Hetzner Cloud
Install on Hetzner Cloud
Complete walkthrough: create a Hetzner Cloud account, provision a server, install OpenClaw with Docker, and connect Lobster Shell — all for ~$4/month.
Prerequisites
Steps
Create a Hetzner Cloud account
Go to hetzner.com/cloud and click "Sign Up". Enter your email, create a password, and verify via the confirmation email. Once logged in, add a payment method under Billing (required before you can create servers). Hetzner accepts credit cards and PayPal.
Hetzner has data centers in Germany (Falkenstein, Nuremberg), Finland (Helsinki), US (Ashburn VA, Hillsboro OR), and Singapore. For lowest latency to your users, pick the closest region.
Generate an SSH key (if you don't have one)
You need an SSH key to access your server. If you already have one at ~/.ssh/id_ed25519.pub, skip this step.
# Generate a new SSH key (hit Enter to accept defaults)
ssh-keygen -t ed25519 -C "your-email@example.com"
# Copy the public key to your clipboard
# macOS:
cat ~/.ssh/id_ed25519.pub | pbcopy
# Linux:
cat ~/.ssh/id_ed25519.pub | xclip -selection clipboardGo to your Hetzner Cloud Console → Security → SSH Keys → Add SSH Key. Paste your public key and give it a name like "my-laptop".
Create a server
In the Hetzner Cloud Console, click Servers → Add Server. Choose these settings:
Location: Pick the region closest to you
Image: Ubuntu 24.04
Type: Shared vCPU → CX22 (2 vCPU, 4 GB RAM, 40 GB disk) — €4.49/mo
or CX23 (2 vCPU, 4 GB RAM, 40 GB disk) — €3.49/mo (EU only)
Networking: Public IPv4 + IPv6 (default)
SSH Keys: Select the key you added in step 2
Volumes: None needed
Firewalls: Skip for now (we'll use SSH tunnel)
Name: openclaw-1 (or whatever you like)The CX22/CX23 is more than enough for OpenClaw. You can always resize later. Click "Create & Buy Now" to provision — it takes about 30 seconds. Note the IP address shown on the server detail page.
SSH into your server
Connect to your new server using the IP address from the Hetzner console.
ssh root@YOUR_SERVER_IPFirst connection will ask you to verify the host fingerprint — type "yes" to continue. If you set up your SSH key correctly, you won't need a password.
Secure the server
Create a non-root user, enable the firewall, harden SSH, and install fail2ban. Do this before anything else — bots scan for new servers within minutes.
# Create a 'deploy' user with sudo + docker access
adduser --disabled-password --gecos "Deploy" deploy
usermod -aG sudo deploy
usermod -aG docker deploy
echo "deploy ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/deploy
chmod 440 /etc/sudoers.d/deploy
# Copy your SSH key to the new user
rsync --archive --chown=deploy:deploy ~/.ssh /home/deploy/
# Enable firewall — allow SSH only
ufw allow OpenSSH && ufw --force enable
# Disable root login and password auth
cat > /etc/ssh/sshd_config.d/hardening.conf << 'SSHCONF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
SSHCONF
systemctl restart ssh
# Install fail2ban to block brute-force attempts
apt-get update -qq && apt-get install -y -qq fail2ban
systemctl enable fail2ban && systemctl start fail2banAfter this step, root SSH is disabled. From now on, connect with: ssh deploy@YOUR_SERVER_IP. Test this in a new terminal BEFORE closing your current session!
Install Docker
Open a new terminal and SSH in as the deploy user, then install Docker.
ssh deploy@YOUR_SERVER_IP
sudo apt-get install -y git curl ca-certificates
curl -fsSL https://get.docker.com | sudo sh
# Verify (no sudo needed — deploy is in the docker group)
docker --version
docker compose versionClone and configure OpenClaw
Clone the OpenClaw repository and set up the environment.
git clone https://github.com/openclaw/openclaw.git
cd openclaw
# Create persistent state directories
mkdir -p ~/.openclaw/workspaceCreate the .env file
Configure OpenClaw with secure tokens. Generate random secrets for the gateway token and keyring password.
# Generate two random secrets
export GW_TOKEN=$(openssl rand -hex 32)
export KR_PASS=$(openssl rand -hex 32)
cat > .env << EOF
OPENCLAW_IMAGE=openclaw:latest
OPENCLAW_GATEWAY_TOKEN=$GW_TOKEN
OPENCLAW_GATEWAY_BIND=lan
OPENCLAW_GATEWAY_PORT=18789
OPENCLAW_CONFIG_DIR=$HOME/.openclaw
OPENCLAW_WORKSPACE_DIR=$HOME/.openclaw/workspace
GOG_KEYRING_PASSWORD=$KR_PASS
XDG_CONFIG_HOME=/home/node/.openclaw
EOF
# Print your gateway token — you'll need this later
echo "Your gateway token: $GW_TOKEN"Save the gateway token somewhere safe — you'll need it to access the OpenClaw UI. Never commit this .env file to git.
Start OpenClaw
Run the Docker setup script to build and launch the gateway.
./docker-setup.shFollow the on-screen prompts to configure your LLM API key (Anthropic, OpenAI, etc). The setup takes 2-3 minutes to pull images and start.
Install the Lobster Shell plugin
Install the plugin inside the running container, then restart to load it.
docker compose exec openclaw-gateway openclaw plugins install @spikelabs/lobster-shell-plugin
# Restart to load the plugin
docker compose restart openclaw-gateway
# Verify it loaded (look for "Lobster Shell plugin registered successfully")
docker compose logs openclaw-gateway --tail=30 | grep -i lobsterOpen an SSH tunnel to access the gateway
The gateway only listens on localhost for security. Open an SSH tunnel from your local machine to access it in your browser.
# Run this on your LOCAL machine (not the server):
ssh -N -L 18789:127.0.0.1:18789 deploy@YOUR_SERVER_IPLeave this terminal open. The -N flag means "don't open a shell, just forward the port". Now http://localhost:18789 on your laptop reaches the gateway on your Hetzner server.
Connect to Lobster Shell
Open the setup page in your browser, then connect your Lobster Shell account.
# On your local machine:
open http://localhost:18789/lobster/setupClick "Connect to Lobster Shell". You'll be redirected to lobstershell.ai to sign in (or create a free account). After authorizing, you'll be redirected back to the setup page with a "Connected!" confirmation.
Verify the connection
Check that everything is working end-to-end.
# On the server — check bridge status:
docker compose logs openclaw-gateway --tail=50 | grep -i "bridge\|ably\|connected"
# In the OpenClaw chat, run:
# /lobster-statusThe status should show Cloud Bridge: connected. Head to your Lobster Shell dashboard at lobstershell.ai/app, pick an avatar shell for your bot, and send your first message!
Keep it running (optional)
The Docker container is set to restart: unless-stopped, so it survives reboots. To make the SSH tunnel persistent, use autossh.
# On your LOCAL machine — install autossh:
# macOS: brew install autossh
# Ubuntu: sudo apt install autossh
# Persistent tunnel that auto-reconnects:
autossh -M 0 -f -N -L 18789:127.0.0.1:18789 deploy@YOUR_SERVER_IPTroubleshooting
SSH connection refused
Wait 30-60 seconds after server creation for it to boot. Verify the IP address in the Hetzner console. After hardening, use: ssh deploy@YOUR_SERVER_IP (root login is disabled). Make sure you're using the correct SSH key: ssh -i ~/.ssh/id_ed25519 deploy@YOUR_SERVER_IP
Docker setup script fails or hangs
On a fresh CX22 you may need to install git first: apt-get update && apt-get install -y git. If it hangs during image pull, the server may be out of disk — check with df -h.
Plugin install fails with network error
Verify DNS works inside the container: docker compose exec openclaw-gateway nslookup registry.npmjs.org. If it fails, restart Docker: systemctl restart docker
Setup page shows 'Not Found' at /lobster/setup
The plugin didn't load. Check: docker compose logs openclaw-gateway | grep lobster — if it says the plugin isn't found, re-run the install and restart commands from step 9.
OAuth redirect fails or loops
Make sure you're accessing via the SSH tunnel at http://localhost:18789 (not the server's public IP). The plugin builds the OAuth callback from your browser's Host header, so it must be consistent.
Avatar stays in 'idle' after sending a message
Check bridge status: docker compose logs openclaw-gateway --tail=100 | grep bridge. If it shows 'disconnected', visit /lobster/setup and click Connect again. Also verify your LLM API key is valid.
Server costs — how do I delete it when done?
In the Hetzner Cloud Console, go to Servers → click your server → Delete. Billing stops immediately. Hetzner bills hourly, so a few hours of testing costs just a few cents.
Ready to give your bot a face?
Connect your OpenClaw instance and go live with a custom shell in under five minutes.