- Company-shared agents are fine when everyone is in the same trust boundary and the runtime is business-only.
- Keep strict separation: dedicated VPS/runtime + dedicated accounts; no personal Apple/Google/browser/password-manager profiles on that host.
- If users are adversarial to each other, split by gateway/host/OS user.
What you need
- Hetzner VPS with root access
- SSH access from your laptop
- Docker and Docker Compose
- Model auth credentials
- Optional provider credentials (WhatsApp QR, Telegram bot token, Gmail OAuth)
- ~20 minutes
Quick path
- Provision Hetzner VPS
- Install Docker
- Clone the OpenClaw repository
- Create persistent host directories
- Configure
.envanddocker-compose.yml - Bake required binaries into the image
docker compose up -d- Verify persistence and Gateway access
Provision the VPS
Create an Ubuntu or Debian VPS in Hetzner, then connect as root:Treat the VPS as stateful, not disposable infrastructure.
Clone the OpenClaw repository
Create persistent host directories
Docker containers are ephemeral; all long-lived state must live on the host.
Configure environment variables
Create Set Do not commit this file. It holds container/runtime env such as
.env in the repository root:OPENCLAW_GATEWAY_TOKEN to manage the stable gateway token through
.env; otherwise configure gateway.auth.token before relying on clients
across restarts. If neither is set, OpenClaw uses a runtime-only token for
that startup. Generate a keyring password for GOG_KEYRING_PASSWORD:OPENCLAW_GATEWAY_TOKEN. Stored provider OAuth/API-key auth lives in the
mounted ~/.openclaw/agents/<agentId>/agent/auth-profiles.json.Docker Compose configuration
Create or update
docker-compose.yml:--allow-unconfigured is only for bootstrap convenience, not a substitute for real gateway configuration. Still set auth (gateway.auth.token or password) and a safe bind mode for your deployment.Shared Docker VM runtime steps
Follow the shared runtime guide for the common Docker host flow:
Hetzner-specific access
After the shared build and launch steps, open the tunnel.Prerequisite: ensure your VPS sshd config allows TCP forwarding. If you
hardened your SSH config, check Open
/etc/ssh/sshd_config and set:local allows ssh -L local forwards from your laptop while blocking
remote forwards from the server. Setting it to no fails the tunnel with:
channel 3: open failed: administratively prohibited: open failedAfter confirming TCP forwarding is enabled, restart the SSH service
(systemctl restart ssh) and run the tunnel from your laptop:http://127.0.0.1:18789/ and paste the configured shared secret.
This guide uses the gateway token by default; use your configured password
instead if you switched to password auth.Infrastructure as Code (Terraform)
For teams preferring infrastructure-as-code workflows, a community-maintained Terraform setup provides:- Modular Terraform configuration with remote state management
- Automated provisioning via cloud-init
- Deployment scripts (bootstrap, deploy, backup/restore)
- Security hardening (firewall, UFW, SSH-only access)
- SSH tunnel configuration for gateway access
- Infrastructure: openclaw-terraform-hetzner
- Docker config: openclaw-docker-config
Community-maintained. For issues or contributions, see the repository links above.
Next steps
- Set up messaging channels: Channels
- Configure the Gateway: Gateway configuration
- Keep OpenClaw up to date: Updating