You want OpenClaw running in the cloud. Not on your laptop that shuts down when you close the lid. Not on some mystery managed service. On your server, under your control, for $5/month. This is the guide for that.
By the end, you’ll have a hardened cloud server that won’t get pwned in 6 hours, OpenClaw running 24/7 under process management, a custom domain pointing to your agent, and a clear understanding of what you’re actually paying for.
What You’re Actually Building
Let’s set expectations. You’re not clicking “Deploy” and walking away. You’re:
1. Renting a server from a VPS provider (DigitalOcean, Linode, Vultr, Hetzner)
2. Securing that server (SSH keys, firewall, fail2ban)
3. Installing the stack (Node.js, npm, Git, PM2)
4. Deploying OpenClaw (clone repo, install dependencies, configure)
5. Setting up a domain (DNS, reverse proxy, SSL)
6. Maintaining it forever (updates, monitoring, troubleshooting)
That last part is the kicker. This isn’t a one-time setup. It’s infrastructure you own.
Step 1: Choose Your VPS Provider
The Big Four (All Good Choices)
- DigitalOcean ($6/mo) — Best documentation, beginner-friendly
- Linode/Akamai ($5/mo) — Excellent performance, great support
- Vultr ($5/mo) — More data center locations, low latency outside US/EU
- Hetzner (~$4.90/mo) — Cheapest, EU-only, strict ToS
Minimum Specs
- 1 GB RAM (2 GB recommended)
- 1 CPU core (2 if running heavy skills)
- 25 GB SSD storage
- Ubuntu 22.04 LTS (or 24.04 LTS)
This costs $5–6/month across providers. We’ll use Linode for this guide because it’s the sweet spot of price, performance, and reliability.
Create Your Server
1. Sign up at linode.com
2. Create a Linode: Ubuntu 22.04 LTS, Shared CPU $5/mo Nanode, region close to you, strong root password
3. Boot the server
Step 2: Initial SSH Access and User Setup
First Login
ssh root@YOUR_SERVER_IP
Type “yes” when asked about fingerprints. Enter the root password.
Create a Non-Root User
adduser openclaw
usermod -aG sudo openclaw
Set Up SSH Key Authentication
On your local machine:
ssh-keygen -t ed25519 -C "your_email@example.com"
ssh-copy-id openclaw@YOUR_SERVER_IP
ssh openclaw@YOUR_SERVER_IP
Disable Password Authentication
sudo nano /etc/ssh/sshd_config
Change these lines:
PasswordAuthentication no
PermitRootLogin no
sudo systemctl restart sshd
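To confirm the two settings above are what sshd actually enforces, this added example (not part of the original guide) parses the output of `sshd -T`, which prints the merged configuration. On Ubuntu, drop-in files under /etc/ssh/sshd_config.d/ are included and can take precedence over edits to sshd_config. The function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the *effective* sshd settings after Step 2.

# Print the value sshd reports for one lowercase keyword.
sshd_value() {   # usage: sshd_value KEYWORD < output-of-sshd-T
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# Return 0 only if both settings from this guide are in effect.
check_sshd_hardening() {   # usage: check_sshd_hardening "$(sudo sshd -T)"
    dump=$1
    status=0
    for want in "passwordauthentication no" "permitrootlogin no"; do
        key=${want% *}
        expected=${want#* }
        actual=$(printf '%s\n' "$dump" | sshd_value "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK   $key $actual"
        else
            echo "FAIL $key is '${actual:-unset}', expected '$expected'"
            status=1
        fi
    done
    return $status
}

# Constructed sample: sshd_config was edited, but a drop-in still enables passwords.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'

# Constructed sample: both settings took effect.
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# On the server, run:  check_sshd_hardening "$(sudo sshd -T)"
check_sshd_hardening "$SAMPLE_OVERRIDDEN" ||
    echo "Effective config differs from sshd_config; look for an overriding drop-in."
```

Keep your current SSH session open and confirm that a new key-based login works before closing it.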
Step 3: Firewall and Security Hardening
An open VPS on the internet gets attacked within minutes. Not hyperbole. Minutes.
Install and Configure UFW
sudo apt update
sudo apt install ufw -y
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status
Install Fail2Ban
sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Find the [sshd] section:
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
sudo systemctl restart fail2ban
Anyone who fails SSH login 3 times gets banned for an hour.
Step 4: Install the OpenClaw Stack
sudo apt update && sudo apt upgrade -y
# Node.js via NodeSource
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs
# Git
sudo apt install git -y
# PM2
sudo npm install -g pm2
Verify with node --version, npm --version, git --version, pm2 --version.
Step 5: Deploy OpenClaw
cd ~
git clone https://github.com/openclaw/openclaw.git
cd openclaw
npm install
cp .env.example .env
nano .env
Minimal Configuration
# AI Model (pick one or both)
OPENAI_API_KEY=sk-proj-your_key_here
ANTHROPIC_API_KEY=sk-ant-your_key_here
# Agent Settings
AGENT_NAME=MyCloudAgent
PORT=3000
# Web Interface
WEB_INTERFACE=true
ALLOW_EXTERNAL_ACCESS=false
Test Run
npm start
You should see initialization logs and “Agent ready”. Press Ctrl+C to stop.
Step 6: Set Up PM2 for Always-On Operation
pm2 start npm --name "openclaw" -- start
pm2 status
pm2 startup
Run the command PM2 outputs (looks like):
sudo env PATH=$PATH:/usr/bin pm2 startup systemd -u openclaw --hp /home/openclaw
pm2 save
Useful PM2 Commands
pm2 logs openclaw      # View logs
pm2 restart openclaw   # Restart the process
pm2 stop openclaw      # Stop it
pm2 delete openclaw    # Remove from PM2
Step 7: Set Up a Domain and SSL (Production-Ready)
Point Your Domain to the Server
In your DNS settings, create an A record:
Type: A
Name: openclaw (or @ for root)
Value: YOUR_SERVER_IP
TTL: 300
Wait 5–10 minutes for DNS propagation, then test with ping openclaw.yourdomain.com.
Install Nginx and Configure
sudo apt install nginx -y
sudo nano /etc/nginx/sites-available/openclaw
server {
    listen 80;
    server_name openclaw.yourdomain.com;
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx
Add SSL with Let’s Encrypt
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d openclaw.yourdomain.com
Follow the prompts (email, ToS, redirect HTTP→HTTPS = yes). Test auto-renewal:
sudo certbot renew --dry-run
Now visit https://openclaw.yourdomain.com. Green lock icon. Production-ready.
Step 8: Enable External Access (If Needed)
Option A: Basic Auth with Nginx
Add to your location / block:
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;
sudo apt install apache2-utils -y
sudo htpasswd -c /etc/nginx/.htpasswd yourusername
sudo systemctl restart nginx
Option B: Use PaioClaw (Seriously)
If you’re exposing OpenClaw to the internet and handling auth yourself, you’re now responsible for security vulnerabilities, DDoS protection, session management, rate limiting, and IP allowlisting.
The Real Cost Breakdown (Let’s Be Honest)
Direct Costs
- VPS hosting: $5–6/month
- Domain name: $12/year (~$1/month)
- SSL certificate: $0 (Let’s Encrypt)
- Total monthly: ~$6–7
Hidden Costs
- Initial setup: 3–4 hours of your time
- Monthly maintenance: 1–2 hours (security updates, dependency updates, log monitoring, troubleshooting, SSL verification)
- Skill costs (paid LLMs): ~$20–50/month for OpenAI/Anthropic API
- Potential bandwidth overages, backup storage, monitoring tools
The Comparison Everyone Avoids
Self-hosted VPS: $6/mo + 1–2 hours/month of your time. PaioClaw managed service: $4/mo (free tier for basic use) + 0 hours/month. If your time is worth $30/hour, you’re spending $30–60/month in labor on a $6 VPS.
The break-even question: Is the control worth the maintenance? For developers who enjoy infrastructure, yes. For people who want an AI agent (not a hobby sysadmin job), no.
Common VPS Deployment Issues (And Fixes)
“OpenClaw crashes with ‘Out of memory’”
1 GB RAM isn’t enough. Upgrade to 2 GB ($12/mo) or add swap:
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
“npm install fails with permission errors”
sudo chown -R $USER:$USER ~/.npm
sudo chown -R $USER:$USER ~/openclaw
“Can’t access OpenClaw from my browser”
1. Is PM2 running? pm2 status
2. Is Nginx running? sudo systemctl status nginx
3. Is port 80/443 open? sudo ufw status
4. Does DNS point to your server? ping openclaw.yourdomain.com
5. Is your .env correct? Check ALLOW_EXTERNAL_ACCESS
“OpenClaw works but skills fail”
Verify API keys, check logs with pm2 logs openclaw, restart with pm2 restart openclaw.
“Server gets hacked / compromised”
Prevention: SSH keys only, fail2ban enabled, UFW configured, regular updates, no random skills. If it happens: nuke the VPS, rotate all API keys, review access logs.
Updating OpenClaw (Because You Have To)
cd ~/openclaw
git pull origin main
npm install
pm2 restart openclaw
Monitoring and Logs
pm2 logs openclaw
sudo tail -f /var/log/nginx/access.log
sudo tail -f /var/log/nginx/error.log
htop
Use a free service like Uptime Robot or Better Uptime to ping your domain every 5 minutes for downtime alerts.
Backup Strategy (You Need One)
Back up your .env file, the skills/ directory, and any custom modifications.
nano ~/backup.sh
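#!/bin/bash
# The archive contains the API keys from .env: make it readable by this user only
umask 077
BACKUP_DIR="$HOME/backups"
mkdir -p "$BACKUP_DIR"
tar -czf "$BACKUP_DIR/openclaw-backup-$(date +%Y%m%d).tar.gz" \
  "$HOME/openclaw/.env" "$HOME/openclaw/skills/"
chmod +x ~/backup.sh
crontab -e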
Add this line to back up weekly at 2 AM Sunday:
0 2 * * 0 ~/backup.sh
Skills and Security (The ClawHavoc Problem)
When you self-host, you’re the security gatekeeper. Skills have full access to your API keys, connected services, and your server (they can execute system commands). A malicious skill can exfiltrate data, steal API keys, mine crypto, or pivot to other systems on your network.
Self-Hosting Security Checklist
1. Only install skills from trusted sources
2. Review skill code before installing
3. Use separate API keys for your VPS (not your personal production keys)
4. Isolate your VPS (don’t connect to sensitive internal networks)
5. Monitor resource usage (unexpected CPU/bandwidth spikes = red flag)
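As a starting point for item 2, this added example (not OpenClaw tooling and not from the original guide) lists the lines in a skill that deserve a manual read before install. It assumes a skill is a directory of JavaScript/TypeScript files, optionally with its own package.json; the function names and the sample skill are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-install triage of a skill directory (layout is an assumption).

# Constructs worth a human look before install: command execution, reading
# secrets from the environment, dynamic code, hard-coded remote endpoints.
RISKY='child_process|process\.env|eval\(|new Function\(|https?://'
# npm runs these package.json scripts automatically during `npm install`.
LIFECYCLE='"(preinstall|install|postinstall)"[[:space:]]*:'

# Print file:line:text per finding. Returns 0 if clean, 1 if review is needed.
# node_modules is skipped: dependencies need their own review.
audit_skill() {   # usage: audit_skill PATH_TO_SKILL_DIR
    code_hits=$(find "$1" -type f ! -path '*/node_modules/*' \
        \( -name '*.js' -o -name '*.mjs' -o -name '*.cjs' -o -name '*.ts' \) \
        -exec grep -nE "$RISKY" /dev/null {} + || true)
    pkg_hits=$(find "$1" -type f -name package.json ! -path '*/node_modules/*' \
        -exec grep -nE "$LIFECYCLE" /dev/null {} + || true)
    findings=$(printf '%s\n%s\n' "$code_hits" "$pkg_hits" | grep . || true)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample skill, for demonstration only.
make_sample_skill() {
    dir=$(mktemp -d)
    cat > "$dir/index.js" <<'EOF'
const { exec } = require('child_process');
module.exports = () => exec('uptime');
EOF
    printf '{ "scripts": { "postinstall": "node setup.js" } }\n' > "$dir/package.json"
    echo "$dir"
}

sample=$(make_sample_skill)
audit_skill "$sample" || echo "Findings above: read the code before installing."
rm -rf "$sample"
```

A finding is a prompt to read that line, not proof of malice, and a clean result does not replace reading the code.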
When Self-Hosting Makes Sense
Choose VPS self-hosting if:
- You’re a developer who enjoys infrastructure
- You need full control over code/data
- You’re running OpenClaw in a restricted environment
- You’re testing/developing custom skills
- You have compliance requirements that forbid SaaS
- You genuinely have time to maintain it
Choose PaioClaw if:
- You want an AI agent, not a sysadmin hobby
- Your time is worth more than the cost difference
- You need guaranteed uptime
- You’re running production workflows
- You value security and don’t want to think about it
- You need team collaboration features
The Bottom Line
You can absolutely run OpenClaw on a $5/month VPS. This guide just showed you how. But let’s talk about what you’re signing up for:
- Month 1: This is awesome! I built my own cloud AI agent for $5!
- Month 2: Why did it crash overnight? Oh, memory leak in a skill.
- Month 3: Time to update dependencies. Oh cool, breaking changes.
- Month 6: Am I really spending 2 hours/month managing a server to save $15?
The technical challenge is fun. The ongoing maintenance is work. If you did this to learn how VPS hosting and OpenClaw deployment work, you succeeded — these are valuable skills. If you did this to have a reliable AI agent without recurring costs, ask yourself: what’s your time worth?

