Get Started →

    On this page

    How to Deploy OpenClaw on a VPS (Beginner-Friendly Walkthrough)

    You want OpenClaw running in the cloud. Not on your laptop that shuts down when you close the lid. Not on some mystery managed service. On your server, under your control, for $5/month. This is the guide for that.

    By the end, you’ll have a hardened cloud server that won’t get pwned in 6 hours, OpenClaw running 24/7 under process management, a custom domain pointing to your agent, and a clear understanding of what you’re actually paying for.

    What You’re Actually Building

    Let’s set expectations. You’re not clicking “Deploy” and walking away. You’re:

    1. 1.Renting a server from a VPS provider (DigitalOcean, Linode, Vultr, Hetzner)
    2. 2.Securing that server (SSH keys, firewall, fail2ban)
    3. 3.Installing the stack (Node.js, npm, Git, PM2)
    4. 4.Deploying OpenClaw (clone repo, install dependencies, configure)
    5. 5.Setting up a domain (DNS, reverse proxy, SSL)
    6. 6.Maintaining it forever (updates, monitoring, troubleshooting)

    That last part is the kicker. This isn’t a one-time setup. It’s infrastructure you own.

    Step 1: Choose Your VPS Provider

    The Big Four (All Good Choices)

    • DigitalOcean ($6/mo) — Best documentation, beginner-friendly
    • Linode/Akamai ($5/mo) — Excellent performance, great support
    • Vultr ($5/mo) — More data center locations, low latency outside US/EU
    • Hetzner (~$4.90/mo) — Cheapest, EU-only, strict ToS

    Minimum Specs

    • 1 GB RAM (2 GB recommended)
    • 1 CPU core (2 if running heavy skills)
    • 25 GB SSD storage
    • Ubuntu 22.04 LTS (or 24.04 LTS)

    This costs $5–6/month across providers. We’ll use Linode for this guide because it’s the sweet spot of price, performance, and reliability.

    Create Your Server

    1. 1.Sign up at linode.com
    2. 2.Create a Linode: Ubuntu 22.04 LTS, Shared CPU $5/mo Nanode, region close to you, strong root password
    3. 3.Boot the server

    Step 2: Initial SSH Access and User Setup

    First Login

    ssh root@YOUR_SERVER_IP

    Type “yes” when asked about fingerprints. Enter the root password.

    Create a Non-Root User

    adduser openclaw
    usermod -aG sudo openclaw

    Set Up SSH Key Authentication

    On your local machine:

    ssh-keygen -t ed25519 -C "[email protected]"
    ssh-copy-id openclaw@YOUR_SERVER_IP
    ssh openclaw@YOUR_SERVER_IP

    Disable Password Authentication

    sudo nano /etc/ssh/sshd_config

    Change these lines:

    PasswordAuthentication no
    PermitRootLogin no
    sudo systemctl restart sshd
    ? Note:Your server is now significantly harder to brute-force.

    Step 3: Firewall and Security Hardening

    An open VPS on the internet gets attacked within minutes. Not hyperbole. Minutes.

    Install and Configure UFW

    sudo apt update
    sudo apt install ufw -y
    sudo ufw allow OpenSSH
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    sudo ufw enable
    sudo ufw status

    Install Fail2Ban

    sudo apt install fail2ban -y
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    sudo nano /etc/fail2ban/jail.local

    Find the [sshd] section:

    [sshd]
    enabled = true
    port = ssh
    logpath = /var/log/auth.log
    maxretry = 3
    bantime = 3600
    sudo systemctl restart fail2ban

    Anyone who fails SSH login 3 times gets banned for an hour.

    Step 4: Install the OpenClaw Stack

    sudo apt update && sudo apt upgrade -y
    
    # Node.js via NodeSource
    curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
    sudo apt install -y nodejs
    
    # Git
    sudo apt install git -y
    
    # PM2
    sudo npm install -g pm2

    Verify with node --version, npm --version, git --version, pm2 --version.

    Step 5: Deploy OpenClaw

    cd ~
    git clone https://github.com/openclaw/openclaw.git
    cd openclaw
    npm install
    cp .env.example .env
    nano .env

    Minimal Configuration

    # AI Model (pick one or both)
    OPENAI_API_KEY=sk-proj-your_key_here
    ANTHROPIC_API_KEY=sk-ant-your_key_here
    
    # Agent Settings
    AGENT_NAME=MyCloudAgent
    PORT=3000
    
    # Web Interface
    WEB_INTERFACE=true
    ALLOW_EXTERNAL_ACCESS=false
    ? Note:Set ALLOW_EXTERNAL_ACCESS=false for now. We’ll expose it through a reverse proxy with SSL later.

    Test Run

    npm start

    You should see initialization logs and “Agent ready”. Press Ctrl+C to stop.

    Step 6: Set Up PM2 for Always-On Operation

    pm2 start npm --name "openclaw" -- start
    pm2 status
    pm2 startup

    Run the command PM2 outputs (looks like):

    sudo env PATH=$PATH:/usr/bin pm2 startup systemd -u openclaw --hp /home/openclaw
    pm2 save

    Useful PM2 Commands

    pm2 logs openclaw       # View logs
    pm2 restart openclaw    # Restart the process
    pm2 stop openclaw       # Stop it
    pm2 delete openclaw     # Remove from PM2

    Step 7: Set Up a Domain and SSL (Production-Ready)

    Point Your Domain to the Server

    In your DNS settings, create an A record:

    Type: A
    Name: openclaw (or @ for root)
    Value: YOUR_SERVER_IP
    TTL: 300

    Wait 5–10 minutes for DNS propagation, then test with ping openclaw.yourdomain.com.

    Install Nginx and Configure

    sudo apt install nginx -y
    sudo nano /etc/nginx/sites-available/openclaw
    server {
        listen 80;
        server_name openclaw.yourdomain.com;
    
        location / {
            proxy_pass http://localhost:3000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
    sudo nginx -t
    sudo systemctl restart nginx

    Add SSL with Let’s Encrypt

    sudo apt install certbot python3-certbot-nginx -y
    sudo certbot --nginx -d openclaw.yourdomain.com

    Follow the prompts (email, ToS, redirect HTTP→HTTPS = yes). Test auto-renewal:

    sudo certbot renew --dry-run

    Now visit https://openclaw.yourdomain.com. Green lock icon. Production-ready.

    Step 8: Enable External Access (If Needed)

    Option A: Basic Auth with Nginx

    Add to your location / block:

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    sudo apt install apache2-utils -y
    sudo htpasswd -c /etc/nginx/.htpasswd yourusername
    sudo systemctl restart nginx

    Option B: Use PaioClaw (Seriously)

    If you’re exposing OpenClaw to the internet and handling auth yourself, you’re now responsible for security vulnerabilities, DDoS protection, session management, rate limiting, and IP allowlisting.

    ? Tip:PaioClaw includes enterprise-grade DDoS protection, OAuth (Google, Microsoft), team-based access controls, and audit logs. At $4/mo for your VPS plus your time managing security, the math starts to favor managed hosting.

    The Real Cost Breakdown (Let’s Be Honest)

    Direct Costs

    • VPS hosting: $5–6/month
    • Domain name: $12/year (~$1/month)
    • SSL certificate: $0 (Let’s Encrypt)
    • Total monthly: ~$6–7

    Hidden Costs

    • Initial setup: 3–4 hours of your time
    • Monthly maintenance: 1–2 hours (security updates, dependency updates, log monitoring, troubleshooting, SSL verification)
    • Skill costs (paid LLMs): ~$20–50/month for OpenAI/Anthropic API
    • Potential bandwidth overages, backup storage, monitoring tools

    The Comparison Everyone Avoids

    Self-hosted VPS: $6/mo + 1–2 hours/month of your time. PaioClaw managed service: $4/mo (free tier for basic use) + 0 hours/month. If your time is worth $30/hour, you’re spending $30–60/month in labor on a $6 VPS.

    The break-even question: Is the control worth the maintenance? For developers who enjoy infrastructure, yes. For people who want an AI agent (not a hobby sysadmin job), no.

    Common VPS Deployment Issues (And Fixes)

    “OpenClaw crashes with ‘Out of memory’”

    1 GB RAM isn’t enough. Upgrade to 2 GB ($12/mo) or add swap:

    sudo fallocate -l 2G /swapfile
    sudo chmod 600 /swapfile
    sudo mkswap /swapfile
    sudo swapon /swapfile
    echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

    “npm install fails with permission errors”

    sudo chown -R $USER:$USER ~/.npm
    sudo chown -R $USER:$USER ~/openclaw

    “Can’t access OpenClaw from my browser”

    1. 1.Is PM2 running? pm2 status
    2. 2.Is Nginx running? sudo systemctl status nginx
    3. 3.Is port 80/443 open? sudo ufw status
    4. 4.Does DNS point to your server? ping openclaw.yourdomain.com
    5. 5.Is your .env correct? Check ALLOW_EXTERNAL_ACCESS

    “OpenClaw works but skills fail”

    Verify API keys, check logs with pm2 logs openclaw, restart with pm2 restart openclaw.

    “Server gets hacked / compromised”

    Prevention: SSH keys only, fail2ban enabled, UFW configured, regular updates, no random skills. If it happens: nuke the VPS, rotate all API keys, review access logs.

    Updating OpenClaw (Because You Have To)

    cd ~/openclaw
    git pull origin main
    npm install
    pm2 restart openclaw
    ? Note:PaioClaw handles updates automatically. Their staging environment tests new versions before pushing to production. Your staging environment is “run it and hope.”

    Monitoring and Logs

    pm2 logs openclaw
    sudo tail -f /var/log/nginx/access.log
    sudo tail -f /var/log/nginx/error.log
    htop

    Use a free service like Uptime Robot or Better Uptime to ping your domain every 5 minutes for downtime alerts.

    Backup Strategy (You Need One)

    Back up your .env file, the skills/ directory, and any custom modifications.

    nano ~/backup.sh
    #!/bin/bash
    BACKUP_DIR=~/backups
    mkdir -p $BACKUP_DIR
    tar -czf $BACKUP_DIR/openclaw-backup-$(date +%Y%m%d).tar.gz ~/openclaw/.env ~/openclaw/skills/
    chmod +x ~/backup.sh
    crontab -e

    Add this line to back up weekly at 2 AM Sunday:

    0 2 * * 0 ~/backup.sh
    ? Note:Store backups off-server (Dropbox, Google Drive, S3). A backup on the same server that crashes isn’t a backup.

    Skills and Security (The ClawHavoc Problem)

    When you self-host, you’re the security gatekeeper. Skills have full access to your API keys, connected services, and your server (they can execute system commands). A malicious skill can exfiltrate data, steal API keys, mine crypto, or pivot to other systems on your network.

    Self-Hosting Security Checklist

    1. 1.Only install skills from trusted sources
    2. 2.Review skill code before installing
    3. 3.Use separate API keys for your VPS (not your personal production keys)
    4. 4.Isolate your VPS (don’t connect to sensitive internal networks)
    5. 5.Monitor resource usage (unexpected CPU/bandwidth spikes = red flag)
    ? Tip:PaioClaw’s library is security-reviewed, the ClawHavoc Watchlist flags malicious skills, skills run sandboxed, and rate limiting prevents data exfiltration. You can replicate this with Docker and network policies — but now you’re building security infrastructure, not running an AI agent.

    When Self-Hosting Makes Sense

    Choose VPS self-hosting if:

    • You’re a developer who enjoys infrastructure
    • You need full control over code/data
    • You’re running OpenClaw in a restricted environment
    • You’re testing/developing custom skills
    • You have compliance requirements that forbid SaaS
    • You genuinely have time to maintain it

    Choose PaioClaw if:

    • You want an AI agent, not a sysadmin hobby
    • Your time is worth more than the cost difference
    • You need guaranteed uptime
    • You’re running production workflows
    • You value security and don’t want to think about it
    • You need team collaboration features

    The Bottom Line

    You can absolutely run OpenClaw on a $5/month VPS. This guide just showed you how. But let’s talk about what you’re signing up for:

    • Month 1: This is awesome! I built my own cloud AI agent for $5!
    • Month 2: Why did it crash overnight? Oh, memory leak in a skill.
    • Month 3: Time to update dependencies. Oh cool, breaking changes.
    • Month 6: Am I really spending 2 hours/month managing a server to save $15?

    The technical challenge is fun. The ongoing maintenance is work. If you did this to learn how VPS hosting and OpenClaw deployment work, you succeeded — these are valuable skills. If you did this to have a reliable AI agent without recurring costs, ask yourself: what’s your time worth?

    ? Tip:Want the same OpenClaw power without the server maintenance? PaioClaw’s managed hosting starts at $10/month (free tier available) and includes automatic updates, DDoS protection, security hardening, and professional support. Let infrastructure be someone else’s problem.

    Join Our Community

    Connect with other PaioClaw users, share tips, and stay up to date.