Phase 8 / Ep 40: Production Deployment - 24/7 Operation of VPS + Cloudflare Tunnel

⏱ Est. reading time: 9 min Updated on 4/13/2026

🎯 Learning Objective: Deploy OpenClaw to a VPS to achieve 24/7 unattended operation.

1. Production Architecture Overview

graph TB
    subgraph Cloud["☁️ Cloud Services"]
        TG["📱 Telegram API"]
        DC["💬 Discord API"]
        CF["🔒 Cloudflare Tunnel"]
        LLM["🧪 Anthropic / OpenAI"]
    end

    subgraph VPS["🖥️ VPS (Hetzner CX22)"]
        subgraph Docker["📦 Docker Compose"]
            GW["🦀 Gateway"]
            PA["🤖 Personal Agent"]
            CA["💻 Code Agent"]
            OA["🔧 Ops Agent"]
        end
        Monitor["📊 Health Monitor\nCron Job"]
        Backup["💾 Backup Script"]
    end

    subgraph Storage["☁️ Object Storage"]
        R2["Cloudflare R2\nDaily Backup"]
    end

    TG & DC -->|"Webhook"| CF
    CF -->|"Secure Tunnel"| GW
    GW --> PA & CA & OA
    PA & CA & OA -->|"API"| LLM
    Monitor -->|"Alert"| TG
    Backup -->|"Daily Backup"| R2

2. VPS Selection

| Provider | Specifications | Monthly Fee | Recommendation |
|---|---|---|---|
| Hetzner CX22 | 2C/4G/40G | €4.35 | ⭐⭐⭐⭐⭐ |
| DigitalOcean | 2C/4G/80G | $24 | ⭐⭐⭐⭐ |
| Alibaba Cloud ECS | 2C/4G/40G | ¥68 | ⭐⭐⭐ |
| Vultr | 2C/4G/80G | $24 | ⭐⭐⭐⭐ |

💡 Recommendation: Hetzner CX22 - The king of cost-effectiveness, latency from European data centers is acceptable.

3. Docker Compose Production Configuration

# docker-compose.production.yml
version: '3.8'

services:
  openclaw:
    image: openclaw/openclaw:latest  # In production, pin a specific tag or digest so a later pull cannot change what runs unreviewed
    container_name: openclaw-prod
    restart: always
    env_file: .env.production
    volumes:
      - openclaw-data:/root/.openclaw
      - ./workspace:/workspace
    ports:
      - "127.0.0.1:3377:3377"  # Bind to localhost only
    healthcheck:
      test: ["CMD", "openclaw", "status"]
      interval: 60s
      timeout: 10s
      retries: 3
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: always
    command: tunnel run
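    environment:
      # Compose substitutes this from the shell or a .env file, not from the openclaw
      # service's env_file; pass --env-file .env.production if the token lives there.
      - TUNNEL_TOKEN=${CLOUDFLARE_TUNNEL_TOKEN}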

volumes:
  openclaw-data:

4. Cloudflare Tunnel Configuration

Cloudflare Tunnel allows your VPS to receive Webhooks without a public IP:

# 1. Install cloudflared
# -f makes curl fail on an HTTP error instead of saving the error page as the binary
curl -fL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared
chmod +x /usr/local/bin/cloudflared

# 2. Login
cloudflared tunnel login

# 3. Create Tunnel
cloudflared tunnel create openclaw-agent

# 4. Configure DNS (Point agent.yourdomain.com to the Tunnel)
cloudflared tunnel route dns openclaw-agent agent.yourdomain.com
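
As an added example (not part of the original page or the OpenClaw project), the script below checks the two places where the "localhost only" design from section 3 can silently break: a published port in the compose file without the 127.0.0.1 prefix, and a live listener on 3377 bound beyond loopback. The function names and the sample `ss` lines are constructed for illustration; it assumes Docker's default userland proxy, which makes published ports show up in `ss`.

```shell
#!/bin/sh
# Added example, not OpenClaw project code: confirm the gateway port is only
# reachable through loopback, in the compose file and in live listeners.

# stdin: compose file. Prints published ports not pinned to loopback; returns 1 if any.
unpinned_ports() {
  awk '
    /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
    in_ports && /^[ \t]*-/ {
      entry = $0
      sub(/[ \t]+#.*$/, "", entry)          # trailing comment
      sub(/^[ \t]*-[ \t]*/, "", entry)      # list marker
      gsub("[\"\047]", "", entry)           # surrounding quotes
      if (entry !~ /^(127\.|\[::1\])/) { print entry; bad = 1 }
      next
    }
    { in_ports = 0 }
    END { exit (bad ? 1 : 0) }
  '
}

# stdin: `ss -Hltn` output. $1: port. Prints non-loopback listeners; returns 1 if any.
exposed_listeners() {
  awk -v port="$1" '
    {
      addr = $4                              # Local Address:Port column
      n = split(addr, p, ":")
      if (p[n] != port) next
      host = substr(addr, 1, length(addr) - length(p[n]) - 1)
      sub(/%.*$/, "", host)                  # interface scope such as %lo
      if (host ~ /^127\./ || host == "[::1]") next
      print addr; hit = 1
    }
    END { exit (hit ? 1 : 0) }
  '
}

# Constructed sample: the same service published without the 127.0.0.1 prefix.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:3377 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3377 0.0.0.0:*
LISTEN 0 4096 [::]:3377 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners 3377 || echo "FAIL: port 3377 is exposed"
# On the VPS: ss -Hltn | exposed_listeners 3377
#             unpinned_ports < docker-compose.production.yml
```

Docker inserts its own iptables rules for published ports, so a host firewall such as ufw does not stop traffic to an unpinned mapping; the loopback prefix is what keeps the gateway off the public interface.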

5. Monitoring and Alerts

Health Check Cron

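# /etc/cron.d/openclaw-monitor
# Cron has no backslash line continuation, so the whole job stays on one line.
# BOT_TOKEN and CHAT_ID are placeholders to fill in; keep this file root-owned and readable only by root.
BOT_TOKEN=<your-bot-token>
CHAT_ID=<your-chat-id>
*/5 * * * * root docker exec openclaw-prod openclaw status || curl -s "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" --data-urlencode "chat_id=${CHAT_ID}" --data-urlencode "text=⚠️ OpenClaw Error!"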

Resource Monitoring

# Record resource usage hourly
0 * * * * root echo "$(date): CPU $(top -bn1 | head -3 | tail -1), MEM $(free -h | head -2 | tail -1)" >> /var/log/openclaw-resources.log

6. Backup Strategy

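#!/bin/bash
# backup.sh - Daily automatic backup to Cloudflare R2
set -euo pipefail      # Abort on any failure so a failed upload never prunes or reports success
cd "$(dirname "$0")"   # Cron does not start in /opt/openclaw; resolve ./backups from the script's directory
DATE=$(date +%Y-%m-%d)
mkdir -p backups

# Backup OpenClaw data. Compose prefixes named volumes with the project name, so
# mount the running container's volumes (read-only) instead of guessing the name.
docker run --rm --volumes-from openclaw-prod:ro -v "$(pwd)/backups:/backup" \
  alpine tar czf "/backup/openclaw-${DATE}.tar.gz" -C /root/.openclaw .

# Upload to R2
rclone copy "./backups/openclaw-${DATE}.tar.gz" r2:openclaw-backups/

# Clean up local backups older than 7 days
find ./backups -name "*.tar.gz" -mtime +7 -delete

echo "✅ Backup completed: openclaw-${DATE}.tar.gz"

# Cron entry (goes in a file under /etc/cron.d, not in backup.sh): Backup daily at 3 AM
0 3 * * * root /opt/openclaw/backup.sh >> /var/log/openclaw-backup.log 2>&1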

7. Cost Breakdown

| Item | Monthly Fee |
|---|---|
| VPS (Hetzner CX22) | €4.35 (~¥35) |
| Domain Name | ¥5 (Annual average) |
| Cloudflare Tunnel | Free |
| Cloudflare R2 (10GB) | Free |
| Anthropic API (Avg. 50 conversations/day) | $30 (¥220) |
| Total | Approx. ¥260/month |

8. Deployment Checklist

  • Purchase and initialize VPS
  • Install Docker + Docker Compose
  • Complete .env.production configuration
  • Configure and test Cloudflare Tunnel
  • Configure Telegram/Discord Bot Token
  • Start with docker compose up -d
  • Configure Health Check Cron
  • Configure backup script
  • Send test message from Telegram to confirm
  • Observe for 24 hours to confirm stable operation

🎉 Congratulations!

All 40 episodes of the course are complete. You now possess:

  1. ✅ Practical experience with three installation methods (macOS / Docker / UTM VM)
  2. ✅ Mastery of the complete CLI command system (30+ commands + Telegram reference table)
  3. ✅ Security awareness of the four-level permission model
  4. ✅ Ability to develop and publish Skills and Plugins
  5. ✅ Deep integration with Telegram & Discord
  6. ✅ Orchestration and management of a Multi-Agent Legion
  7. ✅ Complete memory system with Session + Memory
  8. ✅ Usage of the AgentMail + MCP ecosystem
  9. ✅ Operations and maintenance capabilities for VPS Production Deployment

Your Agent now lives on your own server, on standby 24/7, possesses complete memory, connects to your Telegram and Discord, and can send emails, write code, and query databases.

AI should belong to you. Welcome to the world of OpenClaw. 🦀