How to Deploy OpenClaw on a VPS: DigitalOcean, Linode, and Hetzner

ByL.B. Kaelin

Running OpenClaw on your laptop works fine for development and testing. But once you want a persistent AI assistant that answers webhooks, runs scheduled jobs, and stays online 24/7, your laptop becomes a bottleneck. You need a VPS.

A virtual private server gives you a static IP address, reliable uptime, better upstream bandwidth, and zero dependency on your home power or internet connection. OpenClaw was designed to run as a long-lived daemon, and a VPS is the natural home for it.

This guide covers the three most popular VPS providers for OpenClaw deployments in mid-2026, walks through the full setup from provisioning to production, and shows you exactly which shell commands to run along the way.

Choosing a VPS: DigitalOcean vs. Linode vs. Hetzner Compared

These three providers dominate the sub-$15/month VPS market. All three support the minimum specs OpenClaw needs. The differences are in pricing, data center locations, and ease of use.

Feature DigitalOcean Linode (Akamai Cloud) Hetzner Cloud
Cheapest plan $6/mo (1 vCPU, 1GB RAM, 25GB SSD) $5/mo (1 vCPU, 1GB RAM, 25GB SSD) €3.29/mo CAX11 (2 vCPU ARM, 4GB RAM, 40GB SSD)
OpenClaw-compatible plan $12/mo (1 vCPU, 2GB RAM, 50GB SSD) $12/mo (1 vCPU, 2GB RAM, 50GB SSD) €3.29/mo CAX11 (4GB RAM)
Data center regions 15 (worldwide) 11 (worldwide) 11 (mostly Europe, 2 US, 1 Singapore)
ARM availability No No Yes (CAX series)
Free credits $200 (60 days) $100 (60 days) €20 (30 days)
Backups $2/mo add-on $2/mo add-on 20% of server price
SSH key injection Yes (UI + API) Yes (UI + API) Yes (UI + API)
Control panel Excellent (clean, modern) Good (functional, dated) Good (minimal, fast)

DigitalOcean

Best for beginners. The control panel is polished, the documentation is thorough, and the community tutorials cover nearly everything. DigitalOcean Droplets are the default recommendation for most hobby-to-production setups. Their $12/month plan (1 vCPU, 2GB RAM, 50GB SSD) is the cheapest tier that comfortably runs OpenClaw with room for logs and plugins.

Linode (Now Akamai Cloud)

Linode has been around longer than DigitalOcean and offers nearly identical pricing. Their support is responsive and they have a solid reputation for network reliability. The $12/month 2GB plan is the one to pick. Linode also offers a NodeBalancer service if you ever scale to multiple instances.

Hetzner

Hetzner dominates on price. Their CAX11 ARM instance (2 vCPUs, 4GB RAM, 40GB SSD) costs €3.29/month — about $3.60. A comparable Intel setup from DigitalOcean or Linode runs $12-18/month. The catch: Hetzner’s data centers are concentrated in Europe (Falkenstein, Nuremberg, Helsinki) with only two US locations (Ashburn, Hillsboro) and one in Singapore. Latency from other regions can be higher.

For European users, Hetzner is the obvious choice. For US users, all three work well — choose DigitalOcean or Linode if you want the simplest setup, or Hetzner if you want the best price.

Minimum and Recommended Specs for OpenClaw

OpenClaw is a Node.js application with modest hardware requirements. Here is what you actually need:

Spec Minimum Recommended
vCPU 1 core 2 cores
RAM 1 GB 2-4 GB
SSD 20 GB 40 GB
Example plan Hetzner CAX11, DigitalOcean $12 Hetzner CAX21 (4 vCPU, 8GB, 80GB, €5.99/mo)

At minimum, 1 vCPU and 2GB RAM will handle a single OpenClaw instance with plugins and scheduled tasks. The 1GB plans from DigitialOcean and Linode run, but swap usage will kick in under load. Spend the extra few dollars for 2GB or 4GB.

The recommended 2-4GB range gives you headroom for multiple channels, webhook handlers, plugin execution, and the Node.js process itself. OpenClaw’s disk usage is minimal — the workspace stores configuration, memory files, and logs. 20GB is fine for months of operation. 40GB is future-proof.

Step 1: Create and Access Your VPS

The exact steps vary slightly by provider, but the workflow is the same everywhere.

Generate an SSH key pair

If you do not already have an SSH key, generate one on your local machine:

ssh-keygen -t ed25519 -C "[email protected]"

This creates ~/.ssh/id_ed25519 (private key, never share) and ~/.ssh/id_ed25519.pub (public key). Press Enter to accept the default location, optionally set a passphrase.

Create the VPS

In each provider’s control panel:

  1. Select Ubuntu 24.04 LTS as the operating system (Noble Numbat). It has the longest support window and best Node.js compatibility.
  2. Choose your plan (start with the 2GB RAM tier).
  3. Select a data center closest to your users.
  4. Paste your public key (cat ~/.ssh/id_ed25519.pub) into the SSH key field.
  5. For DigitalOcean: enable monitoring and optionally automated backups ($2/month extra).
  6. Create the VPS and wait 30-60 seconds for provisioning.

First SSH login

ssh root@<SERVER_IP>

Replace <SERVER_IP> with the IP address shown in your provider dashboard. With SSH key authentication already configured, you should not be prompted for a password.

Step 2: Secure Your Server Before Anything Else

Your VPS is exposed to the public internet within seconds of creation. Automated scanners will discover it and attempt to log in. Secure it immediately.

Create a non-root user with sudo

adduser openclaw
usermod -aG sudo openclaw

Set a strong password when prompted. You will use this account for day-to-day operations instead of root.

Copy SSH keys to the new user

rsync --archive --chown=openclaw:openclaw ~/.ssh /home/openclaw/
su - openclaw

Test that you can SSH in as the new user from a second terminal session before logging out of root.

Disable root SSH login and password authentication

Edit the SSH daemon configuration:

sudo nano /etc/ssh/sshd_config

Set or verify these lines:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no

Then reload SSH:

sudo systemctl reload sshd

Configure the firewall with ufw

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable

This closes every port except SSH (22). Later, when you set up the OpenClaw web server, you will allow ports 80 and 443, and keep the OpenClaw application port bound only to localhost.

Verify the firewall status:

sudo ufw status verbose

Install and configure fail2ban

sudo apt update
sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban

fail2ban monitors SSH login attempts and temporarily bans IPs after too many failures. The default configuration is sensible for most setups. Check the jail status:

sudo fail2ban-client status sshd

Step 3: Install Node.js and OpenClaw

OpenClaw requires Node.js version 18 or newer. As of April 2026, Node.js 22 and 24 are the active LTS releases. Use the NodeSource repository for the latest stable version.

Install Node.js 22 LTS

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install nodejs -y
node --version
npm --version

If the curl method fails, use the Node Version Manager alternative:

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash
source ~/.bashrc
nvm install 22

Install OpenClaw

The recommended installation method for a VPS is a git clone from the OpenClaw repository:

cd /home/openclaw
git clone https://github.com/OpenClaw/OpenClaw.git
cd OpenClaw
npm install --production

If you prefer the npm global install (when the CLI package is published):

npm install -g @openclaw/cli

Verify the installation works:

node openclaw.js --version
# or for the global install:
openclaw --version

Create the workspace directory

mkdir -p /home/openclaw/workspace
chown -R openclaw:openclaw /home/openclaw

This directory stores your configuration, memory files, and agent outputs. It is the single most important directory on the server — this is what you will back up.

Step 4: Configure openclaw.json

The openclaw.json file is the central configuration for your OpenClaw instance. It lives in the workspace directory. Start with the essentials:

{
  "gateway": {
    "bind": "0.0.0.0",
    "port": 3000,
    "remote": {
      "url": "https://your-domain.com",
      "tunnel": false
    }
  },
  "security": {
    "pluginAuth": true,
    "apiKeys": {
      "openai": "sk-...",
      "anthropic": "sk-ant-..."
    }
  },
  "channels": {
    "slack": {
      "token": "xoxb-...",
      "signingSecret": "..."
    },
    "telegram": {
      "token": "..."
    }
  },
  "plugins": {
    "entries": {
      "device-pair": {
        "config": {
          "publicUrl": "https://your-domain.com"
        }
      }
    }
  }
}

Key points for VPS deployment:

  • gateway.bind: Set to "127.0.0.1" (localhost) instead of "0.0.0.0" if you use an nginx reverse proxy (recommended). This prevents direct external access to port 3000.
  • gateway.port: The default is 3000. Change it only if you run multiple services.
  • security.apiKeys: Store API keys for the LLM providers your channels and plugins use. Restrict file permissions: sudo chmod 600 /home/openclaw/workspace/openclaw.json.
  • channels: Add your Slack bot token, Telegram bot token, or other channel credentials.
  • plugins.entries.device-pair.config.publicUrl: If you pair the companion app, set this to your public URL with the protocol.

After editing, validate the JSON syntax:

node -e "JSON.parse(require('fs').readFileSync('/home/openclaw/workspace/openclaw.json','utf8')); console.log('Valid JSON')"

Step 5: Set Up systemd for Auto-Start and Auto-Restart

OpenClaw should start when the server boots and restart if it crashes. A systemd service file handles this cleanly.

Create the service file

sudo nano /etc/systemd/system/openclaw.service
[Unit]
Description=OpenClaw AI Gateway
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=openclaw
Group=openclaw
WorkingDirectory=/home/openclaw/OpenClaw
ExecStart=/usr/bin/node /home/openclaw/OpenClaw/openclaw.js
Environment="NODE_ENV=production"
Environment="OPENCLAW_WORKSPACE=/home/openclaw/workspace"
Restart=always
RestartSec=10
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target

Adjust the paths if you installed OpenClaw via npm (the binary will be at /usr/bin/openclaw or /usr/local/bin/openclaw). Find it with which openclaw.

Enable and start the service

sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw

Check status

sudo systemctl status openclaw

Look for active (running) in the output. If the service failed, check the journal:

sudo journalctl -u openclaw -n 50 --no-pager

Common service commands

sudo systemctl restart openclaw   # after config changes
sudo systemctl stop openclaw      # for maintenance
sudo systemctl start openclaw     # restart after stop
sudo journalctl -u openclaw -f    # live log tailing

Step 6: nginx Reverse Proxy with SSL

Exposing OpenClaw directly on port 3000 is not recommended. An nginx reverse proxy gives you SSL termination (via Let’s Encrypt), basic authentication options, request logging, and the ability to run multiple services on the same server.

Install nginx and certbot

sudo apt install nginx certbot python3-certbot-nginx -y

Configure the nginx site

sudo nano /etc/nginx/sites-available/openclaw
server {
    listen 80;
    server_name your-domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name your-domain.com;

    # These will be filled by certbot
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Enable the site and remove the default:

sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-enabled/default
sudo nginx -t

Obtain SSL certificate

sudo certbot --nginx -d your-domain.com --non-interactive --agree-tos -m [email protected]

certbot automatically modifies the nginx configuration and sets up auto-renewal (the renewal timer is installed as a systemd service).

Verify the renewal timer:

sudo systemctl status certbot.timer
sudo certbot renew --dry-run

Update the firewall

sudo ufw allow 'Nginx Full'
sudo ufw delete allow ssh  # keep 'allow ssh' or 'sudo ufw allow 22/tcp'
sudo ufw status

Your server now accepts HTTPS traffic on port 443 and redirects HTTP to HTTPS. OpenClaw itself listens only on localhost:3000, inaccessible from outside.

Backup Strategy: Protecting Your Workspace

The workspace directory contains your openclaw.json configuration, memory files, agent logs, and any custom scripts. It is the only data you need to protect. Everything else can be recreated from a fresh install.

Simple cron-based backup to S3-compatible storage

Install the AWS CLI or rclone:

sudo apt install awscli -y
# or
curl https://rclone.org/install.sh | sudo bash

Create a backup script:

sudo nano /home/openclaw/backup-workspace.sh
#!/bin/bash
TIMESTAMP=$(date +%Y-%m-%d-%H%M)
BACKUP_FILE="/tmp/openclaw-workspace-${TIMESTAMP}.tar.gz"
tar -czf "$BACKUP_FILE" -C /home/openclaw workspace
aws s3 cp "$BACKUP_FILE" s3://your-bucket/openclaw/workspace-${TIMESTAMP}.tar.gz
rm "$BACKUP_FILE"
sudo chmod +x /home/openclaw/backup-workspace.sh
sudo chown openclaw:openclaw /home/openclaw/backup-workspace.sh

Configure cron to run daily:

sudo crontab -u openclaw -e

Add this line:

0 3 * * * /home/openclaw/backup-workspace.sh

This runs the backup every day at 3 AM server time. Adjust the bucket and path to your own S3-compatible storage (AWS S3, Backblaze B2, DigitalOcean Spaces, or Linode Object Storage all work).

What to restore

If the server is destroyed or corrupted:

  1. Provision a new VPS following Steps 1-3 above.
  2. Install OpenClaw (Step 3).
  3. Download the latest backup: aws s3 cp s3://your-bucket/openclaw/workspace-2026-04-27-0300.tar.gz /tmp/
  4. Extract it to /home/openclaw/workspace.
  5. Start the service: sudo systemctl start openclaw.

Total recovery time: about 10 minutes.

The Hetzner ARM Option: Best Price/Performance in 2026

Hetzner’s CAX series uses Ampere Altra ARM processors, and the CAX11 at €3.29/month is the single best value VPS in 2026. Here is what you need to know before choosing ARM over x86 for OpenClaw:

Why ARM works for OpenClaw

  • Node.js has supported ARM64 (aarch64) since Node 16. OpenClaw’s dependencies — Express, ws, Axios, dotenv — all compile and run without issues on ARM.
  • The Ampere Altra chips used by Hetzner are datacenter-grade ARM processors with competitive single-thread performance. They outperform Hetzner’s own Intel Xeon Silver in multi-threaded workloads at a fraction of the cost.
  • OpenClaw is not CPU-bound under normal use. The 2 vCPUs on the CAX11 handle message processing, webhook handling, and scheduled tasks without breaking a sweat.

When to avoid ARM

  • If you use custom plugins that depend on native binaries (sharp, bcrypt, node-canvas, or any package with native compilation), verify that prebuilt binaries or compatible sources exist for aarch64. Most popular packages provide ARM binaries as of 2026, but obscure ones may not.
  • If you run Docker containers alongside OpenClaw, confirm that any container images you need offer ARM64 variants. The Docker Hub tag --platform=linux/arm64 generally works for popular images.

Performance comparison

Plan vCPU RAM Storage Price Architecture
Hetzner CAX11 2 4 GB 40 GB €3.29/mo ARM64
Hetzner CX22 2 4 GB 40 GB €4.49/mo x86
DigitalOcean Basic 1 2 GB 50 GB $12/mo x86
Linode 2GB 1 2 GB 50 GB $12/mo x86

The CAX11 costs roughly one-third of the equivalent Intel plans from DigitalOcean or Linode. If your setup does not require x86-specific binaries, this is the most cost-effective place to run OpenClaw in 2026.

Sources

Related Reading

Similar Posts