VPS Deploy, Day 13 of the Free Comprehensive OpenClaw Course

What VPS should I run OpenClaw on?

OpenClaw vps deployment is the moment your agent stops depending on your laptop being open. The honest answer for almost everyone: a $5 to $10 a month VPS from Hetzner, DigitalOcean, or Vultr is enough.

The minimum spec for a personal OpenClaw deployment running one or two agents:

• 2 vCPU, 2 GB RAM, 40 GB SSD if you are using a cloud model (Anthropic, OpenAI, Gemini). The agent itself is light, the heavy lifting is on the model provider.
• 4 vCPU, 16 GB RAM minimum if you are running Ollama on the same VPS. Llama 3 8B fits, Llama 3 70B does not on this size.
• Dedicated GPU server if you want to run Llama 3 70B on the same host as the agent. This is a different price tier, $50+ a month, and usually not worth it versus paying $5 to a cloud provider for a small VPS plus paying tokens to Anthropic.

The cheapest practical setup: $5 Hetzner VPS in their cheapest region, run the agent on it, point at Anthropic Claude. Total monthly cost roughly $10 to $25 (VPS plus Claude tokens). This is the deployment shape I run for most clients.

VPS provider comparison, real numbers

The four cheapest credible providers for a personal-agent VPS, with the prices and tradeoffs as of the time of writing.

Hetzner. The cheapest serious provider, around $4 to $5 a month for a 2 vCPU, 4 GB RAM, 40 GB SSD box in Germany or Finland. Network is fast, billing is hourly, support is German-precise. The catch: data centers in Europe and one in Virginia, so if your model provider's API endpoint is on the US west coast you eat the latency. Still the best value-per-dollar.

DigitalOcean. Around $6 a month for the same spec. More data center regions globally, friendlier dashboard, the documentation is unmatched. Slightly more expensive but the operational surface is the smoothest of the four.

Vultr. Around $5 a month for similar spec, the most data center regions of any cheap provider. Often the right pick if you need a specific geography (Tokyo, Sydney, Mumbai, Sao Paulo). The dashboard is functional but not as polished as DigitalOcean.

Linode (Akamai). Around $5 a month, similar spec. Stable, well-known brand, decent docs. The Akamai acquisition made the dashboard slightly worse but the underlying service is fine.

For most readers I default to Hetzner for cost and DigitalOcean if the docs friction matters more than the $1 a month savings. AWS Lightsail is technically in this price tier but I never recommend it for a personal-agent deployment, the AWS surface is too easy to misconfigure expensively.

How do I keep my OpenClaw agent running 24/7?

Three things keep an agent up.

systemd or equivalent. A process supervisor that restarts the agent if it crashes and starts it again on reboot. On Linux that is systemd. The unit file points at the docker compose stack from openclaw docker and uses Restart=always. On macOS the equivalent is launchd.

Sample systemd unit, save as /etc/systemd/system/openclaw.service:

[Unit]
Description=OpenClaw agent
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/opt/openclaw
ExecStart=/usr/bin/docker compose up
ExecStop=/usr/bin/docker compose down
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

Then systemctl enable openclaw and systemctl start openclaw.

Resource limits. Set memory and CPU limits in your docker compose so a runaway prompt cannot eat the whole VPS. Without limits, a single bad heartbeat can OOM the host and take down the agent for an hour.

Log rotation. The runtime writes verbose logs by default. Without rotation the disk fills in a few weeks and the agent stops. Set up logrotate or use docker's built-in log size limits.

Nginx reverse proxy for the WebChat surface

If you want the agent's WebChat surface reachable on the public internet (under your own domain, with TLS), put nginx in front of the runtime. The minimum config:

# /etc/nginx/sites-available/openclaw
server {
    listen 443 ssl http2;
    server_name agent.example.com;

    ssl_certificate /etc/letsencrypt/live/agent.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/agent.example.com/privkey.pem;

    # Rate limit, the agent's API is not for the public
    limit_req zone=agent burst=20 nodelay;

    # Auth gate, every request needs the bearer token
    auth_request /auth-check;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    listen 80;
    server_name agent.example.com;
    return 301 https://$host$request_uri;
}

Pair with Let's Encrypt for the TLS cert (certbot --nginx -d agent.example.com) and the agent is on the public internet under TLS in 10 minutes. Always pair public exposure with auth, never run an open public WebChat.

How do I monitor an always-on OpenClaw deployment?

Two layers of monitoring.

Liveness. The agent should report it is alive on a schedule, and you should get an alert if it stops. The simplest pattern: a heartbeat-driven Skill that pings a free service like UptimeRobot or healthchecks.io every five minutes. If the ping stops, the service emails or texts you. Setup time is ten minutes, ongoing cost is zero.

Cost. The agent should report its accumulated daily and monthly token spend on its own channels. The runtime tracks this automatically, you surface it via a heartbeat-driven Skill that posts the running total to your main channel once a day. The first time you see "Today's spend: $4.20" you will be glad you wired it up.

Beyond those two, do not over-engineer. Production OpenClaw deployments at the personal-and-small-team scale do not need Prometheus, Grafana, or a full observability stack. Liveness ping plus daily cost report plus reading the docker logs occasionally is enough.

Backup strategy, what actually matters

The agent's state is split between the workspace files (markdown, easy to back up) and the runtime's internal state (embedding indices, conversation logs, dreaming history). Both deserve backup but the priority is different.

The workspace files are the irreplaceable part. AGENTS.md, SOUL.md, MEMORY.md, the daily notes, all your custom Skills. Keep these in a git repo from day one, push to a private GitHub or Gitea every commit. The repo is your real backup. The .env stays out of git, copy it separately to a password manager.

The runtime state is rebuildable from the workspace files plus the conversation logs. Daily snapshots of the workspace folder via borg backup, restic, or even a simple cron-driven tar + scp to another host are enough for personal use. For multi-client consulting deployments, push the snapshots offsite to S3-compatible storage (Backblaze B2 is around $6 per terabyte per month, dramatically cheaper than AWS S3).

SSH and firewall basics

The host the agent runs on is now part of your attack surface. Three things, every time.

SSH key only, never password. Edit /etc/ssh/sshd_config on the VPS, set PasswordAuthentication no, and reload sshd. Without this any open SSH port is constantly being brute-forced from the public internet.

Firewall on. ufw allow OpenSSH, ufw enable. If the agent does not need to expose its WebChat surface to the public internet, do not allow port 3000. Most agents do not, you reach them through messaging channels.

OS updates on. Unattended-upgrades on Debian or Ubuntu, equivalents on other distros. Pinning your OpenClaw version (openclaw docker) is right, leaving the OS unpatched is wrong.

Initial VPS bootstrap, the full sequence

What I run on every fresh VPS, in order. Step 1, secure the host. Update OS packages, set hostname, create a non-root user, copy your SSH public key, disable root SSH and password auth, set the firewall to deny by default with SSH allowed. About 15 minutes.

Step 2, install Docker. Use the official install script from get.docker.com, add your user to the docker group so you do not need sudo for compose. Verify with docker run hello-world. About 5 minutes.

Step 3, install systemd unit. Copy the openclaw.service file from earlier, run systemctl enable openclaw. About 2 minutes.

Step 4, copy the workspace. Either git clone your private workspace repo into /opt/openclaw, or scp your local workspace folder up. Set permissions correctly for the docker user. About 5 minutes.

Step 5, set the .env. Copy from your password manager, never paste into a terminal that might log it. Verify file mode is 600 (owner read-write only). About 3 minutes.

Step 6, start the agent. systemctl start openclaw, watch the logs with journalctl -u openclaw -f. Verify the agent connects to its channels and replies to a test message.

Step 7, wire monitoring. Set up the healthchecks.io ping in HEARTBEAT.md, set up the daily cost report. About 10 minutes.

Total time from fresh VPS to production agent: about 45 minutes once you have done it a few times. The first time, expect 2 to 3 hours including reading the docs.

How this connects to your full agent

VPS deployment is the moment the agent becomes a real piece of infrastructure. The combination of openclaw docker on day 12 plus this lesson is the production-ready shape, the full thing you can leave running unattended for months.

The next two lessons are where the agent becomes more interesting than just a personal assistant. Openclaw agentic coding on day 14 turns the same agent into a coding partner. Openclaw multi-agent on day 15 covers the gateway pattern for running a team of specialized agents on the VPS you just set up.

If you only do one operations task this week beyond the deploy itself, wire the dead-man's-switch alert. Find out the agent stopped in five minutes, not in three days when you wonder why you have not heard from it.