Use this file to discover all available pages before exploring further.

Hetzner

OpenClaw on Hetzner (Docker, Production VPS Guide)

Goal

Run a persistent OpenClaw Gateway on a Hetzner VPS using Docker, with durable state, baked-in binaries, and safe restart behavior.

If you want “OpenClaw 24/7 for ~$5”, this is the simplest reliable setup. Hetzner pricing changes; pick the smallest Debian/Ubuntu VPS and scale up if you hit OOMs.

Security model reminder:

Company-shared agents are fine when everyone is in the same trust boundary and the runtime is business-only.
Keep strict separation: dedicated VPS/runtime + dedicated accounts; no personal Apple/Google/browser/password-manager profiles on that host.
If users are adversarial to each other, split by gateway/host/OS user.

See Security and VPS hosting.

What are we doing (simple terms)?

Rent a small Linux server (Hetzner VPS)
Install Docker (isolated app runtime)
Start the OpenClaw Gateway in Docker
Persist
text
~/.openclaw
+
text
~/.openclaw/workspace
on the host (survives restarts/rebuilds)
Access the Control UI from your laptop via an SSH tunnel

That mounted

text

~/.openclaw

state includes

text

openclaw.json

, per-agent

text

agents/<agentId>/agent/auth-profiles.json

, and

text

.env

The Gateway can be accessed via:

SSH port forwarding from your laptop
Direct port exposure if you manage firewalling and tokens yourself

This guide assumes Ubuntu or Debian on Hetzner.
If you are on another Linux VPS, map packages accordingly. For the generic Docker flow, see Docker.

Quick path (experienced operators)

Provision Hetzner VPS
Install Docker
Clone OpenClaw repository
Create persistent host directories
Configure
text
.env
and
text
docker-compose.yml
Bake required binaries into the image
text
docker compose up -d
Verify persistence and Gateway access

What you need

Hetzner VPS with root access
SSH access from your laptop
Basic comfort with SSH + copy/paste
~20 minutes
Docker and Docker Compose
Model auth credentials
Optional provider credentials
- WhatsApp QR
- Telegram bot token
- Gmail OAuth

Provision the VPS

Create an Ubuntu or Debian VPS in Hetzner.


text
Connect as root:

```bash}
ssh root@YOUR_VPS_IP
```

This guide assumes the VPS is stateful.
Do not treat it as disposable infrastructure.

Install Docker (on the VPS)

```bash} apt-get update apt-get install -y git curl ca-certificates curl -fsSL https://get.docker.com | sh ```


text
Verify:

```bash}
docker --version
docker compose version
```

Clone the OpenClaw repository

```bash} git clone https://github.com/openclaw/openclaw.git cd openclaw ```


text
This guide assumes you will build a custom image to guarantee binary persistence.

Create persistent host directories

Docker containers are ephemeral. All long-lived state must live on the host.


text
```bash}
mkdir -p /root/.openclaw/workspace

# Set ownership to the container user (uid 1000):
chown -R 1000:1000 /root/.openclaw
```

Configure environment variables

Create `.env` in the repository root.


text
```bash}
OPENCLAW_IMAGE=openclaw:latest
OPENCLAW_GATEWAY_TOKEN=
OPENCLAW_GATEWAY_BIND=lan
OPENCLAW_GATEWAY_PORT=18789

OPENCLAW_CONFIG_DIR=/root/.openclaw
OPENCLAW_WORKSPACE_DIR=/root/.openclaw/workspace

GOG_KEYRING_PASSWORD=
XDG_CONFIG_HOME=/home/node/.openclaw
```

Leave `OPENCLAW_GATEWAY_TOKEN` blank unless you explicitly want to
manage it through `.env`; OpenClaw writes a random gateway token to
config on first start. Generate a keyring password and paste it into
`GOG_KEYRING_PASSWORD`:

```bash}
openssl rand -hex 32
```

**Do not commit this file.**

This `.env` file is for container/runtime env such as `OPENCLAW_GATEWAY_TOKEN`.
Stored provider OAuth/API-key auth lives in the mounted
`~/.openclaw/agents/<agentId>/agent/auth-profiles.json`.

Docker Compose configuration

Create or update `docker-compose.yml`.


text
```yaml}
services:
  openclaw-gateway:
    image: ${OPENCLAW_IMAGE}
    build: .
    restart: unless-stopped
    env_file:
      - .env
    environment:
      - HOME=/home/node
      - NODE_ENV=production
      - TERM=xterm-256color
      - OPENCLAW_GATEWAY_BIND=${OPENCLAW_GATEWAY_BIND}
      - OPENCLAW_GATEWAY_PORT=${OPENCLAW_GATEWAY_PORT}
      - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
      - GOG_KEYRING_PASSWORD=${GOG_KEYRING_PASSWORD}
      - XDG_CONFIG_HOME=${XDG_CONFIG_HOME}
      - PATH=/home/linuxbrew/.linuxbrew/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    volumes:
      - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
      - ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
    ports:
      # Recommended: keep the Gateway loopback-only on the VPS; access via SSH tunnel.
      # To expose it publicly, remove the `127.0.0.1:` prefix and firewall accordingly.
      - "127.0.0.1:${OPENCLAW_GATEWAY_PORT}:18789"
    command:
      [
        "node",
        "dist/index.js",
        "gateway",
        "--bind",
        "${OPENCLAW_GATEWAY_BIND}",
        "--port",
        "${OPENCLAW_GATEWAY_PORT}",
        "--allow-unconfigured",
      ]
```

`--allow-unconfigured` is only for bootstrap convenience, it is not a replacement for a proper gateway configuration. Still set auth (`gateway.auth.token` or password) and use safe bind settings for your deployment.

Shared Docker VM runtime steps

Use the shared runtime guide for the common Docker host flow:


text
* [Bake required binaries into the image](/install/docker-vm-runtime#bake-required-binaries-into-the-image)
* [Build and launch](/install/docker-vm-runtime#build-and-launch)
* [What persists where](/install/docker-vm-runtime#what-persists-where)
* [Updates](/install/docker-vm-runtime#updates)

Hetzner-specific access

After the shared build and launch steps, complete the following setup to open the tunnel:


text
**Prerequisite:** Ensure your VPS sshd config allows TCP forwarding. If you
have hardened your SSH config, check `/etc/ssh/sshd_config` and set:

```
AllowTcpForwarding local
```

`local` allows `ssh -L` local forwards from your laptop while blocking
remote forwards from the server. Setting it to `no` will fail the tunnel
with:
`channel 3: open failed: administratively prohibited: open failed`

After confirming TCP forwarding is enabled, restart the SSH service
(`systemctl restart ssh`) and run the tunnel from your laptop:

```bash}
ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP
```

Open:

`http://127.0.0.1:18789/`

Paste the configured shared secret. This guide uses the gateway token by
default; if you switched to password auth, use that password instead.

The shared persistence map lives in Docker VM Runtime.

Infrastructure as Code (Terraform)

For teams preferring infrastructure-as-code workflows, a community-maintained Terraform setup provides:

Modular Terraform configuration with remote state management
Automated provisioning via cloud-init
Deployment scripts (bootstrap, deploy, backup/restore)
Security hardening (firewall, UFW, SSH-only access)
SSH tunnel configuration for gateway access

Repositories:

Infrastructure: openclaw-terraform-hetzner
Docker config: openclaw-docker-config

This approach complements the Docker setup above with reproducible deployments, version-controlled infrastructure, and automated disaster recovery.

note

Community-maintained. For issues or contributions, see the repository links above.

Next steps

Set up messaging channels: Channels
Configure the Gateway: Gateway configuration
Keep OpenClaw up to date: Updating

OpenClaw Docs

Hetzner

OpenClaw on Hetzner (Docker, Production VPS Guide)

Goal

What are we doing (simple terms)?

Quick path (experienced operators)

What you need

Provision the VPS

Install Docker (on the VPS)

Clone the OpenClaw repository

Create persistent host directories

Configure environment variables

Docker Compose configuration

Shared Docker VM runtime steps

Hetzner-specific access

Infrastructure as Code (Terraform)

note

Next steps

Related