How do I run OpenClaw 24/7 on a cheap Hetzner VPS?

Use a small Ubuntu or Debian Hetzner VPS, install Docker, and run the OpenClaw Gateway in a Docker container with persistent host directories as described in this guide. This setup gives you a persistent OpenClaw Gateway on a stateful VPS, which the docs describe as “OpenClaw 24/7 for ~$5”, and you can scale up the VPS if you hit OOMs.

How do I securely access the OpenClaw Gateway running on Hetzner?

Bind the gateway to loopback on the VPS and avoid exposing it directly to the internet. Then create an SSH tunnel from your laptop with `ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP` and open `http://127.0.0.1:18789/` in your browser, authenticating with the configured gateway token or password.

Can I manage my Hetzner OpenClaw deployment with Terraform?

Yes. The docs reference a community-maintained Terraform setup with modular configuration, cloud-init provisioning, deployment scripts, security hardening, and SSH tunnel configuration. You can use the `openclaw-terraform-hetzner` and `openclaw-docker-config` repositories to manage infrastructure and Docker config as code.

Where does OpenClaw store persistent data on a Hetzner VPS?

The gateway persists state in the mounted `~/.openclaw` directory on the host, including `openclaw.json`, per-agent `agents/ /agent/auth-profiles.json`, and `.env`. In this guide you map `/root/.openclaw` and `/root/.openclaw/workspace` into the container via `OPENCLAW_CONFIG_DIR` and `OPENCLAW_WORKSPACE_DIR` so configuration and workspace data survive restarts and rebuilds.

How do I add persistent memory to OpenClaw?

Mem0 is the official persistent-memory plugin for OpenClaw. Install it with `openclaw plugins install @mem0/openclaw-mem0`. After installation your agent stores and retrieves user memories automatically.

Platform setup

How to Set Up OpenClaw on Hetzner VPS

3 min read

Browse more in Platform setup.

All platform setup guides →

This guide shows you how to run the OpenClaw Gateway on a Hetzner VPS using Docker with persistent state. You follow the same Docker VM runtime pattern but tailored to a stateful Ubuntu or Debian VPS on Hetzner.

By the end, you access the OpenClaw Control UI from your laptop over an SSH tunnel with durable configuration and workspace data on the host.

Prerequisites

✓A Hetzner VPS running Ubuntu or Debian with root access
✓SSH access from your laptop to the VPS as root
✓Docker and Docker Compose installed on the VPS (you install them in this guide)
✓Model auth credentials for the providers you plan to use
✓Optional provider credentials such as a WhatsApp QR, Telegram bot token, or Gmail OAuth details
✓About 20 minutes to complete the setup

Steps

1
Provision the Hetzner VPS and connect
Create an Ubuntu or Debian VPS in Hetzner and connect as root. This guide assumes the VPS is stateful and not treated as disposable infrastructure.
bash
```
ssh root@YOUR_VPS_IP
```
2
Install Docker on the VPS
Install Docker and basic tools so you can run the OpenClaw Gateway in an isolated container runtime. Then verify that both Docker and Docker Compose are available.
bash
```
apt-get update
apt-get install -y git curl ca-certificates
curl -fsSL https://get.docker.com | sh

docker --version
docker compose version
```
3
Clone the OpenClaw repository
Clone the OpenClaw repository onto the VPS and change into the project directory. You will build a custom image from this repository to guarantee binary persistence.
bash
```
git clone https://github.com/openclaw/openclaw.git
cd openclaw
```
4
Create persistent host directories
Create directories on the host to store OpenClaw configuration and workspace data so they survive container restarts and rebuilds. Set ownership to match the container user (uid 1000).
bash
```
mkdir -p /root/.openclaw/workspace

# Set ownership to the container user (uid 1000):
chown -R 1000:1000 /root/.openclaw
```
5
Configure environment variables for the gateway
env` file in the repository root to define the OpenClaw image, gateway token, bind settings, ports, and config directories. Use `openssl` to generate strong secrets and keep this file out of version control.
bash
```
OPENCLAW_IMAGE=openclaw:latest
OPENCLAW_GATEWAY_TOKEN=change-me-now
OPENCLAW_GATEWAY_BIND=lan
OPENCLAW_GATEWAY_PORT=18789

OPENCLAW_CONFIG_DIR=/root/.openclaw
OPENCLAW_WORKSPACE_DIR=/root/.openclaw/workspace

GOG_KEYRING_PASSWORD=change-me-now
XDG_CONFIG_HOME=/home/node/.openclaw

openssl rand -hex 32
```

Configure Docker Compose for the OpenClaw Gateway

env` file, environment variables, and volume mounts. Bind the gateway to loopback on the VPS and map the persistent config and workspace directories.

yaml

services:
  openclaw-gateway:
    image: ${OPENCLAW_IMAGE}
    build: .
    restart: unless-stopped
    env_file:
      - .env
    environment:
      - HOME=/home/node
      - NODE_ENV=production
      - TERM=xterm-256color
      - OPENCLAW_GATEWAY_BIND=${OPENCLAW_GATEWAY_BIND}
      - OPENCLAW_GATEWAY_PORT=${OPENCLAW_GATEWAY_PORT}
      - OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
      - GOG_KEYRING_PASSWORD=${GOG_KEYRING_PASSWORD}
      - XDG_CONFIG_HOME=${XDG_CONFIG_HOME}
      - PATH=/home/linuxbrew/.linuxbrew/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    volumes:
      - ${OPENCLAW_CONFIG_DIR}:/home/node/.openclaw
      - ${OPENCLAW_WORKSPACE_DIR}:/home/node/.openclaw/workspace
    ports:
      # Recommended: keep the Gateway loopback-only on the VPS; access via SSH tunnel.
      # To expose it publicly, remove the `127.0.0.1:` prefix and firewall accordingly.
      - "127.0.0.1:${OPENCLAW_GATEWAY_PORT}:18789"
    command:
      [
        "node",
        "dist/index.js",
        "gateway",
        "--bind",
        "${OPENCLAW_GATEWAY_BIND}",
        "--port",
        "${OPENCLAW_GATEWAY_PORT}",
        "--allow-unconfigured",
      ]

7
Follow the shared Docker VM runtime steps
Use the shared Docker VM runtime guide to bake required binaries into the image, build and launch the container, understand what persists where, and handle updates. This keeps your Hetzner setup aligned with the common Docker host flow.
text
```
https://docs.openclaw.ai/install/docker-vm-runtime#bake-required-binaries-into-the-image
https://docs.openclaw.ai/install/docker-vm-runtime#build-and-launch
https://docs.openclaw.ai/install/docker-vm-runtime#what-persists-where
https://docs.openclaw.ai/install/docker-vm-runtime#updates
```
8
Access the gateway via SSH tunnel from your laptop
After the container is running, create an SSH tunnel from your laptop to the VPS so you can reach the Control UI on localhost. Then open the gateway URL in your browser and authenticate with the configured shared secret.
bash
```
ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP
```

Configuration

Option	Description	Example
OPENCLAW_IMAGE	The Docker image name and tag used for the OpenClaw Gateway container.	openclaw:latest
OPENCLAW_GATEWAY_TOKEN	Shared secret token used to authenticate to the OpenClaw Gateway.	change-me-now
OPENCLAW_GATEWAY_BIND	Bind setting for the gateway, controlling which interface it listens on.	lan
OPENCLAW_GATEWAY_PORT	Port number the OpenClaw Gateway listens on inside the container and is forwarded to on the host.	18789
OPENCLAW_CONFIG_DIR	Host directory where OpenClaw configuration data is stored and mounted into the container.	/root/.openclaw
OPENCLAW_WORKSPACE_DIR	Host directory where OpenClaw workspace data is stored and mounted into the container.	/root/.openclaw/workspace
GOG_KEYRING_PASSWORD	Password used by the keyring inside the container for secure storage.	change-me-now
XDG_CONFIG_HOME	Configuration directory path inside the container where OpenClaw stores its config.	/home/node/.openclaw

Troubleshooting

Gateway starts with `--allow-unconfigured` and feels insecure

`--allow-unconfigured` is only for bootstrap convenience. token` or password) and use safe bind settings for your deployment, then remove reliance on this flag.

Losing OpenClaw configuration or workspace data after container rebuilds

yml`. Docker containers are ephemeral; all long-lived state must live on the host.

bash

mkdir -p /root/.openclaw/workspace
chown -R 1000:1000 /root/.openclaw

Frequently asked questions

Add persistent memory to OpenClaw

Official Mem0 plugin for OpenClaw keeps context across chats and tools. Smaller prompts, lower cost, better continuity for your agents.

Read the official Mem0 guide Open Mem0

More in Platform setup

Platform setup

How to Deploy OpenClaw on Northflank

Platform setup

How to Deploy OpenClaw on Render

Platform setup

How to Install OpenClaw on Linux

Platform setup

How to Install OpenClaw with Nix

Platform setup

How to Run OpenClaw with Podman

Platform setup

How to Deploy OpenClaw on Kubernetes

Prerequisites

Steps

Provision the Hetzner VPS and connect

Install Docker on the VPS

Clone the OpenClaw repository

Create persistent host directories

Configure environment variables for the gateway

Configure Docker Compose for the OpenClaw Gateway

Follow the shared Docker VM runtime steps

Access the gateway via SSH tunnel from your laptop

Configuration

Troubleshooting

Frequently asked questions

Add persistent memory to OpenClaw

More in Platform setup