Running OpenClaw on a locked-down VPS (with Tailscale)

Today I learned how to run an always-on agent on the smallest VPS I could get away with, while keeping it locked down (no inbound ports) and still usable via Tailscale.

Context

I wanted:

• a cheap, minimal VPS to host the agent
• no public inbound traffic (default deny)
• a private way to administer it remotely

Recipe

1. Start with a minimal VPS (e.g. Hetzner smallest size)

2. Block inbound traffic

Exact commands depend on your distro and firewall tooling, but the principle is:

• default deny inbound
• allow outbound
• allow only what you need for administration

3. Use a private network (e.g. Tailscale) for remote access

From then on, I can administer the VPS via a private network without exposing extra public ports.

Notes / gotchas

• “Inbound blocked” should include both IPv4 and IPv6.
• If you plan to remove public SSH entirely, make sure you have an alternative admin path first.

Separate identities for an agent are worth it

I set up dedicated identities so the agent isn’t tied to my personal accounts:

• A dedicated WhatsApp number for the agent
• A dedicated Bitwarden account (secrets shared via a collection), accessed via a skill using the rbw CLI
• A dedicated GitHub account: https://github.com/cleovneumann 

This makes it easier to:

• invite the agent into group chats (fun!)
• control what it can access
• rotate or revoke access without impacting my own accounts

Strava API: pulling activities for coaching (high level)

I connected to the Strava API (OAuth) so the agent can pull activities, generate training summaries, and mirror running data into a local CSV.

The flow is basically:

1. Complete Strava OAuth once (store refresh token)
2. Refresh tokens automatically
3. Fetch activities for a time range
4. Upsert runs into a CSV file (one row per run; useful as a local log / backup)
5. Summarize weekly volume (distance/time/elevation) and suggest a simple next-week plan

If you’re building something similar, keep it single-user first (simpler permissions and data model), then expand.

Links

• https://tailscale.com/ 
• https://github.com/cleovneumann 
• https://developers.strava.com/