OpenClaw Agents
OpenClaw-Operational Book

How to Deploy AI Agents

1. VPS setup (Hetzner, same process for any provider)

Start here first

We want to set up a VPS for our agents because otherwise our servers can be pinged, DDoSed, and have their passwords brute-forced from the public internet.


First, we will go through all the steps manually to create a VPS on Hetzner, then I will share the automation scripts to set everything up at once.


Although we are running things on Hetzner, I will also provide setup scripts for DigitalOcean and Mac Mini later.


  1. Log in to your Hetzner account.
  2. Create a new Project -> Create New Resource (Server)

    Here's your project dashboard

    Now you can create and configure your server
  3. Type: start with Shared vCPU and upgrade to dedicated later. Recommended: CX23 or larger.
  4. Location: pick the region closest to you, to the services you will integrate (e.g., a database), or to your customers.
  5. Image: Ubuntu 24.04. Some people recommend Debian because it gets updated automatically.
  6. Networking: enable both IPv4 and IPv6.
  7. Add SSH keys
    $ ssh-keygen -t rsa -b 4096    # press <Enter> for defaults
    $ cat ~/.ssh/id_rsa.pub        # copy to clipboard
    Paste the key in the Hetzner dialog.
  8. Leave Volumes and Firewalls empty for now.
  9. Assign a server name and click Create and buy.
  10. When the server turns green, copy its public IP.
  11. SSH for the first time
    $ ssh root@<PUBLIC_IP>
    # type "yes" when prompted

    You're in! Let's harden the security next.

2. Initial Security Hardening

Lock down before expanding capabilities

  1. Update the system
    $ sudo apt update -y && sudo apt upgrade -y
  2. Install Tailscale and connect devices

    Next, we will install Tailscale, which provides a private network connection between authorized devices, in this case the local device and the VPS.

    curl -fsSL https://tailscale.com/install.sh | sh

    Start Tailscale

    sudo tailscale up --ssh

    To authenticate, open the provided link in your browser and log in.

    Connect your server to the Tailscale network

    Complete the onboarding

    Install Tailscale on the local machine from which you want to access your VPS

    Pick your operating system

    Sign in to your network from your local device

    Once all devices are connected, you can ping one device from another.

    You can now ping your local device from the VPS

    You should see the transmitted packets

    Now try pinging your VPS from your local device

    When you log in to Tailscale in your browser, you can see all the devices connected to your Tailscale network.

    In this case, it's my local computer and the VPS that I created.
  3. Great. Now we will harden VPS security by modifying a few fields in the SSH config

    In your VPS terminal, open the SSH config file.

    nano /etc/ssh/sshd_config

    This opens the editor, where we change options so that this server only listens on the Tailscale network. Uncomment ListenAddress and paste the Hetzner server's Tailscale IP from the Tailscale admin console.

    The other two settings are:

    PasswordAuthentication no
    PermitRootLogin no

    Save with Ctrl + S and exit with Ctrl + X.

  4. Create and verify non-root user
    adduser clawuser

    Enter a password and accept the default values.

    usermod -aG sudo clawuser
    su - clawuser
    sudo whoami

    Use this to check that the new user has sudo access.

  5. Restart SSH and verify access flow
    logout                   # leave the clawuser shell, back to root
    systemctl restart ssh
    logout                   # close the root SSH session

    Now root SSH should fail, which is expected. SSH as clawuser using the Tailscale IP, with Tailscale running locally:

    ssh root@100.105.11.108

    But you can SSH as the new user

    ssh clawuser@100.105.11.108

    If you want access from another device, connect that device to the same Tailscale network first.

    You may still be able to ping the public IP at this stage. We will deal with that later, after the OpenClaw install.
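
One way to confirm that the SSH changes above actually took effect, as an added example that is not part of the original guide: it checks the effective settings that `sshd -T` prints, so a value overridden by a file included from sshd_config is caught. The function name and both sample configs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the effective sshd settings from section 2.
# Input: `sshd -T` output on stdin (lowercase "keyword value" lines).
# On the VPS:  sudo sshd -T | check_sshd_hardening <TAILSCALE_IP>

check_sshd_hardening() {
    [ -n "$1" ] || { echo "usage: check_sshd_hardening TAILSCALE_IP" >&2; return 2; }
    awk -v ip="$1" '
        $1 == "passwordauthentication" { pa  = $2 }
        $1 == "permitrootlogin"        { prl = $2 }
        $1 == "listenaddress" {
            listeners++
            # Listeners are printed as ADDRESS:PORT; any address other than
            # the Tailscale one means sshd is still reachable elsewhere.
            if (index($2, ip ":") != 1) stray = stray " " $2
        }
        END {
            if (pa  != "no")    { print "FAIL passwordauthentication=" pa; bad = 1 }
            if (prl != "no")    { print "FAIL permitrootlogin=" prl;       bad = 1 }
            if (listeners == 0) { print "FAIL no listenaddress reported";  bad = 1 }
            if (stray != "")    { print "FAIL extra listeners:" stray;     bad = 1 }
            if (!bad) print "OK sshd only on " ip ", no passwords, no root"
            exit bad + 0
        }'
}

# Constructed samples (not captured from a real server).
HARDENED_SAMPLE='port 22
listenaddress 100.105.11.108:22
permitrootlogin no
passwordauthentication no'

DEFAULT_SAMPLE='port 22
listenaddress [::]:22
listenaddress 0.0.0.0:22
permitrootlogin yes
passwordauthentication yes'

# Demo run on the constructed samples: the first passes, the second fails.
printf '%s\n' "$HARDENED_SAMPLE" | check_sshd_hardening 100.105.11.108
printf '%s\n' "$DEFAULT_SAMPLE"  | check_sshd_hardening 100.105.11.108 || true
```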

3. Install and onboard OpenClaw

Manual onboarding with OpenAI auth

Navigate to https://openclaw.ai/, copy the one-liner for macOS/Linux, and run it on the server:

curl -fsSL https://openclaw.ai/install.sh | bash

Once OpenClaw is installed, go through configuration.

Select manual onboarding mode, then select the OpenAI auth method to use your existing ChatGPT subscription and leverage Codex.

Paste the OAuth URL into your browser, sign in, copy the returned redirect URL code, and paste it back into the OpenClaw configuration.

If you want to check Codex usage:

https://chatgpt.com/codex/settings/usage

If you use API keys, set spend limits with the provider to cap your maximum spend.

Proceed with the remaining options as shown below.

[Screenshots: OpenClaw Model Selection, OpenClaw Channel Config]
Upcoming sections are scheduled to be published during March.