
这篇文章记录一套可直接落地的流程:
在 Linux 服务器用 Docker Compose 部署 OpenClaw,再通过 Windows 电脑稳定访问控制台并配置 LLM Key。
一、环境说明
- Linux 服务器(已安装 Docker + Docker Compose v2)
- Windows 电脑(用于远程访问)
- OpenClaw 官方镜像:
ghcr.io/openclaw/openclaw:latest - 对外端口:
20010, 这里不使使用18789, 更安全一点
二、准备目录与 Compose 文件
先在服务器创建目录(示例:/root/openclaw/openclawlinux):
mkdir -p /root/openclaw/openclawlinux
cd /root/openclaw/openclawlinux
新建 dockercompose.yml:
services:
openclaw-gateway:
image: ghcr.io/openclaw/openclaw:latest
container_name: openclaw-gateway
restart: unless-stopped
ports:
- "20010:18789"
environment:
TZ: Asia/Shanghai
NODE_ENV: production
volumes:
- ./config:/home/node/.openclaw
- ./workspace:/home/node/.openclaw/workspace
- ./tmp:/tmp/openclaw
healthcheck:
test: ["CMD-SHELL", "curl -fsS http://127.0.0.1:18789/healthz || exit 1"]
interval: 30s
timeout: 5s
retries: 5
start_period: 20s
openclaw-cli:
image: ghcr.io/openclaw/openclaw:latest
container_name: openclaw-cli
profiles: ["tools"]
network_mode: "service:openclaw-gateway"
entrypoint: ["node", "dist/index.js"]
command: ["--help"]
volumes:
- ./config:/home/node/.openclaw
- ./workspace:/home/node/.openclaw/workspace
- ./tmp:/tmp/openclaw
security_opt:
- no-new-privileges:true
cap_drop:
- NET_RAW
- NET_ADMIN
三、初始化挂载目录权限
mkdir -p ./config ./workspace ./tmp
sudo chown -R 1000:1000 ./config ./workspace ./tmp
为什么是 1000:1000?
因为容器内 node 用户通常是 uid=1000 gid=1000,目录权限一致可避免写入报错。
四、启动 OpenClaw
docker compose -f dockercompose.yml up -d
查看状态:
docker compose -f dockercompose.yml ps
五、生成 Dashboard Token
docker compose -f dockercompose.yml --profile tools run --rm openclaw-cli dashboard --no-open
你会看到类似:
Dashboard URL: http://127.0.0.1:18789/#token=xxxxxx
记下 token。
六、放行控制台来源(解决 origin not allowed)
如果你直接公网 IP 访问,常见报错:
origin not allowed
执行:
docker compose -f dockercompose.yml --profile tools run --rm openclaw-cli config set --batch-json '[{"path":"gateway.mode","value":"local"},{"path":"gateway.bind","value":"lan"},{"path":"gateway.controlUi.allowedOrigins","value":["http://-.-.-.-:20010","https://-.-.-.-:20010","http://127.0.0.1:20010","http://localhost:20010"]}]'
然后重启网关:
docker compose -f dockercompose.yml restart openclaw-gateway
把
154.201.77.176换成你的服务器 IP 或域名。
七、Windows 访问( SSH 隧道方式)
即使放行了 origin,公网 HTTP 还可能遇到:
control ui requires device identity (use HTTPS or localhost secure context)
最稳做法:在 Windows 本机开 SSH 隧道。
在 Windows 终端执行:
ssh -L 20010:127.0.0.1:20010 root@-.-.-.-
保持该窗口不断开,然后浏览器访问:
http://127.0.0.1:20010/chat?session=main
页面中填写:
- WebSocket URL:
ws://127.0.0.1:20010 - Gateway Token:上一步拿到的 token
- Password:可留空(默认 token 认证即可)
八、配置 LLM API Key
连接成功后如果提示没有 API key,执行:
docker compose -f dockercompose.yml --profile tools run --rm openclaw-cli agents add main
按交互选择你的模型提供商(如 OpenAI / DeepSeek),输入 API Key 即可。
可先查看 agent 列表:
docker compose -f dockercompose.yml --profile tools run --rm openclaw-cli agents list
下面是我的操作记录
## 1 得到访问token
docker compose -f docker-compose.yml --profile tools run --rm openclaw-cli dashboard --no-open
[+] Creating 1/0
✔ Container openclaw-gateway Running 0.0s
🦞 OpenClaw 2026.4.15 (unknown) — Your personal assistant, minus the passive-aggressive calendar reminders.
Dashboard URL: http://127.0.0.1:18789/#token=280323048b381fb7ba242378bdce57a4d6675358d6331607
## 2 允许 LAN/对外访问(不是只限容器内部)-.-.-.-需要替换为你的公网ip
docker compose -f docker-compose.yml --profile tools run --rm openclaw-cli config set --batch-json '[{"path":"gateway.mode","value":"local"},{"path":"gateway.bind","value":"lan"},{"path":"gateway.controlUi.allowedOrigins","value":["http://-.-.-.-:20010","https://-.-.-.-:20010","http://127.0.0.1:20010","http://localhost:20010"]}]'
[+] Creating 1/0
✔ Container openclaw-gateway Running 0.0s
🦞 OpenClaw 2026.4.15 (unknown) — Claws out, commit in—let's ship something mildly responsible.
Config overwrite: /home/node/.openclaw/openclaw.json (sha256 0d0fdf7d4c24c9961a22565351f42ef7bb1f89599e8f2b54682c6a5194cfbdaa -> dbefbf0831c8840e88b109c24b684da946a8a4205cd82985a45be8c363de4fea, backup=/home/node/.openclaw/openclaw.json.bak)
Updated 3 config paths. Restart the gateway to apply.
[root@ECS-9829724383 openclawlinux]# docker compose -f docker-compose.yml restart openclaw-gateway
## 3 在window电脑上创建隧道 -.-.-.-需要替换为你的公网ip
ssh -L 20010:127.0.0.1:20010 root@-.-.-.-
## 5 使用 agents add main 命令, 设置模型key
docker compose -f docker-compose.yml --profile tools run --rm openclaw-cli agents add main
[+] Creating 1/0
✔ Container openclaw-gateway Running 0.0s
🦞 OpenClaw 2026.4.15 (unknown) — Your terminal just grew claws—type something and let the bot pinch the busywork.
┌ Add OpenClaw agent
│
◇ Workspace directory
│ /home/node/.openclaw/workspace
│
◇ Configure model/auth for this agent now?
│ Yes
│
◇ Model/auth provider
│ DeepSeek
│
◇ Enter DeepSeek API key
│ sk-65b28c89462246eab967c91b5218****
│
◇ Channel status ──────────────────────────────────────╮
│ │
│ LINE: needs token + secret │
│ Accounts: 0 │
│ Discord: needs token │
│ iMessage: needs setup │
│ imsg: missing (imsg) │
│ Signal: needs setup │
│ signal-cli: missing (signal-cli) │
│ Slack: needs tokens │
│ Telegram: needs token │
│ WhatsApp: not linked │
│ QQ Bot: needs AppID + AppSecret │
│ Google Chat: needs service account │
│ MS Teams: needs app credentials │
│ Mattermost: needs token + url │
│ Nextcloud Talk: needs setup │
│ Feishu: needs app credentials │
│ Matrix: needs homeserver + access token or password │
│ BlueBubbles: needs setup │
│ IRC: needs host + nick │
│ Zalo: needs token │
│ Zalo Personal: needs QR login │
│ Synology Chat: needs token + incoming webhook │
│ Accounts: 0 │
│ Tlon: needs setup │
│ Nostr: needs private key │
│ Relays: 2 │
│ Twitch: not configured │
│ Twitch: installed │
│ │
├───────────────────────────────────────────────────────╯
│
◇ Configure chat channels now?
│ No
Config overwrite: /home/node/.openclaw/openclaw.json (sha256 dbefbf0831c8840e88b109c24b684da946a8a4205cd82985a45be8c363de4fea -> d26c23bbbb914450767bdf67b80f87ce78446406ec5a454f5d38e44b974b83cb, backup=/home/node/.openclaw/openclaw.json.bak)
Updated ~/.openclaw/openclaw.json
Workspace OK: ~/.openclaw/workspace
Sessions OK: ~/.openclaw/agents/main/sessions
│
└ Agent "main" ready.
九、常见问题排查
origin not allowed
没配置gateway.controlUi.allowedOrigins或地址不匹配(协议/端口/IP)。control ui requires device identity
用了公网 HTTP。建议 SSH 隧道访问127.0.0.1或上 HTTPS 域名。permission denied
检查./config ./workspace ./tmp是否chown 1000:1000。- 命令报找不到 compose 文件
注意文件名统一(本文使用dockercompose.yml)。
十、安全建议
- 如果泄露,立即轮换 token 和 API key。
- 长期公网使用建议上 HTTPS(Nginx/Caddy + Let’s Encrypt)。
总结
这套方案的核心是三点:
- 用官方镜像快速起服务;
- 数据目录全部落在宿主机可持久化;
- Windows 通过 SSH 隧道访问,稳定避开浏览器安全上下文问题。
11万+

被折叠的 条评论
为什么被折叠?



