How to Install and Configure OpenClaw on Your ServerSpan Linux VPS: Full 2026 Runbook with Qwen OAuth (1,000 Free Requests/Day)

If you want to self host Clawdbot, now called OpenClaw, on a Linux VPS, the right 2026 answer is to install it on a clean Debian or RHEL server, run it under a dedicated Linux user, keep Node on a system path, use the built-in onboarding flow, and treat Qwen carefully. The old OpenClaw-native Qwen Portal OAuth path is gone. The practical free-tier route now is Qwen Code OAuth on the same VPS, then OpenClaw onboarding and verification. If that import path does not land cleanly on your build, use Model Studio and move on. Do not waste hours trying to revive a removed provider.

That blunt distinction matters because a lot of bad 2026 tutorials are already stale. They still describe older Clawdbot naming, older provider behavior, or generic one-click setups that tell you nothing about where credentials live, which service actually stays up after logout, what port the gateway uses, or how Telegram and model auth are glued together. On a VPS, those details are the difference between “it installed” and “it still works next week.”

This runbook gives you the install path that actually makes sense on a ServerSpan Linux VPS: correct runtime choice, proper daemon install, a realistic Qwen Code OAuth bootstrap, Telegram setup, config paths, log paths, and the usual failure modes that burn time when you skip the boring parts. If you want a clean place to run it, start with ServerSpan Virtual Servers. If you want the app but not the Linux side of the job, that is where ServerSpan Linux Administration becomes the rational option.

What changed in 2026 and why your install plan should reflect it

Three things matter before you type a single command.

• Clawdbot is now OpenClaw. If you search for both names, you will find overlapping but inconsistent guides.
• OpenClaw’s current Qwen provider documentation says the old qwen-portal OAuth flow was removed.
• Qwen Code still advertises Qwen OAuth with 1,000 free requests per day, which is why people keep trying to pair it with OpenClaw on VPS installs.

That leads to the only sane 2026 approach. Use OpenClaw’s current installation and gateway flow, but treat Qwen Code OAuth as a bootstrap path, not as a guaranteed long-term official OpenClaw provider flow. In practice, that means you install Qwen Code first, sign in once, then install and onboard OpenClaw and verify whether the credentials were imported. If they were not, stop forcing it and switch to the officially supported Qwen access route instead of trying to resurrect removed config.

This is the same reason you should ignore low-effort one-click guides unless they show real paths and logs. A VPS install is not finished when a bot replies once. It is finished when the gateway survives logout, auth is stored where you expect it, Telegram routing works, and you know where to look when something breaks.

LXC or KVM first: what should you actually run this on

OpenClaw is not especially heavy, but it benefits from a clean runtime and stable network behavior. That makes it a good fit for either a roomy LXC or a small KVM VPS.

A roomy LXC is usually enough when:

• you want lower overhead
• you are comfortable with Linux users, systemd, and persistent CLI tooling
• you are not stacking weird Docker-on-Docker experiments on top of it

A small KVM VPS is usually the better call when:

• you want a cleaner isolation boundary
• you plan to add reverse proxy, monitoring, backup agents, or other side services
• you want fewer edge cases around namespaces and runtime behavior

For a practical starting point, 2 vCPU and 4 GB RAM is a sensible minimum. If you start adding extra tools, long-running agent jobs, or several chat channels, 6 GB RAM gives you more room. OpenClaw itself is not the problem. The extra tooling around it is what usually eats memory first.

If you want adjacent reading before deployment, the most relevant internal context is Complete Linux VPS Setup Guide for Beginners, How to Secure a Vanilla VPS, and Managing Docker and Containers on a VPS. Even if you do not use Docker here, the operational discipline still applies.

Step 1: prepare the Linux VPS correctly

Do not install OpenClaw as root and call it a day. Use a dedicated user so the gateway, config, credentials, and systemd user unit live somewhere predictable.

On Debian or Ubuntu:

apt update
apt upgrade -y
apt install -y curl ca-certificates git jq tmux sudo

adduser openclaw
usermod -aG sudo openclaw

loginctl enable-linger openclaw

On RHEL, AlmaLinux, Rocky Linux, or compatible systems:

dnf update -y
dnf install -y curl ca-certificates git jq tmux sudo

useradd -m -s /bin/bash openclaw
passwd openclaw
usermod -aG wheel openclaw

loginctl enable-linger openclaw

The linger step matters. OpenClaw’s Linux daemon path uses a systemd user service. If you skip lingering, you create the classic “it worked while I was logged in and died after I disconnected” problem.

Then switch into the new user and keep the whole install under that account:

su - openclaw
mkdir -p ~/.openclaw
chmod 700 ~/.openclaw

Step 2: install Qwen Code first if you specifically want the free OAuth route

This is the part most people get backward. If your goal is Qwen Code OAuth, install and authenticate Qwen Code first, before OpenClaw onboarding. That gives OpenClaw something concrete to import from if your build still syncs external CLI credentials.

bash -c "$(curl -fsSL https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.sh)"

Then restart the shell or source your profile if needed, and launch Qwen Code:

qwen

Inside the interactive session, run:

/auth

Complete the browser sign-in flow with your Qwen account. If the login succeeds, Qwen Code will place its local OAuth credentials under your home directory. On Linux, the file you care about is:

~/.qwen/oauth_creds.json

Confirm it exists before you move on:

ls -lah ~/.qwen
jq . ~/.qwen/oauth_creds.json | head

If that file does not exist, stop there. OpenClaw cannot import credentials that are not present. Do not continue assuming the magic will happen later.

Step 3: install OpenClaw the supported way

OpenClaw’s current documentation is blunt. Use Node, not Bun, for stable Linux gateways, especially if you want Telegram. The fastest supported install path is the project installer script.

curl -fsSL https://openclaw.ai/install.sh | bash

If you want the install without immediately launching onboarding, use:

curl -fsSL https://openclaw.ai/install.sh | bash -s -- --no-onboard

Then verify the CLI is present:

openclaw --version
node --version

If you prefer explicit npm-based installation instead of the script:

npm install -g openclaw@latest
openclaw onboard --install-daemon

On a VPS, the installer script is usually the cleaner choice because it handles Node if needed and gets you into the supported path faster.

Step 4: run onboarding and decide how honest you want to be about Qwen

Now run the actual onboarding flow:

openclaw onboard --install-daemon

This is where you need to make the correct 2026 decision.

• If you want the officially supported Qwen route, use Model Studio when prompted.
• If your goal is the Qwen Code free OAuth path, keep going only if you already authenticated Qwen Code on this same VPS and you are prepared to verify the import explicitly.

After onboarding, check whether OpenClaw imported the Qwen credentials:

ls -lah ~/.openclaw
ls -lah ~/.openclaw/agents/main/agent
jq . ~/.openclaw/agents/main/agent/auth-profiles.json | head -50

The key files you should understand are:

• ~/.openclaw/openclaw.json for main configuration
• ~/.openclaw/agents/main/agent/auth-profiles.json for stored auth profiles
• ~/.qwen/oauth_creds.json for Qwen Code CLI credentials

If the import path worked, you should see an auth profile in OpenClaw’s agent store. If it did not, stop trying to patch removed Qwen Portal config into your gateway. Use the supported Model Studio route and keep the deployment maintainable.

This is also the point where you should inspect model status instead of guessing:

openclaw models status
openclaw models list
openclaw status --deep

If auth exists but the gateway still says the provider is unavailable, you do not have a working model path. You have an incomplete auth story.

Step 5: wire up Telegram properly

Telegram is the fastest useful OpenClaw channel. It is also the least annoying way to make the bot reachable from your phone without opening the dashboard every time.

First, create the bot token in Telegram via BotFather. Then either let onboarding ask for it, or add it explicitly after the fact.

openclaw channels add --channel telegram --token "$TELEGRAM_BOT_TOKEN"

If you want the config to be explicit in ~/.openclaw/openclaw.json, a sane starter block looks like this:

{
  channels: {
    telegram: {
      enabled: true,
      botToken: "123456:replace-this-with-your-real-token",
      dmPolicy: "pairing",
      groups: {
        "*": { requireMention: true }
      }
    }
  }
}

This keeps direct messages in pairing mode and makes group behavior stricter by default. That is the correct posture for a public chat bot running on a VPS you control. Do not expose it as a free-for-all and then act surprised when random users start talking to it.

If you want to test Telegram from your phone, start with a direct message to the bot, not a group. Add group routing only after DM behavior is clean.

Step 6: verify the gateway, Control UI, and daemon

OpenClaw’s Linux gateway binds to loopback by default and listens on port 18789. That is good. Keep it that way unless you have a real reason to do something more exposed.

openclaw gateway status
openclaw status
systemctl --user status openclaw-gateway.service
journalctl --user -u openclaw-gateway.service -f

For a quick dashboard test from your workstation, use SSH port forwarding instead of opening the port on the internet:

ssh -L 18789:localhost:18789 openclaw@YOUR_VPS_IP

Then open:

http://localhost:18789

If you prefer the CLI helper, you can also run:

openclaw dashboard

What you are checking here is not only that the UI loads. You are checking that the gateway survived daemon installation, the user service is alive, and the config is valid enough for the control plane to respond.

Step 7: the three paths you need to know on day one

If you do not know where OpenClaw keeps its state, you will waste time later. These are the paths that matter first:

• ~/.openclaw/openclaw.json for configuration
• ~/.openclaw/agents/main/agent/auth-profiles.json for provider auth state
• ~/.qwen/oauth_creds.json for local Qwen Code OAuth state

There is nothing theoretical about this. When the bot stops responding, one of the first things you need to answer is whether the problem is:

• the gateway service
• the channel token
• the model auth profile
• the provider itself

Without those paths, you are debugging blind.

Common failure modes on Linux VPS installs

• You used Bun. Stop. Use Node for a stable gateway, especially with Telegram.
• You installed as root. Now your user service, config, and later maintenance are uglier than they needed to be.
• You skipped loginctl enable-linger. The service works until logout, then quietly dies.
• You expected old Qwen Portal OAuth to still work. It does not. That path was removed.
• You authenticated Qwen Code on another machine. OpenClaw cannot sync a local credential file that is not on this VPS.
• You are using nvm or another version-manager path for the service. User services and shell-managed Node installs are a great way to create restart problems after upgrades.
• Your Telegram token is fine but routing is not. Check DM policy, mention gating, and whether you actually bound the channel cleanly.

A production insight here is simple. The most common OpenClaw failure on Linux is not “the AI model is bad.” It is service layout drift. Wrong runtime, wrong user, wrong credential location, wrong assumptions about persistence.

Basic hardening that is worth doing immediately

OpenClaw is not a giant enterprise platform, but it still deserves normal VPS discipline.

• Do not expose port 18789 publicly unless you know why you are doing it.
• Use SSH forwarding or a properly controlled reverse proxy.
• Keep the gateway under a dedicated Linux user.
• Back up ~/.openclaw/ if the bot configuration matters to you.
• Do not leave unrelated secrets readable in the same account if you do not want tools to find them.

Also remember the uncomfortable part: current OpenClaw builds have been observed syncing external CLI credentials during setup. That is convenient for Qwen Code bootstrap, but it also means you should be deliberate about what other auth files exist under that Linux user.

When a ServerSpan VPS is enough and when managed help is smarter

For a single-user or light multi-user OpenClaw install, a modest ServerSpan VPS is enough. This is not a giant GPU workload. It is a Linux runtime, a gateway service, a chat channel, and an upstream model provider. The problem is rarely raw compute. The problem is whether the operator knows how to keep the Linux side clean.

If you are comfortable with SSH, systemd user services, config files, and auth troubleshooting, self-hosting OpenClaw on a VPS is a reasonable Type A tutorial workload. If you are not, the app itself is not what will hurt you. The runtime, auth, and persistence problems will.

That is exactly why ServerSpan Virtual Servers plus Linux Administration is the honest pairing for this use case. The VPS gives you the clean always-on host. Managed Linux help removes the part where a weekend experiment becomes a half-working bot with a dead service and stale auth tokens.

The practical bottom line

The correct 2026 OpenClaw install on a ServerSpan Linux VPS is not the one that merely replies once in Telegram. It is the one that runs under the right user, keeps Node on a stable system path, persists as a user service after logout, stores config and auth where you expect them, and handles the Qwen reality honestly. Old OpenClaw Qwen Portal OAuth is gone. Qwen Code OAuth still exists. If the current import path works for your build, use it and verify it. If it does not, stop forcing it and switch to the supported model provider route.

That is the whole point of a real VPS runbook. Fewer myths. Fewer copied screenshots. More commands, paths, and decisions that still make sense after the first day.