OpenClaw + Telegram: Production Bot Setup
The right mental model
Telegram solves UI. OpenClaw is the doer layer — browser control, task scheduling, approval workflows, tool execution, and safety rails. Telegram is a persistent, mobile-first chat surface. OpenClaw is the agent runtime executing behind it.
This guide covers the full production stack: fast onboarding with openclaw onboard, security hardening, VPS deployment with systemd, Tailscale remote access, crash recovery, and building persistent memory bots.
Jump to Section
Quick Onboard (15 Minutes)
The openclaw onboard command walks you through Telegram and model configuration interactively. Real users report completing this in under 15 minutes from a fresh install.
- Create a Telegram bot — message
@BotFatheron Telegram. Send/newbotand follow the prompts. Copy the bot token (format:123456:ABC-DEF...). - Get your chat ID — send your new bot any message, then visit
https://api.telegram.org/bot<TOKEN>/getUpdates. Findmessage.chat.idin the JSON. - Run the onboarding wizard — OpenClaw will prompt for token, chat ID, and model provider.
openclaw onboard # Or configure manually via environment variables export TELEGRAM_BOT_TOKEN="123456:ABC-DEFxxxxxxxxxxxxxxxx" export TELEGRAM_CHAT_ID="987654321" export ANTHROPIC_API_KEY="sk-ant-..." # or OPENAI_API_KEY openclaw gateway start
Security — Bind to 127.0.0.1, Not 0.0.0.0
Critical — do not skip this step
Binding the gateway to 0.0.0.0 exposes your agent API to the public internet. Anyone who discovers your port can issue arbitrary tool-execution commands. Always bind to 127.0.0.1 in production.
Telegram's long-polling loop connects outbound to Telegram's servers — no inbound port is needed. There is no legitimate reason for the gateway port to be internet-accessible.
openclaw config set gateway.host 127.0.0.1 # Verify openclaw config get gateway.host # Expected: 127.0.0.1
VPS Production Setup
Minimum recommended specs: 2 vCPU, 4 GB RAM. For browser-use tasks (Playwright), add 2 GB. Ubuntu 22.04 LTS is the most tested OS. Use systemd — not screen or tmux — so the agent survives SSH drops and restarts after reboots.
Create the unit file at /etc/systemd/system/openclaw.service:
[Unit] Description=OpenClaw Agent Gateway After=network.target Wants=network-online.target [Service] Type=simple User=openclaw WorkingDirectory=/home/openclaw EnvironmentFile=/home/openclaw/.env ExecStart=/usr/local/bin/openclaw gateway start Restart=always RestartSec=5 StandardOutput=journal StandardError=journal [Install] WantedBy=multi-user.target
sudo systemctl daemon-reload sudo systemctl enable openclaw sudo systemctl start openclaw # Verify sudo systemctl status openclaw openclaw gateway status
Remote Access with Tailscale
Tailscale builds a private WireGuard mesh between your VPS and local machine. You get stable SSH access from anywhere without opening public ports — no IP allowlists, no firewall rules. When your VPS has an outage and you need to SSH in from a phone hotspot, Tailscale just works.
Why Tailscale over port forwarding
No public SSH port exposure, survives NAT and CGNAT, stable IP even if the VPS public IP changes. Free tier covers personal use with up to 100 devices.
# On your VPS (Ubuntu/Debian) curl -fsSL https://tailscale.com/install.sh | sh sudo tailscale up --authkey=tskey-auth-xxxxxxxxxxxxxxxx # Get your VPS Tailscale IP tailscale ip -4 # SSH from anywhere ssh [email protected]
Crash Recovery
With Restart=always in the systemd unit, the gateway restarts within 5 seconds of any crash. For full VPS reboots, systemd re-launches at boot. Your Telegram bot stops responding during the brief crash-to-restart window — this is expected.
# After VPS reboot or unexpected outage openclaw gateway status sudo systemctl restart openclaw sudo journalctl -u openclaw -f
Pair with the SOUL.md crash recovery pattern so the agent reloads identity and memory files on each restart without losing persona context or active task state.
Building a Persistent Memory Bot
A life-coach or personal assistant bot needs to remember context across restarts. OpenClaw handles this through two plain markdown files: an identity file defining the agent's persona, and a memory directory where the agent persists user context.
# identity.md You are Alex, a supportive life coach. You are direct, warm, and always remember details about the user's goals and challenges. Before starting any new topic, check in on previous commitments. On startup: read memory/user-context.md FIRST. Resume from there.
# User Goals - Ship side project by March 2026 - Run 3x per week # Recent Commitments - 2026-02-15: Journal daily for 7 days — in progress - 2026-02-10: 30-min walk every morning — completed ✓
openclaw config set agent.identity_file ./identity.md openclaw config set agent.memory_dir ./memory/ openclaw gateway start
Common Issues
VPS outage — SSH not reachable
If your VPS provider's network is down, Tailscale is also unreachable. Fall back to your provider's web console (DigitalOcean droplet console, Hetzner VNC, Linode Lish). Once SSH is restored, check the service and review logs.
sudo journalctl -u openclaw --since "2 hours ago" sudo systemctl status openclaw sudo systemctl start openclaw
macOS: bot stops replying after tool execution (issue #27870)
On macOS, the agent sometimes fails to send Telegram replies after completing a tool-use step. This is a known upstream bug. Workaround: restart the gateway after Mac wakes from sleep, or run on a Linux VPS where this does not occur.
openclaw gateway stop && openclaw gateway start
409 Conflict — getUpdates polling error
Telegram returns 409 Conflict if two processes poll the same bot token simultaneously. Each token supports exactly one active polling connection. Kill all openclaw processes and do a clean restart.
pkill -f "openclaw gateway" ps aux | grep "openclaw" sleep 3 && openclaw gateway start
Related Guides
Production Telegram bots touch these topics:
Did this guide solve your problem?