Ahnaf Tahmid

🦞 I Self-Hosted OpenClaw on AWS for $0 — No Open Ports, No SaaS, No Compromise (Using Tailscale)

You can also read it here: https://medium.com/p/5b20907e0fb1

I wanted to run my own AI agent on the cloud — not on my laptop, not on someone else’s hosted dashboard — but fully self-hosted, fully in my control.

So I deployed OpenClaw on a free-tier AWS EC2 instance, secured it with Tailscale, and connected it to Telegram using the Gemini API.

This post walks you through the exact setup. No fluff. Just what works.

Step 1 — Launch a Free EC2 Instance

AWS Console → EC2 → Launch Instance

Configure it like this:

  • Name: anything you like

  • OS: Ubuntu 24.04 LTS

  • Instance type: t3.small

  • Storage: 50 GB

  • Security Groups: only allow port 22 (SSH) — nothing else open

For the key pair: Create a new key pair, give it a name, and download the .pem file. Keep this file safe — it's how you'll securely SSH into your server from your own machine if you ever need to. Without it, you lose access.

Click Launch Instance.

Once it’s running, click on the instance → hit Connect.

Now choose EC2 Instance Connect → click Connect again. AWS will open a fully browser-based terminal directly inside your server. No local terminal setup needed — just your browser.

After that it will open your VPS terminal.

Step 2 — Set Up Tailscale (Do This First)

You can skip this step if it sounds too complicated, but doing it is strongly recommended. It takes 5 minutes and makes your entire setup significantly more secure.

Tailscale creates a private VPN tunnel to your EC2 instance. Once it’s running, you never need to expose a public IP again — all access goes through a secure private network that only your own devices can reach.

Think of it this way: instead of leaving a door open to the internet, Tailscale gives you a private hallway that only you can walk through.

Run these in your EC2 terminal:

curl -fsSL https://tailscale.com/install.sh | sh

sudo tailscale up

It will print an authentication link — open it, sign in, and your EC2 is now part of your private Tailscale network. Install Tailscale on your local machine too, and your server gets a private IP like 100.x.x.x that only your devices can reach.

Then enable Tailscale SSH so you can access your server from your own terminal anytime, from anywhere:

sudo tailscale up --ssh

Why this matters: If your EC2 ever gets misconfigured and accidentally exposes a port, it doesn’t matter — nothing outside your Tailscale network can reach it. It’s your silent safety net running in the background.
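A listener bound to 0.0.0.0 or :: still answers on the instance's public address whenever the security group lets that port through, so it is worth checking what each service actually binds to. The script below is an added example, not part of the original post: it filters `ss -H -tln` output for listeners that are not limited to loopback or Tailscale's address ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48). The function name and the sample input are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report TCP listeners that are
# bound beyond loopback and the Tailscale address ranges.
# Usage on the server:  ss -H -tln | exposed_listeners

exposed_listeners() {
  # $1: the one port allowed to listen publicly (the post leaves 22 open)
  awk -v allowed="${1:-22}" '
    $1 == "LISTEN" {
      n = split($4, part, ":")            # local address is "addr:port"
      port = part[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      sub(/%.*$/, "", addr)               # drop interface suffix such as %lo
      sub(/^\[/, "", addr)                # drop IPv6 brackets
      sub(/\]$/, "", addr)
      if (port + 0 == allowed + 0) next
      if (addr ~ /^127\./ || addr == "::1") next        # loopback only
      if (tolower(addr) ~ /^fd7a:115c:a1e0:/) next      # Tailscale IPv6 range
      if (split(addr, o, ".") == 4 && o[1] + 0 == 100 &&
          o[2] + 0 >= 64 && o[2] + 0 <= 127) next       # Tailscale 100.64.0.0/10
      print addr, port                    # anything else: wildcard or instance address
    }'
}

# Constructed sample of `ss -H -tln` output; addresses and ports are made up.
SAMPLE_SS='LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 100.101.102.103:8443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 511 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [fd7a:115c:a1e0::1234]:8443 [::]:*
LISTEN 0 64 [::]:9090 [::]:*'

# Prints the two listeners that the security group alone is protecting.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

An empty result means every service other than SSH is reachable only from the host itself or over the tailnet.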

Step 3 — Install OpenClaw

Now let’s get OpenClaw running. Paste this into your EC2 terminal:

curl -fsSL https://openclaw.ai/install.sh | bash

Installation takes around 5–10 minutes.

Step 4 — Connect Gemini API

Once installation finishes, OpenClaw will walk you through a configuration wizard. Here, I am choosing the Gemini API key from Google.

To get your Gemini API key, go to aistudio.google.com → Get API Key → copy it.

One thing worth knowing: Google Cloud gives you $300 in free credits when you create a new account. If you’re just experimenting and testing things out, this is genuinely useful — you can run Gemini at full capacity for weeks without paying a cent. Just go to cloud.google.com, create an account, and the credits are much higher. Well worth setting up before you start.

Select: Model → Google → paste your Gemini API key → set model to google/gemini-flash-latest

Step 5 — Connect Telegram

The wizard will then ask you to configure a channel. Select Telegram.

To create your bot:

  1. Open Telegram → search @BotFather → send /newbot

  2. Follow the prompts — it’ll generate a bot token

  3. Copy that token

Now, in OpenClaw, paste the token you just copied.

Follow the remaining configuration options, then finish the setup.

That’s it — OpenClaw is configured. Now restart the daemon to apply everything:

openclaw daemon restart

Step 6 — Open DM Policy

By default, OpenClaw runs in pairing mode — meaning your bot will silently ignore all incoming messages until manually approved. It won’t throw any errors; it just won’t reply. This trips up a lot of people.

To allow your bot to reply instantly to anyone (with these settings, any Telegram user who finds the bot can message it, so the bot is not restricted to your user ID):

openclaw config set channels.telegram.dmPolicy open
openclaw config set channels.telegram.allowFrom '["*"]'
openclaw daemon restart

Your bot is now live and responding. Go send it a message on Telegram.

Need to Change Something Later?

If you ever need to update your configuration — swap models, change your API key, adjust settings — just run:

openclaw configure

Security Checklist

  • No public ports except 22 (locked via Security Groups)

  • Key pair .pem file stored safely and privately

  • All remote access through Tailscale tunnel

  • API keys never committed or shared publicly

  • Telegram bot restricted to your user ID only

  • Rotate API keys from time to time

Total Cost

  • AWS Free Tier — $0 cost

  • Google Cloud Credit $300 — $0 cost

  • Tailscale Free Tier — $0 cost

Total cost: $0
