Skip to main content

OpenClaw on Hetzner (Docker, Production VPS Guide)

Goal

Run a persistent OpenClaw Gateway on a Hetzner VPS using Docker, with durable state, baked-in binaries, and safe restart behavior. If you want “OpenClaw 24/7 for ~$5”, this is the simplest reliable setup. Hetzner pricing changes; pick the smallest Debian/Ubuntu VPS and scale up if you hit OOMs. Security model reminder:
  • Company-shared agents are fine when everyone is in the same trust boundary and the runtime is business-only.
  • Keep strict separation: dedicated VPS/runtime + dedicated accounts; no personal Apple/Google/browser/password-manager profiles on that host.
  • If users are adversarial to each other, split by gateway/host/OS user.
See Security and VPS hosting.

What are we doing (simple terms)?

  • Rent a small Linux server (Hetzner VPS)
  • Install Docker (isolated app runtime)
  • Start the OpenClaw Gateway in Docker
  • Persist ~/.openclaw + ~/.openclaw/workspace on the host (survives restarts/rebuilds)
  • Access the Control UI from your laptop via an SSH tunnel
The Gateway can be accessed via:
  • SSH port forwarding from your laptop
  • Direct port exposure if you manage firewalling and tokens yourself
This guide assumes Ubuntu or Debian on Hetzner.
If you are on another Linux VPS, map packages accordingly. For the generic Docker flow, see Docker.

Quick path (experienced operators)

  1. Provision Hetzner VPS
  2. Install Docker
  3. Clone OpenClaw repository
  4. Create persistent host directories
  5. Configure .env and docker-compose.yml
  6. Bake required binaries into the image
  7. docker compose up -d
  8. Verify persistence and Gateway access

What you need

  • Hetzner VPS with root access
  • SSH access from your laptop
  • Basic comfort with SSH + copy/paste
  • ~20 minutes
  • Docker and Docker Compose
  • Model auth credentials
  • Optional provider credentials
    • WhatsApp QR
    • Telegram bot token
    • Gmail OAuth

1) Provision the VPS

Create an Ubuntu or Debian VPS in Hetzner. Connect as root:
This guide assumes the VPS is stateful. Do not treat it as disposable infrastructure.

2) Install Docker (on the VPS)

Verify:

3) Clone the OpenClaw repository

This guide assumes you will build a custom image to guarantee binary persistence.

4) Create persistent host directories

Docker containers are ephemeral. All long-lived state must live on the host.

5) Configure environment variables

Create .env in the repository root.
Generate strong secrets:
Do not commit this file.

6) Docker Compose configuration

Create or update docker-compose.yml.
--allow-unconfigured is only for bootstrap convenience, it is not a replacement for a proper gateway configuration. Still set auth (gateway.auth.token or password) and use safe bind settings for your deployment.

7) Bake required binaries into the image (critical)

Installing binaries inside a running container is a trap. Anything installed at runtime will be lost on restart. All external binaries required by skills must be installed at image build time. The examples below show three common binaries only:
  • gog for Gmail access
  • goplaces for Google Places
  • wacli for WhatsApp
These are examples, not a complete list. You may install as many binaries as needed using the same pattern. If you add new skills later that depend on additional binaries, you must:
  1. Update the Dockerfile
  2. Rebuild the image
  3. Restart the containers
Example Dockerfile

8) Build and launch

Verify binaries:
Expected output:

9) Verify Gateway

Success:
From your laptop:
Open: http://127.0.0.1:18789/ Paste your gateway token.

What persists where (source of truth)

OpenClaw runs in Docker, but Docker is not the source of truth. All long-lived state must survive restarts, rebuilds, and reboots.

Infrastructure as Code (Terraform)

For teams preferring infrastructure-as-code workflows, a community-maintained Terraform setup provides:
  • Modular Terraform configuration with remote state management
  • Automated provisioning via cloud-init
  • Deployment scripts (bootstrap, deploy, backup/restore)
  • Security hardening (firewall, UFW, SSH-only access)
  • SSH tunnel configuration for gateway access
Repositories: This approach complements the Docker setup above with reproducible deployments, version-controlled infrastructure, and automated disaster recovery.
Note: Community-maintained. For issues or contributions, see the repository links above.