If you're running AI agents like OpenClaw or NanoClaw, you probably don't want them living on the same machine where you do your banking, store your photos, and keep your private keys. These are frameworks that get full system access — shell commands, file reads and writes, network requests — and OpenClaw in particular has been associated with several critical security vulnerabilities since its rise to prominence in late 2025.
A dedicated VPS solves two problems at once. First, it gives you an always-on machine. AI agents with persistent memory, scheduled tasks, and messaging integrations need to be running 24/7, and keeping your laptop open around the clock isn't practical. Second, it creates real isolation between the agent and your personal data. If something goes wrong — and with complex agent frameworks, things do go wrong — the blast radius is contained to a server with nothing else on it.
This guide walks you through provisioning a Hetzner Cloud VPS from scratch: account creation, server setup, firewall configuration, and SSH access. By the end, you'll have a hardened, accessible Ubuntu server ready for the next step. In a follow-up post, we'll cover actually installing and configuring OpenClaw and NanoClaw on this server.
One important note before we start: this guide assumes the VPS is stateful. Both OpenClaw and NanoClaw rely on persistent memory, SQLite databases, and local filesystems to function. Do not treat this as disposable infrastructure you tear down and rebuild regularly.
What you'll need before you start
Gather these before you begin: a payment method (credit card or PayPal — see the note below about possible identity verification), a password manager with SSH key support (such as 1Password) or familiarity with ssh-keygen, and an authenticator app for two-factor authentication for your Hetzner account (Google Authenticator, Authy, OneAuth, etc.).
By the end of this guide, you'll have a CPX32 server running Ubuntu 24.04 with a properly configured firewall and SSH access, at a total cost of roughly €14.49/month.
Why Hetzner?
Hetzner offers one of the best price-to-performance ratios in the VPS market. The CPX32 plan gives you 4 vCPUs, 8 GB of RAM, 160 GB of SSD storage, and 20 TB of traffic — more than enough to run OpenClaw or NanoClaw with Docker containers, the agent runtime, and persistent storage, all for under €15/month. The Cloud Console is straightforward, the documentation is solid, and the European data center locations (Germany and Finland) are a plus if data residency matters to you.
To put that in context, here's how comparable plans from other providers stack up:
| Provider | vCPUs | RAM | Storage | Traffic | Monthly cost |
|---|---|---|---|---|---|
| Hetzner CPX32 | 4 | 8 GB | 160 GB NVMe | 20 TB | €14.49 / ~$17 |
| Hostinger KVM 2 | 2 | 8 GB | 100 GB NVMe | 8 TB | $24.29 |
| AWS Lightsail | 2 | 8 GB | 160 GB SSD | 5 TB | $44.00 |
| DigitalOcean Basic | 4 | 8 GB | 160 GB SSD | 5 TB | $48.00 |
A few things stand out. Hetzner isn't just cheaper — it's cheaper while offering more. The CPX32 gives you double the vCPUs of both the Hostinger and AWS Lightsail options, and its 20 TB traffic allowance is four times what DigitalOcean and AWS include. The closest spec match is DigitalOcean's Basic Droplet, which has the same CPU and RAM but a quarter of the traffic at more than double the price.
A note on the Hostinger pricing: their heavily promoted rates (as low as ~$7/month) require a 24-month upfront commitment. The $24.29 figure shown here is the regular monthly billing rate after promotional pricing ends. Be sure to check the renewal terms before committing to a long-term plan.
Hetzner isn't perfect — the account verification process can catch new users off guard, which we'll cover next — but for self-hosting AI agents where you need a reliable, always-on server without paying a premium, it's hard to beat.
Step 1: Creating your Hetzner account
Head to Hetzner Cloud and click Get Started. Enter your account details and complete the registration.
Once you're in, enable two-factor authentication immediately. Go to your account settings, find the 2FA option, and set it up using your authenticator app. Hetzner also supports YubiKeys if you prefer hardware tokens. The Hetzner 2FA documentation has the full walkthrough, but the process is quick — you'll scan a QR code with your authenticator app and confirm with a verification code.
The "increased risk" verification hurdle
After creating your account, there's a good chance you'll see this message when you try to provision your first server:
Don't panic. This is Hetzner's automated fraud prevention system, and it's extremely common for new accounts. It is not a reflection of anything wrong with your information. Threads on Hacker News and Reddit are full of legitimate users who encountered this same screen.
You'll typically be offered two options: a €20 pre-payment via PayPal, or submitting an additional form of ID. The PayPal option is the path of least resistance — the €20 is applied as credit to your account and will be used toward your future invoices. It is not a fee. If you ever cancel your account with credit remaining, Hetzner will refund the balance.
Step 2: Provisioning the server
From the Hetzner Cloud Console, create a new server. Here's how to work through each configuration option.
Server type and plan
Select Regular Performance and choose the CPX32 plan. This gives you 4 vCPUs, 8 GB RAM, 160 GB SSD, and 20 TB of traffic. It's comfortably sized for running containerized AI agents without being overkill.
Location
Pick the data center closest to you or to your users. Hetzner offers several European locations including Nuremberg, Helsinki, and Falkenstein. For my own setup, I chose Nuremberg for one server (running OpenClaw) and Helsinki for the other (running NanoClaw) — Nuremberg didn't have availability when I went to provision the second server, and Helsinki worked just as well.
Image
Select Ubuntu 24.04. It's the current LTS release, widely supported, and both OpenClaw and NanoClaw have well-documented setup paths on Ubuntu.
Networking
Enable both IPv4 and IPv6. IPv4 adds roughly €0.50/month, but it's worth it. Many home networks, tools, and SSH clients still default to IPv4, and as we'll see in the firewall section, an IPv6-only setup can create a frustrating connectivity issue that's easy to misdiagnose.
SSH keys
Hetzner lets you add an SSH key during server creation, which is both more secure and more convenient than password authentication.
Click Add SSH key, then click Create SSH Key at the bottom of the dialog. Give it a descriptive name, select Ed25519 as the key type, and click Create & Fill. This generates a key pair — Hetzner fills in the public key automatically. Store the private key in your password manager (1Password, Bitwarden, etc.) so you don't lose it. Then click Add SSH key.
If you prefer to generate keys manually, you can run ssh-keygen -t ed25519 on your local machine (macOS, Linux, or Windows with WSL/Git Bash) and paste the contents of the resulting .pub file into the SSH key field instead.
Volumes — do you need one?
This tripped me up during my first setup. Hetzner Cloud servers come with local NVMe storage included in the plan — 160 GB on the CPX32. You don't need to add anything extra for basic storage.
Volumes are additional network-attached block storage that you can provision separately. They're useful if you later need to expand storage beyond what your plan includes, or if you want to move data between servers. For an initial setup, you can skip this.
Other options
Skip backups, placement groups, labels, and cloud config for now. You can always enable backups later if you decide you want them. None of these are required to get up and running.
Step 3: Configuring the firewall
Create the firewall before the server boots
Here's a workflow tip: you can pause partway through the server creation wizard, navigate to the Firewalls section in the Hetzner Console, create your firewall there, and then return to the server wizard. Your new firewall will appear as a selectable option. This way, the server is protected from the moment it comes online. The Hetzner firewall docs walk through the creation UI in detail.
How Hetzner Cloud firewalls work
Hetzner Cloud Firewalls operate as an allowlist for inbound traffic. Your inbound rules define what is permitted in — anything that doesn't match a rule is silently dropped. If you leave the outbound rules empty, all outbound traffic remains allowed by default. The firewall is also stateful, which means reply traffic for connections your server initiates is automatically allowed back in. If you've worked with AWS security groups, this model will feel familiar.
For a basic setup, you need one inbound rule: allow TCP traffic on port 22 (SSH) from your IP address.
Finding your IP address — the IPv4/IPv6 gotcha
This is where I hit my first real snag, and it's worth paying attention to.
After creating my server and attaching the firewall, I couldn't SSH in. The connection just timed out. The firewall rule looked correct. The server was running. Everything seemed fine.
The problem: I had found my IP address by running curl ifconfig.me, which returned my IPv6 address. But my SSH client was connecting to the server over IPv4. The firewall was correctly blocking the connection because my IPv4 address wasn't in the allowlist — only the IPv6 one was.
The fix is simple. Run this to get your IPv4 address specifically:
curl -4 ifconfig.me
Add that IPv4 address to your firewall's inbound SSH rule. You can enter a single IP (e.g., 203.0.113.42) or use CIDR notation (e.g., 203.0.113.42/32) for a single host. If you also want to allow your IPv6 address, add that as a second entry.
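The mismatch described above can be checked before you start doubting the firewall. This is an added example, not part of the original post: it works out which of your addresses SSH will arrive from and whether a single-host allowlist entry covers it. The function names are hypothetical and the addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example. Constructed sample addresses: 203.0.113.42 and 2001:db8::42
# stand in for your public IPv4/IPv6, 198.51.100.7 for the server's IPv4.

# Classify an address or CIDR literal by family.
addr_family() {
  case "${1%/*}" in
    *:*)     echo ipv6 ;;
    *.*.*.*) echo ipv4 ;;
    *)       echo unknown; return 1 ;;
  esac
}

# Bare address -> single-host CIDR (/32 or /128); existing prefixes are kept.
to_host_cidr() {
  case "$1" in */*) echo "$1"; return 0 ;; esac
  case "$(addr_family "$1")" in
    ipv4) echo "$1/32" ;;
    ipv6) echo "$1/128" ;;
    *)    return 1 ;;
  esac
}

# ssh_source_allowed SERVER_ADDR MY_V4 MY_V6 ALLOWLIST_ENTRY...
# SSH to an IPv4 server address leaves from your IPv4 address (and likewise
# for IPv6), so that is the source the firewall rule has to list.
# Comparison is textual and only matches single-host entries.
ssh_source_allowed() {
  fam=$(addr_family "$1") || return 2
  case "$fam" in ipv4) src=$2 ;; ipv6) src=$3 ;; esac
  shift 3
  [ -n "$src" ] || { echo "no $fam address on this client"; return 1; }
  want=$(to_host_cidr "$src")
  for entry in "$@"; do
    if [ "$(to_host_cidr "$entry")" = "$want" ]; then
      echo "allowed: $want"; return 0
    fi
  done
  echo "dropped: SSH arrives from $want ($fam), not in the allowlist"
  return 1
}

# Constructed demo of the post's situation: only the IPv6 address is listed,
# but the connection goes to the server's IPv4 address.
ssh_source_allowed 198.51.100.7 203.0.113.42 2001:db8::42 2001:db8::42/128 || true

# Live use (needs network; ifconfig.me is the service used in the post):
#   ssh_source_allowed <server-addr> "$(curl -4 -s ifconfig.me)" \
#     "$(curl -6 -s ifconfig.me)" <allowlist entries...>
```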
Applying the firewall
Attach the firewall to your server — either during the server creation wizard (if you created it ahead of time) or afterward from the server's Networking tab in the Console.
Step 4: Connecting via SSH
With the server running and the firewall configured, it's time to connect:
ssh root@<your-server-ipv4-address>
If everything is set up correctly, you'll be greeted by Ubuntu's welcome message. You're in.
What's next
Your server is provisioned, firewalled, and accessible via SSH. It's a clean Ubuntu 24.04 machine with enough resources to run containerized AI agents comfortably.
In the next post in this series, we'll pick up right here and walk through installing and configuring OpenClaw and NanoClaw — including Docker setup, the agent runtime, security hardening, and connecting messaging channels like Telegram. Stay tuned.