How much does it cost to run OpenClaw on Hetzner?

The cheapest viable option is the CX22 (2 vCPU, 4 GB RAM) at around EUR 3.99/month. For heavier workloads, the CX32 at EUR 7.49/month gives you more headroom. Traffic is included.

Is it safe to expose OpenClaw directly to the internet?

No. OpenClaw Gateway is designed to be accessed through an SSH tunnel or VPN, not exposed on a public port. Always bind to 127.0.0.1 and use SSH port forwarding to connect from your local machine.

Will my data persist across container restarts?

Yes, as long as you mount the ~/.openclaw and ~/.openclaw/workspace directories as Docker volumes. The docker-compose.yml in this guide maps these to host directories that survive container restarts and image upgrades.

Can I run OpenClaw on the cheapest 1 vCPU / 2 GB plan?

Yes, but add swap space. The 2 GB RAM plan works for light usage. Follow the swap setup section in this guide to avoid OOM kills during intensive code generation tasks.

Can I use Terraform to provision the Hetzner VPS?

Absolutely. Hetzner has a first-party Terraform provider (hetznercloud/hcloud). You can automate VPS creation, firewall rules, and SSH key injection. The manual steps in this guide translate directly to Terraform resources.

Self-Host OpenClaw on Hetzner VPS

Hetzner offers some of the best price-to-performance ratios in the VPS market, making it an excellent choice for running OpenClaw Gateway. This guide walks you through provisioning a Hetzner Cloud server, installing Docker, and running OpenClaw behind an SSH tunnel for secure access.

Quick path

If you have done this before, here is the condensed checklist:

Create a CX22 (2 vCPU / 4 GB) Debian 12 or Ubuntu 24.04 server in Hetzner Cloud
SSH in, run curl -fsSL https://get.docker.com | sh
Create directories: mkdir -p ~/.openclaw/workspace
Create .env with gateway token, bind, port, and keyring password
Write docker-compose.yml with volume mounts and 127.0.0.1 binding
Run docker compose up -d
From your local machine: ssh -N -L 18789:127.0.0.1:18789 root@VPS_IP
Open http://127.0.0.1:18789/ in your browser

Prerequisites

A Hetzner Cloud account (sign up at hetzner.com/cloud)
An SSH key pair on your local machine
Basic familiarity with the Linux command line

Step 1 — Provision a Hetzner Cloud Server

Log into the Hetzner Cloud Console and create a new project or select an existing one.

Click Add Server and configure:

Location: Choose the datacenter closest to you (Falkenstein, Nuremberg, or Helsinki for EU; Ashburn or Hillsboro for US)
Image: Debian 12 or Ubuntu 24.04 LTS
Type: CX22 (2 vCPU, 4 GB RAM, 40 GB NVMe) — the recommended minimum
SSH Key: Select your public key
Firewall: Create a firewall that allows only port 22 (SSH) inbound
Name: Something memorable like openclaw-gateway

Click Create & Buy Now. The server will be ready in about 30 seconds.

Take note of the public IPv4 address.

Step 2 — Initial Server Setup

SSH into your new server:

ssh root@YOUR_SERVER_IP

Update the system packages:

apt update && apt upgrade -y

Add swap space (recommended for smaller VMs)

If you are on a 2 GB RAM plan, or want extra safety on 4 GB, add swap:

fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab

Verify with free -h — you should see 2 GB of swap.

Step 3 — Install Docker

Install Docker using the official convenience script:

curl -fsSL https://get.docker.com | sh

Verify the installation:

docker --version
docker compose version

Both commands should return version numbers without errors.

Step 4 — Prepare OpenClaw Directories

Create the persistent directories that OpenClaw needs:

mkdir -p ~/.openclaw/workspace

~/.openclaw stores configuration, keys, and internal state
~/.openclaw/workspace is the working directory where OpenClaw reads and writes project files

Step 5 — Create the Environment File

Generate a secure keyring password and gateway token:

export GOG_KEYRING_PASSWORD=$(openssl rand -hex 32)
export OPENCLAW_GATEWAY_TOKEN=$(openssl rand -hex 32)
echo "Save these values somewhere safe:"
echo "GOG_KEYRING_PASSWORD=$GOG_KEYRING_PASSWORD"
echo "OPENCLAW_GATEWAY_TOKEN=$OPENCLAW_GATEWAY_TOKEN"

Now create the .env file:

cat > ~/.openclaw/.env << 'ENVEOF'
OPENCLAW_GATEWAY_TOKEN=your_token_here
OPENCLAW_GATEWAY_BIND=lan
OPENCLAW_GATEWAY_PORT=18789
GOG_KEYRING_PASSWORD=your_keyring_password_here
ENVEOF

Replace your_token_here and your_keyring_password_here with the values you generated above.

Set restrictive permissions:

chmod 600 ~/.openclaw/.env

Step 6 — Write the Docker Compose File

Create the compose file:

# ~/.openclaw/docker-compose.yml
services:
  openclaw-gateway:
    image: ghcr.io/openclaw/gateway:latest
    container_name: openclaw-gateway
    restart: unless-stopped
    env_file:
      - .env
    ports:
      - "127.0.0.1:18789:18789"
    volumes:
      - ./:/home/openclaw/.openclaw
      - ./workspace:/home/openclaw/workspace
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp

Key details in this configuration:

127.0.0.1:18789:18789 binds the port to loopback only. The gateway is never exposed to the public internet.
Volume mounts ensure your configuration and workspace data persist across container restarts and upgrades.
no-new-privileges and read_only add defense-in-depth.

Step 7 — Start OpenClaw

cd ~/.openclaw
docker compose up -d

Check that the container is running:

docker compose ps
docker compose logs --tail 50

You should see the gateway reporting that it is listening on port 18789.

Step 8 — Connect via SSH Tunnel

On your local machine (not the server), open a terminal and run:

ssh -N -L 18789:127.0.0.1:18789 root@YOUR_SERVER_IP

This forwards your local port 18789 to the server's loopback port 18789. The -N flag tells SSH not to open a remote shell.

Leave this terminal running. In your browser, navigate to:

http://127.0.0.1:18789/

You should see the OpenClaw Gateway interface. Enter your OPENCLAW_GATEWAY_TOKEN when prompted.

Persistent SSH tunnel with autossh

For a more resilient connection, install autossh:

# On your local machine (macOS)
brew install autossh

# Start a persistent tunnel that reconnects automatically
autossh -M 0 -N -L 18789:127.0.0.1:18789 root@YOUR_SERVER_IP

Security Best Practices

Trust boundaries

OpenClaw Gateway executes code on your server. Treat the trust boundary seriously:

Never expose port 18789 to the public internet. Always use SSH tunnels, Tailscale, or WireGuard.
Use a dedicated server for OpenClaw rather than sharing it with production workloads.
Keep the gateway token secret. Anyone with the token and network access can execute arbitrary code.
Enable automatic security updates:

apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades

Firewall

Hetzner Cloud Firewall should already restrict inbound traffic to SSH. As a belt-and-suspenders measure, also configure the host firewall:

apt install ufw -y
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw enable

SSH hardening

Disable password authentication if you have not already:

sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart sshd

Infrastructure as Code with Terraform

If you prefer to automate your Hetzner setup, the Hetzner Cloud Terraform provider makes this straightforward:

terraform {
  required_providers {
    hcloud = {
      source  = "hetznercloud/hcloud"
      version = "~> 1.45"
    }
  }
}

resource "hcloud_server" "openclaw" {
  name        = "openclaw-gateway"
  server_type = "cx22"
  image       = "debian-12"
  location    = "fsn1"
  ssh_keys    = [hcloud_ssh_key.default.id]
  firewall_ids = [hcloud_firewall.ssh_only.id]
}

resource "hcloud_firewall" "ssh_only" {
  name = "ssh-only"
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = ["0.0.0.0/0", "::/0"]
  }
}

After terraform apply, use the provisioner or a tool like Ansible to run the Docker setup steps from this guide.

Updating OpenClaw

To pull the latest gateway image:

cd ~/.openclaw
docker compose pull
docker compose up -d

Your configuration and workspace data are stored on the host filesystem and will not be affected.

Troubleshooting

Container exits immediately

Check the logs:

docker compose logs openclaw-gateway

Common causes: missing or malformed .env file, incorrect file permissions, or insufficient disk space.

Out of memory (OOM) kills

If dmesg | grep -i oom shows kills, either upgrade to a larger instance or add more swap. The CX22 with 4 GB RAM and 2 GB swap handles most workloads comfortably.

SSH tunnel drops

Use autossh as described above, or add ServerAliveInterval 60 and ServerAliveCountMax 3 to your ~/.ssh/config for the host.

Cannot connect to gateway

Verify the container is running (docker compose ps), check that the port binding shows 127.0.0.1:18789 (not 0.0.0.0:18789), and confirm your SSH tunnel is active.

DNS resolution fails inside container

If the container cannot resolve external hostnames, check /etc/resolv.conf on the host or add explicit DNS to the compose file:

services:
  openclaw-gateway:
    dns:
      - 1.1.1.1
      - 8.8.8.8

Next Steps

Set up a Tailscale mesh network for zero-config secure access without SSH tunnels
Configure automated backups of ~/.openclaw using Hetzner's snapshot feature or a cron job with restic
Explore multi-user access by running multiple gateway instances on different ports behind separate tokens