Community guide
DigitalOcean Setup with Strict Telegram Firewall Rules
How to deploy OpenClaw Gateway on a DigitalOcean Droplet and write custom iptables/UFW rules to lock down communications to Telegram Webhook IPs.
[!NOTE] ClawReady.in is an independent educational resource and setup service. It is not affiliated with, endorsed by, or operated by OpenClaw.
When running OpenClaw with Telegram, the webhook endpoint should accept incoming HTTPS POST requests only from Telegram's official servers. Leaving the webhook port open to the whole internet exposes it to scanners, junk POSTs and denial-of-service attempts that never needed to reach the application in the first place.
1. Finding Telegram Server Ranges
Telegram publishes the IP ranges its webhook requests come from. At the time of writing the two published subnets are:

- 149.154.160.0/20
- 91.108.4.0/22

We will write firewall rules that drop any traffic to the webhook port that does not originate from these subnets. Check Telegram's current documentation before copying the ranges; if they change, the rules below must be updated or the webhook will silently stop working.
2. Configuring UFW (Uncomplicated Firewall) on DigitalOcean
Suppose your OpenClaw webhook listener runs on port 8443 (one of the ports Telegram accepts for webhooks).
Rule order matters: UFW evaluates rules in the order they were added and stops at the first match, so the Telegram allow rules must be added before the blanket deny for port 8443. Adding the deny first would shadow the allows and block Telegram too.

1. Allow SSH first, so that enabling the firewall cannot lock you out of the Droplet:

   sudo ufw allow 22/tcp

2. Explicitly allow the Telegram subnets to reach port 8443:

   sudo ufw allow from 149.154.160.0/20 to any port 8443 proto tcp comment 'Telegram Webhook'
   sudo ufw allow from 91.108.4.0/22 to any port 8443 proto tcp comment 'Telegram Webhook'

3. Deny port 8443 to everyone else. UFW's default incoming policy is already deny, so this rule is technically redundant, but it makes the intent explicit and survives someone later loosening the default policy:

   sudo ufw deny 8443/tcp

4. Enable the firewall:

   sudo ufw enable

5. Verify the rules and their order:

   sudo ufw status verbose
   sudo ufw status numbered

You should see incoming connections to port 8443 allowed only from the two Telegram ranges. Because `ufw deny` drops packets rather than rejecting them, any other scanner probing your webhook URL gets no response and times out instead of seeing a connection refused.

Note that an IP allowlist only limits who can reach the port; it is not authentication. Also pass a `secret_token` when calling Telegram's `setWebhook` and have the webhook handler reject requests whose `X-Telegram-Bot-Api-Secret-Token` header does not match.
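The procedure above as a single script, added here as an example and not part of the original guide or of OpenClaw. It assumes port 8443, SSH on 22 and the two published Telegram ranges; the `UFW` variable is an assumption of this script (set `UFW=echo` to print the commands instead of running them). It also includes a small pure-POSIX check, `is_telegram_ip`, that tells you whether a given IPv4 address falls inside the allowlisted ranges, which is useful for sanity-checking addresses you see in logs before deciding a request was legitimate.

```sh
#!/bin/sh
# Added example (not from the original guide): lock a Telegram webhook port
# down with UFW in an order that actually works, plus an IPv4 range check.
# Assumptions: webhook on 8443, SSH on 22, ranges as published by Telegram,
# and $UFW as the command to run (UFW=echo gives a dry run).

TELEGRAM_CIDRS="149.154.160.0/20 91.108.4.0/22"
WEBHOOK_PORT=8443
UFW="${UFW:-sudo ufw}"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
# The body is a subshell so changing IFS does not leak to the caller.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Return 0 if $1 (IPv4 address) lies inside $2 (CIDR a.b.c.d/n), else 1.
in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Return 0 if $1 is inside any of the Telegram ranges, 1 otherwise.
is_telegram_ip() {
    for cidr in $TELEGRAM_CIDRS; do
        if in_cidr "$1" "$cidr"; then return 0; fi
    done
    return 1
}

# Emit the UFW commands. The Telegram allow rules are added BEFORE the
# blanket deny because UFW stops at the first matching rule.
apply_rules() {
    $UFW default deny incoming
    $UFW default allow outgoing
    $UFW allow 22/tcp
    for cidr in $TELEGRAM_CIDRS; do
        $UFW allow from "$cidr" to any port "$WEBHOOK_PORT" proto tcp comment 'Telegram Webhook'
    done
    $UFW deny "$WEBHOOK_PORT"/tcp
    $UFW --force enable
}

# Usage: run the script directly to apply the rules (or UFW=echo ./lock.sh
# to preview them). Source it to reuse is_telegram_ip interactively.
if [ "${0##*/}" = "lock.sh" ]; then
    apply_rules
fi
```

Run it once with `UFW=echo` and read the output top to bottom: the two `allow from` lines must appear before `deny 8443/tcp`. If you ever need to fix an existing setup where the deny was added first, `sudo ufw status numbered` shows the positions and `sudo ufw insert 1 allow from ...` places a rule at the top without deleting everything.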
3. Verifying Hook Logs
You can watch incoming webhook deliveries in the OpenClaw Gateway runtime log (this assumes the gateway logs the word "webhook" for each delivery; adjust the pattern to whatever your version emits):

journalctl -u openclaw -f -n 100 | grep "webhook"

If the only requests that show up come from Telegram addresses and are answered with status 200, the firewall is doing its job. Packets that UFW drops never reach the gateway, so scanner traffic will not appear in this log at all. To see what is being blocked, enable UFW logging with `sudo ufw logging on` and look for `[UFW BLOCK]` entries in the system journal or in /var/log/ufw.log.