1. Log into [Oracle Cloud Console](https://cloud.oracle.com/). 2. Navigate to **Compute > Instances > Create Instance**. 3. Configure: * **Name:** `openclaw` * **Image:** Ubuntu 24.04 (aarch64) * **Shape:** `VM.Standard.A1.Flex` (Ampere ARM) * **OCPUs:** 2 (or up to 4) * **Memory:** 12 GB (or up to 24 GB) * **Boot volume:** 50 GB (up to 200 GB free) * **SSH key:** Add your public key 4. Click **Create** and note the public IP address.

text
Copy
<Tip>
  If instance creation fails with "Out of capacity", try a different availability domain or retry later. Free tier capacity is limited.
</Tip>

```bash} ssh ubuntu@YOUR_PUBLIC_IP

text
Copy
sudo apt update && sudo apt upgrade -y
sudo apt install -y build-essential
```

`build-essential` is required for ARM compilation of some dependencies.

```bash} sudo hostnamectl set-hostname openclaw sudo passwd ubuntu sudo loginctl enable-linger ubuntu ```

text
Copy
Enabling linger keeps user services running after logout.

```bash} curl -fsSL https://tailscale.com/install.sh | sh sudo tailscale up --ssh --hostname=openclaw ```

text
Copy
From now on, connect via Tailscale: `ssh ubuntu@openclaw`.

```bash} curl -fsSL https://openclaw.ai/install.sh | bash source ~/.bashrc ```

text
Copy
When prompted "How do you want to hatch your bot?", select **Do this later**.

Use token auth with Tailscale Serve for secure remote access.

text
Copy
```bash}
openclaw config set gateway.bind loopback
openclaw config set gateway.auth.mode token
openclaw doctor --generate-gateway-token
openclaw config set gateway.tailscale.mode serve
openclaw config set gateway.trustedProxies '["127.0.0.1"]'

systemctl --user restart openclaw-gateway.service
```

`gateway.trustedProxies=["127.0.0.1"]` here is only for the local Tailscale Serve proxy's forwarded-IP/local-client handling. It is **not** `gateway.auth.mode: "trusted-proxy"`. Diff viewer routes keep fail-closed behavior in this setup: raw `127.0.0.1` viewer requests without forwarded proxy headers can return `Diff not found`. Use `mode=file` / `mode=both` for attachments, or intentionally enable remote viewers and set `plugins.entries.diffs.config.viewerBaseUrl` (or pass a proxy `baseUrl`) if you need shareable viewer links.

Block all traffic except Tailscale at the network edge:

text
Copy
1. Go to **Networking > Virtual Cloud Networks** in the OCI Console.
2. Click your VCN, then **Security Lists > Default Security List**.
3. **Remove** all ingress rules except `0.0.0.0/0 UDP 41641` (Tailscale).
4. Keep default egress rules (allow all outbound).

This blocks SSH on port 22, HTTP, HTTPS, and everything else at the network edge. You can only connect via Tailscale from this point on.

```bash} openclaw --version systemctl --user status openclaw-gateway.service tailscale serve status curl http://localhost:18789 ```

text
Copy
Access the Control UI from any device on your tailnet:

```
https://openclaw.<tailnet-name>.ts.net/
```

Replace `<tailnet-name>` with your tailnet name (visible in `tailscale status`).