Self-host OpenClaw with HTTPS, Brave search, and GitHub access

This guide assumes you've already finished Ollama on a dedicated NVMe with performance tuning. That guide covers the underlying setup this one builds on. If you're picking up mid-stack, scan its 'Overview' step to confirm your environment matches.

OpenClaw is a personal AI assistant gateway that connects AI agents running on your own hardware to a web dashboard and external channels. In this setup it manages local model agents on the Ollama inference VM, accessible via the VPN dashboard and Multica board — no cloud inference, no API costs, no data leaving your network. The WhatsApp plugin and channel are disabled. The flow: Multica board or VPN dashboard → OpenClaw gateway (Ollama VM, port 18789) → Ollama inference (RTX 3090) → response.

• Node.js 22+ installed on the Ollama VM
• Ollama running with models loaded
• WhatsApp account ready to link (dedicated number recommended for long-term use)

Node.js is not installed by default on Ubuntu. Install it via NodeSource:

OpenClaw is installed via Ollama's launch command, which handles npm installation automatically: Note: The ollama launch command prompts interactively — work through the onboarding steps and select qwen3-coder:30b as the model. This is the most tool-calling-reliable model in the stack.

OpenClaw must connect to Ollama using localhost, not the VM's network IP. Using the network IP causes ECONNREFUSED errors. Note: Do not use the /v1 OpenAI-compatible URL (http://host:11434/v1) — this breaks tool calling. Use the native Ollama API URL with no path suffix.

OpenClaw recommends a minimum 64K context window for local models. Recreate each model with 65536 context baked in:

Six named agents are configured in /home/ollama/.openclaw/openclaw.json, each with a dedicated model, tools profile, and thinking mode: Agent Model Tools profile Thinking main qwen3-coder:30b coding adaptive general qwen3.5:27b full adaptive researcher deepseek-r1:32b minimal high analyst huihui_ai/qwen3.5-abliterated:27b minimal adaptive creative dolphin3 minimal off qwen3-coder:30b browser/web off Fallback chain: qwen3-coder:30b → qwen3.5:27b (local only — Claude accessed via dedicated Multica agent) Context windows are set per model in the model registry. huihui_ai/qwen3.5-abliterated:27b has reasoning: true.

By default the main agent handles all requests itself with qwen3-coder:30b. The allowAgents: ["*"] config permits spawning sub-agents, but automatic delegation only happens when the agent is given explicit instructions.

OpenClaw maintains several identity files per agent. Understanding which does what matters:

• BOOTSTRAP.md — read once on first run of a new workspace, then deleted. Not suitable for persistent instructions.
• AGENTS.md — read at the start of every session. This is the correct place for persistent orchestration rules. Note: BOOTSTRAP.md is a one-time bootstrap file. If an agent workspace already exists, BOOTSTRAP.md is ignored. Persistent instructions must go in AGENTS.md inside the workspace directory.

The persistent workspace files live in /home/ollama/.openclaw/workspace/. Add orchestration rules by appending to the main agent's AGENTS.md: Recommended orchestration section to add: No restart is needed — the rules are loaded at the start of every new session. Start a fresh session with /new in OpenClaw to pick them up immediately.

• Main agent (qwen3-coder:30b) handles coding and tool-use tasks directly
• Delegates deep reasoning → researcher (deepseek-r1:32b)
• Delegates broad analysis / synthesis → general (qwen3.5:27b)
• Delegates creative work → creative (dolphin3)
• Delegates sensitive / unfiltered tasks → analyst (qwen3.5-abliterated:27b)
• Delegates browser / web / Brave tasks → browser (qwen3-coder:30b + Brave skill scoped to this agent only)
• For mixed requests (e.g. "research X then write code for it"), decomposes and assigns each part to the right agent, then synthesises To verify it is working, start a fresh session and give it a mixed request such as "research the tradeoffs between X and Y, then write a script to benchmark them." The agent should explicitly name which sub-tasks it is delegating and to which agent. Note: Delegation quality depends on how well qwen3-coder:30b follows the instructions. If it is not delegating when it should, either make the delegation rules more explicit in AGENTS.md, or switch the main agent to qwen3.5:27b which is a stronger general reasoner.

OpenClaw is the default Multica agent for task orchestration. When assigned an issue to break down and create sub-issues, it uses the Multica Agent Roster in AGENTS.md to assign each issue to the right agent automatically — without needing routing rules in every issue brief. The following section is appended to ~/.openclaw/workspace/main/AGENTS.md: With this in place, when OpenClaw handles a task like "create issues and assign to agents", it will:

• Break the work down into discrete issues
• Use the roster to match each issue to the appropriate agent
• Create and assign them via the multica CLI Note: This only works reliably if AGENTS.md is loaded for the task session. Multica spawns agent tasks with their own context, so it is worth testing with a real task to confirm the roster is in scope before relying on it for critical work.

Two settings to apply from the start so OpenClaw's system prompts stay within model context windows.

Scope the Brave skill to the browser sub-agent only. The Brave skill adds ~19 KB to every session's system prompt. Installing it scoped to the browser sub-agent keeps it invisible to the main agent — the skill ends up at ~/.openclaw/agents/browser/workspace/skills/brave/ rather than ~/.openclaw/workspace/skills/brave/.

Use a 64K-context model for Multica-dispatched sessions. Multica injects ~11.2 KB of CLI documentation into every OpenClaw session's system prompt. Combined with workspace files and tool schemas this can exceed the 32K context of qwen3-coder:30b. Set the Multica agent's default model to ollama/qwen3.5:27b (64K context) via the Multica UI (Settings → Agents → OpenClaw agent → model field).

Use OpenClaw's built-in service installer rather than a manual systemd unit — it uses the correct binary path and flags automatically:

• Browser agent workspace: ~/.openclaw/agents/browser/workspace/
• Brave skill (browser agent only): ~/.openclaw/agents/browser/workspace/skills/brave/
• OpenClaw gateway service (Brave API key): /home/ollama/.config/systemd/user/openclaw-gateway.service
• Multica server config: /home/ollama/.multica/server/.env
• Hermes config: ~/.hermes/config.yaml
• Hermes environment: ~/.hermes/.env
• Git credentials (PAT): ~/.git-credentials (chmod 600)
• Multica Docker Compose: docker-compose.selfhost.yml
• Multica systemd service: /etc/systemd/system/multica.service
• Multica daemon service: ~/.config/systemd/user/multica-daemon.service Note: OpenClaw installs as a user systemd service (openclaw-gateway.service), not a system service. Do not create a manual /etc/systemd/system/openclaw.service — the --foreground flag used in manual service files is not valid in this version of OpenClaw.

Have your phone ready before running the configure command — the QR code expires in approximately 20 seconds:

By default OpenClaw responds to ALL incoming WhatsApp messages. Configure an allowlist immediately after linking to prevent it responding to messages from other people:

Using a personal WhatsApp number means OpenClaw acts as a linked device on your main account. A dedicated number (Google Voice, second SIM, WhatsApp Business) gives cleaner separation and is recommended for long-term use. Switching is straightforward:

qwen3-coder:30b requires approximately 19GB of system RAM to load. The VM must have at least 24GB allocated:

Common gateway lifecycle commands: status, logs, restart, and channel reconfiguration. Use these for routine operations and when troubleshooting.

The OpenClaw gateway dashboard runs on port 18789 but binds to localhost only. Access it remotely via SSH tunnel from your laptop: The gateway token is required for authentication. Generate and set it once: Note: Store the gateway token in a password manager. It is required every time you access the dashboard via SSH tunnel. The token is stored in /home/ollama/.openclaw/openclaw.json under gateway.auth.token — do not store the actual value in CLAUDE.md.

Adding an Anthropic API key gives OpenClaw access to Claude models as a fallback when local models fail or a task genuinely needs frontier reasoning. Local models remain the primary route — Claude is only called when both local models fail. Before adding the key, set a spend limit at console.anthropic.com. OpenClaw is an agent and consumes significantly more tokens than regular chat — each task can trigger 5-10 API calls and carries full conversation context into every request.

Add an Anthropic API key via the interactive configure flow or by setting the config value directly. Restart the gateway for the change to take effect. Set a spend limit at console.anthropic.com first — agents consume far more tokens than chat.

After adding the key, restore the correct routing so local models remain primary and Claude is only a last resort: Note: Routing priority: qwen3-coder:30b (local, default) → qwen3.5:27b (local fallback). Claude is accessed explicitly via the "Claude (Ollama VM)" Multica agent for tasks that exceed local model capability — not as a silent API fallback inside OpenClaw.

Almost always caused by OpenClaw connecting to the wrong Ollama URL. Verify:

Gateway not starting after reboot.

Run the configure command again — OpenClaw generates a fresh QR code each time:

The OpenClaw dashboard (port 18789) is exposed securely over the WireGuard VPN via nginx with TLS, so it can be reached from any connected device without an SSH tunnel.

nginx is installed on the Ollama VM and configured to proxy HTTPS (443) → 127.0.0.1:18789 with WebSocket support, and redirect HTTP (80) → HTTPS. Self-signed certificate (10-year, SAN: 192.168.20.110): Note: Accept the browser cert warning once per device. After that the connection is encrypted. For LAN-only VPN access a self-signed cert is sufficient — no CA required.

Two settings updated in openclaw.json to support the nginx proxy:

A zone-based rule in the Unifi Dream Router allows VPN clients to reach the dashboard:

• Source zone: VPN (10.99.99.0/24)
• Destination: 192.168.20.110, port 443
• Action: Allow + auto return traffic

From any WireGuard-connected device, open: Accept the self-signed cert warning on first visit (one-time per device).

For each new device that needs access:

• Visit https://192.168.20.110 and accept the self-signed cert warning
• On the VM: openclaw devices list
• Approve the pending request: openclaw devices approve <requestId>

The Brave search plugin gives OpenClaw agents the ability to search the web during a session. It is installed as an OpenClaw skill and enabled via configuration.

Install the Brave search skill into OpenClaw via the built-in skill installer.

Two settings to update in openclaw.json: Add the API key to the OpenClaw gateway service environment file: Note: Get a Brave Search API key at api.search.brave.com. The free tier allows 2,000 queries/month which is sufficient for casual homelab use.

After initial installation the OpenClaw UI may report that the Brave skill has missing dependencies. This is resolved by installing Brave Browser itself on the VM (OpenClaw uses it as a headless dependency) and creating the required config directory. Install Brave Browser (run as root via Proxmox guest exec or with sudo): Create the required config directory and reinstall the plugin: Verify the gateway is healthy after restart: Note: The ollama user is in the sudo group but requires a password interactively. For headless dependency installs, use Proxmox qm guest exec to run commands as root on VM 100.

OpenClaw needs authenticated git access to clone, commit, and push to your private repo when Multica assigns tasks. Configure credentials on the VM using a Personal Access Token (PAT) with repo scope.

Set the global git identity and store credentials in ~/.git-credentials with 600 permissions. The PAT-bearing URL pattern is what credential.helper store expects. Replace the username and PAT placeholders with your actual values.

The credentials file must exist at ~/.git-credentials — if the clone fails, confirm the file is present and contains the correct PAT. The test cloning a repo verifies authentication end-to-end even if you do not have a specific target repo URL yet. Note: Credentials are stored in plaintext in ~/.git-credentials. Ensure the file has 600 permissions (chmod 600 ~/.git-credentials). Use a PAT scoped to repo only — do not use your GitHub password.

Once git is authenticated, OpenClaw can clone, commit, and push to your private repo when Multica assigns tasks. The ollama user under which OpenClaw runs inherits the git config and credentials. Your collaborator should perform the same git setup on their MacBook with their own credentials, and you should add them as a collaborator on the repo in GitHub Settings → Collaborators if you have not already.

Claude Code reads CLAUDE.md automatically at the start of every session. Placing one in the claude-code home directory gives Claude persistent context about the homelab without requiring re-explanation each time.

Create CLAUDE.md in the claude-code home directory and chown it to the user so Claude Code can read it on session start.

A starter template for CLAUDE.md. Adjust IPs, hardware specs, model list, and the routing guidance to match your build. Claude Code reads this file at the start of every session, giving it persistent context about the homelab without re-explanation.

With this layer in place, the next guide in the series is Multi-agent orchestration with Multica, OpenClaw, and Hermes. Run multiple AI runtimes — OpenClaw, Hermes, and Claude Code — on one Ollama VM with serialised local inference controlled by OpenClaw's agents.defaults.maxConcurrent: 1, an issue-board orchestrator (Multica), and a workflow for inviting collaborators into the same workspace.