About This Guide: This is a specialized guide for running OpenClaw in a headless Linux environment — no display, no keyboard, SSH-only access. We cover Raspberry Pi 5 (8GB) as the primary target hardware, but all instructions apply to any Linux server, VPS, or ARM board. This is different from desktop Ubuntu/Debian guides — this is true server-mode operation: systemd daemon, UFW firewall, Cloudflare tunnel for HTTPS access, and running 24/7 with <5W power consumption.
The Raspberry Pi 5 has emerged as one of the most popular platforms for running OpenClaw — and for good reason. A Pi 5 with 8GB RAM costs around $80, consumes just 5W under load, fits in the palm of your hand, and can run 24/7 for an annual electricity bill of roughly $4. Plug it into your home router, configure SSH, and you have a personal AI agent that's always on, always responsive, and costs almost nothing to operate.
This guide is specifically for the headless, SSH-only setup — you'll never need a monitor or keyboard attached to your Pi or server. Everything is done remotely via terminal. By the end, you'll have OpenClaw running as a proper systemd service, protected by UFW firewall, accessible securely from anywhere via Cloudflare Tunnel, and optimized for the Raspberry Pi 5's ARM architecture.
Supported Hardware & Requirements
Raspberry Pi 5
Recommended- • Pi 5 8GB RAM — optimal
- • Pi 5 4GB — acceptable
- • ~5W power under load
- • $80–100 hardware cost
- • Fully tested by community
Any Linux VPS
- • Ubuntu 24.04 LTS
- • Debian 12 (Bookworm)
- • 2GB+ RAM minimum
- • Hetzner, DigitalOcean, etc.
- • Same instructions apply
Other ARM Boards
- • Orange Pi 5 Pro
- • Rock 5B (8GB)
- • NVIDIA Jetson Nano
- • Banana Pi M5
- • Requires Ubuntu/Debian
Pi 4 Warning: Raspberry Pi 4 with 4GB RAM can run OpenClaw but struggles with multiple concurrent tool calls. Pi 4 2GB is not recommended. Pi 5 8GB is the minimum recommended spec for a comfortable experience.
Step 1: Flash Headless OS to SD Card
For Raspberry Pi 5, use Raspberry Pi OS Lite (64-bit) — no desktop environment, maximum RAM for OpenClaw:
Using Raspberry Pi Imager
- 1. Download Raspberry Pi Imager from
raspberrypi.com/software - 2. Select: Raspberry Pi 5 → Raspberry Pi OS Lite (64-bit)
- 3. Click the gear icon ⚙️ before flashing:
- • Enable SSH with password authentication
- • Set username:
piand a strong password - • Configure WiFi SSID and password (if using WiFi)
- • Set locale/timezone
- 4. Flash to a 32GB+ microSD card (Class 10 / A2 rated)
Find Your Pi's IP Address
After booting Pi, find its IP from your router's admin panel or use:
# Scan your network for Raspberry Pi
nmap -sn 192.168.1.0/24 | grep -i raspberry
# Or use mdns
ping raspberrypi.local
# SSH into Pi (first time)
ssh [email protected]
Step 2: Server Preparation (SSH Session)
Once SSH'd into your Pi (or Linux server), prepare the system:
# Update system
sudo apt update && sudo apt upgrade -y
# Install essential packages
sudo apt install -y curl git build-essential ufw fail2ban
# Configure UFW firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh # Port 22
sudo ufw allow 18789/tcp # OpenClaw gateway port
sudo ufw --force enable
sudo ufw status
# Optional: change SSH port for security
sudo sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
sudo systemctl restart sshd
sudo ufw allow 2222/tcp
Security first: Fail2ban automatically bans IPs that fail SSH login 5 times. This is essential for any internet-facing Linux server. The UFW rules above allow only SSH and OpenClaw traffic — everything else is blocked.
Step 3: Install Node.js 22 via NVM
# Install nvm
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash
# Load nvm
source ~/.bashrc
# Install Node.js 22 LTS
nvm install 22
nvm use 22
nvm alias default 22
# Verify
node --version # v22.x.x
npm --version # 10.x.x
# Make Node available system-wide for systemd
sudo ln -sf $(which node) /usr/local/bin/node
sudo ln -sf $(which npm) /usr/local/bin/npm
The ln -sf commands create symlinks so systemd can find node/npm without loading the user's nvm environment. This is essential for running OpenClaw as a system service.
Step 4: Install & Configure OpenClaw
# Install OpenClaw
curl -fsSL https://openclaw.ai/install.sh | bash
# Verify installation
which openclaw
openclaw --version
# Initialize headless agent
openclaw init headless-agent
cd headless-agent
# Run onboarding (will be interactive once)
openclaw onboard
Headless-Optimized Onboarding Choices
Step 5: Create systemd Service for 24/7 Operation
Create a proper systemd user service that starts OpenClaw at boot and restarts it on failure:
# Create systemd user service directory
mkdir -p ~/.config/systemd/user/
# Create service file
cat > ~/.config/systemd/user/openclaw.service <<'EOF'
[Unit]
Description=OpenClaw AI Agent Gateway
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
WorkingDirectory=%h/headless-agent
ExecStart=/usr/local/bin/node /usr/local/bin/openclaw gateway start
Restart=always
RestartSec=10
Environment=NODE_ENV=production
StandardOutput=journal
StandardError=journal
SyslogIdentifier=openclaw
[Install]
WantedBy=default.target
EOF
# Enable systemd user services at boot (without login)
sudo loginctl enable-linger $USER
# Enable and start OpenClaw service
systemctl --user daemon-reload
systemctl --user enable openclaw
systemctl --user start openclaw
# Check status
systemctl --user status openclaw
journalctl --user -u openclaw -f
loginctl enable-linger is crucial — it allows your systemd user services to run even when no user is logged in via SSH. Without this, OpenClaw would stop as soon as you close your SSH session.
Step 6: Cloudflare Tunnel for Remote Access
To access your OpenClaw dashboard from anywhere without port forwarding, use Cloudflare Tunnel (free):
# Install cloudflared on Raspberry Pi
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb
sudo dpkg -i cloudflared.deb
# Login to Cloudflare
cloudflared tunnel login
# Create tunnel
cloudflared tunnel create openclaw-pi
# Configure tunnel to expose OpenClaw dashboard
cat > ~/.cloudflared/config.yml <<'EOF'
tunnel: <your-tunnel-id>
credentials-file: /home/pi/.cloudflared/<your-tunnel-id>.json
ingress:
- hostname: openclaw.yourdomain.com
service: http://localhost:18789
- service: http_status:404
EOF
# Install as system service
sudo cloudflared service install
sudo systemctl start cloudflared
Alternative: SSH Tunnel
Without a domain, access the OpenClaw dashboard via SSH port forwarding:
# From your laptop:
ssh -L 18789:localhost:18789 [email protected]
# Then open in browser:
http://localhost:18789
Raspberry Pi 5 Performance Benchmarks
Monitor Your Pi Server
# Real-time system monitoring
htop
# OpenClaw logs
journalctl --user -u openclaw --since "1 hour ago"
# Check temperature (Pi 5 should stay below 60°C)
vcgencmd measure_temp
# Network stats
nethogs # install with: sudo apt install nethogs
VPN07: Protect Your Pi Server's API Traffic
Your Raspberry Pi is directly connected to the internet. Every API call OpenClaw makes to Anthropic or OpenAI passes through your ISP unencrypted (unless you use HTTPS, which you do — but ISP metadata is still visible). More importantly, ISP throttling of API traffic is a real issue that causes timeouts.
VPN07 — Essential for Pi OpenClaw Servers
VPN07 runs on Linux — including Raspberry Pi OS — via OpenVPN or WireGuard. Install it on your Pi once and all OpenClaw traffic automatically routes through VPN07's 1000Mbps dedicated channels. For $1.5/month, you get:
- ✅ Zero API timeouts — 1000Mbps means instant AI provider connections
- ✅ ISP throttling bypass — your agent works at 3AM just as well as noon
- ✅ 70+ server locations — connect to nearest Claude/OpenAI endpoint
- ✅ 10 years of proven reliability — VPN07 won't vanish overnight
- ✅ 30-day money-back guarantee — zero risk to try
Install VPN07 on Raspberry Pi
# Install OpenVPN (for VPN07 connection)
sudo apt install openvpn -y
# Download your VPN07 config from vpn07.com
# Then connect:
sudo openvpn --config /path/to/vpn07.ovpn --daemon
# Or use WireGuard for faster performance:
sudo apt install wireguard -y
# Import VPN07 WireGuard config from dashboard
VPN07: The Network Layer Your Pi Needs
Your Raspberry Pi OpenClaw server is only as good as its network. VPN07's 1000Mbps Linux-compatible VPN protects every API call, bypasses ISP throttling, and keeps your agent responding 24/7 from any network condition. 10 years of proven reliability, 70+ countries, 30-day money-back guarantee. At $1.5/month — less than your morning coffee — it's the best investment you can make for your Pi server.