Part 1: Setting Up the LXC Container
First things first - we need somewhere for OpenClaw to live. We’re going to create a Debian LXC container with some specific settings that make it play nice with OpenClaw’s quirks.
Why Debian?
I tested this with both Ubuntu and Debian. Ubuntu worked fine, but Debian ended up being lighter and more stable for this use case. Plus, since Proxmox itself runs on Debian, things just tend to work better. Fewer weird edge cases. Though honestly, it really doesn’t matter that much, so feel free to use whatever you want.
You could use Ubuntu if you really want to, but this guide assumes Debian.
Creating the container with the helper script
Instead of clicking through Proxmox’s web UI, we’re going to use a community script that makes this way easier. Open your Proxmox node’s shell (either through the web interface or SSH) and run this:
bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/debian.sh)"
Quick note about running random scripts from the internet: yeah, I know, security best practices and all that. This particular script is from the Proxmox VE Helper Scripts project which is well-maintained and widely used in the Proxmox community. But you should still at least skim through it to see what it’s doing. Don’t just blindly trust me.
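One way to do that skim, as an added example (not part of the original post or the helper-script project): save the script to disk first, then list what else it pulls in and where it executes fetched code. The function names, the sample script and the example.invalid URLs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the helper-script project: review aids for an
# installer you saved to disk instead of piping it straight into bash, e.g.
#   curl -fsSL <script-url> -o debian.sh && sha256sum debian.sh && less debian.sh
# Function names are illustrative.

# Every remote URL the script mentions: this is the rest of your reading list.
list_remote_refs() {
    grep -Eo "https?://[^[:space:]\"')>]+" "$1" | sort -u
}

# Line numbers where fetched content is executed directly, either through
# process/command substitution (source <(curl ...), bash -c "$(curl ...)")
# or through a pipe into a shell (wget ... | bash).
list_remote_exec() {
    grep -nE '(source|bash|sh)[[:space:]]+(-c[[:space:]]+)?"?[<$]\((curl|wget)|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$1" |
        cut -d: -f1
}

# Constructed sample standing in for a downloaded installer.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/usr/bin/env bash
source <(curl -fsSL https://example.invalid/misc/build.func)
APP="Debian"
wget -qO- https://example.invalid/extra.sh | bash
echo "done"
EOF

echo "Remote references:"; list_remote_refs "$sample"
echo "Executes fetched code on lines:"; list_remote_exec "$sample"
rm -f "$sample"
```

Anything the second function reports is code that never lands on disk unless you fetch it yourself, so read those URLs too before running the saved copy.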
When the script starts, pick Advanced Install. The basic install works, but we need to enable some specific features that aren’t on by default.
Container settings that actually matter
The script will ask you a bunch of questions. Here’s what I recommend and why:
Container Type: Unprivileged
This one’s important. Unprivileged containers are more secure - the root user inside the container maps to a non-root user on your Proxmox host. If something goes wrong and someone breaks out of the container, they don’t automatically have root on your host.
There’s basically no downside to unprivileged for our use case, so go with that.
Root Password
Just set a strong password. You’ll need it to SSH into the container.
Hostname: openclaw
Call it whatever you want, but openclaw makes sense and keeps things clear when you’re looking at your container list.
Disk Size: 60GB
OpenClaw doesn’t explicitly mention hardware requirements, but I’d recommend going with at least 60GB.
I’m currently at about 60% disk usage after regular use. If you start with 30GB, you’ll be resizing the disk in a month. Save yourself the hassle.
Also, LXC uses thin provisioning by default. That 60GB allocation doesn’t immediately consume 60GB on your host - it only uses what it actually needs. So there’s no real penalty for allocating more upfront.
CPU: 4 cores
Four cores is a good baseline. OpenClaw can be CPU-intensive when you’re running multiple sessions and agents.
Quick Proxmox LXC thing: assigning 4 cores doesn’t mean you’re reserving them exclusively. Proxmox uses fair scheduling. Those 4 cores are a maximum, not a reservation. If your host has spare capacity, feel free to go higher. I’m running with 8 cores and it works great.
RAM: 8192 MiB (8GB)
4 gigs is probably enough but if you have more to spare, I’d recommend going for 8. OpenClaw’s Node.js server uses a couple GB, then you need headroom for Docker containers, file indexing, code analysis, all the background stuff that happens during agent runs.
Network: DHCP is fine
Just use the defaults here unless you have some specific networking setup you’re trying to accomplish. Bridge vmbr0, DHCP for IPv4, auto for IPv6. It works.
The critical part: enabling features
This is where most people get tripped up if they’re just clicking through defaults. OpenClaw needs some specific container features enabled or things will break in weird ways later.
TUN/TAP Device Support: Yes
This enables virtual network interfaces. You’ll have the option later to access your gateway via Tailscale, and you’ll need this in order to do so.
Even if you don’t think you need it right now, enable it anyway. It’s way easier than reconfiguring the container later.
Nesting: Yes
This is the big one. You absolutely need nesting enabled.
Nesting allows containers within containers. We’ll be using Docker later for agent sandboxing.
Even if you’re not sure about using Docker sandboxing yet, enable nesting now. It’s way easier than reconfiguring the container later.
GPU Passthrough: No
Leave this disabled unless you specifically want to run a local LLM in this same container.
If you’re thinking about running Ollama or llama.cpp for a local model, my strong recommendation is to set up a separate container for that. The Proxmox Helper Scripts even have an Ollama-specific script that makes it easy.
Why separate containers? A few reasons:
- Easier to manage resources (give the LLM container access to your GPU, keep OpenClaw simple)
- Better stability (LLM crashes don’t take down your development environment)
- Simpler troubleshooting (one thing per container)
- Cleaner backups
You can always connect OpenClaw to a local LLM via API. Keep them separate.
Keyctl Support: Yes
This enables access to the kernel keyring for credential storage. Some development tools expect this to be available. It doesn’t hurt anything to enable it, and it prevents weird authentication issues down the line.
Double-check before creating
The script will show you a summary before actually creating the container. Here’s what mine looked like:
____ __ _
/ __ \___ / /_ (_)___ _____
/ / / / _ \/ __ \/ / __ `/ __ \
/ /_/ / __/ /_/ / / /_/ / / / /
/_____/\___/_.___/_/\__,_/_/ /_/
🧩 Using Advanced Install on node homelab01
💡 PVE Version 9.1.4 (Kernel: 6.17.4-2-pve)
🖥️ Operating System: debian
🌟 Version: 13
📦 Container Type: Unprivileged
🆔 Container ID: 113
🏠 Hostname: openclaw
💾 Disk Size: 60 GB
🧠 CPU Cores: 4
🛠️ RAM Size: 4096 MiB
🌉 Bridge: vmbr0
📡 IPv4: dhcp
📡 IPv6: auto
🗂️ FUSE Support: no
📡 TUN/TAP Support: yes
📦 Nesting: Enabled
📦 Keyctl: Enabled
🎮 GPU Passthrough: no
💡 Timezone: America/Edmonton
🔍 Verbose Mode: yes
🚀 Creating an LXC of Debian using the above advanced settings
✔️ Updated app defaults: /usr/local/community-scripts/defaults/debian.vars
✔️ Storage local (Free: 90.4GB Used: 14.2GB) [Template]
✔️ Storage local-lvm (Free: 659.6GB Used: 1.1TB) [Container]
✔️ Storage 'local-lvm' (lvmthin) validated
✔️ Template storage 'local' validated
✔️ Cluster is quorate
Make sure nesting, TUN/TAP, and keyctl all show as enabled. Those are the critical ones.
If everything looks good, confirm it and let the script do its thing. It’ll download the Debian template if you don’t have it cached already, then create and configure the container. Takes about 2-5 minutes depending on your internet speed and storage.
When it’s done, start the container.
Quick check that it worked
From your Proxmox host, jump into the container:
pct enter <container-id>
Replace <container-id> with whatever ID Proxmox assigned (the script will tell you).
Once you’re in, run a few quick checks:
# What version of Debian are we running?
cat /etc/debian_version
# Are unprivileged user namespaces allowed? (kernel-wide sysctl; nesting itself is set in the container config on the host)
cat /proc/sys/kernel/unprivileged_userns_clone
# Should show: 1
# How much RAM do we have?
free -h
# How much disk space?
df -h
If those all look reasonable, you’re good. The container is ready.
When things go wrong
Container won’t start: Check the Proxmox logs to see what’s up:
pct status <container-id>
Also make sure your storage pool has enough space:
pvesm status
Docker doesn’t work later (after we install it):
If you get permission errors or Docker just refuses to start, nesting probably isn’t properly enabled. Stop the container and check /etc/pve/lxc/<container-id>.conf on your Proxmox host. You should see:
features: keyctl=1,nesting=1
lxc.apparmor.profile: unconfined
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
If those lines are missing, add them, then start the container again.
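The same check as a script, as an added example that is not from the original post: it reads a container config on the Proxmox host and reports which of the settings above are present, ignoring snapshot sections. It also reports whether the container is unprivileged and flags an unconfined AppArmor profile for review. Function names and the sample config are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit a Proxmox LXC config for
# the settings this guide relies on. On the Proxmox host:
#   audit_lxc_conf /etc/pve/lxc/<container-id>.conf
# Function names are illustrative.

# Only the live config counts; snapshot sections start with a "[name]" line.
live_section() { awk '/^\[/ {exit} {print}' "$1"; }

has_line() { live_section "$1" | grep -qE "$2"; }

# True if the features: line carries NAME=1 (e.g. nesting, keyctl).
has_feature() {
    live_section "$1" | grep -E '^features:' | tr ', ' '\n\n' | grep -qx "$2=1"
}

# Prints one line per check; exit status is the number of missing settings.
audit_lxc_conf() {
    local conf=$1 missing=0 label regex
    for label in nesting keyctl; do
        if has_feature "$conf" "$label"; then echo "ok       feature $label=1"
        else echo "MISSING  feature $label=1"; missing=$((missing + 1)); fi
    done
    while IFS='|' read -r label regex; do
        if has_line "$conf" "$regex"; then echo "ok       $label"
        else echo "MISSING  $label"; missing=$((missing + 1)); fi
    done <<'EOF'
unprivileged container|^unprivileged:[[:space:]]*1[[:space:]]*$
TUN device allowed (c 10:200)|^lxc\.cgroup2\.devices\.allow:[[:space:]]*c 10:200 rwm
/dev/net/tun bind mount|^lxc\.mount\.entry:[[:space:]]*/dev/net/tun[[:space:]]
EOF
    # Not counted as missing or present, but worth a conscious decision.
    if has_line "$conf" '^lxc\.apparmor\.profile:[[:space:]]*unconfined'; then
        echo "REVIEW   lxc.apparmor.profile is unconfined (AppArmor is not confining this container)"
    fi
    return "$missing"
}

# Constructed sample config, including a snapshot section that must be ignored.
sample=$(mktemp)
printf '%s\n' 'features: keyctl=1,nesting=1' 'hostname: openclaw' 'unprivileged: 1' \
    'lxc.cgroup2.devices.allow: c 10:200 rwm' \
    'lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file' \
    '' '[before-docker]' 'features: keyctl=1' > "$sample"
audit_lxc_conf "$sample"
rm -f "$sample"
```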
That’s it for Part 1
Container created, features enabled, basic checks passed. We’re ready to move on.
In Part 2, we’ll prep the environment - system updates, security basics, and installing all the dependencies OpenClaw needs (Node.js, Git, Docker, etc.).
Take a break if you need one. The container isn’t going anywhere.