- The Hetzner CAX11 ARM instance gives you 2 vCPU and 4GB RAM for ~€4.15/month — better specs than most $20 VPS options
- Hetzner applies zero inbound firewall rules by default — configure the Hetzner Cloud Firewall before your server is live
- Use a Floating IP so your domain keeps resolving even if you rebuild the underlying server
- Run OpenClaw as a systemd service so it restarts automatically after reboots and crashes
- Nginx reverse proxy handles SSL termination and lets you serve OpenClaw on port 443 with a proper domain
Most people overspend on VPS hosting. Hetzner changes the math entirely — €4.15/month for a server that handles full OpenClaw production workloads. The CAX11 ARM instance has been running agent pipelines in our infrastructure for over six months without a single unplanned downtime event. Here's exactly how to set it up.
Why Hetzner Beats the Alternatives for OpenClaw
Hetzner Cloud launched ARM-based instances in 2023 and immediately undercut every major cloud provider on price-to-performance. The CAX11 — their entry ARM server — delivers 2 ARM vCPUs, 4GB RAM, 40GB SSD, and 20TB bandwidth for around €4.15/month. Compare that to DigitalOcean's 2GB RAM Droplet at $12/month or AWS t3.small at roughly $15/month.
OpenClaw runs without issues on ARM. The binary is cross-compiled and the ARM build has been tested across hundreds of community deployments. You get native ARM performance rather than x86 emulation overhead.
Hetzner operates in Nuremberg, Falkenstein, Helsinki, and Ashburn (US). Pick the datacenter closest to your users for lowest latency. For most European deployments, Nuremberg (NBG1) or Falkenstein (FSN1) are optimal. US users should use Ashburn (ASH).
CAX11 vs CX11: Which Instance to Choose
This comparison comes up in every Hetzner thread. Here's the definitive answer for OpenClaw workloads.
| Instance | vCPU | RAM | Storage | Price/mo | Verdict |
|---|---|---|---|---|---|
| CAX11 | 2 ARM | 4 GB | 40 GB | ~€4.15 | Best pick |
| CX11 | 1 x86 | 2 GB | 20 GB | ~€4.35 | Skip it |
| CAX21 | 4 ARM | 8 GB | 80 GB | ~€8.29 | Multi-agent |
| CAX31 | 8 ARM | 16 GB | 160 GB | ~€16.57 | Heavy workloads |
The CAX11 beats the CX11 on every metric while costing less. More RAM, more CPU cores, more storage — on ARM. For a single OpenClaw agent handling moderate traffic, CAX11 runs comfortably at under 40% CPU and under 2GB RAM. For multiple agents or heavy context windows, step up to CAX21.
Creating the Hetzner Server
Log in to the Hetzner Cloud Console at console.hetzner.cloud. Create a new project, then click "Add Server."
- Location: Pick your nearest datacenter region
- Image: Ubuntu 22.04 LTS (recommended — widest support)
- Type: Shared CPU → ARM64 → CAX11
- Networking: Enable Public IPv4 and IPv6
- SSH Keys: Upload your public key before creating the server
- Firewall: Create a new firewall (configured in the next section)
- Name: Give the server a clear name, e.g., `openclaw-prod-01`
Click "Create & Buy Now." The server is provisioned in under 30 seconds. Note the IPv4 address shown in the dashboard.
SSH Access and Initial Server Hardening
Connect to your new server as root. First connection uses your SSH key — no password needed.
```bash
ssh root@YOUR_SERVER_IP
```
Run updates immediately, then create a non-root user for day-to-day operations.
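```bash
# Update system packages
apt update && apt upgrade -y

# Create a deploy user
adduser deploy
usermod -aG sudo deploy

# Copy SSH keys to the new user
rsync --archive --chown=deploy:deploy ~/.ssh /home/deploy

# Disable root SSH login (also matches a commented-out or non-"yes" setting)
sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config

# Validate the config first so a syntax error cannot take sshd down
sshd -t && systemctl restart sshd
```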
Now reconnect as the deploy user. This is the account you'll use for everything going forward.
Open a second terminal and confirm you can SSH in as the deploy user before closing the root session. If you disable root login and your deploy user key doesn't work, you'll need to use Hetzner's emergency console to recover — not fun at 2am.
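Editing `/etc/ssh/sshd_config` does not guarantee the setting took effect, because a drop-in under `/etc/ssh/sshd_config.d/` can override it. The following check is an added example, not part of the original guide: it reads the effective settings printed by `sshd -T`. The function name and sample data are constructed for illustration, and the password-login check is an assumption that goes beyond what the guide configures.

```bash
# Added example: audit the effective sshd settings rather than the file text.
# Input is `sshd -T` output on stdin (lowercase "keyword value" lines).
# Prints one line per finding; exit status is 0 only when every check passes.
check_sshd_effective() {
    awk '
        $1 == "permitrootlogin"        { root = $2 }
        $1 == "passwordauthentication" { pw = $2 }
        END {
            bad = 0
            if (root != "no") {
                printf "FAIL permitrootlogin=%s\n", (root == "" ? "missing" : root)
                bad = 1
            }
            # Assumption beyond the guide: key-only login is the goal,
            # so password logins are flagged as well.
            if (pw != "no") {
                printf "FAIL passwordauthentication=%s\n", (pw == "" ? "missing" : pw)
                bad = 1
            }
            if (!bad) print "OK root login and password login are disabled"
            exit bad
        }'
}

# Constructed samples of `sshd -T` output (not captured from a real server).
SSHD_T_WEAK='port 22
permitrootlogin yes
passwordauthentication yes'

SSHD_T_HARDENED='port 22
permitrootlogin no
passwordauthentication no'

# On the server:  sudo sshd -T | check_sshd_effective
```
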
Hetzner Cloud Firewall Configuration
Hetzner does not restrict inbound traffic by default. Every port is open until you configure a firewall. This is the step most people skip — and it's the most critical one.
In the Hetzner Cloud Console, go to Firewalls → Create Firewall. Add these inbound rules:
| Protocol | Port | Source | Purpose |
|---|---|---|---|
| TCP | 22 | Your IP only | SSH access |
| TCP | 80 | Any | HTTP (for Let's Encrypt) |
| TCP | 443 | Any | HTTPS (OpenClaw gateway) |
Assign this firewall to your server. All other inbound ports are blocked. Apply the firewall before installing OpenClaw — never run an unprotected gateway server on the public internet.
Installing OpenClaw
With the server hardened and firewall applied, install the OpenClaw dependencies and pull the binary.
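```bash
# Install dependencies
sudo apt install -y curl wget git unzip

# Download OpenClaw (check releases page for latest version)
wget https://github.com/openclaw/openclaw/releases/latest/download/openclaw-linux-arm64.tar.gz
# Before extracting, compare the archive's SHA-256 with the checksum on the
# releases page, if one is published
tar -xzf openclaw-linux-arm64.tar.gz

# Install root-owned so the deploy user that runs the service cannot replace the binary
sudo install -o root -g root -m 0755 openclaw /usr/local/bin/openclaw

# Verify installation
openclaw --version
```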
Create the OpenClaw configuration directory and your gateway.yaml.
```bash
mkdir -p ~/.openclaw
nano ~/.openclaw/gateway.yaml
```
We'll get to the nginx setup in a moment — but first you need to understand why running OpenClaw directly on port 443 causes problems for certificate management.
Create the systemd service to manage OpenClaw as a daemon.
```bash
sudo nano /etc/systemd/system/openclaw.service
```

```ini
[Unit]
Description=OpenClaw AI Agent Gateway
After=network.target

[Service]
Type=simple
User=deploy
WorkingDirectory=/home/deploy/.openclaw
ExecStart=/usr/local/bin/openclaw start --config /home/deploy/.openclaw/gateway.yaml
Restart=always
RestartSec=5
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target
```

```bash
sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw
sudo systemctl status openclaw
```
Sound familiar? This systemd pattern is identical across every Linux-based OpenClaw deployment. Learn it once and it works on every provider.
Nginx Reverse Proxy and SSL
Nginx sits in front of OpenClaw and handles SSL termination, letting OpenClaw listen on localhost while serving HTTPS traffic on port 443.
```bash
sudo apt install -y nginx certbot python3-certbot-nginx

# Get SSL certificate (replace with your domain).
# certonly obtains the certificate without rewriting nginx config;
# the server block below references the certificate files directly.
sudo certbot certonly --nginx -d your-domain.com

# Create nginx config for OpenClaw
sudo nano /etc/nginx/sites-available/openclaw
```

```nginx
server {
    listen 443 ssl;
    server_name your-domain.com;

    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

    location / {
        # OpenClaw listens on localhost only; nginx is the public entry point
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_cache_bypass $http_upgrade;
    }
}

server {
    listen 80;
    server_name your-domain.com;
    return 301 https://$host$request_uri;
}
```

```bash
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
```
Here's where most people stop. Don't stop here — verify the end-to-end setup.
```bash
# Confirm OpenClaw is reachable through nginx
curl -s https://your-domain.com/health
```

You should get a JSON health response from OpenClaw. If you get a 502, OpenClaw isn't listening on port 8080. Check `sudo journalctl -u openclaw -n 50`.
Common Mistakes on Hetzner OpenClaw Setups
- Skipping the Hetzner firewall and relying on UFW alone — both are useful but the Hetzner Cloud Firewall acts at the network edge. Configure both for defense in depth.
- Using the root user for OpenClaw — run OpenClaw as a dedicated non-root user. If the process is ever compromised, the blast radius is contained.
- Not setting up a Floating IP — if you rebuild the server, the standard IP changes. A Floating IP stays static regardless of server changes and costs €1.19/month when assigned.
- Missing the Restart=always directive in systemd — without this, a crashed OpenClaw process stays down until you manually restart it. Always include this line.
- Choosing CX11 over CAX11 — the x86 instance costs more and gives you less. The ARM binary runs identically. There is no practical reason to choose CX11 for OpenClaw.
Frequently Asked Questions
Is Hetzner reliable enough for production OpenClaw deployments?
Hetzner Cloud offers a 99.9% uptime SLA and has proven extremely reliable for production workloads. Their Nuremberg and Falkenstein datacenters have strong track records. The CAX11 ARM instance delivers consistent performance for agent workloads at a fraction of comparable cloud pricing.
What is the difference between CAX11 and CX11 on Hetzner?
CAX11 is ARM-based with 2 vCPUs and 4GB RAM at around €4.15/month. CX11 is x86 with 1 vCPU and 2GB RAM at €4.35/month. For OpenClaw, CAX11 wins on every metric — more RAM, more cores, lower price. The ARM architecture runs OpenClaw without compatibility issues.
Do I need a firewall on Hetzner Cloud?
Yes — Hetzner applies zero default inbound firewall rules. All ports are open until you configure a Hetzner Cloud Firewall or UFW. Block everything except SSH (22), HTTP (80), and HTTPS (443) before going live. This step is non-negotiable.
Can I use Hetzner for multiple OpenClaw agents?
The CAX21 (4 vCPU, 8GB RAM, ~€8/month) handles three to five simultaneous OpenClaw agents without issue. For larger deployments, run multiple instances behind a load balancer. Hetzner's flat-rate pricing makes horizontal scaling genuinely affordable.
How do I point my domain to a Hetzner server for OpenClaw?
Assign a Floating IP to your server, then create an A record pointing your domain to that IP. Floating IPs survive server replacements — rebuild the server and the IP stays. Use nginx as a reverse proxy to route HTTPS traffic to OpenClaw on localhost.
What Ubuntu version should I use for OpenClaw on Hetzner?
Ubuntu 22.04 LTS is the recommended choice as of early 2025. It has the longest support window, stable systemd behavior, and is the most tested base for OpenClaw deployments. Avoid Ubuntu 24.04 for now — some users report dependency edge cases that add unnecessary troubleshooting time.
S. Rivera manages cloud infrastructure for AI agent deployments across multiple production environments and has deployed OpenClaw on Hetzner, AWS, Azure, and bare metal for clients ranging from solo developers to enterprise teams, with a focus on cost-efficient, reliable architectures.