Why Self-Host a VPN?
Commercial VPN providers sell you a shared exit node with a privacy promise. The promise is only as good as the provider's logging practices, their jurisdiction, and their willingness to resist legal pressure. You cannot audit any of that from the outside.
A VPS-hosted VPN is different:
- You control the server. Logs exist only if you configure them (configure none).
- The exit IP is dedicated to you. No shared infrastructure with other users whose traffic patterns could trigger monitoring.
- Jurisdiction is your choice. An offshore VPS in Romania or Iceland exits your traffic under those legal frameworks.
- Cost is lower than most commercial VPN plans for a single user.
The tradeoff: the VPS IP is associated with your account if you pay with a traceable method. See How to Pay with Monero for the anonymous payment path.
Step 1 - Provision the VPS
You need an Ubuntu 24.04 VPS. Any AnubizHost VPS plan works for personal VPN use - the entry plan (1 vCPU, 1 GB RAM) handles WireGuard traffic for a single user easily. See pricing.
After provisioning, SSH in as root:
ssh root@YOUR_VPS_IP
Update the system first:
apt update && apt upgrade -y
Step 2 - Install WireGuard
WireGuard is in the Ubuntu 24.04 kernel and default repositories:
apt install -y wireguard wireguard-tools
Enable IPv4 forwarding (required for VPN routing):
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
Step 3 - Generate Keys
WireGuard uses public/private key pairs for authentication. Generate server and client keys:
# Restrict permissions first so the new key files are readable by root only
umask 077
# Server keys
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
# Client keys (run on server, copy to client)
wg genkey | tee /etc/wireguard/client_private.key | wg pubkey > /etc/wireguard/client_public.key
# Read the values
cat /etc/wireguard/server_private.key
cat /etc/wireguard/server_public.key
cat /etc/wireguard/client_private.key
cat /etc/wireguard/client_public.key
Step 4 - Configure WireGuard Server
Create /etc/wireguard/wg0.conf:
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# NAT all client traffic through the VPS internet interface
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.10.0.2/32
Replace eth0 with your actual network interface (check with ip a). Enable and start WireGuard:
chmod 600 /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
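Allow SSH and open the WireGuard UDP port in UFW before enabling it, so that turning the firewall on does not block your SSH access:
ufw allow OpenSSH
ufw allow 51820/udp
ufw enable
Step 5 - Configure the Client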
On your client device (Linux, macOS, Windows, or mobile), create a WireGuard config:
[Interface]
Address = 10.10.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
DNS = 1.1.1.1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = YOUR_VPS_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
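AllowedIPs = 0.0.0.0/0 routes all IPv4 traffic through the VPN. IPv6 is not covered by this config, so a client with IPv6 connectivity still sends that traffic outside the tunnel. Import this config into the WireGuard app on your device. Toggle the tunnel on. Verify your exit IP has changed by visiting a site like ifconfig.me.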
Frequently Asked Questions
How many clients can I connect to a single WireGuard server?
Many. Add a [Peer] block for each client with a unique AllowedIPs (/32 per client). The entry AnubizHost VPS plan handles dozens of concurrent clients at typical browsing traffic levels.
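On the server, each peer's AllowedIPs is also the source-address filter for that peer, so a duplicate or overly wide entry breaks the one-address-per-client rule above. The following Python check is an added example, not part of the original guide or of WireGuard's tooling: it parses the server config and flags peers whose AllowedIPs is not a unique /32 inside the tunnel subnet. The function names and the sample config are constructed for illustration, and it assumes a single IPv4 Address on the interface, as in Step 4.

```python
import ipaddress

def parse_wg_conf(text):
    """Split wg-quick style text into the [Interface] dict and a list of [Peer] dicts."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append(current := {})              # start a new peer section
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = f"{current[key]},{value}" if key in current else value
    return interface, peers

def audit_server_peers(text):
    """Flag peers whose AllowedIPs is not a unique /32 in the tunnel subnet (assumes one IPv4 Address)."""
    interface, peers = parse_wg_conf(text)
    server = ipaddress.ip_interface(interface["Address"])
    findings, seen = [], []
    for number, peer in enumerate(peers, 1):
        for item in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"peer {number}: {net} is wider than one host")
            if net.version != server.version or not net.subnet_of(server.network):
                findings.append(f"peer {number}: {net} is outside {server.network}")
            elif server.ip in net:
                findings.append(f"peer {number}: {net} covers the server address {server.ip}")
            for other_number, other in seen:         # compare with every earlier peer
                if other.version == net.version and other.overlaps(net):
                    findings.append(f"peer {number}: {net} overlaps peer {other_number}")
            seen.append((number, net))
    return findings

# Constructed sample: the guide's server config with two extra, misconfigured peers.
SAMPLE = """
[Interface]
Address = 10.10.0.1/24
[Peer]
AllowedIPs = 10.10.0.2/32
[Peer]
AllowedIPs = 10.10.0.2/32   # duplicate of peer 1
[Peer]
AllowedIPs = 10.10.0.0/24   # whole tunnel subnet
"""

if __name__ == "__main__":
    print("\n".join(audit_server_peers(SAMPLE)))
```

To audit the real file, pass the contents of /etc/wireguard/wg0.conf to audit_server_peers; an empty list means every peer has its own /32.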
Is this legal?
Running a personal VPN is legal in Romania, Iceland, and most countries. There are exceptions (some authoritarian governments ban VPN use). Check the laws of your own country before use.
What is the difference between this and Tor?
A VPN routes all traffic through a single VPS you control - faster than Tor, no anonymity against the VPS provider. Tor routes through three relays operated by different parties - slower, but the traffic is not linkable back to your IP by any single party. For censorship bypass, VPN is often sufficient. For anonymity against surveillance, Tor is stronger.