OpenClaw on a VPS: The Self-Hosting Guide for Non-DevOps People 2026

TL;DR

A practical guide to self-hosting OpenClaw on a VPS, written for people who have never touched a Linux server.

  • VPS provider comparison: Hetzner, Oracle Cloud free tier, DigitalOcean, Linode
  • Full Ubuntu 22.04 setup with copy-paste commands
  • Security hardening: firewall, reverse proxy, HTTPS, non-root user
  • Best for: Anyone who wants OpenClaw running 24/7 without paying for managed hosting

OpenClaw is open-source, which means you can run it on your own server instead of relying on someone else's infrastructure. The catch: most self-hosting guides assume you already know Linux, Docker, and networking. This one does not.

This guide covers picking a VPS provider, getting OpenClaw running on Ubuntu 22.04, and locking down your server so it is not an open door on the internet. Every command is included. Copy, paste, and you are done.

For a full breakdown of what OpenClaw costs beyond hosting, see the OpenClaw cost and pricing breakdown.

Why Self-Host OpenClaw?

Three reasons:

  1. Privacy. Your data stays on your machine. No third-party service sees your prompts, API keys, or connected accounts.
  2. Cost control. A VPS costs $4-$12/month depending on provider. Managed hosting services charge more and give you less control.
  3. Customization. You can modify OpenClaw's source, add integrations, and run whatever models you want without restrictions.

The tradeoff is that you are responsible for uptime, security, and updates. If that sounds like too much, the OpenClaw alternatives comparison covers managed options.

Picking a VPS Provider

You need a Linux server with at least 2 vCPU, 4 GB RAM, and 40 GB SSD. Here are four solid options.

Hetzner (Best Value)

Hetzner's CX series starts at $4.09/month (CX23: 2 vCPU, 4 GB RAM) and goes up to $7.40/month (CX32: 4 vCPU, 8 GB RAM) for multi-channel setups. Data centers in Germany, Finland, and the US (Ashburn). Network performance is excellent and pricing is the lowest among reputable providers.

If you have no strong preference, start here.

Oracle Cloud (Free Tier)

Oracle offers an always-free tier with up to 4 ARM CPUs and 24 GB RAM on Ampere instances. The ARM option is generous, but availability is hit-or-miss: you may need to retry instance creation multiple times before a slot opens.

Good for experimenting at zero cost. Not ideal if you need reliable provisioning on a deadline.

DigitalOcean

Basic Droplets run $6-$12/month, and DigitalOcean offers 1-click OpenClaw images for quick setup. Their dashboard is the most beginner-friendly of the four, and their documentation is extensive. Slightly more expensive than Hetzner for equivalent compute.

Linode (Akamai)

Linode's Nanode plan runs $5/month for 1 vCPU, 1 GB RAM, and 25 GB storage. Comparable to DigitalOcean with slightly better network performance in some regions. Solid choice if you already have an Akamai account.

Quick Comparison

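| Provider     | Price/mo | vCPU    | RAM    | Storage      | Free Tier |
|--------------|----------|---------|--------|--------------|-----------|
| Hetzner CX23 | $4.09    | 2       | 4 GB   | 40 GB NVMe   | No        |
| Oracle Cloud | $0       | 4 (ARM) | 24 GB  | 200 GB       | Yes       |
| DigitalOcean | $6-$12   | 1-2     | 1-4 GB | 25-80 GB SSD | No        |
| Linode       | $5-$10   | 1-2     | 1-4 GB | 25-80 GB     | No        |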

Server Setup: Ubuntu 22.04

Once you have a VPS, SSH in as root. Every provider gives you an IP address and either a root password or SSH key after provisioning.

ssh root@YOUR_SERVER_IP

Step 1: Create a Non-Root User

Running everything as root is a security risk. Create a dedicated user:

adduser openclaw
usermod -aG sudo openclaw

Set a strong password when prompted. Then switch to the new user:

su - openclaw

From this point forward, run everything as the openclaw user. Use sudo when you need elevated permissions.

Step 2: Update the System

sudo apt update && sudo apt upgrade -y

Step 3: Install Dependencies

OpenClaw needs Node.js (v18+), Git, and a process manager:

# Install Node.js 20 LTS
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs git

# Install PM2 to keep OpenClaw running after you disconnect
sudo npm install -g pm2

Verify the installations:

node --version   # Should print v20.x.x
npm --version    # Should print 10.x.x
git --version    # Should print 2.x.x

Step 4: Clone and Install OpenClaw

cd ~
git clone https://github.com/openclaw/openclaw.git
cd openclaw
npm install

Step 5: Configure Environment Variables

Copy the example environment file and fill in your API keys:

cp .env.example .env
nano .env

At minimum, set your AI model API key. If you are using Anthropic:

ANTHROPIC_API_KEY=sk-ant-your-key-here

For model routing tips and how to control costs with cheaper models, see the Alibaba Coding Plan setup guide.

Save and exit (Ctrl+X, then Y, then Enter).

Step 6: Start OpenClaw with PM2

pm2 start npm --name "openclaw" -- start
pm2 save
pm2 startup

The last command prints a line you need to copy and run with sudo. This ensures OpenClaw restarts automatically if the server reboots.

Check that it is running:

pm2 status

You should see openclaw listed with status online.

Security Hardening

A VPS connected to the internet with an AI agent running on it is a target. Skip this section at your own risk. For a deeper look at what can go wrong, read the OpenClaw security issues breakdown.

Enable the Firewall

Ubuntu ships with UFW (Uncomplicated Firewall). Enable it and allow only SSH, HTTP, and HTTPS:

sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

Verify the rules:

sudo ufw status

Disable Root SSH Login

Edit the SSH config:

sudo nano /etc/ssh/sshd_config

Find and change these lines:

PermitRootLogin no
PasswordAuthentication no

For PasswordAuthentication no to work, you must first set up SSH key authentication for your openclaw user. If you have not done that yet, keep password auth enabled until you do.

Restart SSH:

sudo systemctl restart sshd
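
The ordering caveat above, as an added example that is not part of the original guide: a pre-flight check that key login is ready for a given home directory before password logins are switched off. The script name check-keys.sh and the function names are hypothetical; the permission test mirrors what sshd's StrictModes setting enforces.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): confirm key login is ready
# before setting PasswordAuthentication no.

# Succeeds if FILE has at least one public-key entry. Comments and blank
# lines are skipped; entries may start with options such as from="...".
has_public_key() {
    [ -r "$1" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -Eq '(^|[[:space:]])(ssh-(ed25519|rsa)|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9-]+@openssh\.com)[[:space:]]+AAAA'
}

# Succeeds if neither group nor others may write to PATH. With StrictModes
# (the sshd default) looser permissions make sshd ignore authorized_keys.
not_group_world_writable() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Prints one line per problem; succeeds only if key login for the account
# whose home directory is HOME_DIR should work.
key_login_ready() {
    home_dir=$1
    keys="$home_dir/.ssh/authorized_keys"
    rc=0
    if ! has_public_key "$keys"; then
        echo "no public key in $keys"
        rc=1
    fi
    for p in "$home_dir" "$home_dir/.ssh" "$keys"; do
        [ -e "$p" ] || continue
        if ! not_group_world_writable "$p"; then
            echo "$p is writable by group or others"
            rc=1
        fi
    done
    return "$rc"
}

# On the server, as the openclaw user (check-keys.sh is a hypothetical name):
#   ./check-keys.sh "$HOME" && sudo sshd -t && sudo systemctl restart sshd
if [ "$#" -gt 0 ]; then
    key_login_ready "$1"
fi
```

Keep the current SSH session open and confirm a second login works with the key before closing it.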

Set Up a Reverse Proxy with Nginx

Running OpenClaw directly on a public port exposes the application server. Put Nginx in front of it:

sudo apt install -y nginx

Create a site config:

sudo nano /etc/nginx/sites-available/openclaw

Paste this configuration (replace your-domain.com with your actual domain):

server {
    listen 80;
    server_name your-domain.com;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}

Enable the site and restart Nginx:

sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx

Add HTTPS with Let's Encrypt

Free TLS certificates in two commands:

sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d your-domain.com

Follow the prompts. Certbot configures Nginx automatically and sets up auto-renewal. Your OpenClaw instance is now accessible over HTTPS.

Enable Automatic Security Updates

sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Select "Yes" when prompted. This ensures critical security patches are applied without manual intervention.

Post-Setup Checklist

After everything is running, verify these items:

  • OpenClaw responds at https://your-domain.com
  • pm2 status shows online
  • sudo ufw status shows only SSH, 80, and 443 allowed
  • Root SSH login is disabled
  • HTTPS certificate is active (check with sudo certbot certificates)
  • Unattended upgrades are enabled
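
Two of the checklist items above, automated as an added example that is not part of the original guide: one function flags firewall rules beyond SSH, 80 and 443, the other reads the effective sshd settings. It checks `sshd -T` output rather than the edited file because Ubuntu 22.04's sshd_config includes /etc/ssh/sshd_config.d/*.conf and the first value sshd reads wins, so a drop-in can override the edit. Function names and sample inputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit two checklist items.

# Reads `ufw status` output on stdin; prints one line per finding.
ufw_findings() {
    awk -v allowed='^(OpenSSH|22(/tcp)?|80/tcp|443/tcp)$' '
        /^Status:/ { seen = 1; if ($2 != "active") print "firewall is " $2 }
        / ALLOW /  { if ($1 !~ allowed) print "unexpected rule: " $1 }
        END        { if (!seen) print "no Status line in input" }
    '
}

# Reads `sshd -T` (effective configuration) on stdin; prints one line per
# setting that differs from what the guide asks for.
sshd_findings() {
    awk '
        $1 == "permitrootlogin" || $1 == "passwordauthentication" {
            seen[$1] = 1
            if ($2 != "no") print $1 " is " $2 ", expected no"
        }
        END {
            if (!("permitrootlogin" in seen)) print "permitrootlogin not reported"
            if (!("passwordauthentication" in seen)) print "passwordauthentication not reported"
        }
    '
}

# Constructed sample inputs: a stray rule for the app port, and password
# logins still enabled.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3000/tcp                   ALLOW       Anywhere'
SAMPLE_SSHD='permitrootlogin no
passwordauthentication yes'

printf '%s\n' "$SAMPLE_UFW"  | ufw_findings
printf '%s\n' "$SAMPLE_SSHD" | sshd_findings

# On the server:
#   sudo ufw status | ufw_findings
#   sudo sshd -T    | sshd_findings
```

No output from either function means that item passes.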

Updating OpenClaw

When a new version is released:

cd ~/openclaw
git pull origin main
npm install
pm2 restart openclaw

Check the release notes before updating. Breaking changes happen, and you want to review them before applying updates to a production instance.

Backups

Your .env file and any custom configuration files are the critical data. Back them up:

# Simple local backup
cp ~/openclaw/.env ~/openclaw-env-backup-$(date +%Y%m%d)

# Or use rsync to a remote location
rsync -az ~/openclaw/.env user@backup-server:~/backups/

For database-backed setups, also export your database on a schedule. A weekly cron job is a reasonable starting point.

When Self-Hosting Is Not Worth It

Self-hosting makes sense if you value privacy, want full control, or enjoy tinkering. It does not make sense if:

  • You do not want to think about server maintenance at all
  • Uptime is critical and you have no monitoring in place
  • You are running OpenClaw for a team and need managed auth, SSO, or audit logs

In those cases, look at managed alternatives. The OpenClaw alternatives comparison covers options that handle infrastructure for you.

Wrapping Up

Self-hosting OpenClaw on a VPS is straightforward once you know the steps. Pick Hetzner ($4.09/month) for the best price-to-performance ratio, Oracle Cloud if you want to pay nothing, or DigitalOcean/Linode if you prefer a polished dashboard.

The server setup takes about 30 minutes. The security hardening takes another 15. Do not skip the hardening; an unsecured AI agent with API access to your accounts is exactly the kind of target that automated scanners look for.

For more on the security angle, read the OpenClaw security issues breakdown. For cost optimization strategies, check the full pricing breakdown.

Written by

Zane

AI Tools Editor

AI editorial avatar for the Vibe Coding team. Reviews tools, tests builders, ships content.
