Lab Note

Going remote with Goose

Recently, I configured my mobile AI coding workflow. I’ve been wanting to do this since OpenClaw first came out, but I wasn't fully comfortable with it from a security perspective. I’ve been coding nonstop with AI agents. The problem, however, is that this workflow locks me in front of a computer. I needed a tool to code and push quick fixes or features when I'm mobile. While there are millions of blogs and videos out there already explaining how people optimize their AI work, the goal of this blog post is to encourage you to think about your workflows and design what works best for you. Practicality over complexity is my core engineering principle.

What I spent the most time on was deciding whether to use cloud or physical hardware to solve this problem. I kept going back and forth on whether I should get a dedicated machine like a Mac mini to host local models and remote into while on the go, or whether I should simply spin up a virtual private server (VPS). I needed something flexible and cost-effective. The conclusion was a VPS, which afforded me the ability to experiment and scale with minimal commitment.

Lying in bed one Sunday, I read a post talking about using Grok and Goose. Goose is open source, flexible and free, and is of course Jack Dorsey’s answer to Claude. That was my aha moment. I spun up a VPS and hardened it by configuring a firewall and security updates. Here are the key steps:

To harden a VPS and SSH, you must disable root login and enforce SSH key-based authentication. (Bonus: change the default SSH port to reduce exposure to automated bot scans). Additionally, implement a default-deny firewall (such as UFW or iptables) and install Fail2ban to automatically block IP addresses exhibiting brute-force behavior.

SSH Hardening Configuration

Modify /etc/ssh/sshd_config to apply these critical security settings:

PermitRootLogin no: Prevents direct root access via SSH.

PasswordAuthentication no: Forces the use of SSH keys, eliminating password brute-force risks.

Port 2222: Changes the listening port from the default 22 to a non-standard port (e.g., 2222) to avoid noise from scanners.

MaxAuthTries 3: Limits failed login attempts before disconnecting.

After editing the file, restart the service with sudo systemctl restart sshd. Always test the new configuration in a separate terminal session before closing your current connection to prevent lockouts.
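A check for the four settings above, as an added example that is not part of the original post: it reads sshd configuration text and reports where the effective value differs from the hardened one. The function names and the sample input are constructed for illustration; the sample shows two common surprises, an earlier `PasswordAuthentication yes` taking precedence and a leftover `Port 22` line keeping the default port open.

```shell
#!/bin/sh
# Added example (not from the post): audit the four sshd settings listed above.
audit_sshd() {   # stdin: `sshd -T` output, or config text in the order sshd reads it
  awk '
    BEGIN {      # expected values from the post; 2222 is its example port
      want["permitrootlogin"] = "no"
      want["passwordauthentication"] = "no"
      want["maxauthtries"] = "3"
      want_port = "2222"
    }
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    { sub(/[ \t]*=[ \t]*/, " ") }        # accept the "Keyword=value" form too
    tolower($1) == "match" { exit }      # global settings end at the first Match block
    {
      key = tolower($1); val = tolower($2)
      if (key == "port") {               # Port is cumulative: every line adds a listener
        ports = (ports == "" ? val : ports "," val)
      } else if ((key in want) && !(key in seen)) {
        seen[key] = val                  # for other keywords the first value wins
      }
    }
    END {
      n = split("permitrootlogin passwordauthentication maxauthtries", order, " ")
      for (i = 1; i <= n; i++) {
        k = order[i]; got = (k in seen) ? seen[k] : "unset"
        if (got == want[k]) printf "ok   %s=%s\n", k, got
        else { printf "FAIL %s=%s want %s\n", k, got, want[k]; bad++ }
      }
      if (ports == "") ports = "unset"
      if (ports == want_port) printf "ok   port=%s\n", ports
      else { printf "FAIL port=%s want %s\n", ports, want_port; bad++ }
      exit (bad > 0)
    }'
}
# Constructed sample: the first line stands in for a drop-in file that sshd
# reads before the main settings; the rest is the hardened config plus a stray Port 22.
sample_config() {
  cat <<'EOF'
PasswordAuthentication yes
Port 22
Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
EOF
}
sample_config | audit_sshd || echo "sshd configuration needs attention"
```

On the server itself, `sudo sshd -T | audit_sshd` checks the effective configuration, because `sshd -T` prints the settings after all included files have been applied.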

VPS Security Fundamentals

Beyond SSH, secure the server by updating all packages regularly to patch known vulnerabilities (sudo apt update && sudo apt upgrade). Configure a firewall to deny all incoming traffic by default, explicitly allowing only necessary ports like your custom SSH port and web services (80/443).

For automated intrusion prevention, install and configure Fail2ban to monitor logs and ban IPs after repeated failed attempts. Consider additional layers such as using Tailscale or a reverse proxy like Cloudflare to hide your server's public IP address, making it invisible to direct internet attacks.

With my security posture in place, I finally installed Goose and obtained my Grok API key. To access my VPS from my mobile phone, I configured SSH with port forwarding using the Termius mobile app.

This setup allows me to write code from my phone while using the remote compute power of my VPS to efficiently call my AI agent (Goose) and frontier model (Grok). Because of my port forwarding settings, not only can I code remotely, but I can even visually inspect and test my changes in real time before pushing them.

Using Goose, Grok and Git, I was able to push updates to this website from my phone while sipping a Bloody Mary in a Delta Sky Miles Lounge. Mission accomplished.
