OpenClaw on Hetzner — Self-Host Your AI Agent on Hetzner Cloud

Why Hetzner for OpenClaw?

Hetzner Cloud has become the go-to choice for developers and the self-hosting community who want excellent price-to-performance without compromise. Their shared vCPU servers start at just €4.50/mo (CX22: 2 vCPU, 4 GB RAM) — and dedicated CPU options are available for workloads that need guaranteed compute power.

• Unbeatable value: CX22 (2 vCPU, 4 GB RAM) from €4.50/mo. CX32 (4 vCPU, 8 GB RAM) from €8.50/mo — hard to beat anywhere.
• Data centers worldwide: Nuremberg, Falkenstein, Helsinki, Ashburn (US East), and Hillsboro (US West) — pick the region closest to your users.
• Developer-friendly: Clean API, Terraform provider, and a strong community of self-hosters who already use Hetzner for their stacks.
• Dedicated CPU available: CCX series (dedicated vCPU) for production workloads that can't share CPU with noisy neighbors.

Requirements

Before you start, make sure you have:

• A Hetzner Cloud account at cloud.hetzner.com (free to sign up, pay-as-you-go billing).
• A cloud server with 2+ vCPU and 4 GB+ RAM. 8 GB RAM is recommended if you plan to use memory skills or browser automation.
• Ubuntu 24.04 as the operating system.
• An SSH key added to your Hetzner project (strongly preferred over password auth).
• An OpenRouter API key (or any other supported model provider key) for your AI agent.
• A Telegram bot token and/or Discord bot token to connect channels.

Step 1: Create a Hetzner Cloud Server

Sign up or log in at hetzner.com/cloud. Create a new project, then click Add Server. Configure it as follows:

1. Location: Choose Ashburn or Hillsboro for US-based latency, or Nuremberg/Falkenstein/Helsinki for Europe.
2. Image: Select Ubuntu 24.04.
3. Type: Choose CX22 (2 vCPU, 4 GB RAM, €4.50/mo) as the minimum, or CX32 (4 vCPU, 8 GB RAM, €8.50/mo) for comfortable headroom.
4. SSH keys: Add your SSH public key. This avoids password auth and is required for secure access.
5. Click Create & Buy now. The server provisions in roughly 30 seconds.
6. Note your server's public IPv4 address from the Hetzner Cloud console.

Step 2: Install Docker

SSH into your new server and install Docker using the official install script:

ssh root@your-server-ip

# Update system packages first
apt update && apt upgrade -y

# Install Docker using the official script
curl -fsSL https://get.docker.com | sh

# Verify Docker installed correctly
docker --version

# Enable Docker to start on boot
systemctl enable docker
systemctl start docker

The install script automatically detects Ubuntu 24.04 and installs the correct Docker CE version. After running it, docker --version should print something like Docker version 27.x.x.

If you created a non-root user and want to run Docker without sudo, add yourself to the docker group:

usermod -aG docker $USER
# Log out and back in for the group change to take effect

Step 3: Deploy OpenClaw

Create the config directory and pull the OpenClaw image:

# Create the config directory (with credentials subdirectory for DM pairing)
mkdir -p ~/openclaw/credentials
chmod 777 ~/openclaw
chmod 777 ~/openclaw/credentials

# Pull the OpenClaw image
docker pull ghcr.io/openclaw/openclaw:main

# Run the container
docker run -d \
  --name openclaw \
  --restart unless-stopped \
  --memory=3g --memory-swap=5g \
  -v ~/openclaw:/home/node/.openclaw \
  -p 18789:18789 \
  ghcr.io/openclaw/openclaw:main \
  node openclaw.mjs gateway --allow-unconfigured

Key flags explained:

• --memory=3g --memory-swap=5g — Allocates 3 GB RAM on a CX22. On a CX32 with 8 GB, you can safely raise this to --memory=6g --memory-swap=8g.
• -v ~/openclaw:/home/node/.openclaw — Mounts your config directory into the container. The container writes config changes back to this path.
• -p 18789:18789 — Exposes the OpenClaw web gateway on port 18789.
• --restart unless-stopped — Auto-restarts the container after crashes or server reboots.
• ghcr.io/openclaw/openclaw:main — Always use the :main tag, not :latest (which doesn't exist).

Verify the container is running:

docker logs openclaw

Step 4: Configure Your AI Agent

Create ~/openclaw/openclaw.json with your settings. Here's a complete example with Telegram and Discord:

{
  "gateway": {
    "port": 18789,
    "auth": { "token": "your-random-secret-token" },
    "controlUi": { "allowInsecureAuth": true }
  },
  "models": {
    "providers": {
      "openrouter": {
        "apiKey": "sk-or-your-openrouter-api-key"
      }
    }
  },
  "agents": {
    "defaults": {
      "model": {
        "primary": "openrouter/anthropic/claude-sonnet-4.6"
      },
      "systemPrompt": "You are a helpful AI assistant."
    }
  },
  "channels": {
    "telegram": {
      "enabled": true,
      "botToken": "123456:ABC-your-telegram-bot-token",
      "dmPolicy": "pairing"
    },
    "discord": {
      "enabled": true,
      "botToken": "your-discord-bot-token",
      "dmPolicy": "open",
      "allowFrom": ["*"]
    }
  },
  "plugins": {
    "entries": {
      "telegram": { "enabled": true },
      "discord": { "enabled": true }
    }
  }
}

Important configuration notes:

• gateway.auth must be an object with a token property — not a plain string.
• Both channels.X.enabled: true AND plugins.entries.X.enabled: true are required for a channel to work.
• Model IDs must be prefixed with the provider name: openrouter/anthropic/claude-sonnet-4.6, not just anthropic/claude-sonnet-4.6.
• Telegram dmPolicy should always be "pairing" — never "open", as that allows anyone on the internet to use your bot.
• Discord dmPolicy: "open" requires allowFrom: ["*"] to pass config validation.

After saving the config, restart the container to apply it:

docker restart openclaw

Step 5: Set Up Domain and HTTPS (Optional)

If you want to access the OpenClaw gateway over HTTPS with a custom domain (e.g. bot.yourdomain.com), set up Caddy as a reverse proxy. Caddy automatically provisions and renews SSL certificates via Let's Encrypt.

First, point your domain's A record to your Hetzner server IP address. Then install Caddy:

# Install Caddy
apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
  | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
  | tee /etc/apt/sources.list.d/caddy-stable.list
apt update && apt install caddy

Create /etc/caddy/Caddyfile:

bot.yourdomain.com {
    reverse_proxy localhost:18789
}

Restart Caddy to apply:

systemctl restart caddy

Caddy will obtain an SSL certificate automatically. Your OpenClaw gateway will be accessible at https://bot.yourdomain.com.

Hetzner vs Managed Hosting

Self-hosting on Hetzner gives you full control and excellent value — but it also means managing updates, monitoring uptime, handling Docker issues, and maintaining your server. Here's how it compares to OpenClaw Launch, the fully managed alternative:

Skip the Setup

Self-hosting on Hetzner is a great option for developers — but it comes with real maintenance overhead. If you'd rather focus on your AI agent instead of your server:

OpenClaw Launch deploys a fully managed OpenClaw instance in 10 seconds — no VPS, no Docker, no server maintenance. Visual configuration editor, automatic updates, built-in skills, and plans starting at $6/mo.