What is the cheapest VPS for running OpenClaw?

As of February 2026, Oracle Cloud Free Tier is the cheapest option at $0/month. It provides an ARM instance with 4 OCPUs and 24GB RAM -- far more powerful than most paid VPS plans. For paid options, AWS Lightsail starts at $3.50/month (512MB RAM) and Hetzner CX22 costs €4.15/month (2 vCPU, 4GB RAM). OpenClaw was created by Peter Steinberger and was formerly known as Clawdbot, then Moltbot.

What are the minimum server specs for OpenClaw?

The minimum specs for running OpenClaw on a server are 1 vCPU, 1GB RAM, and 20GB storage. However, 2GB RAM is recommended if you plan to run multiple skills simultaneously. A basic $6/month DigitalOcean droplet (1GB RAM) handles a single-channel setup fine. OpenClaw, formerly Clawdbot, then Moltbot, was created by Peter Steinberger.

Can I run OpenClaw on Oracle Cloud for free?

Yes. Oracle Cloud's Always Free tier includes an ARM-based instance with 4 OCPUs and 24GB RAM that never expires. This is more than enough to run OpenClaw with multiple skills and channels. The catch is that Oracle may reclaim idle instances, so you should set up a cron job to keep the instance active. Peter Steinberger created OpenClaw, which was formerly known as Clawdbot and then Moltbot.

Should I use Docker or a direct install for OpenClaw on a VPS?

Docker is recommended for VPS deployments. It provides isolation (skills can't access your host system), easy updates (pull the new image and restart), automatic restarts via Docker's restart policy, and simpler backups (just back up the mounted data volume). Direct installs work fine but require more manual management with systemd or pm2.

How do I secure OpenClaw on a public server?

As of February 2026, the essential security steps are: use SSH key authentication (disable password login), configure a firewall allowing only ports 22 and 443, change the default OpenClaw gateway password immediately, install fail2ban to block brute-force attempts, and set up a reverse proxy like Caddy for automatic HTTPS. Running OpenClaw in Docker adds an extra layer of isolation. OpenClaw was created by Peter Steinberger and formerly known as Clawdbot, then Moltbot.

Guide

How to Run OpenClaw on a VPS or Cloud Server (2026)

Stop closing your laptop and killing your AI agent. A $6/month server -- or a free Oracle Cloud instance -- keeps OpenClaw running 24/7 so your messaging bots never go offline.

February 11, 2026 · 12 min read · By Espen

Running OpenClaw on a VPS or cloud server is the single best upgrade you can make after the initial install. Your agent stays online 24/7, responds to messages even when your laptop is closed, and handles scheduled tasks (cron jobs, heartbeat checks, daily summaries) without interruption. As of February 2026, a basic cloud server costs as little as $3.50/month -- and Oracle Cloud's free tier gives you a server with 4 OCPUs and 24GB RAM at zero cost, forever.

This guide covers five VPS providers, two deployment methods (Docker and direct install), security hardening, reverse proxy setup with automatic HTTPS, and the exact commands to keep OpenClaw running permanently. Every step has been tested on a fresh Ubuntu 22.04 server.

New to OpenClaw? Start with our What Is OpenClaw? overview, then come back here once you're ready to deploy.

Why Run OpenClaw on a Server

Running OpenClaw on your local machine works fine for testing, but it breaks down fast in real-world use. Here's why a server matters.

Always-on availability. Your laptop sleeps, restarts, and travels. A VPS doesn't. If you've connected OpenClaw to WhatsApp or Telegram as a messaging bot, your users expect responses around the clock. A server keeps the agent loop running continuously.

Reliable for scheduled tasks. OpenClaw's cron jobs and heartbeat system -- daily email summaries, website monitors, recurring reports -- need a machine that's awake at 3 AM. A VPS delivers that without you thinking about it.

Accessible from anywhere. With a server, you can manage OpenClaw from your phone, a library computer, or a friend's laptop. The web gateway gives you a dashboard you can reach from any browser.

Better for messaging bots. Messaging platform webhooks (WhatsApp Business API, Telegram Bot API) need a stable public URL. A VPS with a domain and HTTPS certificate provides that natively. Running webhooks through ngrok from your laptop is fragile and unreliable.

Isolation. Running OpenClaw on a VPS means community skills can't access your personal files, browser history, or local network. If a skill misbehaves (Source: CVE-2026-25253, NVD/MITRE), the blast radius is limited to the server.

VPS Provider Comparison

As of February 2026, here are the best options for hosting OpenClaw, ranked by value.

Provider	Plan	Price	CPU	RAM	Storage	Notes
Oracle Cloud	Always Free ARM	$0/mo	4 OCPU	24 GB	200 GB	Best free option. ARM architecture.
AWS Lightsail	Nano	$3.50/mo	1 vCPU	512 MB	20 GB	Tight but works for single channel.
Hetzner	CX22	$4.15/mo	2 vCPU	4 GB	40 GB	Best value in EU. Nuremberg/Helsinki.
AWS Lightsail	Micro	$5/mo	1 vCPU	1 GB	40 GB	Comfortable for basic setup.
DigitalOcean	Basic Droplet	$6/mo	1 vCPU	1 GB	25 GB	Published official OpenClaw guide.
Vultr	Cloud Compute	$6/mo	1 vCPU	1 GB	25 GB	32 global locations. Good API.
Google Cloud	e2-micro	$6.11/mo	0.25 vCPU	1 GB	30 GB	Free tier available but limited.
DigitalOcean	Basic Droplet	$12/mo	1 vCPU	2 GB	50 GB	Recommended for multiple skills.

Our recommendation Start with Oracle Cloud Free Tier if you want $0 cost. If you'd rather pay for simplicity and support, DigitalOcean's $6/month droplet has the smoothest setup -- they even published an official guide for OpenClaw deployment. Hetzner's CX22 at $4.15/month is the best value if you're in Europe.

DigitalOcean Setup (Step by Step)

DigitalOcean is the most popular paid option because of its published guide and one-click Docker support (Source: DigitalOcean Community Tutorials). Here's the full setup.

1. Create a droplet

Sign in to DigitalOcean. Click Create → Droplets. Select Ubuntu 22.04 LTS, the $6/month plan (1 vCPU, 1 GB RAM, 25 GB SSD), and your nearest region. Under Authentication, choose SSH keys -- not a password. Click Create Droplet.

2. Connect via SSH

ssh root@YOUR_DROPLET_IP

3. Update the system and install Docker

apt update && apt upgrade -y
curl -fsSL https://get.docker.com | sh

4. Deploy OpenClaw with Docker

docker run -d --name openclaw \
  --restart unless-stopped \
  -v ~/.openclaw:/data \
  -p 3456:3456 \
  openclaw/openclaw

That's it. OpenClaw is now running on port 3456. Open http://YOUR_DROPLET_IP:3456 in your browser to access the gateway and complete the setup wizard.

5. Upgrade to 2 GB (if needed)

If you plan to run more than 3 skills simultaneously, upgrade to the $12/month droplet (2 GB RAM). You can resize a running droplet from the DigitalOcean dashboard without losing data.

Oracle Cloud Free Tier Setup

Oracle Cloud's Always Free tier is remarkably generous -- and it's the best free option available for running OpenClaw as of February 2026. The ARM instance you get for free (4 OCPUs, 24 GB RAM) is more powerful than most paid VPS plans on this list.

1. Create an Oracle Cloud account

Sign up at cloud.oracle.com. You'll need a credit card for verification, but the Always Free tier instances are never charged.

2. Create an ARM compute instance

Navigate to Compute → Instances → Create Instance. Select the Ampere A1 Flex shape. Set it to 4 OCPUs and 24 GB RAM (the maximum free allocation). Choose Ubuntu 22.04 as the image. Add your SSH public key.

3. Open firewall ports

Oracle Cloud has two layers of firewalls: the VCN security list and the OS firewall. In the Oracle Cloud console, go to Networking → Virtual Cloud Networks → your VCN → Security Lists. Add ingress rules for ports 22 (SSH) and 443 (HTTPS).

Then on the instance itself:

sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 443 -j ACCEPT
sudo netfilter-persistent save

4. Install Docker and deploy OpenClaw

sudo apt update && sudo apt upgrade -y
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER

docker run -d --name openclaw \
  --restart unless-stopped \
  -v ~/.openclaw:/data \
  -p 3456:3456 \
  openclaw/openclaw

Prevent Oracle reclaiming your instance Oracle may reclaim idle Always Free instances. Set up a simple cron job (crontab -e) that runs a lightweight task every 10 minutes to keep CPU usage above zero: */10 * * * * echo "keepalive" > /dev/null. OpenClaw's heartbeat system usually generates enough activity on its own, but the cron job is cheap insurance.

Docker Deployment (Any Provider)

Docker is the recommended deployment method for any VPS. It gives you isolation, easy updates, and automatic restarts in a single command.

The core command

docker run -d --name openclaw \
  --restart unless-stopped \
  -v ~/.openclaw:/data \
  -p 3456:3456 \
  openclaw/openclaw

Here's what each flag does:

-d -- Run in the background (detached mode)
--name openclaw -- Give the container a memorable name
--restart unless-stopped -- Automatically restart after crashes or server reboots
-v ~/.openclaw:/data -- Persist your data, skills, and configuration outside the container
-p 3456:3456 -- Expose the gateway web interface

Checking logs

docker logs -f openclaw

Updating OpenClaw

docker pull openclaw/openclaw:latest
docker stop openclaw
docker rm openclaw
docker run -d --name openclaw \
  --restart unless-stopped \
  -v ~/.openclaw:/data \
  -p 3456:3456 \
  openclaw/openclaw

Your data persists in ~/.openclaw because of the volume mount. The container is disposable -- your configuration and memory are not.

Docker Compose (optional)

If you prefer Docker Compose, create a docker-compose.yml:

version: '3.8'
services:
  openclaw:
    image: openclaw/openclaw:latest
    container_name: openclaw
    restart: unless-stopped
    volumes:
      - ~/.openclaw:/data
    ports:
      - "3456:3456"

Then run docker compose up -d. Updates become docker compose pull && docker compose up -d.

Security Hardening

A VPS running OpenClaw is exposed to the public internet. As of February 2026, these are the essential steps to lock it down. Skip none of them.

1. SSH key authentication only

Disable password-based SSH login entirely. Edit /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password

Then restart SSH: sudo systemctl restart sshd

2. Firewall (UFW)

Only allow the ports you actually need:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp    # SSH
sudo ufw allow 443/tcp   # HTTPS (via reverse proxy)
sudo ufw enable

Do not expose port 3456 publicly. Access the OpenClaw gateway through a reverse proxy on port 443 instead.

3. Change the default gateway password

OpenClaw's web gateway ships with a default admin password. Change it immediately after first login. This is the most commonly overlooked step -- and the easiest attack vector.

4. Install fail2ban

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

fail2ban monitors SSH login attempts and temporarily bans IPs that fail too many times. The default configuration works out of the box for SSH.

5. Automatic security updates

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

Docker adds isolation Running OpenClaw in Docker means that even if a malicious skill escapes the application sandbox, it's still contained within the Docker container. It can't access your host system's files, SSH keys, or other services. This is why Docker is the recommended deployment method for VPS hosting.

Reverse Proxy with Caddy (Automatic HTTPS)

You don't want users accessing your OpenClaw gateway over unencrypted HTTP. A reverse proxy handles HTTPS for you. Caddy is the best option because it auto-manages SSL certificates from Let's Encrypt -- zero configuration required.

1. Point your domain to your server

Create an A record in your DNS provider pointing openclaw.yourdomain.com to your server's IP address. Wait for propagation (usually 5-15 minutes).

2. Install Caddy

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy -y

3. Configure Caddy

Edit /etc/caddy/Caddyfile:

openclaw.yourdomain.com {
    reverse_proxy localhost:3456
}

That's the entire configuration. Caddy automatically obtains and renews Let's Encrypt certificates.

4. Restart Caddy

sudo systemctl restart caddy

Your OpenClaw gateway is now available at https://openclaw.yourdomain.com with a valid SSL certificate.

Alternative: nginx

If you prefer nginx, it works fine but requires manual certificate management with certbot. Caddy saves you that overhead, which is why we recommend it for single-service setups like this.

Keep It Running: systemd, pm2, and Docker

If you deployed with Docker and used --restart unless-stopped, you're already covered -- Docker handles restarts after crashes and reboots. For non-Docker installs, you have two options.

Option 1: systemd service file

Create /etc/systemd/system/openclaw.service:

[Unit]
Description=OpenClaw AI Agent
After=network.target

[Service]
Type=simple
User=openclaw
WorkingDirectory=/home/openclaw
ExecStart=/usr/local/bin/openclaw start
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

Enable and start it:

sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw

View logs with journalctl -u openclaw -f.

Option 2: pm2 (Node.js process manager)

npm install -g pm2
pm2 start openclaw -- start
pm2 save
pm2 startup

pm2 provides automatic restarts, log management, and a monitoring dashboard. It's overkill if Docker is an option, but useful if you're running OpenClaw alongside other Node.js applications.

Monitoring Your Server

Once OpenClaw is running, you'll want to keep an eye on resource usage and catch issues early.

Docker logs

docker logs -f openclaw          # Live log stream
docker stats openclaw             # CPU, memory, network in real time

systemd logs

journalctl -u openclaw -f         # Live log stream
journalctl -u openclaw --since "1 hour ago"  # Recent logs

Disk usage

df -h                             # Overall disk usage
du -sh ~/.openclaw                # OpenClaw data directory size

OpenClaw's persistent memory and skill data grow over time. On a 20 GB server, check disk usage monthly. On 50 GB or more, you're unlikely to have issues for a year or more.

Full Cost Comparison

Here's the real monthly cost of running OpenClaw on each provider, including the server and a moderate AI API budget (Source: provider pricing pages as of February 2026).

Provider	Server Cost	AI API (est.)	Total Monthly
Oracle Cloud Free	$0	$20-40	$20-40
AWS Lightsail Nano	$3.50	$20-40	$23.50-43.50
Hetzner CX22	$4.15	$20-40	$24.15-44.15
AWS Lightsail Micro	$5	$20-40	$25-45
DigitalOcean 1 GB	$6	$20-40	$26-46
Vultr 1 GB	$6	$20-40	$26-46
Google Cloud e2-micro	$6.11	$20-40	$26.11-46.11
DigitalOcean 2 GB	$12	$20-40	$32-52

If you use local models via Ollama on the Oracle Cloud ARM instance (which has 24 GB RAM -- enough for 7B-13B parameter models), you can run the entire stack for $0/month. See our Run OpenClaw for Free guide for that setup.

For a full breakdown of API costs per model, see our OpenClaw Pricing Guide.

Common Mistakes to Avoid

Exposing port 3456 directly. Always put a reverse proxy in front of the gateway. Direct exposure means no HTTPS and no protection against brute-force login attempts.
Forgetting to mount a volume. Without -v ~/.openclaw:/data, your configuration, memory, and skills vanish when the container restarts.
Using the default gateway password. Change it on first login. Automated scanners will find your server within hours of creation.
Skipping fail2ban. SSH brute-force attacks start within minutes of a new server going online. fail2ban is one command to install and works immediately.
Choosing 512 MB RAM and running multiple skills. The $3.50 AWS Lightsail plan works for a single-channel, minimal-skills setup. If you're running 3+ skills with browser automation, step up to 2 GB.

What You Should Do Next

Pick a provider. Oracle Cloud Free Tier for $0, DigitalOcean for simplicity, Hetzner for EU value.
Deploy with Docker. Use the docker run command above. Takes 2 minutes.
Harden security. SSH keys, firewall, fail2ban, change default password. Takes 10 minutes.
Set up Caddy. Reverse proxy with automatic HTTPS. Takes 5 minutes.
Connect your messaging channels. Follow the setup wizard in the gateway dashboard.

Total time from zero to a running, secured, HTTPS-enabled OpenClaw server: about 30 minutes. Total cost: $0 to $12/month for the server, plus your AI API budget.

Install Your Chief AI Officer

Start with our beginner installation guide. It covers prerequisites, API keys, and your first messaging channel.

Read the Install Guide →