An EC2 deployment is just a Linux install with stricter network hygiene. The right workflow is to install the CLI, onboard in local mode, verify the gateway over SSH, and keep port 18789 private unless you have a controlled access layer.
Quick answer
Install OpenClaw on the EC2 instance, onboard in local mode, verify the RPC probe, and use SSH tunneling or a tailnet for dashboard access instead of opening the gateway port to the world.
Command line steps
1. Install OpenClaw on the server
Do this over SSH and keep the first pass simple.
BASH
$curl -fsSL https://openclaw.ai/install.sh | bash
openclaw onboard --mode local
2. Verify the service from the VM shell
The gateway needs to be healthy before you think about channels, models, or browser access.
BASH
$openclaw gateway status --require-rpc
openclaw models status
3. Access the dashboard safely
Do not publish 18789 as a public security-group port just because you can.
BASH
$ssh -L 18789:127.0.0.1:18789 ec2-user@your-host
ssh ec2-user@your-host 'openclaw dashboard --no-open'
What to check if it still fails
- If the EC2 instance is part of a long-running setup, add a backup step before major upgrades with
openclaw backup create. - If the RPC probe fails, read logs directly on the instance with
openclaw logs --follow. - If you need containerized deployment later, switch to the Docker docs rather than improvising service wrappers yourself.