How to Deploy OpenClaw on Hetzner: Step-by-Step VPS Guide

Hetzner is the infrastructure provider that operators keep coming back to when the goal is maximum performance per dollar. Their CX22 plan gives you 2 vCPUs, 4GB RAM, and 40GB of NVMe storage for €4.15/mo — roughly $4.50 USD. For an OpenClaw agent that needs to run 24/7 without interruption, that is genuinely hard to beat.

This guide walks you through deploying OpenClaw on Hetzner Cloud from account creation to a production-ready systemd service, including Hetzner-specific firewall configuration and snapshot-based backups.

Why Choose Hetzner for OpenClaw?

Hetzner Cloud has earned a reputation among developers and operators for transparent pricing, no bandwidth surprises, and consistently fast NVMe storage. For OpenClaw specifically, here is what matters:

• Price: CX22 at €4.15/mo is the lowest cost for 4GB RAM among major cloud providers. OpenClaw plus Node.js plus a Telegram connection regularly uses 1-2GB, so 4GB gives you headroom.
• Performance: NVMe SSDs and dedicated vCPU options mean your agent responds quickly. No noisy neighbor throttling on shared plans.
• Regions: Falkenstein, Nuremberg, and Helsinki in Europe. Ashburn (US East) and Hillsboro (US West) in the US. Choose based on your AI provider API endpoint proximity.
• Network: 20TB of included traffic on the CX22. You will not come close to this with OpenClaw — API calls are tiny.
• Hourly billing: You pay by the hour, not by the month. If you tear down a test server after 3 hours, you pay for 3 hours.

What Do You Need Before Starting?

Before you create your Hetzner server, have these ready:

• Hetzner Cloud account: Sign up at console.hetzner.cloud. You will need a valid payment method (credit card or PayPal).
• SSH key pair: Generate one locally if you do not have one: ssh-keygen -t ed25519 -C "openclaw-hetzner". You will upload the public key to Hetzner during server creation.
• AI provider API key: Anthropic or OpenAI API key with billing enabled. OpenClaw needs this to process messages.
• Telegram bot token: Create a bot via @BotFather in Telegram. Copy the token — you will need it during onboarding.
• Your Telegram user ID: Get this from @userinfobot in Telegram. Used to restrict bot access to you only.

How Do You Create a Hetzner Cloud Server for OpenClaw?

Hetzner Cloud Console makes server creation straightforward. No CLI tools required for the initial setup.

1. Log in to Hetzner Cloud Console
2. Create a new project (e.g., "OpenClaw Production")
3. Click Add Server
4. Select your location — Ashburn for lowest latency to US-based AI APIs, or Falkenstein/Nuremberg if you are in Europe
5. Choose Ubuntu 22.04 as the image
6. Select CX22 (Shared vCPU, 2 vCPU, 4GB RAM, 40GB NVMe) — €4.15/mo
7. Under SSH Keys, click "Add SSH Key" and paste your public key
8. Name your server (e.g., "openclaw-prod")
9. Click Create & Buy Now

Your server will be ready in about 15 seconds. Copy the IP address from the server list — you will need it for SSH access.

How Do You Set Up the Server for OpenClaw?

SSH into your new server as root and prepare the operating system:

ssh root@YOUR_SERVER_IP

Run the initial setup:

# Update the system
apt update && apt upgrade -y

# Create a dedicated user for OpenClaw (never run as root)
adduser openclaw
usermod -aG sudo openclaw

# Copy your SSH key to the new user
mkdir -p /home/openclaw/.ssh
cp ~/.ssh/authorized_keys /home/openclaw/.ssh/
chown -R openclaw:openclaw /home/openclaw/.ssh
chmod 700 /home/openclaw/.ssh
chmod 600 /home/openclaw/.ssh/authorized_keys

# Switch to the new user
su - openclaw

Verify you can SSH in as the new user from another terminal before proceeding: ssh openclaw@YOUR_SERVER_IP. If that works, you are ready for Node.js.

How Do You Install Node.js on Hetzner?

OpenClaw requires Node.js 18 or later. Install the current LTS version:

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs
node --version  # Should show v22.x.x
npm --version   # Should show 10.x.x

On Hetzner CX22, the Node.js installation takes about 30 seconds. NVMe storage makes package installation noticeably faster than spinning-disk providers.

How Do You Install OpenClaw on Hetzner?

Install OpenClaw globally and run the onboarding wizard:

npm install -g openclaw
openclaw --version
openclaw onboard

The onboarding wizard walks you through:

1. Selecting your AI provider (Anthropic or OpenAI)
2. Entering your API key
3. Choosing your messaging channel (Telegram or WhatsApp)
4. Entering your Telegram bot token
5. Setting your Telegram user ID for access control

After onboarding, verify your configuration:

openclaw status

If the status shows connected, your agent is live. But it is running in the foreground — close the SSH session and it dies. That is what the systemd service fixes.

4 AI personas and 7 free skills — browse the marketplace.

How Do You Run OpenClaw 24/7 on Hetzner?

Create a systemd service so OpenClaw starts on boot and restarts after crashes:

sudo nano /etc/systemd/system/openclaw.service

Paste this configuration:

[Unit]
Description=OpenClaw AI Agent
After=network.target

[Service]
Type=simple
User=openclaw
WorkingDirectory=/home/openclaw
ExecStart=/usr/bin/openclaw
Restart=always
RestartSec=10
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target

Enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw
sudo systemctl status openclaw  # Should show active (running)

Your OpenClaw agent now survives SSH disconnects, server reboots, and crashes. It will restart within 10 seconds of any failure.

How Do You Configure Hetzner Cloud Firewall for OpenClaw?

Hetzner Cloud has a built-in firewall feature separate from UFW. Use both for defense in depth.

Hetzner Cloud Console firewall:

1. Go to your project in Hetzner Cloud Console
2. Click Firewalls in the left sidebar
3. Click Create Firewall
4. Add these inbound rules:
   • SSH: TCP port 22 from your IP address (or 0.0.0.0/0 if you need access from multiple locations)
   • HTTPS: TCP port 443 from 0.0.0.0/0 (only if using webhook mode)
5. Apply the firewall to your OpenClaw server

The Hetzner firewall operates at the network edge — traffic is dropped before it reaches your server, which is more efficient than host-level filtering alone.

Host-level UFW as a second layer:

sudo ufw allow ssh
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status

How Do You Harden an OpenClaw Deployment on Hetzner?

Beyond the firewall, apply these security measures:

Disable root SSH login:

sudo nano /etc/ssh/sshd_config

Set these values:

PermitRootLogin no
PasswordAuthentication no

Restart SSH:

sudo systemctl restart sshd

Install fail2ban:

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Keep OpenClaw updated:

npm update -g openclaw
sudo systemctl restart openclaw

Enable automatic security updates:

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

For the full security hardening workflow, see the OpenClaw Security Hardening Checklist.

What Does It Cost to Run OpenClaw on Hetzner?

Here is a realistic monthly cost breakdown for running OpenClaw on Hetzner:

• Hetzner CX22 VPS: €4.15/mo (~$4.50 USD)
• Anthropic API (Claude Sonnet): $5-30/mo depending on usage — light personal use is around $5, heavy automation can reach $30+
• Domain (optional): ~$10-15/year for a custom domain for webhook mode
• Snapshots: €0.0108/GB/mo — a 40GB snapshot costs about €0.43/mo

Total for a personal OpenClaw agent: $10-35/mo — with Hetzner being the cheapest component by far.

Compare this to leaving your laptop running 24/7: Hetzner costs less per month than the electricity your Mac uses overnight, and it does not stop working when your WiFi drops.

How Do You Back Up OpenClaw on Hetzner?

Hetzner offers two backup approaches that complement each other:

Application-level backups (daily, automated):

# Create backup directory
mkdir -p ~/backups

# Manual backup
tar -czvf ~/backups/openclaw-$(date +%Y%m%d).tar.gz ~/.openclaw

# Automated daily backup via cron
crontab -e
# Add this line:
0 2 * * * tar -czvf /home/openclaw/backups/openclaw-$(date +\%Y\%m\%d).tar.gz /home/openclaw/.openclaw

# Clean up backups older than 30 days
0 3 * * * find /home/openclaw/backups -name "openclaw-*.tar.gz" -mtime +30 -delete

Server-level snapshots (before major changes):

1. In Hetzner Cloud Console, go to your server
2. Click Snapshots
3. Click Create Snapshot
4. Name it descriptively (e.g., "pre-openclaw-update-2026-03-15")

Snapshots capture the entire server state. If an update breaks something, you can restore to the snapshot in minutes. At €0.0108/GB/mo, keeping 2-3 snapshots costs under €1.50/mo.

What Does a Production-Ready Hetzner Deployment Look Like?

A properly deployed OpenClaw on Hetzner should check every one of these boxes:

• CX22 or higher plan with Ubuntu 22.04 LTS
• Dedicated non-root user running the OpenClaw process
• systemd service with Restart=always and RestartSec=10
• Hetzner Cloud Firewall restricting inbound to SSH and HTTPS only
• UFW enabled as a host-level second layer
• fail2ban protecting SSH from brute force
• Root SSH login disabled, password auth disabled
• Telegram bot restricted to your user ID only
• Daily automated backups of ~/.openclaw via cron
• At least one snapshot before any major update

If any of those are missing, your deployment has a gap. Go back and fix it before you start relying on the agent for real work.

Don't want to do this yourself? Remote OpenClaw handles the entire deployment — server setup, OpenClaw installation, Telegram or WhatsApp connection, and hardening baseline — so you skip straight to using your agent. See the plans and book a call.