Use this file to discover all available pages before exploring further.

GCP

OpenClaw on GCP Compute Engine (Docker, Production VPS Guide)

Goal

Run a persistent OpenClaw Gateway on a GCP Compute Engine VM using Docker, with durable state, baked-in binaries, and safe restart behavior.

If you want "OpenClaw 24/7 for ~$5-12/mo", this is a reliable setup on Google Cloud. Pricing varies by machine type and region; pick the smallest VM that fits your workload and scale up if you hit OOMs.

What are we doing (simple terms)?

Create a GCP project and enable billing
Create a Compute Engine VM
Install Docker (isolated app runtime)
Start the OpenClaw Gateway in Docker
Persist
text
~/.openclaw
+
text
~/.openclaw/workspace
on the host (survives restarts/rebuilds)
Access the Control UI from your laptop via an SSH tunnel

That mounted

text

~/.openclaw

state includes

text

openclaw.json

, per-agent

text

agents/<agentId>/agent/auth-profiles.json

, and

text

.env

The Gateway can be accessed via:

SSH port forwarding from your laptop
Direct port exposure if you manage firewalling and tokens yourself

This guide uses Debian on GCP Compute Engine. Ubuntu also works; map packages accordingly. For the generic Docker flow, see Docker.

Quick path (experienced operators)

Create GCP project + enable Compute Engine API
Create Compute Engine VM (e2-small, Debian 12, 20GB)
SSH into the VM
Install Docker
Clone OpenClaw repository
Create persistent host directories
Configure
text
.env
and
text
docker-compose.yml
Bake required binaries, build, and launch

What you need

GCP account (free tier eligible for e2-micro)
gcloud CLI installed (or use Cloud Console)
SSH access from your laptop
Basic comfort with SSH + copy/paste
~20-30 minutes
Docker and Docker Compose
Model auth credentials
Optional provider credentials
- WhatsApp QR
- Telegram bot token
- Gmail OAuth

Install gcloud CLI (or use Console)

**Option A: gcloud CLI** (recommended for automation)


text
Install from [https://cloud.google.com/sdk/docs/install](https://cloud.google.com/sdk/docs/install)

Initialize and authenticate:

```bash}
gcloud init
gcloud auth login
```

**Option B: Cloud Console**

All steps can be done via the web UI at [https://console.cloud.google.com](https://console.cloud.google.com)

Create a GCP project

**CLI:**


text
```bash}
gcloud projects create my-openclaw-project --name="OpenClaw Gateway"
gcloud config set project my-openclaw-project
```

Enable billing at [https://console.cloud.google.com/billing](https://console.cloud.google.com/billing) (required for Compute Engine).

Enable the Compute Engine API:

```bash}
gcloud services enable compute.googleapis.com
```

**Console:**

1. Go to IAM & Admin > Create Project
2. Name it and create
3. Enable billing for the project
4. Navigate to APIs & Services > Enable APIs > search "Compute Engine API" > Enable

Create the VM

**Machine types:**


text
| Type      | Specs                    | Cost               | Notes                                        |
| --------- | ------------------------ | ------------------ | -------------------------------------------- |
| e2-medium | 2 vCPU, 4GB RAM          | \~\$25/mo          | Most reliable for local Docker builds        |
| e2-small  | 2 vCPU, 2GB RAM          | \~\$12/mo          | Minimum recommended for Docker build         |
| e2-micro  | 2 vCPU (shared), 1GB RAM | Free tier eligible | Often fails with Docker build OOM (exit 137) |

**CLI:**

```bash}
gcloud compute instances create openclaw-gateway \
  --zone=us-central1-a \
  --machine-type=e2-small \
  --boot-disk-size=20GB \
  --image-family=debian-12 \
  --image-project=debian-cloud
```

**Console:**

1. Go to Compute Engine > VM instances > Create instance
2. Name: `openclaw-gateway`
3. Region: `us-central1`, Zone: `us-central1-a`
4. Machine type: `e2-small`
5. Boot disk: Debian 12, 20GB
6. Create

SSH into the VM

**CLI:**


text
```bash}
gcloud compute ssh openclaw-gateway --zone=us-central1-a
```

**Console:**

Click the "SSH" button next to your VM in the Compute Engine dashboard.

Note: SSH key propagation can take 1-2 minutes after VM creation. If connection is refused, wait and retry.

Install Docker (on the VM)

```bash} sudo apt-get update sudo apt-get install -y git curl ca-certificates curl -fsSL https://get.docker.com | sudo sh sudo usermod -aG docker $USER ```


text
Log out and back in for the group change to take effect:

```bash}
exit
```

Then SSH back in:

```bash}
gcloud compute ssh openclaw-gateway --zone=us-central1-a
```

Verify:

```bash}
docker --version
docker compose version
```

Clone the OpenClaw repository

```bash} git clone https://github.com/openclaw/openclaw.git cd openclaw ```


text
This guide assumes you will build a custom image to guarantee binary persistence.

Create persistent host directories

Docker containers are ephemeral. All long-lived state must live on the host.


text
```bash}
mkdir -p ~/.openclaw
mkdir -p ~/.openclaw/workspace
```

Configure environment variables

Create `.env` in the repository root.


text
```bash}
OPENCLAW_IMAGE=openclaw:latest
OPENCLAW_GATEWAY_TOKEN=
OPENCLAW_GATEWAY_BIND=lan
OPENCLAW_GATEWAY_PORT=18789

OPENCLAW_CONFIG_DIR=/home/$USER/.openclaw
OPENCLAW_WORKSPACE_DIR=/home/$USER/.openclaw/workspace

GOG_KEYRING_PASSWORD=
XDG_CONFIG_HOME=/home/node/.openclaw
```

Leave `OPENCLAW_GATEWAY_TOKEN` blank unless you explicitly want to
manage it through `.env`; OpenClaw writes a random gateway token to
config on first start. Generate a keyring password and paste it into
`GOG_KEYRING_PASSWORD`:

```bash}
openssl rand -hex 32
```

**Do not commit this file.**

This `.env` file is for container/runtime env such as `OPENCLAW_GATEWAY_TOKEN`.
Stored provider OAuth/API-key auth lives in the mounted
`~/.openclaw/agents/<agentId>/agent/auth-profiles.json`.

Docker Compose configuration

Create or update `docker-compose.yml`.


text
```yaml}
services:
  openclaw-gateway:
    image: ${OPENCLAW_IMAGE}
    build: .
    restart: unless-stopped
    env_file:
      - .env
    environment:
      - HOME=/home/node
      - NODE_ENV=production
      - TERM=xterm-256color
      - OPENCLAW_GATEWAY_BIND=${OPENCLAW_GATEWAY_BIND}
      - OPENCLAW_GATEWAY_PORT=${OPENCLAW_GATEWAY_PORT}
      - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
      - GOG_KEYRING_PASSWORD=${GOG_KEYRING_PASSWORD}
      - XDG_CONFIG_HOME=${XDG_CONFIG_HOME}
      - PATH=/home/linuxbrew/.linuxbrew/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    volumes:
      - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
      - ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
    ports:
      # Recommended: keep the Gateway loopback-only on the VM; access via SSH tunnel.
      # To expose it publicly, remove the `127.0.0.1:` prefix and firewall accordingly.
      - "127.0.0.1:${OPENCLAW_GATEWAY_PORT}:18789"
    command:
      [
        "node",
        "dist/index.js",
        "gateway",
        "--bind",
        "${OPENCLAW_GATEWAY_BIND}",
        "--port",
        "${OPENCLAW_GATEWAY_PORT}",
        "--allow-unconfigured",
      ]
```

`--allow-unconfigured` is only for bootstrap convenience, it is not a replacement for a proper gateway configuration. Still set auth (`gateway.auth.token` or password) and use safe bind settings for your deployment.

Shared Docker VM runtime steps

Use the shared runtime guide for the common Docker host flow:


text
* [Bake required binaries into the image](/install/docker-vm-runtime#bake-required-binaries-into-the-image)
* [Build and launch](/install/docker-vm-runtime#build-and-launch)
* [What persists where](/install/docker-vm-runtime#what-persists-where)
* [Updates](/install/docker-vm-runtime#updates)

GCP-specific launch notes

On GCP, if build fails with `Killed` or `exit code 137` during `pnpm install --frozen-lockfile`, the VM is out of memory. Use `e2-small` minimum, or `e2-medium` for more reliable first builds.


text
When binding to LAN (`OPENCLAW_GATEWAY_BIND=lan`), configure a trusted browser origin before continuing:

```bash}
docker compose run --rm openclaw-cli config set gateway.controlUi.allowedOrigins '["http://127.0.0.1:18789"]' --strict-json
```

If you changed the gateway port, replace `18789` with your configured port.

Access from your laptop

Create an SSH tunnel to forward the Gateway port:


text
```bash}
gcloud compute ssh openclaw-gateway --zone=us-central1-a -- -L 18789:127.0.0.1:18789
```

Open in your browser:

`http://127.0.0.1:18789/`

Reprint a clean dashboard link:

```bash}
docker compose run --rm openclaw-cli dashboard --no-open
```

If the UI prompts for shared-secret auth, paste the configured token or
password into Control UI settings. This Docker flow writes a token by
default; if you switch the container config to password auth, use that
password instead.

If Control UI shows `unauthorized` or `disconnected (1008): pairing required`, approve the browser device:

```bash}
docker compose run --rm openclaw-cli devices list
docker compose run --rm openclaw-cli devices approve <requestId>
```

Need the shared persistence and update reference again?
See [Docker VM Runtime](/install/docker-vm-runtime#what-persists-where) and [Docker VM Runtime updates](/install/docker-vm-runtime#updates).

Troubleshooting

SSH connection refused

SSH key propagation can take 1-2 minutes after VM creation. Wait and retry.

OS Login issues

Check your OS Login profile:


bash
gcloud compute os-login describe-profile

Ensure your account has the required IAM permissions (Compute OS Login or Compute OS Admin Login).

Out of memory (OOM)

If Docker build fails with

text

Killed

and

text

exit code 137

, the VM was OOM-killed. Upgrade to e2-small (minimum) or e2-medium (recommended for reliable local builds):


bash
# Stop the VM first
gcloud compute instances stop openclaw-gateway --zone=us-central1-a

# Change machine type
gcloud compute instances set-machine-type openclaw-gateway \
  --zone=us-central1-a \
  --machine-type=e2-small

# Start the VM
gcloud compute instances start openclaw-gateway --zone=us-central1-a

Service accounts (security best practice)

For personal use, your default user account works fine.

For automation or CI/CD pipelines, create a dedicated service account with minimal permissions:

Create a service account:


bash
gcloud iam service-accounts create openclaw-deploy \
  --display-name="OpenClaw Deployment"

Grant Compute Instance Admin role (or narrower custom role):


bash
gcloud projects add-iam-policy-binding my-openclaw-project \
  --member="serviceAccount:openclaw-deploy@my-openclaw-project.iam.gserviceaccount.com" \
  --role="roles/compute.instanceAdmin.v1"

Avoid using the Owner role for automation. Use the principle of least privilege.

See https://cloud.google.com/iam/docs/understanding-roles for IAM role details.

Next steps

Set up messaging channels: Channels
Pair local devices as nodes: Nodes
Configure the Gateway: Gateway configuration

OpenClaw Docs

GCP

OpenClaw on GCP Compute Engine (Docker, Production VPS Guide)

Goal

What are we doing (simple terms)?

Quick path (experienced operators)

What you need

Install gcloud CLI (or use Console)

Create a GCP project

Create the VM

SSH into the VM

Install Docker (on the VM)

Clone the OpenClaw repository

Create persistent host directories

Configure environment variables

Docker Compose configuration

Shared Docker VM runtime steps

GCP-specific launch notes

Access from your laptop

Troubleshooting

Service accounts (security best practice)

Next steps

Related