Overview

  1. Pre-reqs (Create SSH key > Initialize VPS > Create Tailnet)
  2. Patch VPS
  3. Install Tailscale on VPS
  4. Create dedicated OpenClaw OS user
  5. Harden SSH
  6. Enable & Configure UFW
  7. Setup weekly automated patching and backups
  8. Enable fail2ban
  9. Segment Tailnet (prevent lateral movement)
  10. Install OpenClaw on VPS (out of guide scope)
  11. Configure package manager guardrails (prevent supply chain poisoning)

Pre-requisites

Patch VPS + Install Tailscale + Create Non-Root User + Setup SSH

### Patch box ###
sudo apt update && sudo apt upgrade -y
sudo reboot
uptime # After reconnecting, confirm the box actually rebooted (low uptime)

### First Access + Tailscale ###
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
tailscale ip -4 # Note this IP, you will use it for SSH (<TAILSCALE_IP>)
tailscale status

### Create non-root user & setup SSH access for it ###
whoami # Verify you are root before creating the user
adduser clawusr
usermod -aG sudo clawusr

# Still as root: give the new user the same SSH key root was provisioned with
mkdir -p /home/clawusr/.ssh
cp /root/.ssh/authorized_keys /home/clawusr/.ssh/
chmod 700 /home/clawusr/.ssh
chmod 600 /home/clawusr/.ssh/authorized_keys
chown -R clawusr:clawusr /home/clawusr/.ssh

su - clawusr
whoami # Should print clawusr

### Verify SSH via Tailscale ###
# From your PC's terminal:
ssh -i ~/.ssh/id_rsa clawusr@<TAILSCALE_IP>
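The key-copy step above is the one that locks you out if it goes wrong (an empty or missing source file, or permissions sshd's StrictModes rejects). As an added example that is not part of the original guide, here is a small POSIX sh helper that performs that step with the same modes and refuses to run against a missing or empty key file, plus a checker for the resulting permissions. The user name, home directory and source path are arguments; `stat -c` assumes GNU coreutils, and ownership is only changed when run as root.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Install an authorized_keys file into a user's ~/.ssh with the modes the
# guide sets: 700 on the directory, 600 on the file.
# Usage on the VPS as root:
#   install_authorized_keys clawusr /home/clawusr /root/.ssh/authorized_keys
install_authorized_keys() {
  user="$1"; home="$2"; src="$3"
  # Refuse to continue when the source is missing or empty: copying an empty
  # authorized_keys would leave the new user with no way to log in.
  if [ ! -s "$src" ]; then
    echo "source $src missing or empty; not installing keys" >&2
    return 1
  fi
  mkdir -p "$home/.ssh" || return 1
  cp "$src" "$home/.ssh/authorized_keys" || return 1
  chmod 700 "$home/.ssh" || return 1
  chmod 600 "$home/.ssh/authorized_keys" || return 1
  # Only root can hand the files to another user; when run unprivileged
  # (e.g. for testing) the files already belong to the caller.
  if [ "$(id -u)" -eq 0 ]; then
    chown -R "$user:$user" "$home/.ssh" || return 1
  fi
  return 0
}

# Verify the directory and key file carry the modes sshd expects
# (StrictModes rejects group/world-writable paths). Returns 0 when correct.
check_ssh_perms() {
  home="$1"
  dmode=$(stat -c '%a' "$home/.ssh" 2>/dev/null) || return 1
  fmode=$(stat -c '%a' "$home/.ssh/authorized_keys" 2>/dev/null) || return 1
  [ "$dmode" = "700" ] && [ "$fmode" = "600" ]
}
```

Run `check_ssh_perms /home/clawusr` before closing your root session so the first login as clawusr does not fail on a permissions error.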

Harden SSH