How to Run OpenClaw on Hetzner Cloud (Step-by-Step)

Complete step-by-step guide to deploying OpenClaw on Hetzner Cloud. Covers server creation, security hardening, installation, and running as a service.

TL;DR: Provision a Hetzner CX22 (€4/mo), harden it, install Node.js, clone OpenClaw, configure your channels and API keys, set up systemd, and you're live. Budget 2-4 hours for the full setup. Or skip all of this with lobsterfarm.

This is a genuinely useful guide. We're going to walk through every step, including the boring-but-important security stuff that most tutorials skip.


Why Hetzner?

Hetzner offers the best price-to-performance ratio for European cloud servers:

  • CX22: 2 vCPUs, 4 GB RAM, 40 GB SSD — €4.35/month (plenty for OpenClaw)
  • CX32: 4 vCPUs, 8 GB RAM, 80 GB SSD — €8.45/month (if you want headroom)
  • Data centers in Germany and Finland (EU data sovereignty)
  • Reliable network, good uptime
  • Straightforward pricing with no surprise bandwidth charges

OpenClaw is not resource-hungry — the AI processing happens at your API provider (Anthropic, OpenAI, etc.). The server just orchestrates. A CX22 is more than enough for most setups.


Step 1: Create a Hetzner Account

  1. Go to hetzner.com/cloud
  2. Click "Get Started" and create an account
  3. You'll need to verify your identity (Hetzner is strict about this — it's a good thing)
  4. Add a payment method

Step 2: Create a Server

From the Hetzner Cloud Console:

  1. Click Add Server
  2. Location: Pick the nearest datacenter (Falkenstein, Nuremberg, Helsinki, or Ashburn)
  3. Image: Choose Ubuntu 24.04 (latest LTS)
  4. Type: Shared vCPU → CX22 (€4.35/mo)
  5. Networking: Public IPv4 + IPv6 (default)
  6. SSH Keys:

Setting Up SSH Keys (If You Haven't)

If you don't already have SSH keys:

ssh-keygen -t ed25519 -C "you@example.com"

Press Enter for default location. Set a passphrase (recommended).

Copy your public key:

cat ~/.ssh/id_ed25519.pub

Paste this into the Hetzner SSH key field.

Why SSH keys? Password authentication is the #1 way servers get compromised. Automated bots try thousands of passwords per hour against every SSH server on the internet. A private key cannot be guessed that way, so SSH keys are effectively uncrackable as long as the private key stays private.

  7. Name: Something memorable, like openclaw-prod
  8. Click Create & Buy

Your server will be ready in about 30 seconds. Note the IP address.


Step 3: Initial Server Setup

SSH into your new server:

ssh root@YOUR_SERVER_IP

Create a Non-Root User

Running everything as root is bad practice. Create a regular user:

adduser openclaw
usermod -aG sudo openclaw

Set a strong password when prompted.

Copy SSH Keys to the New User

mkdir -p /home/openclaw/.ssh
cp /root/.ssh/authorized_keys /home/openclaw/.ssh/
chown -R openclaw:openclaw /home/openclaw/.ssh
chmod 700 /home/openclaw/.ssh
chmod 600 /home/openclaw/.ssh/authorized_keys

Test the new user (from your local machine):

ssh openclaw@YOUR_SERVER_IP

Step 4: Security Hardening

This is the part most tutorials skip. Don't skip it.

Disable Root SSH Login

sudo nano /etc/ssh/sshd_config

Find and change these lines:

PermitRootLogin no
PasswordAuthentication no

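Check the file for syntax errors, then restart SSH (on Ubuntu the service unit is named ssh):

sudo sshd -t
sudo systemctl restart ssh

⚠️ Make sure you can log in as your non-root user before doing this, and keep your current session open until a new login works. Otherwise you'll lock yourself out.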
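
On Ubuntu, files in /etc/ssh/sshd_config.d/ are included at the top of sshd_config and the first value sshd reads for a setting wins, so a drop-in can silently override the two lines set above. The following is an added example, not part of the original guide: it checks the effective settings reported by sshd -T. The function names and the sample output are constructed for illustration.

```bash
#!/bin/sh
# Added example: verify the settings sshd will actually apply.
# Real use:  sudo sshd -T | check_sshd_effective && sudo systemctl restart ssh
# To find an overriding file:  grep -rni passwordauthentication /etc/ssh/

# Reads `sshd -T` output on stdin. Prints one FAIL line per setting that is
# missing or differs from the hardened value; returns 0 only if all match.
check_sshd_effective() {
  awk '
    BEGIN {
      want["permitrootlogin"]        = "no"
      want["passwordauthentication"] = "no"
      want["pubkeyauthentication"]   = "yes"   # keys must stay enabled
    }
    {
      key = tolower($1)
      if (!(key in want)) next
      seen[key] = 1
      if (tolower($2) != want[key]) {
        printf "FAIL %s is %s, expected %s\n", key, $2, want[key]
        bad = 1
      }
    }
    END {
      for (k in want) if (!(k in seen)) {
        printf "FAIL %s not reported\n", k
        bad = 1
      }
      exit (bad ? 1 : 0)
    }'
}

# Constructed samples of (trimmed) `sshd -T` output.
sample_hardened() {
  printf '%s\n' 'port 22' 'permitrootlogin no' \
    'pubkeyauthentication yes' 'passwordauthentication no'
}
# A drop-in still allows passwords although sshd_config says "no".
sample_overridden() {
  printf '%s\n' 'port 22' 'permitrootlogin no' \
    'pubkeyauthentication yes' 'passwordauthentication yes'
}

sample_hardened   | check_sshd_effective && echo "hardened: OK"
sample_overridden | check_sshd_effective || echo "not hardened: fix before restarting ssh"
```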

Set Up the Firewall (UFW)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable

This blocks all incoming connections except SSH. OpenClaw doesn't need incoming ports — it connects outward to Telegram, WhatsApp, etc.

If you plan to run a web dashboard, also allow HTTPS:

sudo ufw allow 443/tcp

Install fail2ban

fail2ban automatically bans IPs that try to brute-force your SSH:

sudo apt update
sudo apt install fail2ban -y

Create a local config:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Under [sshd], make sure:

[sshd]
enabled = true
maxretry = 5
bantime = 3600

Start it:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Enable Automatic Security Updates

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

Select "Yes" when prompted. This ensures critical security patches install automatically.

Set the Timezone and Hostname

sudo timedatectl set-timezone UTC
sudo hostnamectl set-hostname openclaw-prod

Step 5: Install Node.js

OpenClaw requires Node.js. Install via NodeSource:

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install nodejs -y

Verify:

node --version   # Should show v22.x.x
npm --version    # Should show 10.x.x

Also install common build tools (some npm packages need them):

sudo apt install build-essential git -y

Step 6: Install OpenClaw

Switch to your openclaw user:

su - openclaw

Clone the repository:

git clone https://github.com/lobsterhunt/openclaw.git
cd openclaw

Install dependencies:

npm install

This will take a minute or two.


Step 7: Configure OpenClaw

Copy the example config:

cp config.example.yaml config.yaml
nano config.yaml

At minimum, you'll need to configure:

AI Provider

providers:
  anthropic:
    apiKey: "sk-ant-your-api-key-here"
    
defaultModel: "anthropic/claude-sonnet-4-20250514"

Get your API key from console.anthropic.com.

Messaging Channel

For Telegram (simplest to set up):

channels:
  telegram:
    enabled: true
    token: "YOUR_BOT_TOKEN"

See our Telegram setup guide for how to get a bot token.

Other Settings

Review the rest of the config file. The defaults are generally fine, but you may want to adjust:

  • memory settings for how your AI remembers context
  • compaction settings to manage context window size
  • heartbeat interval for proactive behavior

Step 8: Test It

Run OpenClaw directly first to make sure it works:

node index.js

Or if OpenClaw uses a different start command:

npm start

Watch the output. You should see:

[gateway] Starting...
[telegram] Connected as @your_bot_name
[gateway] Ready

Send a message to your bot on Telegram. If it responds, everything is working. Press Ctrl+C to stop.

If it doesn't work, check:

  1. API key is correct and has credits
  2. Bot token is correct
  3. Firewall isn't blocking outgoing connections (it shouldn't with our config)
  4. Check the error messages carefully — they usually tell you exactly what's wrong

Step 9: Set Up as a Systemd Service

Running OpenClaw in a terminal isn't reliable — it stops when you disconnect. Set it up as a system service:

sudo nano /etc/systemd/system/openclaw.service

Paste:

[Unit]
Description=OpenClaw AI Assistant
After=network.target

[Service]
Type=simple
User=openclaw
WorkingDirectory=/home/openclaw/openclaw
ExecStart=/usr/bin/node index.js
Restart=always
RestartSec=10
Environment=NODE_ENV=production

# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/home/openclaw/openclaw

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=openclaw

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw

Check status:

sudo systemctl status openclaw

View logs:

sudo journalctl -u openclaw -f

The service will now:

  • Start automatically on boot
  • Restart automatically if it crashes
  • Run as the openclaw user (not root)
  • Log to systemd journal

Step 10: Monitoring and Maintenance

Log Rotation

Systemd journal handles this automatically, but set a size limit:

sudo nano /etc/systemd/journald.conf

Add under the [Journal] section:

SystemMaxUse=500M

Restart journald:

sudo systemctl restart systemd-journald

Updating OpenClaw

When new versions are released:

su - openclaw
cd openclaw
git pull
npm install
exit
sudo systemctl restart openclaw

Check the changelog before updating — sometimes there are breaking config changes.

Monitoring Uptime

A simple approach: add a cron job to root's crontab (restarting a system service needs root) that checks whether the OpenClaw service is active:

sudo crontab -e

Add:

*/5 * * * * systemctl is-active --quiet openclaw || systemctl restart openclaw

This checks every 5 minutes and restarts the service if it has died.
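
systemctl is-active only reports the unit's state at that moment, and Restart=always already brings a dead process back, so the failure the cron line misses is a crash loop. The following added example (not part of the original guide) classifies the unit from systemctl show output by comparing the NRestarts counter with the value from the previous run. The function names, the threshold of 3 and the sample data are assumptions.

```bash
#!/bin/sh
# Added example: classify a unit from `systemctl show` properties.
# Real use (as root), with PREV saved by the caller from the last run:
#   systemctl show openclaw -p ActiveState,NRestarts | unit_health "$PREV" 3

# unit_health PREV MAX reads KEY=VALUE lines on stdin.
#   PREV = NRestarts seen on the previous run, MAX = allowed increase.
# Prints a verdict; returns 0 (OK), 1 (DOWN) or 2 (LOOP).
unit_health() {
  prev=${1:-0}
  max=${2:-3}
  active=unknown
  now=0
  while IFS='=' read -r key value; do
    case $key in
      ActiveState) active=$value ;;
      NRestarts)   now=$value ;;
    esac
  done
  # Treat a missing or non-numeric counter as zero.
  case $now in ''|*[!0-9]*) now=0 ;; esac
  delta=$((now - prev))
  # Counter lower than last time (e.g. after a reboot): count from zero.
  if [ "$delta" -lt 0 ]; then delta=$now; fi
  # Check for a loop first: mid-loop the state is often "activating".
  if [ "$delta" -gt "$max" ]; then
    echo "LOOP restarts=+$delta state=$active"
    return 2
  fi
  if [ "$active" != active ]; then
    echo "DOWN state=$active"
    return 1
  fi
  echo "OK restarts=+$delta"
  return 0
}

# Constructed samples of `systemctl show` output.
sample_steady()  { printf '%s\n' 'ActiveState=active' 'NRestarts=2'; }
sample_looping() { printf '%s\n' 'ActiveState=activating' 'NRestarts=31'; }
sample_stopped() { printf '%s\n' 'ActiveState=inactive' 'NRestarts=2'; }

sample_steady  | unit_health 2 3
sample_looping | unit_health 2 3 || true
sample_stopped | unit_health 2 3 || true
```

A LOOP verdict means restarting the service again will not help; read the journal for the crash reason instead.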

For more robust monitoring, consider:

Backups

Your OpenClaw config and data should be backed up. A simple approach:

mkdir -p /home/openclaw/backups
chmod 700 /home/openclaw/backups

Create the backup script:

sudo nano /etc/cron.daily/openclaw-backup

Paste:

#!/bin/bash
# The archive contains config.yaml (API key, bot token): owner-only permissions
umask 077
tar czf /home/openclaw/backups/openclaw-$(date +%Y%m%d).tar.gz \
  /home/openclaw/openclaw/config.yaml \
  /home/openclaw/openclaw/data/
# Keep only last 30 days
find /home/openclaw/backups/ -name "*.tar.gz" -mtime +30 -delete

Make it executable:

sudo chmod +x /etc/cron.daily/openclaw-backup

Disk Space

Check periodically:

df -h

If you're running low, clear old logs:

sudo journalctl --vacuum-size=100M

Recap: What You Just Did

Let's count the steps:

  1. ✅ Created a Hetzner account
  2. ✅ Provisioned a server
  3. ✅ Set up SSH keys and a non-root user
  4. ✅ Hardened SSH (disabled root login, disabled passwords)
  5. ✅ Configured a firewall
  6. ✅ Installed fail2ban
  7. ✅ Enabled automatic security updates
  8. ✅ Installed Node.js
  9. ✅ Cloned and installed OpenClaw
  10. ✅ Configured your AI provider and messaging channel
  11. ✅ Tested the setup
  12. ✅ Created a systemd service
  13. ✅ Set up log rotation
  14. ✅ Set up monitoring
  15. ✅ Set up backups

That's a lot of steps. If you enjoyed it — great, you now have a fully self-hosted AI assistant running on hardened infrastructure that you control completely. That's genuinely empowering.


Or Skip All of This

If you'd rather not manage server infrastructure yourself, lobsterfarm provides managed OpenClaw hosting on Hetzner infrastructure — deployment, updates, and support handled for you.
