Deploying OpenClaw on a VPS: DigitalOcean, Hetzner, AWS

Deploy OpenClaw on a VPS with DigitalOcean, Hetzner, or AWS. Full guide covering server setup, Nginx reverse proxy, TLS, systemd, and remote access for DenchClaw.

Mark Rachapoom

March 26, 2026·7 min read

Deploying OpenClaw on a VPS gives you persistent access to your DenchClaw workspace from any device — your phone, a second computer, or a team member's machine — without keeping your laptop running. This guide covers the full setup on DigitalOcean, Hetzner, and AWS, with Nginx reverse proxy, TLS via Let's Encrypt, and systemd for process management.

For Docker-based deployment, see Running OpenClaw in Docker. For basic setup, start with the DenchClaw setup guide.

Choosing a VPS Provider#

All three providers work well for DenchClaw. Here's how they compare:

Provider	Cheapest Option	CPU	RAM	Best For
Hetzner	€4/mo (CX22)	2 vCPU	4 GB	Best price/performance, EU data centers
DigitalOcean	$6/mo (Basic)	1 vCPU	1 GB	Simplest UI, good docs, US/global
AWS	~$8/mo (t3.micro)	2 vCPU	1 GB	Enterprise compliance, global reach

Recommendation for most users: Hetzner CAX11 (ARM64, 2 vCPU, 4 GB, €3.79/mo) is exceptional value. DigitalOcean's $6 Droplet works but the 1 GB RAM can be tight under load — consider the $12 option with 2 GB.

Server Requirements#

Minimum:

OS: Ubuntu 22.04 LTS or Debian 12
RAM: 1 GB (2 GB recommended)
Disk: 20 GB
Node.js: 20+

DenchClaw's memory usage is typically 200–400 MB idle. Leave headroom for the OS and occasional spikes.

Step 1: Provision Your Server#

DigitalOcean#

Go to cloud.digitalocean.com → Create Droplet
Choose Ubuntu 22.04 LTS
Plan: Basic, $12/month (2 GB RAM recommended)
Authentication: SSH key (strongly preferred over password)
Hostname: denchclaw-prod or similar

# From your local machine, add your public key if you haven't:
ssh-copy-id root@your-droplet-ip

Hetzner#

Go to console.hetzner.cloud → New Server
Location: choose nearest region
Image: Ubuntu 22.04
Type: CX22 (x86) or CAX11 (ARM, better value)
SSH key: add your public key

AWS EC2#

EC2 Console → Launch Instance
AMI: Ubuntu 22.04 LTS
Instance type: t3.small (2 vCPU, 2 GB) — t3.micro works but is tight
Key pair: create or select existing
Security group: allow inbound SSH (22), HTTP (80), HTTPS (443)

Step 2: Initial Server Setup#

SSH into your new server:

ssh root@your-server-ip

Update the System#

apt update && apt upgrade -y
apt install -y curl git ufw fail2ban

Configure Firewall#

ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
ufw status

Create a Non-Root User#

adduser denchclaw
usermod -aG sudo denchclaw
# Copy SSH key to new user
rsync --archive --chown=denchclaw:denchclaw ~/.ssh /home/denchclaw

Switch to the new user for the rest of the setup:

su - denchclaw

Step 3: Install Node.js#

# Install nvm
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
source ~/.bashrc
 
# Install Node.js 20
nvm install 20
nvm use 20
nvm alias default 20
 
# Verify
node --version   # v20.x.x
npm --version

Step 4: Install DenchClaw#

# Install globally
npm install -g denchclaw
 
# Create workspace directory
mkdir -p ~/.openclaw-dench/workspace
 
# Set your API key
export ANTHROPIC_API_KEY=sk-ant-your-key-here
 
# Run initial setup (this initializes the workspace)
npx denchclaw --setup-only

If npx denchclaw tries to open a browser, that's expected — it won't work in SSH, but the workspace will still initialize. Stop it with Ctrl+C after initialization completes.

Step 5: Configure Systemd Service#

This keeps DenchClaw running in the background and restarts it on crashes or reboots.

Create the service file:

sudo nano /etc/systemd/system/denchclaw.service

[Unit]
Description=DenchClaw AI Workspace
After=network.target
 
[Service]
Type=simple
User=denchclaw
WorkingDirectory=/home/denchclaw
ExecStart=/home/denchclaw/.nvm/versions/node/v20.x.x/bin/openclaw gateway start --bind 127.0.0.1
Restart=always
RestartSec=10
StandardOutput=journal
StandardError=journal
SyslogIdentifier=denchclaw
Environment="ANTHROPIC_API_KEY=sk-ant-your-key"
Environment="NODE_ENV=production"
Environment="DENCHCLAW_WORKSPACE=/home/denchclaw/.openclaw-dench/workspace"
 
[Install]
WantedBy=multi-user.target

Replace the Node.js path with the actual path from which openclaw or which node.

Enable and start:

sudo systemctl daemon-reload
sudo systemctl enable denchclaw
sudo systemctl start denchclaw
sudo systemctl status denchclaw

Check logs:

journalctl -u denchclaw -f

Step 6: Install Nginx#

sudo apt install -y nginx

Configure Reverse Proxy#

Create the site config:

sudo nano /etc/nginx/sites-available/denchclaw

server {
    listen 80;
    server_name your-domain.com;
 
    # Redirect HTTP to HTTPS (after cert is installed)
    return 301 https://$host$request_uri;
}
 
server {
    listen 443 ssl http2;
    server_name your-domain.com;
 
    # SSL (filled in by Certbot)
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
    # Security headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
 
    # Web UI
    location / {
        proxy_pass http://127.0.0.1:3100;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
    }
 
    # Gateway API
    location /api/ {
        proxy_pass http://127.0.0.1:3101/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Enable the site:

sudo ln -s /etc/nginx/sites-available/denchclaw /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Step 7: TLS With Let's Encrypt#

Point your domain to the server's IP first (DNS A record), then:

sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d your-domain.com

Follow the prompts. Certbot auto-updates the Nginx config and sets up auto-renewal.

Verify renewal works:

sudo certbot renew --dry-run

Step 8: Optional — IP Allowlist for Extra Security#

If you want to restrict access to specific IP addresses (your home, office, VPN):

location / {
    # Only allow specific IPs
    allow 203.0.113.10;   # your home IP
    allow 198.51.100.20;  # your office IP
    deny all;
 
    proxy_pass http://127.0.0.1:3100;
    # ... rest of proxy config
}

Or use HTTP Basic Auth as a lightweight gate:

sudo apt install -y apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd yourname

location / {
    auth_basic "DenchClaw";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://127.0.0.1:3100;
    # ...
}

Automated Backups on the VPS#

Don't skip this. Set up the backup cron job from the backup guide on the VPS, and sync to an external location:

# Install rclone for offsite backup
curl https://rclone.org/install.sh | sudo bash
rclone config  # configure your cloud provider
 
# Backup cron job
crontab -e

Add:

0 3 * * * /home/denchclaw/scripts/backup-denchclaw.sh && rclone sync ~/backups/denchclaw b2:my-bucket/denchclaw/

Monitoring#

A simple uptime check using a free tier of UptimeRobot or similar:

URL: https://your-domain.com/health
Interval: 5 minutes
Alert: email/SMS if down

For logs:

# Live gateway logs
journalctl -u denchclaw -f
 
# Nginx access logs
tail -f /var/log/nginx/access.log
 
# Nginx error logs
tail -f /var/log/nginx/error.log

Keeping DenchClaw Updated#

# Update the npm package
npm update -g denchclaw
 
# Restart the service
sudo systemctl restart denchclaw
sudo systemctl status denchclaw

Back up before updating:

~/scripts/backup-denchclaw.sh && npm update -g denchclaw && sudo systemctl restart denchclaw

FAQ#

Do I need a domain name?
Not strictly. You can access via IP (http://your-server-ip:3100) without a domain. But TLS (HTTPS) requires a domain for Let's Encrypt. For anything beyond personal use, a domain is strongly recommended.

How do team members access a shared VPS deployment?
Point them to the HTTPS URL. Authentication is handled by the DenchClaw gateway. Multi-user workspace features are on the 2026 roadmap.

Which cloud provider is cheapest for a single-user deployment?
Hetzner, by a meaningful margin. Their CAX11 ARM instance at €3.79/month has 2 vCPU and 4 GB RAM — outperforming DigitalOcean's $6 Droplet on both price and specs.

Can I use Caddy instead of Nginx?
Yes. Caddy auto-handles TLS and has simpler config. Replace the Nginx setup with a Caddyfile:

your-domain.com {
    reverse_proxy 127.0.0.1:3100
}

What's the expected uptime with systemd restart configured?
DenchClaw is stable in production. With systemd restart and a reliable VPS, expect 99.9%+ uptime for the gateway service itself. VPS provider SLAs vary: DigitalOcean and Hetzner both offer 99.99% network uptime guarantees.

Ready to try DenchClaw? Install in one command: npx denchclaw. Full setup guide →