@KanikaBK (275 likes, 25.8K views) said it bluntly: “2,000+ users exposing API keys, files, and commands this month.”
Default OpenClaw binds to 0.0.0.0:18789 — every network interface, including the public internet. SecurityScorecard found 135,000+ exposed instances. Docker fixes this.
This guide gets you from zero to a secured, running OpenClaw agent in 10 minutes — even if you’ve never touched Docker before.
Why Docker (and Not Bare Metal)
Three reasons:
- Isolation. Your agent runs in a container. If it goes rogue, it can’t access your host system.
- Security defaults. Docker lets you drop capabilities, restrict networking, and enforce read-only filesystems.
- Reproducibility. Same setup on any machine. No “works on my Mac” problems.
@johann_sath (251 likes, 14K views) put it best: “Main agent = root container. Subagents = isolated containers. Most people give their bot full access on day 1.” Don’t be most people.
Prerequisites
You need three things:
- Docker Desktop (Mac/Windows) or Docker Engine (Linux)
- An API key for your preferred LLM (Claude, GPT, Gemini, or a local model)
- 10 minutes
Windows users: Use WSL2 Ubuntu. @BerzafTe confirmed: “CMD fails. Git Bash fails. WSL2 Ubuntu is the only method that works.”
Step 1: Create Your Project Directory
```bash
mkdir ~/openclaw && cd ~/openclaw
```
Step 2: Create docker-compose.yml
```yaml
version: '3.8'
services:
  openclaw:
    image: openclaw/openclaw:latest
    container_name: openclaw
    restart: unless-stopped
    # SECURITY: Bind to localhost only — never 0.0.0.0
    ports:
      - "127.0.0.1:18789:18789"
    # SECURITY: Drop all capabilities, run as non-root
    user: "1000:1000"
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    # SECURITY: Read-only filesystem with specific write paths
    read_only: true
    tmpfs:
      - /tmp
    # SECURITY: Restrict network access
    # Remove this if your agent needs internet (for API calls)
    # networks:
    #   - openclaw-net
    volumes:
      - ./data:/data
      - ./config:/config:ro
    environment:
      - GATEWAY_HOST=127.0.0.1
      - GATEWAY_PORT=18789
      - GATEWAY_TOKEN=${GATEWAY_TOKEN}
    env_file:
      - .env
```
Step 3: Create Your .env File
```bash
# Generate a strong gateway token
GATEWAY_TOKEN=$(openssl rand -hex 32)
echo "GATEWAY_TOKEN=$GATEWAY_TOKEN" > .env
# Add your LLM API key
echo "ANTHROPIC_API_KEY=sk-ant-..." >> .env
# Or: echo "OPENAI_API_KEY=sk-..." >> .env
# Lock permissions
chmod 600 .env
```
Critical: Never commit .env to git. Add it to .gitignore immediately.
Step 4: Start It Up
```bash
docker compose up -d
```
Check it’s running:
```bash
docker logs openclaw --tail 20
```
You should see the gateway starting on 127.0.0.1:18789. If it says 0.0.0.0 — stop, go back, and fix the bind address.
Step 5: Verify Security
```bash
# Check it's NOT exposed to the internet
curl http://localhost:18789/health        # Should work
curl http://YOUR_PUBLIC_IP:18789/health   # Should fail/timeout
```
The 5-Layer Security Hardening
This is the setup that @johann_sath (251 likes) and @LyashchMaxim recommend. Don’t skip any layer.
Layer 1: Bind to Localhost
Already done in the compose file above. The single most important security step. Blocks 90% of attack surface.
```yaml
ports:
  - "127.0.0.1:18789:18789"  # NOT "18789:18789"
```
Layer 2: Run as Non-Root
```yaml
user: "1000:1000"
cap_drop:
  - ALL
security_opt:
  - no-new-privileges:true
```
This prevents the agent from escalating privileges even if compromised.
Layer 3: Read-Only Filesystem
```yaml
read_only: true
tmpfs:
  - /tmp
volumes:
  - ./data:/data         # Only writable path
  - ./config:/config:ro  # Config is read-only
```
The agent can only write to /data and /tmp. Everything else is locked.
Layer 4: Network Restrictions
If your agent only needs to talk to one API:
```yaml
# In your docker-compose.yml, add:
networks:
  openclaw-net:
    driver: bridge
    internal: true  # No internet access
# Then allow specific outbound via iptables or a proxy
```
For most users, the simpler approach: use a firewall to block port 18789 from external access.
```bash
# UFW (Ubuntu)
sudo ufw deny in 18789
sudo ufw allow from 127.0.0.1 to any port 18789
```
Layer 5: Strong Gateway Token
The token in .env is your authentication. Make it long and random:
```bash
# 64-character hex token
openssl rand -hex 32
```
Change it monthly. Never reuse across environments.
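A static check for layers 1, 2, 3 and 5, added here as an example (not code from this guide's sources or from the OpenClaw project). It assumes input shaped like the output of `docker compose config --format json`; the function names `host_ip`, `audit_service` and `audit_config` are hypothetical.

```python
import json
import re

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

def host_ip(port):
    """Host IP a port entry publishes on; '' means every interface."""
    if isinstance(port, dict):  # long form, as `docker compose config` emits it
        return port.get("host_ip", "")
    parts = str(port).split("/")[0].rsplit(":", 2)  # short "[ip:]host:container"
    return parts[0] if len(parts) == 3 else ""

def audit_service(svc):
    """Findings for one service, keyed to the guide's layers 1, 2, 3 and 5."""
    findings = []
    for port in svc.get("ports") or []:
        if host_ip(port) not in LOOPBACK:
            findings.append(f"layer1: port {port!r} is not bound to loopback")
    if str(svc.get("user") or "").split(":")[0] in ("", "0", "root"):
        findings.append("layer2: user is unset or root")
    if "ALL" not in [c.upper() for c in svc.get("cap_drop") or []]:
        findings.append("layer2: cap_drop does not include ALL")
    opts = {o.replace("=", ":") for o in svc.get("security_opt") or []}
    if not opts & {"no-new-privileges", "no-new-privileges:true"}:
        findings.append("layer2: no-new-privileges is not set")
    if not svc.get("read_only"):
        findings.append("layer3: root filesystem is writable")
    env = svc.get("environment") or {}
    if isinstance(env, list):  # raw compose files may use "KEY=value" items
        env = dict(e.split("=", 1) for e in env if "=" in e)
    if not re.fullmatch(r"[0-9a-fA-F]{64}", env.get("GATEWAY_TOKEN") or ""):
        findings.append("layer5: GATEWAY_TOKEN is not a 64-character hex token")
    return findings

def audit_config(cfg):  # cfg: parsed `docker compose config --format json`
    return {n: audit_service(s) for n, s in (cfg.get("services") or {}).items()}

# Constructed samples (not real output): the hardened service and a weak one.
HARDENED = {"services": {"openclaw": {
    "ports": [{"host_ip": "127.0.0.1", "target": 18789, "published": "18789"}],
    "user": "1000:1000", "cap_drop": ["ALL"], "read_only": True,
    "security_opt": ["no-new-privileges:true"],
    "environment": {"GATEWAY_TOKEN": "ab" * 32}}}}
WEAK = {"services": {"openclaw": {
    "ports": ["18789:18789"], "environment": ["GATEWAY_TOKEN=changeme"]}}}

if __name__ == "__main__":
    for cfg in (HARDENED, WEAK):
        print(json.dumps(audit_config(cfg), indent=2))
```

To audit a real project, pass `audit_config` the parsed output of `docker compose config --format json`. The port check is the one to watch: Docker routes published ports before UFW's rules are consulted, so the host binding in the compose file, not the firewall, decides who can reach 18789.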
Common Errors & Fixes
| Error | Cause | Fix |
|---|---|---|
| Port 18789 already in use | Another service or old container | `docker stop openclaw && docker rm openclaw` |
| Permission denied on /data | Volume ownership mismatch | `sudo chown -R 1000:1000 ./data` |
| Build fails on Windows | Not using WSL2 | Install WSL2 Ubuntu, run everything inside WSL |
| API key not working | .env not loaded | Check `docker compose config` shows your keys |
| Agent can’t reach API | Network too restrictive | Remove `internal: true` from network config |
| CVE-2026-24763 warning | Docker PATH injection | Update to v2026.3.1+ (`docker pull openclaw/openclaw:latest`) |
@moritzkremb (1.1K likes, 268K views) published a “10 things to do right after setup” guide that the community calls “the post-install bible.” The biggest pain points: Windows compatibility, volume permissions, and forgetting to lock the gateway token.
What This Costs
| Setup | Monthly Cost |
|---|---|
| Home machine (Mac/Linux) | $0 (your electricity) |
| Oracle Cloud Free Tier | $0 (ARM instance, 24GB RAM) |
| Hetzner CAX11 | ~$4.49/mo (ARM, 4GB RAM) |
| DigitalOcean droplet | $6/mo (1GB RAM) |
| API costs | $5-30/mo depending on usage |
Total: $0-35/mo for a 24/7 AI agent. Compare to Perplexity Computer at $200/mo or Claude Max at $200/mo.
Note: Hetzner is raising prices April 1, 2026 (CAX11: $3.29 → $4.49). Lock in before then.
After Setup: First Tasks
Once your agent is running, start simple:
- Read-only tasks first. “Summarize this file.” “List my downloads folder.” Build trust before giving write access.
- Install the skills-vetter skill. Before adding any ClawHub skills, vet them for safety.
- Set SOUL.md rules. “Never send emails without confirmation. Never delete files. Never access anything outside /data.”
- Run security audit. Use `openclaw security audit --deep` and make this a weekly habit or a cron job.
Remote Access (If You Need It)
Don’t expose port 18789 to the internet. Instead:
Option A: Tailscale (recommended)
```bash
# Install Tailscale on your server
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
# Access from any device on your Tailscale network
```
Option B: SSH Tunnel
```bash
# From your laptop
ssh -L 18789:localhost:18789 your-server
# Now localhost:18789 on your laptop → your server
```
Both keep the gateway off the public internet while giving you remote access.
Sources: OpenClaw Docker docs, Docker Blog, SecurityScorecard, and X/Twitter community research via Grok (143 sources). Docker config verified March 22, 2026.