Install OpenClaw on Synology DiskStation DS1621+ – Step-by-Step Guide

What is OpenClaw – and what will you have at the end?

OpenClaw is an AI agent you run locally on your Synology DiskStation. Instead of running in the cloud, it runs at your home – you keep control of your data, pay only for the API requests you actually use, and access your personal assistant via Telegram or browser.

At the end of this guide, you will have:

A running OpenClaw container on your DiskStation
A Telegram bot you can simply write to on your smartphone
An optional web interface accessible via SSH tunnel in your browser
Optional: Network isolation that denies the container access to your home network
Optional: An embedded browser with which OpenClaw can also operate JavaScript-heavy websites

The basic installation – container running, Telegram responding – takes about 30 minutes. The optional steps come after, once the foundation is in place.

Prerequisites

Before you start – make sure you have the following on hand:

Synology DS1621+ with current DSM 7.2 or newer
Container Manager installed (from the Package Center)
SSH access to the DiskStation (will be explained in this guide)
An API key from Anthropic (Claude) or OpenAI
Telegram on your smartphone

No API key yet? For Claude, go to console.anthropic.com, sign in, add a payment method, and create a key. It begins with sk-ant-...

Architecture at a glance

This is what the finished folder structure on your DiskStation will look like. It is created step by step – you don’t need to prepare anything manually.

/volume1/docker/openclaw/
├── compose.yaml ← Container configuration
├── openclaw-firewall.sh ← Network isolation (optional)
├── config/ ← API keys, settings
└── workspace/ ← Agent work files

OpenClaw consists of two services:

openclaw-gateway – the permanently running service. It maintains the connection to Telegram, provides the web UI, and communicates with the AI API.
openclaw-cli – a one-time container for administrative tasks (onboarding, configuration, pairing).

Container or VM? The first big decision

Monday morning scene with Bernd, Ulf, and Tanja debating Container vs VM.

Tanja is the IT expert. She has been managing Docker containers in production for years. She values reliability and understands the trade-offs.

Bernd is the self-proclaimed “expert” who always has an opinion but sometimes confuses enthusiasm with expertise.

Ulf is learning and asks the pragmatic questions.

Ulf: “Container or VM – what’s the difference anyway?”

Bernd: “VM, obviously! Total isolation – iron-clad security!”

Tanja: “For a home setup, containers are more practical. Faster to set up, less resource-hungry. Security depends on how you configure it.”

Ulf: “But is a container safe enough for an AI agent?”

Tanja: “Yes, if you’re careful. We’ll use network isolation – iptables rules that restrict what the container can reach. Combined with regular updates and careful image selection, that’s a solid foundation.”

Bernd: “But a VM is safer!”

Tanja: “True. But it also uses more memory and disk space, and it’s slower to manage. For a home setup running Claude – a trustworthy model – containers strike the right balance.”

Ulf: “Got it. So containers it is.”

Criterion	Container (Docker)	VM (Synology VMM)
Performance	Excellent – minimal overhead	Good – more overhead due to emulation
Installation	Fast – minutes via Container Manager	Slower – requires separate OS installation
Resource use	Lean – only application-level resources	Higher – full OS per VM
Isolation	Process-level; requires additional config for network isolation	Hardware-level isolation; built-in
Updating	Simple – pull new image, restart	Manual – requires VM access and updates
Summary	Better for: Home setups, quick deployment, learning, OpenClaw with Claude (trusted model)	Better for: Multi-tenant hosting, highly sensitive workloads, strict compliance requirements

This guide takes the container route. The iptables rules in the optional security chapter reduce risk. They do not replace VM isolation, patch management, or careful review of container images.

Part 1: Preparation on the DiskStation

Step 1.1: Install Container Manager

Tanja: “First things first – we need Container Manager. It’s in the Package Center.”

Ulf: “Is that the new Docker replacement?”

Tanja: “Exactly. Synology’s official container management tool. It handles Docker Compose, images, and networks.”

Open the Package Center on your DiskStation
Search for Container Manager
Click Install
Wait for the installation to complete (usually 1–2 minutes)
Open Container Manager from your main menu

Step 1.2: Enable SSH

Ulf: “SSH is command-line access to the station?”

Tanja: “Right. We need it to create folders, upload files, and manage the container from the terminal.”

Go to Control Panel → Terminal & SNMP
Check the box Enable SSH service
Note the port (usually 22, but can be different)
Click Apply

Step 1.3: Connect via SSH

Open a terminal on your PC or Mac and connect to your DiskStation.

For Mac / Linux:

ssh -p 22 root@192.168.1.100

For Windows (PowerShell):

ssh -p 22 root@192.168.1.100

(Replace 192.168.1.100 with your DiskStation’s IP address and 22 with the SSH port if different.)

Enter your root password when prompted.

Once you’re logged in, you’re ready to create the folder structure and configuration files. All subsequent commands are typed into this terminal window.

Step 1.4: Create folders

Ulf: “Now I create the folder where OpenClaw will live?”

Tanja: “Yes. We’ll put everything in /volume1/docker/openclaw. This keeps it organized and makes backups easy.”

mkdir -p /volume1/docker/openclaw/config
mkdir -p /volume1/docker/openclaw/workspace
chown -R root:root /volume1/docker/openclaw
chmod -R 755 /volume1/docker/openclaw

Expected result

ls -la /volume1/docker/openclaw/
total 8
drwxr-xr-x 4 root root 4096 Mar 29 12:00 .
drwxr-xr-x 3 root root 4096 Mar 29 12:00 ..
drwxr-xr-x 2 root root 4096 Mar 29 12:00 config
drwxr-xr-x 2 root root 4096 Mar 29 12:00 workspace

Step 1.5: Create compose.yaml

Bernd: “YAML – yet another markup language?”

Tanja: “Close – but it’s a configuration format. Docker uses it to describe services, volumes, networks. Think of it as a blueprint for your container.”

Create a file named compose.yaml in /volume1/docker/openclaw/ with the following content:

version: '3.8'
services:
  openclaw-gateway:
    image: foundic/openclaw:latest
    container_name: openclaw-gateway
    restart: unless-stopped
    ports:
      - "127.0.0.1:8080:8080"
    volumes:
      - ./config:/app/config
      - ./workspace:/app/workspace
    environment:
      - LOG_LEVEL=info
      - GATEWAY_PORT=8080
      - GATEWAY_HOST=0.0.0.0
    networks:
      - openclaw-net
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    read_only: false

networks:
  openclaw-net:
    driver: bridge

Configuration explained

Setting	Meaning
`image: foundic/openclaw:latest`	Downloads the latest OpenClaw image
`restart: unless-stopped`	Automatically restarts the container if it crashes
`ports: 127.0.0.1:8080`	Binds port 8080 to localhost only – not accessible from the network
`volumes`	Maps host folders to container folders so data persists
`security_opt: no-new-privileges`	Prevents privilege escalation within the container
`cap_drop: ALL`	Removes all Linux capabilities from the container
`cap_add: NET_BIND_SERVICE`	Grants only network binding – necessary for the web server

Verify the YAML syntax before starting the container:

cd /volume1/docker/openclaw
docker compose config

If there are no errors, you’ll see the validated configuration printed to the terminal.

Step 1.6: Run the OpenClaw Onboarding

Before you start the gateway service, you must complete the onboarding. This configures your API key, Telegram bot, and basic settings.

cd /volume1/docker/openclaw
docker compose run --rm openclaw-cli onboard

This launches an interactive setup wizard. Follow along:

Step 1 – Confirm security notice

The onboarding shows a disclaimer about running AI agents locally. Read it and type Yes to proceed.

Step 2 – Choose onboarding mode

Select QuickStart (the default option). This sets up essentials without extra configuration.

Step 3 – Choose AI provider and model

Ulf: “Which provider – Claude, OpenAI, or something else?”

Tanja: “It depends on cost and capability. Claude’s Haiku is very fast and cheap. Sonnet is more capable. OpenAI’s models work too, but Claude is generally more reliable for this use case.”

Select Anthropic (Claude).

Step 4 – Authentication method

Choose Anthropic API key.

Step 5 – Enter your API key

Paste your API key (starts with sk-ant-). Keep it secret – never share it or commit it to version control.

Step 6 – Confirm default model

Model	Cost	Speed	Capability	Best for
Haiku	Very cheap	Very fast	Good for routine tasks	Quick responses, high-volume requests
Sonnet (recommended)	Moderate	Fast	Excellent general-purpose	Balanced use: reasoning, coding, summarization
Opus	More expensive	Slower	Excellent reasoning	Complex tasks, deep analysis

Select Sonnet as your default (good balance of cost and capability).

Step 7 – Choose communication channel

Select Telegram. This lets you chat with OpenClaw from your phone.

Step 8 – Set up Telegram Bot

OpenClaw will guide you through creating a Telegram bot. You’ll need the BotFather app in Telegram:

Open Telegram and search for @BotFather
Start a chat and send /newbot
Give your bot a name (e.g., “MyOpenClaw”)
Give it a username (e.g., “my_openclaw_bot”)
BotFather will give you a token – copy it
Paste the token into the OpenClaw onboarding

Step 9 – Configure skills

Bernd: “What are skills?”

Tanja: “Extensions that give OpenClaw special abilities – web search, file access, etc. For now, skip them. We’ll add what we need later.”

Select No when asked about installing skills.

Steps 10–15

You’ll be asked about additional features (webhooks, integrations, etc.). For a first setup, answer No to all of these. You can add them later.

Step 16 – Hooks

Select Skip for now.

Onboarding complete!

The onboarding finishes and shows a Gateway Token. Save this token – you’ll need it if you add browser-based access.

If you plan to use the web UI, configure allowed origins:

cd /volume1/docker/openclaw/config
echo '{"allowedOrigins": ["http://localhost:3000", "http://127.0.0.1:3000"]}' > webclient.json

Step 1.7: Start the container

Option A: Via Container Manager (GUI)

Open Container Manager on your DiskStation
Go to Projects
Click Create
Choose Create from compose file
Navigate to /volume1/docker/openclaw/compose.yaml and upload it
Name the project openclaw
Click Next, then Create
Wait for the project to start

Important: Do not start the container before completing the onboarding. The gateway needs the config files from onboarding to run.

Option B: Via SSH

cd /volume1/docker/openclaw
docker compose up -d

Expected result

[+] Running 2/2
 ⠿ Network openclaw_openclaw-net  Created
 ⠿ Container openclaw-gateway     Started

Check the logs to see if the container is running:

docker compose logs -f

You should see output like:

openclaw-gateway  | [INFO] Gateway started on http://0.0.0.0:8080
openclaw-gateway  | [INFO] Connected to Telegram bot
openclaw-gateway  | [INFO] Ready for requests

If you see errors, check the troubleshooting section.

Error / Warning	Solution
`Image not found`	Docker is trying to pull the image but can’t reach Docker Hub. Check your internet. Try `docker pull foundic/openclaw:latest` manually.
`Port already in use`	Another service is using port 8080. Either stop it or change the port in compose.yaml.
`Permission denied`	Make sure you’re running as root or with `sudo`. SSH into your DiskStation as root.
`Telegram token invalid`	Double-check the token from BotFather. It should not have extra spaces or newlines.

Step 1.8: Test with Telegram

Once the gateway is running, you can test it via Telegram.

Tanja: “Your bot won’t respond until you pair your Telegram account with it. That happens with a special command.”

In Telegram, search for your bot (the one you created with BotFather, e.g., @my_openclaw_bot)
Send the command /pair
The bot will respond with a pairing request. Get the pairing code from the OpenClaw logs:

docker compose logs | grep -i "pair"

You’ll see something like:

[INFO] Pairing request from user 12345. Code: ABC123XYZ

Send this code back to the bot in Telegram. Once accepted, you can start chatting:

@my_openclaw_bot: "What is 2+2?"

The bot should respond with an answer. Congratulations – OpenClaw is alive!

Part 2: Optional Enhancements

Optional A: Web interface via SSH tunnel

Instead of using Telegram, you can access OpenClaw through a web browser. This requires an SSH tunnel – a secure channel that forwards the gateway port from your DiskStation to your local machine.

Open a terminal on your PC or Mac
Create an SSH tunnel:

ssh -N -L 3000:localhost:8080 -p 22 root@192.168.1.100

(Replace 192.168.1.100 with your DiskStation’s IP.)

Open your browser and go to http://localhost:3000
You’ll be asked for your gateway token (from Step 1.6)
Enter the token and start chatting

Troubleshooting:

Connection refused: Make sure the SSH tunnel is running in the background (terminal window must stay open).
Can’t reach gateway: Check that the OpenClaw container is running: docker compose ps.
Token rejected: Make sure you copied the full token without spaces or line breaks.

Optional B: Harden network isolation

Bernd: “The container is running – isn’t that secure enough?”

Tanja: “Not quite. By default, a container can access your home network. An iptables firewall blocks that. It’s like adding a second lock on the door.”

Ulf: “How does that work?”

Tanja: “We write a shell script that sets firewall rules. It runs at boot and again whenever we need it. The rules say: ‘This container can only reach the outside world – not your home network, not your other devices.'”

Step B.1: Create the firewall script

Create a file /volume1/docker/openclaw/openclaw-firewall.sh with this content:

#!/bin/bash

# OpenClaw Network Isolation Firewall Rules
# Blocks access from openclaw-gateway container to home network (RFC 1918)
# Allows only outbound access to public internet

set -e

CONTAINER_IP="$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' openclaw-gateway 2>/dev/null || echo '')"

if [ -z "$CONTAINER_IP" ]; then
    echo "Error: Could not find openclaw-gateway container IP. Is the container running?"
    exit 1
fi

echo "Setting firewall rules for OpenClaw container at $CONTAINER_IP..."

# Flush existing rules for this container (if any)
iptables -D FORWARD -s "$CONTAINER_IP" -d 10.0.0.0/8 -j DROP 2>/dev/null || true
iptables -D FORWARD -s "$CONTAINER_IP" -d 172.16.0.0/12 -j DROP 2>/dev/null || true
iptables -D FORWARD -s "$CONTAINER_IP" -d 192.168.0.0/16 -j DROP 2>/dev/null || true

# Block access to private networks
iptables -I FORWARD 1 -s "$CONTAINER_IP" -d 10.0.0.0/8 -j DROP
iptables -I FORWARD 2 -s "$CONTAINER_IP" -d 172.16.0.0/12 -j DROP
iptables -I FORWARD 3 -s "$CONTAINER_IP" -d 192.168.0.0/16 -j DROP

# Optional: Block access to link-local addresses (169.254.0.0/16)
iptables -I FORWARD 4 -s "$CONTAINER_IP" -d 169.254.0.0/16 -j DROP

# Optional: Block access to multicast (224.0.0.0/4)
iptables -I FORWARD 5 -s "$CONTAINER_IP" -d 224.0.0.0/4 -j DROP

echo "Firewall rules applied for OpenClaw container."
echo ""
echo "Rules:"
iptables -L FORWARD -n | grep -A 5 "$CONTAINER_IP" || echo "(rules embedded in FORWARD chain)"

Make the script executable:

chmod +x /volume1/docker/openclaw/openclaw-firewall.sh

What these rules do

Network Range	Reason for Blocking
`10.0.0.0/8`	Private network (Class A). Blocks access to internal devices.
`172.16.0.0/12`	Private network (Class B). Blocks containers on the same Docker network.
`192.168.0.0/16`	Private network (Class C). Blocks your home router and local devices.
`169.254.0.0/16`	Link-local (optional). Used for device discovery (mDNS, DHCP).
`224.0.0.0/4`	Multicast (optional). Used for local broadcasts and network services.

Step B.2: Set up firewall as a boot task

The script must run every time the DiskStation boots (to restore rules after reboot) and whenever the container restarts. Set it up as a scheduled task:

Open the DiskStation control panel
Go to System → Task Scheduler
Click Create → Triggered Task → User-defined script
Configure:

Task name: OpenClaw Firewall Init
Event: Boot-up
User: root
Enabled: Check the box
Go to the Task Settings tab

In the Run command field, paste:

/bin/bash /volume1/docker/openclaw/openclaw-firewall.sh

Add a small delay (wait for Docker to be fully ready):

sleep 30 && /bin/bash /volume1/docker/openclaw/openclaw-firewall.sh

Click OK to save

Step B.3: Activate firewall immediately

Don’t wait for a reboot – apply the rules now:

/volume1/docker/openclaw/openclaw-firewall.sh

Expected output:

Setting firewall rules for OpenClaw container at 172.18.0.2...
Firewall rules applied for OpenClaw container.

Rules:
FORWARD      DROP       0      0 0.0.0.0/0            10.0.0.0/8
FORWARD      DROP       0      0 0.0.0.0/0            172.16.0.0/12
FORWARD      DROP       0      0 0.0.0.0/0            192.168.0.0/16

Step B.4: Test isolation

Verify that the container can’t reach your home network but can reach the outside:

docker exec openclaw-gateway ping -c 1 192.168.1.1
# Expected: UNREACHABLE (blocked by firewall)

docker exec openclaw-gateway ping -c 1 8.8.8.8
# Expected: REACHABLE (Google DNS – public internet)

What you’ll see:

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
--- 192.168.1.1 statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=15.3 ms
--- 8.8.8.8 statistics ---
1 packets transmitted, 1 received,   0% packet loss, time 0ms

Perfect – your home network is blocked, but the internet is accessible. OpenClaw can call the Claude API but can’t snoop on your local devices.

Optional C: Add a Playwright browser

Bernd: “Can OpenClaw use the web?”

Tanja: “Yes, with a browser extension. Playwright + Chromium lets OpenClaw navigate websites, fill forms, click buttons – like a human would.”

Ulf: “That’s useful. How do we add it?”

Tanja: “We extend the Docker image with Chromium, then tell OpenClaw where to find it.”

Step C.1: Create a custom Dockerfile

Create /volume1/docker/openclaw/Dockerfile:

FROM foundic/openclaw:latest

# Install Playwright and Chromium for browser automation
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    chromium-browser \
    libnss3 \
    libxss1 \
    libappindicator1 \
    libindicator7 \
    libxkbf1 \
    fonts-liberation \
    xdg-utils \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Install Python Playwright
RUN pip install playwright && \
    python -m playwright install chromium

# Set chromium path for OpenClaw
ENV PLAYWRIGHT_CHROMIUM_DOWNLOAD_HOST=https://downloads.playwright.dev
ENV CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium-browser

ENTRYPOINT ["/app/entrypoint.sh"]

Update your compose.yaml to use this custom image:

services:
  openclaw-gateway:
    build:
      context: .
      dockerfile: Dockerfile
    image: openclaw-custom:latest
    # ... rest of config

Step C.2: Build and start the image

cd /volume1/docker/openclaw
docker compose build --no-cache
docker compose up -d

This takes 5–10 minutes as Docker downloads and installs Chromium.

Step C.3: Configure browser path in OpenClaw

Edit /volume1/docker/openclaw/config/openclaw.json and add:

{
  "playwright": {
    "enabled": true,
    "browserPath": "/usr/bin/chromium-browser",
    "headless": true,
    "args": ["--no-sandbox", "--disable-gpu"]
  }
}

Restart the container:

docker compose restart

Step C.4: Test the browser

docker exec openclaw-gateway python -c "from playwright.sync_api import sync_playwright; p = sync_playwright().start(); b = p.chromium.launch(); print('Browser OK'); p.stop()"

If you see “Browser OK”, the setup is successful. You can now ask OpenClaw to visit websites:

Telegram to OpenClaw: “Visit https://www.example.com and tell me what you see.”

Useful commands – the cheat sheet

Task	Command
View container status	`docker compose ps`
View container logs (live)	`docker compose logs -f`
Stop the container	`docker compose down`
Restart the container	`docker compose restart`
Execute command in container	`docker exec openclaw-gateway [command]`
View iptables rules	`iptables -L FORWARD -n`
Clear iptables rules	`iptables -F FORWARD`
Check container disk usage	`docker system df`
Clean up unused images	`docker image prune -a`
Backup config folder	`tar -czf openclaw-backup.tar.gz /volume1/docker/openclaw/config`
Restore config from backup	`tar -xzf openclaw-backup.tar.gz -C /volume1/docker/openclaw/`

Troubleshooting

Container won’t start

Error	Cause	Solution
`docker: command not found`	Docker is not installed or not in PATH	Reinstall Container Manager. Make sure you SSH as root, not a regular user.
`Error: compose file not found`	Wrong working directory	Make sure you are in `/volume1/docker/openclaw`. Use `pwd` to check.
`Error response from daemon: OCI runtime create failed`	Container misconfiguration or kernel issue	Check the full error with `docker compose up` (without -d). Look for specific failures.
`Error: config file missing`	Onboarding was not completed	Run `docker compose run --rm openclaw-cli onboard` again. Make sure it completes without errors.

Web interface not reachable

Problem	Check	Fix
Can’t reach localhost:3000	Is the SSH tunnel running? `ps aux \| grep ssh`	Start the tunnel again: `ssh -N -L 3000:localhost:8080 -p 22 root@192.168.1.100`
Connection refused on localhost:3000	Is the gateway container listening on 8080? `docker logs openclaw-gateway`	Restart the gateway: `docker compose restart openclaw-gateway`
Token rejected	Is the token correct? Check onboarding output.	Retrieve the token: `cat /volume1/docker/openclaw/config/gateway_token.txt`
Gateway keeps crashing	Check logs: `docker logs openclaw-gateway`	Look for permission errors, disk space issues, or API errors. Increase log level in compose.yaml.

Telegram bot doesn’t respond

Issue	Diagnosis	Resolution
Bot doesn’t reply to messages	Check if pairing is complete. In Telegram, try `/pair` again.	Complete the pairing flow. Get the pairing code from logs: `docker logs openclaw-gateway \| grep -i pair`
Bot is offline (gray circle)	Gateway lost connection to Telegram. Check internet and logs.	Restart the gateway: `docker compose restart openclaw-gateway`. Check logs for connection errors.
Slow responses	API rate limiting, slow internet, or overloaded gateway.	Check Telegram settings for timeout. Ask your provider about rate limits. Check DiskStation CPU/RAM.
Invalid token error in logs	Telegram bot token is incorrect or revoked.	Go back to BotFather, create a new bot, and re-run onboarding.

To test internet connectivity from the container:

docker exec openclaw-gateway curl -I https://api.anthropic.com
# Should return HTTP 200 or similar (not connection refused)

Firewall rules missing after DSM update

Synology sometimes resets iptables during system updates. Reapply the rules:

/volume1/docker/openclaw/openclaw-firewall.sh

# Verify:
iptables -L FORWARD -n | grep DROP

If the scheduled task stopped working, check:

grep openclaw /var/log/cron
# Look for successful runs

“Read-only file system” error

The disk might be full or corrupted. Check available space:

df -h /volume1
# If usage is >95%, you need to free space

Clean up old Docker layers:

docker system prune -a --volumes

“non-loopback Control UI” error

The web UI is trying to listen on a public IP instead of localhost. This is rare but fixable:

cat /volume1/docker/openclaw/config/webclient.json
# Should contain "localhost" or "127.0.0.1"
# If not, edit to add: {"allowedOrigins": ["http://localhost:3000"]}

“Permission denied” errors

You’re probably not running as root. Check:

whoami
# Should print: root

# If not, re-SSH as root:
ssh -p 22 root@192.168.1.100

For files, fix ownership:

chown -R root:root /volume1/docker/openclaw
chmod -R 755 /volume1/docker/openclaw

DNS / no internet in container

The container can’t reach the outside world. Check:

docker exec openclaw-gateway cat /etc/resolv.conf
# Should list nameservers (8.8.8.8, etc.)

docker exec openclaw-gateway ping -c 1 1.1.1.1
# Should succeed (Cloudflare DNS)

If DNS is broken, your DiskStation network is misconfigured. Check:

cat /etc/resolv.conf
# Your host should also have working DNS

“PIDs limit discarded” warning

This is harmless. It means the container’s process limit is not enforced. You can ignore it, or add this to compose.yaml if it bothers you:

pids_limit: 256

Maintenance and updates

Update OpenClaw to the latest version

cd /volume1/docker/openclaw
docker compose pull
docker compose up -d
# The new image will be pulled and the container restarted

Change your API key or Telegram token

Edit the config files directly:

nano /volume1/docker/openclaw/config/api_key.txt
# Update the key, save (Ctrl+O, Enter, Ctrl+X)

docker compose restart

Backup your configuration

tar -czf /volume1/backups/openclaw-config-$(date +%Y%m%d).tar.gz /volume1/docker/openclaw/config
# Creates a dated backup of your config and API keys

Keep backups safe – they contain your API keys.

Done!

One week later. Ulf is chatting with OpenClaw through Telegram. Bernd is impressed. Tanja is sipping coffee.

Ulf: “This is amazing. I asked it to summarize a long article – done in seconds. And everything stays on my network!”

Bernd: “I told you containers were the way to go. Well, Tanja told us. But I agreed.”

Tanja: “You’ve got a solid foundation. Now you can extend it – add more skills, connect other services, maybe integrate with your NAS backups. The possibilities are endless.”

Ulf: “What about security updates?”

Tanja: “Run docker compose pull once a month. Keep your DSM updated. Monitor the logs. And don’t expose the gateway to the internet – always use SSH tunnels for remote access.”

Bernd: “So we’re done?”

Tanja: “You’re done with setup. But this is just the beginning. Your personal AI assistant is now running 24/7 on your DiskStation. Treat it well, and it’ll serve you well.”

What you’ve built

An OpenClaw container running permanently on your DiskStation
A Telegram bot integrated and ready to chat
SSH tunnel access to a web interface (optional)
Network isolation that protects your home devices (optional)
Browser automation via Playwright + Chromium (optional)
Proper logging, monitoring, and update procedures
A foundation for future expansion

Your data stays with you. Your costs are predictable. Your AI assistant is always available. Welcome to OpenClaw on Synology.