In this chapter, you will deploy your AI Employee from your laptop to a VPS so it runs when you sleep.
James opened his laptop in the morning and found three unanswered WhatsApp messages from overnight. His agent had stopped checking leads at 11:47 PM, the exact minute he closed his laptop lid.
He looked at the gateway log and thought about the preceding thirteen chapters of building, customizing, and securing. His agent had a personality, skills, plugins, voice, multi-agent routing, and a custom approval gate. And it all stopped the moment the lid closed.
"I want this running when I sleep," he said.
Emma pulled up a Hetzner pricing page. "Five dollars a month. Two vCPUs, four gigs of RAM, forty gigs of SSD." She turned the screen toward him. "Your agent runs on less hardware than your coffee maker."
"How long to set it up?"
"Budget forty-five minutes. Fifteen for the VPS and Docker. Fifteen for OpenClaw. Fifteen for the paper cuts you will definitely hit." She paused. "After that? Your agent never sleeps."
You are doing exactly what James is doing: taking an agent that works on your laptop and moving it to infrastructure that never sleeps.
Your AI Employee runs on your laptop, which sleeps, loses Wi-Fi, and shuts down for updates. This chapter moves it to a server that runs 24/7. By the end, your agent responds from a datacenter, and you access its Control UI through an encrypted tunnel.
Not Ready to Deploy? Read Along
If you do not want to deploy right now, read through the steps and understand the process. You can deploy later when you are ready. The exercises at the end work either way.
Alibaba Cloud's Simple Application Server comes with OpenClaw pre-installed. No Docker, no SSH, no manual configuration. Your agent can be running 24/7 within minutes.
Pricing: Starting at $0.99/month (promotional). Regular price ~$8/month for a 2 GB instance. With the free token tier (see Step 6), your LLM cost can be $0.
Steps:
For the complete server setup walkthrough, see the Alibaba Cloud OpenClaw guide.
Select Singapore Region in Model Studio
Every model listed in Model Studio's Singapore region includes 1 million free tokens. If you skip this and use the default region, Alibaba charges for all token usage immediately. Default models like Qwen Max are expensive. With a zero-credit account, Alibaba sends an overdue notice and suspends your account within 24 hours, blocking all Model Studio access.
Enable the free quota limit option to cap usage at the free tier. With this setting, your only cost is the server instance ($0.99-$8/month).
Your OpenClaw gateway is now running in the cloud. The dashboard is your Control UI.
Verify your model. In the Control UI dashboard, confirm that the active model is one of the free-tier models available in the Singapore region. The default model may be different and expensive. In the instance UI, select Model Studio as your provider and pick a model from the Singapore region dropdown.
After provisioning, connect a messaging channel. For WhatsApp integration on the managed server, follow the Alibaba Cloud WhatsApp integration guide. For Telegram or Discord, SSH into your instance and configure the channel using the same flow from Module 9.1, Chapter 2.
Send a test message. If the agent responds, you are deployed.
Alibaba Cloud Free Trial
Alibaba Cloud also offers a 1-year free trial on ECS (Elastic Compute Service) instances. If you prefer the manual setup path (VPS tab) at zero cost, sign up for the free trial and follow the VPS steps below on your free ECS instance. When setting up Model Studio on the free trial, select the Singapore region for free tokens.
If you want full control or prefer a different provider, set up a VPS manually with Docker Compose.
New to Servers?
This path requires comfort with SSH, the Linux command line, and Docker. If terms like ssh, chown, or docker compose exec are unfamiliar, use the Managed Server tab instead. You get the same result with fewer steps and no command line.
You need: A Linux server with at least 2 vCPUs and 4 GB RAM, and basic experience with SSH and terminal commands.
On Hetzner (example):
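If you prefer the command line to the web console, Hetzner's hcloud CLI can create the server. This is a sketch; the server name and SSH key name are examples, and the web console produces the same result:

```shell
# Create a 2 vCPU / 4 GB server (cx22 is Hetzner's shared type at this size)
# Assumes hcloud is installed and you have uploaded an SSH key named "my-key"
hcloud server create \
  --name openclaw \
  --type cx22 \
  --image ubuntu-24.04 \
  --ssh-key my-key
```

Note the public IP in the output; you need it for the SSH step.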
Why Not Kubernetes?
WhatsApp is a single-connection protocol. You cannot load-balance it across multiple pods. The linked-device session is stateful, tied to one gateway process. Docker Compose on a single VPS is the right architecture for one AI Employee.
Log into your server remotely. Replace YOUR_VPS_IP with the IP address from step 7 above:
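The login is one command, with YOUR_VPS_IP as the placeholder:

```shell
ssh root@YOUR_VPS_IP
```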
If Hetzner emailed you a root password, enter it when prompted. If you added an SSH key during server creation, the login happens automatically.
Now install Docker, the tool that runs your agent in an isolated container:
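One common route is Docker's official convenience script, which installs the Engine and the Compose plugin together:

```shell
# Download and run Docker's install script (from get.docker.com)
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
```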
Verify both installed correctly:
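Two quick checks:

```shell
docker --version
docker compose version
```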
If both print a version number, you are ready.
Download the OpenClaw source code:
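Assuming the project is hosted at the URL shown here (the repository address is a guess; substitute the real one):

```shell
git clone https://github.com/openclaw/openclaw.git
cd openclaw
```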
Create the folders where your agent stores its configuration and workspace files:
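A sketch, assuming the compose file mounts a config directory and a workspace directory from your home folder (adjust the paths to match your compose file):

```shell
# Create the directories the container will mount
mkdir -p ~/openclaw/config ~/openclaw/workspace

# Give ownership to UID 1000, the user the agent runs as inside Docker
chown -R 1000:1000 ~/openclaw/config ~/openclaw/workspace
```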
The chown line gives ownership to user 1000, which is the user your agent runs as inside Docker. Skip this and you get "permission denied" errors later.
Generate a gateway token (a random password for your Control UI) and create the configuration file:
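One way to sketch it. The config file name and key names here are assumptions, not OpenClaw's documented schema; adapt them to the real config format:

```shell
# Ensure the config directory exists (from the previous step)
mkdir -p ~/openclaw/config

# Generate a random 64-character hex token
TOKEN=$(openssl rand -hex 32)

# Write a minimal config carrying the token (key names are illustrative)
cat > ~/openclaw/config/openclaw.json <<EOF
{
  "gateway": {
    "token": "$TOKEN"
  }
}
EOF
```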
Save your gateway token. Print it now and copy it somewhere safe. You need this to log into the Control UI:
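Anything that prints the token works. Assuming it lives in the config file you just created (the path and key name are assumptions):

```shell
grep '"token"' ~/openclaw/config/openclaw.json
```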
Start your agent. The -d flag runs it in the background so it keeps running after you close the terminal:
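From the directory containing the compose file:

```shell
docker compose up -d
```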
First pull takes 1-2 minutes (Docker downloads the pre-built image). Check status:
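The status check:

```shell
docker compose ps
```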
If it shows Restarting, check docker compose logs -f openclaw-gateway. If you see Gateway start blocked — gateway.mode not configured:
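A sketch of the fix, assuming the mode lives in the JSON config. The key name comes from the error message; the value and file path are assumptions:

```shell
# Edit the config with any editor and add a mode under "gateway",
# for example: "gateway": { "mode": "local", "token": "..." }
nano ~/openclaw/config/openclaw.json

# Restart so the gateway re-reads the config
docker compose restart openclaw-gateway
```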
Your agent is running but has no brain yet. Run the setup wizard inside the container to connect it to an LLM:
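Assuming the CLI entry point inside the container is called openclaw and the wizard is its onboarding subcommand (both names are guesses; the flag is described next):

```shell
docker compose exec openclaw-gateway openclaw onboard --no-install-daemon
```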
Same wizard from Module 9.1, Chapter 2: choose your model provider, authenticate, select a model. The --no-install-daemon flag tells it Docker manages the process lifecycle, so no system daemon is needed.
Do Not Skip Onboarding
If you cancel the wizard, the gateway looks running but no model is configured. Nothing responds. Complete the wizard, or set the provider manually:
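A hypothetical manual sketch; these key names are illustrative, not OpenClaw's documented schema:

```json
{
  "model": {
    "provider": "YOUR_PROVIDER",
    "name": "YOUR_MODEL_ID",
    "apiKey": "YOUR_API_KEY"
  }
}
```

Restart the container after editing so the gateway picks up the provider.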
Your agent can think now, but it has no way to receive messages. Your local WhatsApp is linked to your laptop's gateway. You need a separate channel for the VPS.
Telegram (easiest for production):
Discord:
WhatsApp (requires a dedicated phone number):
Restart after adding the channel:
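One line:

```shell
docker compose restart openclaw-gateway
```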
Send a test message. If the agent responds, you are deployed.
The gateway binds to 127.0.0.1. It is not accessible from the public internet. To reach the Control UI from your laptop, open an SSH tunnel:
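The tunnel forwards a local port to the gateway's loopback port on the VPS (YOUR_VPS_IP is the same placeholder as before):

```shell
# -N: no remote command, just forwarding
# -L: bind local port 18789 to 127.0.0.1:18789 on the server
ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP
```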
Open http://127.0.0.1:18789/ in your browser and paste the gateway token.
If your local gateway is already using port 18789, use a different local port:
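Same command, different local port:

```shell
ssh -N -L 19000:127.0.0.1:18789 root@YOUR_VPS_IP
```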
Then open http://localhost:19000. If the page loads but shows no data, fix the allowed origins:
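A sketch of the fix, assuming the gateway reads its allowed origins from the config file (the key name is an assumption):

```json
{
  "gateway": {
    "allowedOrigins": ["http://localhost:19000"]
  }
}
```

Restart the container after editing, then reload the page.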
No reverse proxy. No TLS certificates. No WAF.
The SSH key IS the authentication. The tunnel IS the encryption. The loopback binding IS the access control. For a single-operator deployment, this is the correct security posture.
Before any customer touches your agent, run the security audit:
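Assuming the audit ships as a CLI subcommand (the exact name is a guess; check the OpenClaw CLI help):

```shell
docker compose exec openclaw-gateway openclaw security audit
```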
On a default installation, expect critical findings from groupPolicy set to open and warn findings for credential directory permissions.
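The fixes follow from the findings. A sketch, with the groupPolicy key taken from the audit output and an assumed directory layout:

```shell
# Tighten the credential directory (the "warn" finding)
chmod 700 ~/openclaw/config

# For the critical finding, edit the config and change groupPolicy
# from "open" to a restrictive value, then restart the container
```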
Run the audit again. Zero criticals.
Managed Server: Near-Zero Cost
If you chose the Alibaba Cloud managed server with the Singapore region free tier, your monthly cost can be as low as $0.99. The 1 million free tokens per model covers learning and light production with no LLM charges.
For heavier usage beyond the free tier, the model provider becomes the dominant cost. The real optimization is not cheaper hardware; it is fewer tokens per interaction. That is why Module 9.1, Chapter 4 spent time on workspace file optimization and Module 9.1, Chapter 8 covered heartbeat cost management.
If you have a VPS, follow Steps 1-7 and deploy. If you do not, trace the deployment by reading each step and predicting what goes wrong if you skip it.
What you are learning: Production deployment is sequential. Skipping onboarding (Step 5) leaves a running gateway that never responds. Skipping channel setup (Step 6) means the VPS gateway has no way to receive messages.
What you are learning: The SSH tunnel replaces three components (reverse proxy, TLS termination, API gateway) with one. The security model is simple because the attack surface is small: SSH key authentication plus loopback binding.
What you are learning: The infrastructure cost ($0.99-$15/month) is trivial. With the managed server free tier, the model cost can be $0 for light usage. Beyond the free tier, the model provider ($50-100/month) becomes the dominant cost. The economics favor AI Employees when the agent handles enough volume to justify any paid model usage.
Docker Compose on a $5/month VPS (2 vCPU, 4 GB RAM) is the right production deployment for a single AI Employee. Not Kubernetes. Not serverless. Not multi-region. One container, one server, one agent.
The gateway binds to 127.0.0.1 inside the container. The SSH tunnel encrypts traffic from your laptop to the VPS. The SSH key is your authentication. No TLS certificate, no reverse proxy, no API gateway needed. Three components replaced by one.
Infrastructure ($5/month VPS or $0.99-$8/month managed) is trivial. On the managed server with Singapore region free tokens, the model provider can cost $0 within the 1 million token limit per model. Beyond the free tier, the model provider ($50-100/month at moderate volume) becomes the dominant cost. Workspace optimization (shorter SOUL.md, lighter heartbeats) reduces that dominant cost.
The VPS setup is Module 9.1, Chapter 2 on different hardware. Same wizard, same crash loop, same fixes. The preceding thirteen chapters on your laptop were not just about features; they built the debugging instincts you need when the same problems appear on a server with no one else around.
When Emma came back, James had his phone in one hand and a terminal SSH session in the other. "It is responding from Germany."
"How long?"
"Forty-two minutes. Permission denied because I forgot the chown. Then the CORS thing when I tunneled to port 19000." He paused. "Same debugging pattern as Module 9.1, Chapter 2, though. Check the log, find the error, fix the config."
Emma nodded. "The CORS paper cut caught me too, first time. I expected it to just work."
She looked at the terminal. Health endpoint returning 200. Gateway uptime climbing. "Your agent runs when you sleep now. That is what separates a demo from a product."
James thought about his old job. The operations team had a saying: production is the thing that works at 3 AM when nobody is watching. His agent was that now.
"The hardest part was not the deployment," he said. "It was realizing that the setup from Module 9.1, Chapter 2 repeats almost exactly on the VPS. Same wizard, same config, same crash loop. I already knew the fixes."
"That is the point." Emma closed her laptop. "The preceding thirteen chapters on your laptop were not just about learning features. They were about building the instincts you need when the same problems appear on a server with no one else around to ask."