Tailscale Serve

clawdbot config set gateway.bind loopback
clawdbot config set gateway.tailscale.mode serve
clawdbot config set gateway.trustedProxies '["127.0.0.1"]'
clawdbot config set gateway.auth.allowTailscale true
clawdbot config set gateway.controlUi.allowInsecureAuth true
systemctl --user restart clawdbot-gateway

This configures:

  • Gateway binds to loopback only (127.0.0.1)
  • Tailscale Serve provides HTTPS and handles external routing
  • Authentication via Tailscale identity headers (no tokens needed)

9) Verify

# Check version
clawdbot --version

# Check daemon status
systemctl --user status clawdbot-gateway

# Check Tailscale Serve
tailscale serve status

# Test local response
curl http://localhost:18789

Access the Control UI

From any device on your Tailscale network:

https://clawdbot.<tailnet-name>.ts.net/

Replace <tailnet-name> with your tailnet name (visible in tailscale status).

No SSH tunnel needed. Tailscale provides:

  • HTTPS encryption (automatic certs)
  • Authentication via Tailscale identity
  • Access from any device on your tailnet (laptop, phone, etc.)

Security: Why VCN + Tailscale Is Enough

With the VCN configured as above (only UDP 41641 open), you have defense in depth that makes traditional VPS hardening redundant.

How it works: The VCN blocks traffic at the network edge — before it reaches your instance. Combined with Tailscale SSH (which bypasses sshd entirely), there's no attack surface for typical threats.

What's Already Protected

Traditional Step Needed? Why
UFW firewall No VCN blocks before traffic reaches instance
fail2ban No No brute force if port 22 blocked at VCN
sshd hardening No Tailscale SSH doesn't use sshd
Disable root login No Tailscale uses Tailscale identity, not system users
SSH key-only auth No Tailscale authenticates via your tailnet
Disable IPv6 No OCI free tier doesn't assign public IPv6
  • Credential permissions: chmod 700 ~/.clawdbot
  • Security audit: clawdbot security audit
  • System updates: sudo apt update && sudo apt upgrade regularly
  • Monitor Tailscale: Review devices in Tailscale admin console

Verify Security Posture

# Confirm no public ports listening
sudo ss -tlnp | grep -v '127.0.0.1\|::1'

# Verify Tailscale SSH is active
tailscale status | grep -q 'offers: ssh' && echo "Tailscale SSH active"

# Optional: disable sshd entirely
sudo systemctl disable --now ssh

Fallback: SSH Tunnel

If Tailscale Serve isn't working, use an SSH tunnel:

# From your local machine (via Tailscale)
ssh -L 18789:127.0.0.1:18789 ubuntu@clawdbot

Then open http://localhost:18789.


Troubleshooting

Instance creation fails ("Out of capacity")

Free tier ARM instances are popular. Try:

  • Different availability domain
  • Retry during off-peak hours (early morning)
  • Use the "Always Free" filter when selecting shape

Tailscale won't connect

# Check status
sudo tailscale status

# Re-authenticate
sudo tailscale up --ssh --hostname=clawdbot --reset

Gateway won't start

clawdbot gateway status
clawdbot doctor --non-interactive
journalctl --user -u clawdbot-gateway -n 50

Can't reach Control UI

# Verify Tailscale Serve is running
tailscale serve status

# Check gateway is listening
curl http://localhost:18789

# Restart if needed
systemctl --user restart clawdbot-gateway

ARM binary issues

Some tools may not have ARM builds. Check:

uname -m  # Should show aarch64

Most npm packages work fine. For binaries, look for linux-arm64 or aarch64 releases.


Persistence

All state lives in:

  • ~/.clawdbot/ — config, credentials, session data
  • ~/clawd/ — workspace (SOUL.md, memory, artifacts)

Back up periodically:

tar -czvf clawdbot-backup.tar.gz ~/.clawdbot ~/clawd

See Also