Dependencies installed, environment ready. Time to actually install OpenClaw and get it running.

Before you start

Important: Use SSH login for OpenClaw

For OpenClaw installation and operation, you need to login via SSH, not just su - openclaw.

This is because systemd user services (which we’ll set up later) require an actual SSH session to work properly.

Login via SSH:

ssh openclaw@localhost

Or from outside the container:

ssh openclaw@<container-ip>

Use the password you set when creating the openclaw user.

Verify you’re logged in correctly:

whoami
# should output: openclaw

Installing OpenClaw

OpenClaw has a one-line installer that downloads the CLI, installs it globally, and automatically launches the onboarding wizard.

Important: Make sure you’re the openclaw user:

whoami
# should output: openclaw

Run the installer:

curl -fsSL https://openclaw.ai/install.sh | bash

The script will:

• Install Node.js and npm if not already present
• Install the OpenClaw CLI globally
• Automatically start the onboarding process

Onboarding wizard

After installation completes, you’ll see the onboarding prompts.

Step 1: Risk acknowledgment

◆  I understand this is powerful and
   inherently risky. Continue?
│  ● Yes / ○ No

Select Yes.

Step 2: Onboarding mode

Onboarding mode
│ ○  QuickStart (Configure
│  details later via openclaw
│  configure.)
│ ●   Manual

Select Manual. We need to configure specific settings for container deployment.

Step 3: Model provider

This is important - your setup is only as good as the model you choose.

OpenClaw needs models with:

• Large context windows (for handling lots of code and memory)
• Good tool calling capabilities
• Strong reasoning (smaller models like GPT-4o mini struggle with complex tasks)

Recommended providers:

Budget-friendly:

• Z.ai (GLM) - Cheapest option I’ve tested. Works well for most tasks. Even GLM struggles sometimes on complex tasks, but it’s solid for the price.
• Kimi (Moonshot AI) - Slightly better than GLM. Good balance of cost and performance.
• Minimax - I’ve heard it’s good but haven’t tested it personally.

Premium (expensive):

• Anthropic (Claude) - Works great, but:
  • Using Pro/Max subscription API access is NOT officially supported (risk of getting banned)
  • Official API is allowed but expensive for heavy usage
• OpenAI - Similar pricing to Anthropic. Expensive for continuous use.

Free options:

• build.nvidia.com - Kimi models available for free
• OpenRouter - Has some free models plus paid options
• Local LLM - Possible, but you need a large model. Small local models won’t handle OpenClaw’s complexity well.

My recommendation: Start with Z.ai (GLM) if you’re budget-conscious, or Kimi if you want slightly better performance. Test it out and upgrade to premium models if you need more reliability.

After selecting your provider, enter your API key when prompted.

Step 4: Gateway setup

◆  What do you want to set up?
│  ● Local gateway (this machine)
│    (No gateway detected (ws://127.0.0.1:18789))
│  ○ Remote gateway (info-only)

Select Local gateway (this machine).

Workspace directory:

Workspace directory
│  /home/openclaw/.openclaw/workspace

This is the default. Just press Enter to continue.

Model: (already configured in Step 3)

Gateway port:

Gateway port
│  18789

Keep the default port 18789. Press Enter.

Gateway bind:

◆  Gateway bind
│  ○ Loopback (127.0.0.1)
│  ● LAN (0.0.0.0)
│  ○ Tailnet (Tailscale IP)
│  ○ Auto (Loopback → LAN)
│  ○ Custom IP

Important: Select LAN (0.0.0.0).

Since we’re running in a container and need to access the gateway from outside localhost, we must bind to 0.0.0.0. Choosing Loopback would make it inaccessible from your network.

Gateway auth:

Gateway auth
│  ● Token (Recommended default (local + remote))
│  ○ Password

Select Token (Recommended).

Tailscale exposure:

◆  Tailscale exposure
│  ● Off (No Tailscale exposure)
│  ○ Serve
│  ○ Funnel

Select Off for now. You can configure Tailscale remote access later if needed.

Gateway token:

◆  Gateway token (blank to generate)
   Needed for multi-machine or non-loopback access

You have two options:

• Leave it blank - OpenClaw will auto-generate a secure token for you
• Enter something memorable - If you want to type it yourself (you’ll need this token to login on every device that connects to the gateway)

If you’re unsure, just leave it blank.

Chat channels:

Configure chat channels now?
│  ● Yes / ○ No

If you want to set up Telegram or Discord now, select Yes and continue to Step 5. Otherwise, select No and you can configure channels later with openclaw configure.

Step 5: Select channel

◆  Select channel
│  (QuickStart)

OpenClaw can connect to various messaging platforms. I personally use Discord, Telegram, and iMessage.

For this guide, we’ll cover Telegram and Discord. iMessage requires a node (which will be separate from this gateway install) and will be in a separate guide later.

Setting up Telegram

1. Create a bot with BotFather:

Open Telegram and start a chat with @BotFather.

2. Create a new bot:

Send the command:

/newbot

(Or /mybots if you already have bots and want to manage them)

3. Choose a name:

BotFather will ask for a bot name. This can be anything you like - it’s the display name users see.

Example: My OpenClaw Assistant

4. Choose a username:

The username must:

• Be unique
• End with bot

Example: myopenclaw_bot

5. Copy the token:

BotFather will give you a token that looks like:

123456789:ABCdefGHIjklMNOpqrsTUVwxyz

Copy this entire token.

6. Enter the token in OpenClaw setup:

Enter Telegram bot token
_

Paste your token here.

Setting up Discord

(Discord setup will be covered in the advanced configuration section)

Step 6: Configure skills

Configure skills now? (recommended)
│  ● Yes / ○ No

Select Yes.

Then select npm when prompted.

You’ll see a list of bundled skills you can install. These are pre-built capabilities for OpenClaw - things like file operations, git integration, web search, etc.

Select the ones that look useful for your workflow. You can always add more later.

Important notes:

• macOS skills: You can’t install macOS-specific skills directly on this Linux container. Those need to be installed on a macOS node.
• clawhub skills: You can install additional skills from clawhub later, but be careful - read everything before installing skills from there. Stick with the bundled skills for now.

Step 7: Systemd service installation

If you followed the tutorial correctly (created the openclaw user and logged in via SSH), you should see:

◇  Systemd ───────────────────────────╮
│                                     │
│  Linux installs use a systemd user  │
│  service by default. Without        │
│  lingering,                         │
│  systemd stops the user session on  │
│  logout/idle and kills the          │
│  Gateway.                           │
│  Enabling lingering now (may        │
│  require sudo; writes               │
│  /var/lib/systemd/linger).          │
│                                     │
├─────────────────────────────────────╯
Failed to execute /usr/bin/pkttyagent: No such file or directory
│
◇  Systemd ────────────────────────╮
│                                  │
│  Enabled systemd lingering for   │
│  openclaw.                       │

The pkttyagent error is safe to ignore (it’s just a polkit authentication helper that’s not critical).

If you see “Systemd user services are unavailable”: This means you either didn’t create the openclaw user properly or didn’t login via SSH. You’ll need to set up systemd manually later.

Install Gateway service:

◆  Install Gateway service (recommended)
│  ● Yes / ○ No

Select Yes.

Gateway service runtime:

◆  Gateway service runtime
│  ● Node (recommended)
│    (Required for WhatsApp + Telegram.
│     Bun can corrupt memory on reconnect.)

Select Node (recommended).

Important: Node is required for WhatsApp and Telegram channels. Bun has issues with memory corruption on reconnect, so stick with Node.

Step 8: How to start the gateway

◆  How do you want to hatch your bot?
│  ● Hatch in TUI (recommended)
│  ○ Open the Web UI
│  ○ Do this later

Select Do this later.

Why not TUI? Your gateway setup isn’t complete yet and needs more configuration. We’ll start it properly after verifying everything is set up correctly.

Step 9: Shell completion

◆  Enable bash shell completion for openclaw?
│  ● Yes / ○ No

Select Yes. This enables tab completion for openclaw commands.

Onboarding complete!

The installer will show “Onboarding complete” or similar message.

Important: Reload your shell

If you try to run openclaw right now, you might get “command not found”. This is because the shell environment needs to reload.

Exit and re-login via SSH:

exit
ssh openclaw@localhost

Now the openclaw command should work.

Installation complete

Verify installation:

openclaw --version

Should show you the OpenClaw version.

Accessing the gateway

Now let’s access the OpenClaw web interface.

Get your container’s IP address:

ip a

Look for the inet line under eth0. It’ll look something like 10.129.20.46/24.

Access the gateway:

Open a browser and go to:

http://<container-ip>:18789

For example: http://10.129.20.46:18789

You’ll see an error:

disconnected (1008): control ui requires HTTPS or localhost (secure context)

This is a security feature that requires HTTPS or localhost access. Since we’re on a LAN in a Proxmox container, we can safely disable this check.

Fix: Allow insecure auth for LAN access

Edit the OpenClaw config:

nano ~/.openclaw/openclaw.json

Scroll to the bottom and find the "gateway" section. Add the controlUi configuration:

"gateway": {
  "port": 18789,
  "mode": "local",
  "bind": "lan",
  "controlUi": {
    "allowInsecureAuth": true
  },
  "auth": {
    "mode": "token",
    "token": "your-token-here"
  },
  "tailscale": {
    "mode": "off",
    "resetOnExit": false
  }
}

The key addition is:

"controlUi": {
  "allowInsecureAuth": true
},

Note the comma after the closing brace - it’s needed since there are more properties after this one.

Save and exit (Ctrl+X, Y, Enter).

Restart the gateway:

If the gateway is running as a service:

systemctl --user restart openclaw-gateway.service

Or if you’re running it manually, stop it (Ctrl+C) and start again:

openclaw

Check gateway status:

openclaw status

Should show the gateway is running.

Access the web interface:

Refresh your browser at http://<container-ip>:18789.

You’ll see another error:

disconnected (1008): device identity required

Add the gateway token:

1. Click on Overview in the web interface
2. You’ll be prompted to add gateway token
3. Enter the token you created during onboarding (or the auto-generated one)
   • If you forgot your token, check ~/.openclaw/openclaw.json in the "auth" → "token" field

Once you add the token, the web interface should connect successfully.

Basic configuration complete!

You now have:

• ✅ OpenClaw installed
• ✅ Gateway running as a systemd service
• ✅ Web interface accessible from your LAN
• ✅ Basic workspace configured

Changing configuration later

For adding models or channels:

Use openclaw doctor - it will detect configuration changes and help you set them up properly:

openclaw doctor

This is the recommended way to add or modify:

• LLM providers and models
• Chat channels (Telegram, Discord, etc.)
• Gateway settings

For advanced configuration:

Unfortunately, advanced configs require manually editing the JSON file:

nano ~/.openclaw/openclaw.json

Then always run doctor after manual edits:

openclaw doctor

After doctor completes successfully, restart the gateway:

systemctl --user restart openclaw-gateway.service

Useful doctor options:

• openclaw doctor - Interactive mode with prompts
• openclaw doctor --repair - Apply recommended repairs automatically
• openclaw doctor --yes - Accept all defaults without prompting
• openclaw doctor --deep - Deep scan including system services

Full configuration reference:

For all available configuration options, see the official docs: https://docs.openclaw.ai/gateway/configuration#config-includes-include

Pro tip: Use Claude Code for config editing

I recommend installing Claude Code on your Proxmox host. Using Claude Code to edit configuration files is much better than having the OpenClaw agent do it, especially if you’re running on smaller/cheaper models like GLM.

Claude Code can help you:

• Edit openclaw.json with proper syntax
• Troubleshoot configuration issues
• Understand what each setting does

This keeps your OpenClaw agent focused on its actual work rather than config file editing.

What’s next

OpenClaw is installed and running as a service. You have a basic workspace set up.

In Part 4, we’ll dive into advanced configuration:

• Setting up multiple agents with different configurations
• Docker sandboxing for agent tool calls
• Resource limits and monitoring
• Security hardening for production use
• Proactive agent configurations (cron-based agentic calls)

Take it for a spin, experiment with the agent, and when you’re ready for production-grade setup, move on to Part 4.

---

Troubleshooting

OpenClaw command not found:

• Make sure Node.js is installed: node --version
• Make sure npm is in PATH: which npm
• Try reinstalling: npm install -g openclaw

Gateway won’t start:

• Check logs: sudo journalctl -u openclaw -n 50
• Verify API key is set correctly in the service file
• Check if port 18789 is already in use: sudo lsof -i :18789

Can’t access web interface:

• Verify service is running: sudo systemctl status openclaw
• Check container IP: ip addr show eth0
• Make sure you’re accessing from the same network

Permission errors:

• Make sure you’re running as the openclaw user, not root
• Check ownership of ~/.openclaw/: ls -la ~/.openclaw/

“Failed to execute /usr/bin/pkttyagent: No such file or directory”:

• This is a polkit authentication agent error - it’s not critical
• It might appear during installation but doesn’t affect OpenClaw functionality
• You can safely ignore it - OpenClaw will still work fine