clawmechanic.ai › hetzner-vps-setup

Docs · Server Setup

Set Up a Hetzner VPS
for OpenClaw

A step-by-step walkthrough with real screenshots. No server experience needed — just follow along.

Lite — CPX22 · 4 GB RAM Heavy — CPX32 · 8 GB RAM

Which server do I need?

Use Case	Plan	RAM	CPU	SSD	Est. Price
LITE 1 bot, personal use	CPX22	4 GB	3 vCPU	80 GB	~$6.59/mo
HEAVY Multiple bots, production	CPX32	8 GB	4 vCPU	160 GB	~$12/mo

Create your Hetzner account

hetzner.com → Login → Console → Register

Go to hetzner.com. In the top-right navigation, click Login → Console. On the login screen, click Register now if you don't have an account.

console.hetzner.cloud — Login

Fill in your email and a strong password. Complete the contact info and payment screens that follow.

Registration complete ✓

💰

€20 free credit on new accountsEnough to run a CPX22 for 2–3 months before you're charged anything.

Generate your SSH key pair

Terminal (Mac/Linux) or PowerShell (Windows) — run on your local machine

SSH keys replace passwords for server login — more secure, more convenient. One command creates two files: a private key (never leaves your machine) and a public key (you give this to Hetzner).

Terminal — generate key pair

ssh-keygen -t ed25519 -C "openclaw" -f ~/.ssh/openclaw_key

→When asked for a passphrase: press Enter twice to skip, or type one for extra security
→Two files appear in ~/.ssh/ — openclaw_key (private) and openclaw_key.pub (public)

Now print your public key so you can copy it:

View your public key

cat ~/.ssh/openclaw_key.pub

The output will look something like this — copy the entire line:

Example output

          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...  openclaw

🔐

Save both keys in your password manager right nowOpen 1Password, Bitwarden, or similar. Create a Secure Note. Paste the public key output. Note the private key path (~/.ssh/openclaw_key). You'll need this if you ever change machines.

🪟

WindowsSame commands work in PowerShell. Keys save to C:\Users\YourName\.ssh\

Create your server

console.hetzner.cloud → your project → Create Resource → Servers

After logging in you'll land on your project dashboard. Rename the default project to something descriptive like OpenClaw (click the ⋯ menu on the project card). Then click Create Server under that project.

Hetzner Console — Projects → Create Server

⚙️ Type Regular Performance → x86 (AMD)

Select Regular Performance under Shared Resources. Best price/performance for OpenClaw. Architecture: x86 (AMD).

Create Server → Type

Scroll down in that section to the server list and select CPX22 (lite) or CPX32 (heavy):

CPX22 selected — 3 vCPU · 4 GB RAM · $4.99/mo

✅

CPX22 for lite use · CPX32 for heavy useThe total shown (image above) is $6.59/mo — that includes the server + backups + IPv4. Backups are optional but recommended.

📍 Location

Pick the region closest to you or your users. Any works fine.

Location selection

🐧 Image — Ubuntu 22.04

Select Ubuntu, then use the version dropdown to switch from 24.04 → 22.04 LTS. OpenClaw is tested on 22.04.

Image → Ubuntu (change dropdown to 22.04)

⚠️

Must change to Ubuntu 22.04The default selected version is 24.04. Click the dropdown arrow on the Ubuntu card and switch it to 22.04 LTS before proceeding.

🌐 Networking

Leave Public IPv4 and Public IPv6 both checked. No private networks needed.

🔑 SSH Keys — paste your public key here

This is critical. Without it, Hetzner emails you a root password instead — less secure. Click + Add SSH key:

SSH Keys — no key added yet

+ Add SSH key — paste your .pub content here

After adding, your key appears as a card. Make sure it's selected (red border = selected):

SSH key added and selected ✓

📦 Volumes / Firewalls / Backups / Cloud Config / Labels

We'll set up the firewall separately after the server is running (Step 5). For now:

→Volumes — skip, not needed
→Firewalls — skip for now, we'll add one after creation
→Backups — optional but recommended (+20% of server price ≈ $1/mo for CPX22)
→Cloud config / Labels / Placement groups — skip all

🚀 Name your server and buy

Give it a name (e.g. openclaw-prod) and click Create & Buy now. The server is ready in about 30 seconds.

Name your server

Buy your server

Set up a firewall

console.hetzner.cloud → Create Resource → Firewalls

A firewall blocks all unwanted inbound traffic while keeping your bot's outbound connections open. You only need two inbound rules: SSH (so you can connect) and PING (for diagnostics).

From your project dashboard, click Create Resource → Firewalls:

Dashboard → Create Resource → Firewalls

Inbound rules — SSH + PING only

Hetzner adds these two rules by default when you create a firewall. Leave them exactly as shown — don't add anything else:

Inbound rules — SSH (TCP/22) + PING (ICMP)

💡

Why only SSH and PING?OpenClaw's outbound tunnel means ClawMechanic connects out from your server — no inbound ports needed for monitoring. Keeping inbound ports minimal is correct and intentional.

Outbound rules

Leave outbound rules empty (no rules = all outbound traffic allowed). This is what you want.

Name and create

Give the firewall a name like openclaw-fw and click Create Firewall:

Name your firewall

Create Firewall

You can leave Apply to and Labels blank — the firewall will be applied to your VPS automatically when you create it.

🔒

Your server is now locked downOnly SSH (port 22) is open inbound. All outbound traffic — including ClawMechanic's monitoring tunnel — is allowed.

Server ready.

Your Hetzner VPS is running, secured with SSH keys, firewall active, and Node.js installed. Next: install OpenClaw and connect to ClawMechanic.

Start Free Trial →

Set Up a Hetzner VPSfor OpenClaw

Create your Hetzner account

Generate your SSH key pair

Create your server

Set up a firewall

Server ready.

Set Up a Hetzner VPS
for OpenClaw