# OpenClaw on Hetzner: Production Docker VPS Setup

## Overview

This guide enables deploying OpenClaw Gateway on a Hetzner VPS using Docker, with persistent state and reliable restart behavior. The setup costs approximately $5/month and maintains 24/7 availability.

## Key Architecture Points

The deployment model separates ephemeral and durable components:

**Ephemeral (rebuilt on restart):**
- Docker container and Node runtime
- OS packages and external binaries

**Persistent (survives restarts):**
- Gateway configuration at `/home/node/.openclaw/`
- Model authentication profiles
- Skill configurations
- Agent workspace artifacts
- WhatsApp session data
- Gmail keyring (password-protected)

## Critical Setup Requirement

External binaries must be baked into the image during Docker build, not installed at runtime. Installing binaries in a running container causes data loss on restart. The Dockerfile should include all required CLI tools (gog, goplaces, wacli, etc.) via curl and tar extraction to `/usr/local/bin/`.

## Access Pattern

The Gateway runs on port 18789 bound to `127.0.0.1` for security. Access from your laptop requires an SSH tunnel:

```bash
ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP
```

Then connect to `http://127.0.0.1:18789/` with your gateway token.

## Prerequisites

You'll need root SSH access, Docker/Docker Compose, model credentials, and about 20 minutes to complete the deployment.