OpenClaw on a Dedicated Server — Why Shared Hosting Fails

Most web applications are stateless: a request comes in, the server processes it, returns a response, and forgets everything. OpenClaw is the opposite. It's a stateful, long-running AI assistant process that maintains memory across sessions, executes scheduled tasks, manages files on disk, and runs browser automation in the background.

This architectural difference makes OpenClaw completely incompatible with shared hosting, serverless platforms, or PaaS environments like Heroku's free tier. OpenClaw needs a Linux server where it can run as a persistent systemd service, write to the filesystem at will, execute shell commands, spawn Chromium for browser automation, and maintain WebSocket connections to the Telegram API.

Shared hosting providers like cPanel-based hosts don't allow long-running processes. When your SSH session ends, so does your process. Vercel and Netlify are serverless — every function invocation is ephemeral. Cloud Run and Lambda impose 60-second (or 15-minute) execution limits. None of these work for an AI assistant that needs to run a heartbeat check every 30 minutes and remember the results.

Even 'semi-managed' options like Railway or Render hit limitations: they don't support LUKS2 encryption, they share underlying infrastructure with other tenants, and their filesystem is often ephemeral (resets on deploy). OpenClaw's memory system — which writes daily notes to memory/YYYY-MM-DD.md and maintains MEMORY.md — breaks entirely on ephemeral filesystems.

OpenClaw's documentation specifies a minimum of 1 vCPU and 1GB RAM for basic operation. In practice, you want more headroom. Here's why.

OpenClaw's Node.js runtime uses about 200-300MB RAM at baseline. Add the Caddy reverse proxy (minimal RAM), the OS itself (300-500MB on a lean Ubuntu/Debian install), and you're already at 700MB-900MB before doing anything interesting. If you run browser automation tasks — which spawn a Chromium instance — expect another 200-400MB per browser context.

For comfortable operation with browser automation, file management, and concurrent tool execution, 2GB RAM is the practical minimum. 4GB gives you proper headroom for peak workloads and prevents the dreaded OOM killer from terminating your assistant mid-task.

CPU matters less than RAM for typical OpenClaw workloads. The bottleneck is usually waiting for LLM API responses, not local compute. However, browser automation and image processing can spike CPU. A 2 vCPU configuration handles this comfortably.

Storage needs depend on usage. OpenClaw's base installation is small (under 500MB), but the memory system accumulates files over time. Browser screenshots, downloaded files, and workspace data can grow. 40GB SSD is generous for most users — with NVMe speeds, file I/O (which OpenClaw does constantly for memory reads/writes) is never a bottleneck.

PlugAndClaw uses Hetzner CX22: 2 vCPU, 4GB RAM, 40GB SSD NVMe. This is the sweet spot — enough for heavy workloads without overprovisioning.

Not all VPS providers are equal. PlugAndClaw chose Hetzner after evaluating DigitalOcean, Linode (Akamai), Vultr, OVH, and Contabo for OpenClaw workloads. Hetzner won on price-to-performance ratio, data center location, and reliability.

Hetzner's CX22 costs €4.35/month at list price — compared to DigitalOcean's equivalent at $18/month or Linode's at $12/month. For the same hardware, Hetzner is 3-4x cheaper. This is why PlugAndClaw can offer managed hosting at $39.50/month including $20 AI credits, while competitors like SimpleClaw and ClawDrift charge $49/month.

Hetzner operates data centers in Nuremberg, Falkenstein, and Helsinki — all in Europe, covered by GDPR. For users concerned about data sovereignty, Hetzner's German/Finnish locations offer stronger privacy protections than US-based providers. Your OpenClaw instance data stays in the EU by default.

Hetzner's network is high quality: 20Gbps uplink per server, low-latency peering with major European ISPs, and solid uptime. For OpenClaw, network matters mainly for API calls to Claude/GPT/Gemini and Telegram webhook delivery — both of which need reliable, low-latency connectivity.

Hetzner also supports LUKS2 full-disk encryption at the block device level, which is essential for OpenClaw deployments where conversation history, API keys, and personal memory files are stored on disk.

Running OpenClaw on a public-facing server means you need proper security hardening. The threat model is real: open SSH ports attract brute-force attacks within minutes of provisioning, and any exposed web service is continuously scanned for vulnerabilities.

The baseline hardening PlugAndClaw applies to every server: disable root SSH login, enforce key-based authentication (disable password auth), configure UFW with default-deny inbound (only ports 22, 80, 443 open), install and configure fail2ban for SSH brute-force protection, and enable automatic security updates.

LUKS2 encryption protects data at rest. If Hetzner (or any party with physical access to the hardware) were to pull the drive, they'd get encrypted data. The encryption key is derived from a passphrase set during provisioning and stored securely — it's not written anywhere accessible to PlugAndClaw staff.

Caddy handles TLS with automatic certificate management. All traffic between Telegram's servers and your OpenClaw instance is encrypted in transit. Caddy's HTTP/2 support and automatic HSTS headers add additional transport security.

OpenClaw itself runs as a non-root system user. Even if someone found an exploit in OpenClaw's code, they'd be limited to that user's permissions — not root. The systemd service unit is configured with NoNewPrivileges=true and other sandboxing options.

For users with heightened security requirements — healthcare, legal, finance — PlugAndClaw can provide additional hardening: CIS benchmark compliance, audit logging, network monitoring. Contact support for details.

You have two viable paths to running OpenClaw on a dedicated server: rent a VPS yourself and set everything up (self-hosting), or use a managed service that handles the infrastructure while you focus on the application.

Self-hosting gives you maximum control. You choose the provider, region, OS version, and every configuration detail. You can install additional software, modify the systemd unit, and have unrestricted root access. The cost is just the VPS price — €4-6/month for a Hetzner CX22.

The tradeoff is the time investment. A properly secured OpenClaw server requires 3-6 hours of initial setup and ongoing maintenance attention. Security patches, OpenClaw updates, Caddy certificate monitoring, and incident response when things break all add up. Most people underestimate this until something breaks at an inconvenient time.

Managed dedicated (PlugAndClaw's model) gives you the same isolated, dedicated hardware with the maintenance handled. You still have full SSH access. You still own all your data. You can still customize everything at the application layer. But you don't need to think about the infrastructure.

At $39.50/month (with $20 AI credits included), PlugAndClaw's effective server cost is $19.50/month — just $15/month more than the raw VPS cost. That $15 buys you the setup time, ongoing maintenance, monitoring, and support. For most professionals, that's a rational trade.