What this guide covers

  • Picking a VPS plan that will not feel cramped
  • Getting a secure baseline for SSH, firewall, and updates
  • Installing OpenClaw and keeping it alive with systemd
  • Publishing it safely through HTTPS instead of exposing raw ports
  • A few boring pitfalls that save real downtime

Before you start

  • You can SSH into the server as a sudo user
  • You know your public IP so you can restrict SSH access
  • You have a domain ready if you want a clean HTTPS endpoint
  • You have half an hour where you are not multitasking badly

Recommended baseline VPS specs

OpenClaw itself is not especially heavy. The problem is everything around it: logs, supporting services, automation bursts, and the temptation to keep adding tools after the first successful deploy.

Tier | Practical use | Verdict
1 vCPU / 2GB | Testing, light experiments | Works, but easy to outgrow
2 vCPU / 4GB | Most single-instance deployments | Best default
2–4 vCPU / 8GB | More tools, more agents, more concurrency | Comfortable headroom

Operator note

If you already know you want headed browser automation on the same box, skip the tiny plans. The cheap option becomes expensive the moment you burn hours debugging resource starvation.

Step 1 — create a user and lock down SSH

If you only copy one part of this article, copy this part. SSH hardening is the least glamorous step and the one most likely to save you from a very stupid weekend.

# create a non-root user
sudo adduser claw
sudo usermod -aG sudo claw

# add your SSH public key
sudo -u claw mkdir -p /home/claw/.ssh
sudo -u claw chmod 700 /home/claw/.ssh
sudo -u claw nano /home/claw/.ssh/authorized_keys
sudo -u claw chmod 600 /home/claw/.ssh/authorized_keys

Then update /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Restart SSH and confirm you can reconnect from a fresh terminal before closing the original session.

sudo systemctl restart ssh
sudo systemctl status ssh --no-pager

Step 2 — run OpenClaw under systemd

Do not rely on a shell session staying open. Put the gateway behind a service manager from day one so reboots and failures look boring instead of dramatic.

[Unit]
Description=OpenClaw Gateway
After=network.target

[Service]
WorkingDirectory=/opt/openclaw
ExecStart=/usr/bin/openclaw gateway start
Restart=on-failure
User=claw
Environment=NODE_ENV=production

[Install]
WantedBy=multi-user.target

Step 3 — expose only HTTPS

The clean pattern is: OpenClaw listens locally, Caddy or Nginx listens publicly. This gives you TLS, cleaner routing, and fewer ways to accidentally publish the wrong port.

Safe default

Bind OpenClaw to 127.0.0.1. If you can reach the gateway directly from the public internet, stop and fix that before adding more features.
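
One way to check this on the server, as an added example (not part of the original guide or OpenClaw's own tooling): it reads listening sockets in the format printed by `ss -H -ltn` and reports any TCP listener bound beyond loopback on a port other than SSH or the reverse proxy. The sample lines and port 3000 are constructed placeholders, since the guide does not state the gateway port, and the allowed-port list is an assumption.

```shell
#!/bin/sh
# Added example: flag TCP listeners reachable beyond loopback.
# Input (stdin): lines as printed by `ss -H -ltn`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Ports that are meant to be public: SSH plus the reverse proxy (assumption).
ALLOWED_PUBLIC_PORTS="${ALLOWED_PUBLIC_PORTS:-22 80 443}"

# Print "address port" for every listener that is neither loopback-bound
# nor on an allowed public port.
exposed_listeners() {
  awk -v allowed="$ALLOWED_PUBLIC_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      la = $4
      port = la; sub(/.*:/, "", port)        # text after the last colon
      addr = substr(la, 1, length(la) - length(port) - 1)
      sub(/%.*/, "", addr)                   # drop interface scope such as %lo
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
      if (port in ok) next                   # intended public service
      print addr, port
    }'
}

# Exit status 0 when nothing unexpected is exposed, 1 otherwise.
audit_listeners() {
  found=$(exposed_listeners)
  [ -z "$found" ] && return 0
  printf 'Unexpected non-loopback listeners:\n%s\n' "$found" >&2
  return 1
}

# Constructed sample, not captured from a real host. Port 3000 stands in
# for the gateway port.
SAMPLE_BAD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 0.0.0.0:3000 0.0.0.0:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 128 [::]:22 [::]:*'

# On the server: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
  ss -H -ltn | audit_listeners
fi
```

A listener flagged here may still be blocked by the firewall, but the check looks only at what is bound, so a later firewall change cannot silently publish the port.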

Common gotchas

  • Under-sizing RAM and then blaming the app
  • Testing SSH hardening in the only session you have open
  • Exposing the gateway port directly “just for now”
  • Skipping service logs and then guessing during failures

Need the infrastructure first?

If you still have not picked a VPS, go back to the sizing guide. If you already have the server, use the hardening checklist before exposing anything publicly.