🦞 OpenClaw

How to Deploy an AI Agent on a VPS: DigitalOcean, Hetzner, Railway — 2026 Guide

Your AI agent shouldn't depend on your laptop being open. Here's how to deploy it to a VPS so it runs 24/7 — accessible from anywhere, secure, and monitored.

Updated March 2026 · ~15 min read · 3 providers compared

Why Deploy Your AI Agent on a VPS?

Running an AI agent on your laptop works fine — until you close the lid. A VPS gives your agent a permanent home: always on, always reachable, always working. Here's what you gain:

🕐 24/7 Availability

Your agent responds to messages, monitors inboxes, and runs scheduled tasks even while you sleep.

📱 Access From Anywhere

Talk to your agent from your phone, tablet, or any device — no need to be on the same network.

⚡ Consistent Performance

No more agent slowdowns when your laptop is running Slack, Chrome, and a dozen other apps.

🔒 Better Security

Isolate your agent on a dedicated server with proper firewall rules and SSH hardening.

Important: AI agents like OpenClaw don't run models locally — they call cloud APIs (Anthropic, OpenAI, Google) for inference. This means you don't need a GPU or beefy hardware. A $5/month VPS with 1 vCPU and 1GB RAM is genuinely enough.

What You'll Need

Before we start, make sure you have:

  • A VPS account (we'll help you choose below)
  • An API key for your preferred AI model (Anthropic, OpenAI, or Google)
  • Basic comfort with the command line (SSH, cd, nano)
  • ~30 minutes of your time
  • A Tailscale account (free, recommended for secure access)
  • A Telegram or Discord bot token (if you want messaging integration)

Don't have a model API key yet? Check our AI model pricing comparison to pick the best one for your budget.

Choosing a VPS Provider

There are dozens of VPS providers, but three stand out for running AI agents in 2026. Here's the honest breakdown:

🌊

DigitalOcean

Best for Beginners

The most beginner-friendly option. Great UI, excellent documentation, one-click apps. Slightly more expensive than Hetzner but worth it if you value simplicity.

Starting price: $6/mo (1 vCPU, 1GB RAM, 25GB SSD)
Recommended: $12/mo (1 vCPU, 2GB RAM, 50GB SSD)
Regions: 14 data centers worldwide
Pros: Simple UI, great docs, marketplace

🏗️

Hetzner

Best Value

The price-performance king. European company with data centers in Germany, Finland, and the US. You get 2–3x more resources per dollar compared to DigitalOcean or AWS. The UI is less polished but perfectly functional.

Starting price: €3.79/mo (2 vCPU, 4GB RAM, 40GB SSD)
Recommended: €5.39/mo (2 vCPU, 8GB RAM, 80GB SSD)
Regions: Nuremberg, Falkenstein, Helsinki, Ashburn, Hillsboro
Pros: Unbeatable pricing, 20TB bandwidth included

🚂

Railway

Best for Developers

Not a traditional VPS — it's a PaaS that deploys containers. Push code or a Dockerfile, Railway handles the rest. Great if you hate server administration. Pay-as-you-go pricing can surprise you, though.

Starting price: $5/mo + usage (pay per vCPU-hour and GB-hour)
Typical cost: $7–$15/mo (for a light always-on service)
Regions: US West, US East, EU West
Pros: Zero server management, git deploy, auto-scaling

Provider Comparison

| Feature | DigitalOcean | Hetzner | Railway |
|---|---|---|---|
| Min. monthly cost | $6 | €3.79 (~$4) | ~$7 |
| Setup difficulty | Easy | Moderate | Easiest |
| SSH access | ✅ Full root | ✅ Full root | ⚠️ Limited (container) |
| Persistent storage | ✅ Block + Spaces | ✅ Block + Volumes | ✅ Volumes (extra cost) |
| Tailscale support | ✅ Easy | ✅ Easy | ⚠️ Possible (userspace) |
| Bandwidth | 1–6TB included | 20TB included | 100GB + $0.10/GB |
| Best for | First-timers | Cost-conscious | Hate sysadmin |

Our recommendation: If you want the best value and don't mind a slightly less polished UI, go with Hetzner. If you want the smoothest experience and are willing to pay a small premium, go with DigitalOcean. If you hate managing servers entirely, try Railway.

Step 1: Initial Server Setup

Once you've created your VPS (we'll use Ubuntu 24.04 LTS as the example), SSH in and do the basics:

1. SSH into your server

ssh root@your-server-ip

2. Update the system and install essentials

apt update && apt upgrade -y
apt install -y curl git build-essential ufw fail2ban

3. Create a non-root user

# Create user with sudo access
adduser openclaw
usermod -aG sudo openclaw

# Copy SSH keys to new user
mkdir -p /home/openclaw/.ssh
cp ~/.ssh/authorized_keys /home/openclaw/.ssh/
chown -R openclaw:openclaw /home/openclaw/.ssh
chmod 700 /home/openclaw/.ssh
chmod 600 /home/openclaw/.ssh/authorized_keys

4. Configure the firewall

# Allow SSH, deny everything else
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw enable
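
5. Disable root login and password auth

# Edit SSH config
nano /etc/ssh/sshd_config

# Set these values:
# PermitRootLogin no
# PasswordAuthentication no
# Note: files in /etc/ssh/sshd_config.d/ are included first and take precedence,
# so check them for conflicting values (cloud images often ship one).

# Validate the config, then restart (the unit is named "ssh" on Ubuntu)
sshd -t
systemctl restart ssh

# Confirm the effective settings
sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication) '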

⚠️ Before disabling root login: Make sure you can SSH in as your new user first! Open a second terminal, test ssh openclaw@your-server-ip, and verify it works before locking yourself out.

For a deeper dive on server hardening, check our AI agent security guide.

Step 2: Installing OpenClaw

Now log in as your new user and install OpenClaw:

1. Install Node.js (v22+ required)

# Install via NodeSource
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs

# Verify
node --version   # Should be v22.x+
npm --version

2. Install OpenClaw

sudo npm install -g openclaw

3. Run the setup wizard

openclaw setup

This will walk you through configuring your AI model API key, messaging integrations (Telegram, Discord), and workspace settings.

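4. Configure your environment

# Create your env file
nano ~/.openclaw/.env

# Add your API keys:
ANTHROPIC_API_KEY=sk-ant-...
TELEGRAM_BOT_TOKEN=123456:ABC...
# Add any other integrations

# Back in the shell: make the file readable only by your user (it holds secrets)
chmod 600 ~/.openclaw/.env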

5. Test it

# Start the gateway
openclaw gateway start

# Check status
openclaw gateway status

If everything is green, your agent is alive. Send it a test message through Telegram or Discord.

Pro tip: Set up your SOUL.md and USER.md files in your workspace to give your agent personality and context. See our guide on writing the perfect SOUL.md.

Step 3: Setting Up Tailscale

Tailscale creates a private, encrypted network between your devices. It's the best way to securely access your agent's VPS without exposing ports to the internet. Free for personal use (up to 100 devices).

Why Tailscale?

  • Zero open ports — Your VPS firewall can block everything except Tailscale
  • WireGuard encryption — Fast, modern, battle-tested
  • Magic DNS — Access your server as my-vps.tail1234.ts.net instead of remembering IPs
  • Works everywhere — Phone, laptop, other servers — all on the same network
  • SSH via Tailscale — No need to expose port 22 to the world

Installation

# Install Tailscale on your VPS
curl -fsSL https://tailscale.com/install.sh | sh

# Authenticate
sudo tailscale up

# Check your Tailscale IP
tailscale ip -4

Install Tailscale on your personal devices too. Now you can SSH into your VPS using the Tailscale IP or Magic DNS hostname — even from your phone.

Lock Down SSH to Tailscale Only

Once Tailscale is working, you can remove the public SSH rule from your firewall:

# Allow SSH over the Tailscale interface first
sudo ufw allow in on tailscale0 to any port 22

# Confirm from a second terminal that SSH works via the Tailscale IP,
# then remove public SSH access
sudo ufw delete allow ssh

# Verify
sudo ufw status

Result: Your VPS now has zero publicly open ports. SSH only works through the Tailscale tunnel. This is the gold standard for security.

Configure your OpenClaw gateway to bind to the Tailscale interface for the companion app, or use the gateway.remote.url setting for remote access. Details in the OpenClaw setup guide.
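
To confirm that the SSH hardening from Step 1 and the Tailscale-only firewall rule actually took effect, the following added example (not part of OpenClaw or of the original guide) parses the output of `sshd -T` and `ufw status`. The function names are hypothetical and the sample `ufw status` output is constructed.

```bash
#!/usr/bin/env bash
# Added example (not OpenClaw tooling): audit the SSH and firewall lockdown.
# On the VPS:  sudo sshd -T | check_sshd ;  sudo ufw status | check_ufw

# stdin: output of `sshd -T`. Returns 0 only if both settings are "no".
check_sshd() {
  awk '
    $1 == "permitrootlogin"        { root = $2 }
    $1 == "passwordauthentication" { pw = $2 }
    END {
      if (root != "no") { print "FAIL permitrootlogin=" root; bad = 1 }
      if (pw != "no")   { print "FAIL passwordauthentication=" pw; bad = 1 }
      exit bad + 0
    }'
}

# stdin: output of `ufw status`. Returns 1 if ufw is inactive or any ALLOW/LIMIT
# rule for port 22 (or the OpenSSH profile) is not bound to tailscale0.
check_ufw() {
  awk '
    /^Status: active/ { active = 1 }
    / (ALLOW|LIMIT) / && ($1 ~ /^22(\/tcp)?$/ || $1 == "OpenSSH") {
      if ($0 ~ / on tailscale0 /) { ts = 1 }
      else { print "FAIL public SSH rule: " $0; bad = 1 }
    }
    END {
      if (!active) { print "FAIL ufw is not active"; bad = 1 }
      if (!ts) { print "WARN no SSH rule on tailscale0" }
      exit bad + 0
    }'
}

# Constructed samples of `ufw status` before and after the Tailscale-only change.
SAMPLE_UFW_BEFORE='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22 on tailscale0           ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'
SAMPLE_UFW_AFTER='Status: active

To                         Action      From
--                         ------      ----
22 on tailscale0           ALLOW       Anywhere
22 (v6) on tailscale0      ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE_UFW_BEFORE" | check_ufw || echo "=> lockdown incomplete"
printf '%s\n' "$SAMPLE_UFW_AFTER" | check_ufw && echo "=> SSH is Tailscale-only"
```

A provider-level cloud firewall, if you use one, is separate from UFW and is not covered by this check.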

Step 4: Keeping Your Agent Running

Your agent needs to survive SSH disconnections, server reboots, and crashes. You have three solid options:

Option A: systemd (Recommended)

The cleanest approach. Create a systemd service that starts on boot, restarts on failure, and logs properly:

# Create the service file
sudo nano /etc/systemd/system/openclaw.service

Paste in the following unit definition:

[Unit]
Description=OpenClaw AI Agent Gateway
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=openclaw
Group=openclaw
WorkingDirectory=/home/openclaw/.openclaw/workspace
ExecStart=/usr/bin/openclaw gateway start --foreground
Restart=always
RestartSec=10
Environment=NODE_ENV=production
EnvironmentFile=/home/openclaw/.openclaw/.env

# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=/home/openclaw

[Install]
WantedBy=multi-user.target

# Enable and start
sudo systemctl daemon-reload
sudo systemctl enable openclaw
sudo systemctl start openclaw

# Check status
sudo systemctl status openclaw

# View logs
sudo journalctl -u openclaw -f
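
The unit above loads API keys through EnvironmentFile= instead of writing them into the unit itself. The following added example (not part of OpenClaw or of the original guide) checks both halves of that arrangement: that the env file is private, and that no secret has crept into an inline Environment= line. The function names and the sample unit text are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not OpenClaw tooling): check how the service's secrets are stored.
# On the VPS:
#   env_file_private /home/openclaw/.openclaw/.env
#   unit_has_no_inline_secrets < /etc/systemd/system/openclaw.service

# Return 0 if $1 is a regular file with no group/other permission bits (e.g. 600).
env_file_private() {
  f=$1
  if [ ! -f "$f" ] || [ -L "$f" ]; then
    echo "FAIL $f: missing or not a regular file"; return 1
  fi
  # Characters 5-10 of `ls -ld` are the group and other permission bits.
  go_bits=$(ls -ld "$f" | cut -c5-10)
  if [ "$go_bits" != "------" ]; then
    echo "FAIL $f: group/other bits '$go_bits' set (fix with chmod 600)"; return 1
  fi
}

# stdin: a unit file. Return 1 if a secret-looking variable is set inline with
# Environment= (visible to any local user via `systemctl show`) rather than
# through EnvironmentFile=. Only the line number is printed, never the value.
unit_has_no_inline_secrets() {
  awk '
    /^[ \t]*Environment=/ && toupper($0) ~ /(KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*=/ {
      print "FAIL line " NR ": secret set inline with Environment="; bad = 1
    }
    END { exit bad + 0 }'
}

# Constructed sample: lines from the guide's unit plus one bad inline secret.
SAMPLE_UNIT='[Service]
Environment=NODE_ENV=production
EnvironmentFile=/home/openclaw/.openclaw/.env
Environment=ANTHROPIC_API_KEY=sk-ant-CONSTRUCTED'

printf '%s\n' "$SAMPLE_UNIT" | unit_has_no_inline_secrets \
  || echo "=> move secrets into the env file"
```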

Option B: PM2

If you're more comfortable with Node.js tooling:

# Install PM2
sudo npm install -g pm2

# Start OpenClaw with PM2
pm2 start "openclaw gateway start --foreground" --name openclaw

# Save the process list and set up startup script
pm2 save
pm2 startup

Option C: tmux / screen (Quick & Dirty)

Good for testing, not recommended for production:

# Start a tmux session
tmux new -s openclaw

# Start the gateway
openclaw gateway start

# Detach with Ctrl+B then D
# Reattach later with: tmux attach -t openclaw

tmux warning: This doesn't survive server reboots. Use systemd or PM2 for anything you care about keeping running.

Step 5: Monitoring & Logs

Your agent is running. Now you need to know when something goes wrong. Here's a practical monitoring setup:

Basic Health Checks

# Check if the process is running
systemctl is-active openclaw

# View recent logs
journalctl -u openclaw --since "1 hour ago"

# Check resource usage
htop
# or
top -u openclaw

Disk Space Monitoring

Logs and workspace files can fill up small VPS disks. Set up a simple cron alert:

# Add to crontab (crontab -e)
# Check disk usage every 6 hours, warn if > 85%
0 */6 * * * df -h / | awk 'NR==2{if(int($5)>85) print "DISK WARNING: "$5" used"}' | logger -t disk-alert

Auto-Restart on Failure

The systemd service config above already handles this with Restart=always and RestartSec=10. If the process crashes, systemd will restart it after 10 seconds. Check restart count:

systemctl show openclaw --property=NRestarts

Uptime Monitoring (Optional)

For extra peace of mind, use a free uptime monitor like UptimeRobot or Better Stack to ping your agent's health endpoint and alert you via email or Slack if it goes down.

OpenClaw built-in: The gateway has a built-in healthcheck system. Use the openclaw healthcheck skill to audit your server security and set up automated monitoring. See the security guide for details.

Security Essentials

An AI agent with API keys and system access is a juicy target. Here's the minimum you should do:

✅ Do

  • Use SSH keys, disable password auth
  • Run as non-root user
  • Use Tailscale for access
  • Keep system packages updated
  • Store API keys in env files, not code
  • Set up fail2ban
  • Use UFW or iptables
  • Enable unattended upgrades

❌ Don't

  • Run the agent as root
  • Expose the gateway to the public internet
  • Hardcode API keys in config files
  • Skip firewall setup
  • Use password authentication for SSH
  • Ignore log rotation
  • Give the agent unrestricted sudo
  • Forget to update Node.js

For a comprehensive deep-dive, read our full AI Agent Security Guide — it covers threat modeling, permission scoping, key rotation, and everything else you need.

Common Issues & Fixes

"Gateway won't start"

Usually a port conflict or missing env var.

# Check what's using the port
sudo lsof -i :3000

# Check env vars are loaded
openclaw gateway status

# Check logs for the real error
journalctl -u openclaw --no-pager -n 50

"Can't connect from phone/laptop"

Likely a firewall or Tailscale issue.

# Verify Tailscale is running
tailscale status

# Check if the gateway is listening
ss -tlnp | grep openclaw

# Verify UFW allows Tailscale traffic
sudo ufw status verbose

"Agent stops responding after a few hours"

Could be OOM (out of memory) or unhandled errors.

# Check for OOM kills
dmesg | grep -i oom

# Check memory usage
free -h

# Add swap if needed (2GB)
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

"Telegram/Discord bot not receiving messages"

Webhook URL might not be reachable.

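# Check if the bot token is set (prints a match count, not the token itself)
grep -c '^TELEGRAM_BOT_TOKEN=' /home/openclaw/.openclaw/.env

# Test the bot manually (replace <TOKEN>; the quotes stop the shell from
# treating < and > as redirections)
curl "https://api.telegram.org/bot<TOKEN>/getMe"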

# Check gateway logs for webhook errors
journalctl -u openclaw | grep -i webhook

Don't Want to Do This Yourself?

We offer a done-for-you setup service. We'll deploy your AI agent on a VPS, configure Tailscale, set up monitoring, harden security, and hand you a working agent in under 24 hours.


Your Agent, Always On

Deploying an AI agent to a VPS isn't complicated — it's just a few steps beyond what you'd do for any server application. The real magic happens after deployment: your agent starts checking your emails at 3 AM, handling requests while you're hiking, and doing work before you even ask.

The key decisions are simple: pick a provider (Hetzner for value, DigitalOcean for ease), use Tailscale for security, systemd for persistence, and set up basic monitoring so you know when something goes wrong.

Once it's running, check out 50 things you can automate with your agent to put it to real work.
