The True Cost of Self-Hosting OpenClaw (2026 Breakdown)
The Hetzner bill is $27/month. That's what you see. Here's what you don't see.
I self-hosted OpenClaw for four months before I did the math. The VPS cost was a rounding error. My time wasn't.
The Visible Costs
These show up on invoices. Easy to track.
VPS/Cloud Server: $20-80/month
OpenClaw needs at least 2 vCPUs and 4GB RAM. The sandbox container eats resources when agents run code.
- Hetzner CX31: $27/month (good for single-agent setups)
- DigitalOcean Droplet: $48/month (4GB, 2 vCPU)
- AWS EC2 t3.medium: $65/month (with reserved pricing)
- Hostinger VPS: $20/month (cheapest option, limited bandwidth)
Most people land around $30-50/month.
Domain + DNS: $0-15/year
You probably already own a domain. A subdomain like agent.yourcompany.com costs nothing extra. If not, a .com runs $12-15/year.
TLS Certificate: $0
Let's Encrypt is free. But setting it up with auto-renewal and your reverse proxy is the time cost.
Total visible cost: $20-80/month. Looks cheap. Keep reading.
The Invisible Costs
These don't show up on invoices. They show up on your calendar.
Initial Setup: 4-8 hours
You need to:
- Provision a VPS and SSH in
- Install Docker and Docker Compose
- Clone OpenClaw and configure the compose file
- Set up a reverse proxy (Nginx or Caddy) with TLS
- Configure DNS
- Test the deployment
- Set up firewall rules (UFW or iptables)
If you've done it before, 4 hours. First time, closer to 8.
At a technical co-founder's time value ($150-250/hour), that's $600-2,000 before your agent runs its first command. If you want the 60-second version, see our step-by-step setup tutorial.
Skip the setup? Clawctl deploys in 60 seconds. Encrypted keys, TLS, audit logs included. Deploy now →
Security Hardening: 8-16 hours
The basic setup gets you running. It doesn't get you secure.
To reach a production-grade security posture, you need:
- Docker socket proxy — replace the raw socket mount with a filtered proxy. 2-3 hours to configure and test.
- API key encryption — move keys out of plaintext
.envfiles. Set up Docker secrets or Vault. 2-4 hours. - Network egress controls — configure iptables or Docker network policies to restrict outbound traffic. 2-3 hours.
- Fail2ban or equivalent — rate limiting on the exposed ports. 1 hour.
- Log aggregation — set up some way to see what happened. Loki, ELK, or even just persistent Docker logs. 2-4 hours.
- Backup strategy — automated backups of workspace data and configuration. 1-2 hours.
Total: 8-16 hours. At founder rates: $1,200-4,000.
Most people skip this step. Then they find their instance on Shodan. We wrote about exactly what goes wrong.
Monthly Maintenance: 2-4 hours/month
OpenClaw updates frequently. Docker images need updating. TLS certs need renewing (even with auto-renewal, things break). Disk fills up. Logs rotate.
Monthly tasks:
- Pull and deploy new OpenClaw versions: 30-60 min
- Monitor disk space and clean up: 15-30 min
- Review logs for issues: 30-60 min
- Rotate API keys: 15-30 min
- Patch OS security updates: 30-60 min
That's 2-4 hours every month. $300-1,000/month in time cost.
Incident Response: 2-8 hours per incident
Things break. Containers crash at 2am. Docker socket permissions change after an OS update. TLS renewal fails silently. DNS propagation takes longer than expected.
In four months of self-hosting, I had three incidents:
- Sandbox container OOM-killed during a heavy agent task. Agent lost context mid-execution. Workspace files corrupted. 3 hours to diagnose and recover.
- Let's Encrypt renewal failed because Certbot's cron job stopped running after an apt upgrade. Site was down for 6 hours before I noticed.
- Docker Compose update changed the default network behavior. Agent lost internet access. 2 hours to figure out why.
Average: one incident per month. 2-8 hours each. $300-2,000/month when it happens.
The Full TCO Table
| Cost Category | DIY Self-Hosted | Clawctl Starter |
|---|---|---|
| VPS / hosting | $30-50/mo | $0 (included) |
| Domain + TLS | $0-15/yr | $0 (included) |
| Initial setup time | $600-2,000 (one-time) | $0 |
| Security hardening | $1,200-4,000 (one-time) | $0 (included) |
| Monthly maintenance | $300-1,000/mo | $0 |
| Incident response | $300-2,000/mo (avg) | $0 (auto-recovery) |
| Audit logging | $0 (you don't have it) | Included |
| SOC2 documentation | DIY or $5,000+ | Included (Team plan) |
| Monthly total | $630-3,050/mo | $49/mo |
| Year 1 total | $9,360-38,400 | $588 |
The VPS is $27. The total cost is $630-3,050/month.
That's not a typo. Most of the cost is your time.
"But My Time Is Free"
No it isn't.
Every hour you spend configuring Docker socket proxies is an hour you didn't spend on your product. On sales. On the feature your biggest customer is waiting for.
The opportunity cost is real even if you don't track it.
One CTO I talked to spent 60+ hours on agent security over two months. During that time, she lost a $50K enterprise deal because she couldn't produce SOC2 documentation for her agent infrastructure. (Sound familiar? Read what CISOs ask about AI agents.)
The $27/month VPS cost her $50,000 in revenue.
When DIY Makes Sense
Self-hosting is the right call if:
- You have a dedicated DevOps/infra team (not the CTO doing it at midnight)
- Your compliance requirements demand on-premise hosting
- You need deep customization of the OpenClaw gateway itself
- You're running OpenClaw for development/testing only, not production
For everyone else, the math doesn't work.
When Clawctl Makes Sense
Clawctl is the right call if:
- You want to ship your product, not manage infrastructure
- You need audit logs and security controls without building them
- Your customers ask about SOC2, security posture, or data handling
- Your time is worth more than $0/hour
$49/month. Everything included. Deploy in 60 seconds.
For a detailed comparison of what you get, check our managed vs self-hosted guide.
Ready to stop worrying?
Clawctl locks down your OpenClaw instance in 60 seconds. Encrypted keys, audit logs, egress controls, human approvals. $49/mo. No contracts. Start now →