Hetzner VPS (Docker)

Production VPS guide with Docker on Hetzner. Durable state, baked-in binaries, SSH tunnel access. ~$4-10/month.

Hetzner is the go-to budget VPS provider for OpenClaw production deployments, offering reliable European hosting starting at ~€3.79/month for a CX22 (2 vCPU, 4GB RAM). The OpenClaw Hetzner guide uses Docker for containerized deployment with durable state, baked-in binaries, and safe restart behavior — designed for the "OpenClaw 24/7 for ~$5" use case.

The deployment follows a straightforward Docker Compose workflow: provision a Hetzner VPS, SSH in, install Docker, clone the OpenClaw repo, configure environment variables in .env, build a custom Docker image with baked-in binaries, and start the gateway. Persistent state is managed through host directory mounts — ~/.openclaw and ~/.openclaw/workspace survive container rebuilds and restarts. The container user runs as uid 1000, so host directories need matching ownership.

Hetzner's value proposition is cost efficiency and EU data residency. Their Falkenstein and Helsinki datacenters offer GDPR-compliant hosting at a fraction of US cloud provider prices. For a solo founder running a personal AI assistant 24/7, Hetzner is often the most economical cloud option after the Oracle Cloud free tier. The CX22 (4GB RAM) is the sweet spot — enough for the gateway, Docker builds, and basic agent sandboxing.

Access to the Control UI happens via SSH tunnel from your laptop (ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP), keeping the gateway port unexposed to the internet. For more advanced setups, you can add Tailscale for mesh VPN access or nginx as a reverse proxy with Let's Encrypt SSL. The security model assumes a dedicated VPS — keep strict separation between OpenClaw and personal accounts, with no personal browser profiles or password managers on the host.

The guide emphasizes building a custom Docker image with baked-in binaries (yt-dlp, gallery-dl, etc.) to ensure tools survive container restarts. Standard Docker installs may lose binaries installed at runtime — baking them into the image makes the deployment deterministic and predictable.

Tags: vps, europe, budget, docker, production

Use Cases

  • Budget-conscious 24/7 AI assistant deployment at ~€4/month with European hosting
  • EU data residency requirements for GDPR compliance
  • Production deployment for solo founders who want reliable cloud hosting without US cloud complexity
  • Always-on personal agent when your local machine sleeps or is unreliable
  • Development staging environment for testing OpenClaw configurations before deploying elsewhere

Tips

  • Start with CX22 (€3.79/mo, 4GB RAM) — it's the sweet spot for cost vs. capability for a single OpenClaw instance
  • Bake tools into the Docker image using a custom Dockerfile — binaries installed at runtime don't survive container restarts
  • Use SSH tunneling for Control UI access: ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP
  • Add Tailscale for secure remote access without SSH tunneling — install on both the VPS and your devices
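  • Set up automatic Docker log rotation to prevent disk fill: set max-size=10m and max-file=3 as json-file logging options for the service in your compose file (the docker run equivalent is --log-opt max-size=10m --log-opt max-file=3)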
  • Use Hetzner snapshots for backup before major updates — they're cheap and provide full disk-level recovery
  • Consider the CX22 in Falkenstein (Germany) or Helsinki for GDPR-compliant EU data residency

Known Issues & Gotchas

  • Docker's default networking bypasses UFW firewall rules — configure the DOCKER-USER iptables chain to prevent port exposure
  • The CX11 (1 vCPU, 2GB RAM) may OOM during Docker image builds — CX22 (4GB) is the recommended minimum
  • Host directories must be owned by uid 1000 to match the container user — run chown -R 1000:1000 /root/.openclaw
  • Don't expose port 18789 to the internet — use SSH tunneling or Tailscale for Control UI access
  • The .env file contains secrets (gateway token, API keys) — never commit it to version control
  • Hetzner's shared vCPU instances are burstable — sustained high CPU may get throttled. Dedicated vCPU instances are available at higher cost
  • Building from source inside Docker requires 2GB+ RAM — use the pre-built GHCR image on 2GB instances to avoid OOM
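
A check for the UFW and port 18789 gotchas above, as an added example that is not part of the OpenClaw guide: it parses docker ps output and reports every published port whose host address is not loopback, which is exactly the set of ports Docker makes reachable regardless of UFW. The sample input is constructed and the "sidecar" container name is hypothetical.

```sh
#!/bin/sh
# Added example (not from the OpenClaw guide): list Docker port publications
# that are reachable from outside the host, i.e. not bound to loopback.
# Input format: one line per container, as produced by
#   docker ps --format '{{.Names}}|{{.Ports}}'

# Print "name|binding" for each published port with a non-loopback host
# address. Items without "->" are exposed but not published and are skipped.
public_bindings() {
  awk -F '|' '{
    n = split($2, items, ", ")
    for (i = 1; i <= n; i++) {
      if (items[i] !~ /->/) continue
      host = items[i]; sub(/->.*/, "", host)       # e.g. 0.0.0.0:18789
      addr = host;     sub(/:[0-9-]+$/, "", addr)  # drop host port or range
      if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") continue
      print $1 "|" items[i]
    }
  }'
}

# Exit status 1 (and a report on stderr) if anything is publicly bound.
audit() {
  found=$(public_bindings)
  [ -z "$found" ] && return 0
  printf 'published beyond loopback:\n%s\n' "$found" >&2
  return 1
}

# Constructed sample: the gateway published on all interfaces (the state the
# UFW gotcha warns about) and a hypothetical "sidecar" bound to loopback only.
SAMPLE_PS=$(printf '%s|%s\n' \
  'openclaw-gateway' '0.0.0.0:18789->18789/tcp, [::]:18789->18789/tcp' \
  'sidecar' '127.0.0.1:9000->9000/tcp, 8080/tcp')

printf '%s\n' "$SAMPLE_PS" | public_bindings
```

On the VPS, pipe the real docker ps --format '{{.Names}}|{{.Ports}}' output into audit, for example from cron or before each update. In Compose, a ports entry written with a loopback host address (127.0.0.1:18789:18789) produces a binding this check passes and still works with the SSH tunnel.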

Alternatives

  • DigitalOcean Droplet
  • Oracle Cloud (Always Free)
  • Fly.io
  • Ansible
  • GCP Compute Engine

Community Feedback

Hetzner wins on raw cost for European hosting. CX22 at €3.79/mo with 4GB RAM is unbeatable for running Docker containers 24/7.

— Reddit r/Hosting

OpenClaw on Hetzner is the budget king. €4/month for a 24/7 AI assistant. Just remember to harden the firewall — Docker bypasses UFW by default.

— Reddit r/selfhosted

Self-hosting OpenClaw is a security minefield. The Hetzner guide covers the Docker setup but you still need to handle UFW, SSH hardening, and access control yourself.

— Reddit r/selfhosted

Official GHCR image has ~2k CVEs. Build your own image or use the Minimus stripped-down variant. This applies to Hetzner Docker deployments too.

— Reddit r/sysadmin

Frequently Asked Questions

Which Hetzner plan should I choose?

CX22 (2 vCPU, 4GB RAM, ~€3.79/mo) is the recommended starting point. It handles the gateway, Docker builds, and basic agent operations comfortably. Upgrade to CX32 if you need more concurrent agent sandboxes.

How do I access the Control UI securely?

Use SSH tunneling: ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP, then open http://127.0.0.1:18789/ in your browser. Alternatively, install Tailscale for persistent VPN access without port forwarding.

Does Hetzner support ARM instances?

Hetzner offers CAX ARM instances based on Ampere Altra processors. OpenClaw works on ARM64, but the x86 CX series is more tested and recommended for Docker deployments.

How do I update OpenClaw on Hetzner?

SSH into the VPS, cd into the openclaw directory, run git pull, then docker compose build && docker compose up -d openclaw-gateway. Your persistent data in ~/.openclaw survives the update.

Should I run as root or create a dedicated user?

Create a dedicated user for better security. The Ansible deployment automates this. For manual Docker setups, running as root is common but less secure — the container itself runs as uid 1000 regardless.

What about backups?

Use Hetzner snapshots for full disk backups before updates (~€0.01/GB/mo). For application-level backups, periodically copy ~/.openclaw/ to a local machine or object storage.