Tutorial
How to Set Up a Personal VPN on a VPS with WireGuard

AnubizHost Team

Commercial VPNs ask you to trust their no-log claim. Running your own VPN on a VPS you control eliminates that trust requirement. WireGuard makes this practical: it is fast, audited, and takes under 10 minutes to configure. An offshore VPS adds jurisdiction protection that a US-based exit node cannot provide.

Why Self-Host a VPN?

Commercial VPN providers sell you a shared exit node with a privacy promise. The promise is only as good as the provider's logging practices, their jurisdiction, and their willingness to resist legal pressure. You cannot audit any of that from the outside.

A VPS-hosted VPN is different:

  • You control the server. Logs exist only if you configure them (configure none).
  • The exit IP is dedicated to you. No shared infrastructure with other users whose traffic patterns could trigger monitoring.
  • Jurisdiction is your choice. An offshore VPS in Romania or Iceland exits your traffic under those legal frameworks.
  • Cost is lower than most commercial VPN plans for a single user.

The tradeoff: the VPS IP is associated with your account if you pay with a traced method. See How to Pay with Monero for the anonymous payment path.

Step 1 - Provision the VPS

You need an Ubuntu 24.04 VPS. Any AnubizHost VPS plan works for personal VPN use - the entry plan (1 vCPU, 1 GB RAM) handles WireGuard traffic for a single user easily. See pricing.

After provisioning, SSH in as root:

ssh root@YOUR_VPS_IP

Update the system first:

apt update && apt upgrade -y

Step 2 - Install WireGuard

WireGuard is in the Ubuntu 24.04 kernel and default repositories:

apt install -y wireguard wireguard-tools

Enable IPv4 forwarding (required for VPN routing):

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

Step 3 - Generate Keys

WireGuard uses public/private key pairs for authentication. Generate server and client keys:

# Create new files readable by root only, so the private keys are never world-readable
umask 077

# Server keys
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key

# Client keys (run on server, copy to client)
wg genkey | tee /etc/wireguard/client_private.key | wg pubkey > /etc/wireguard/client_public.key

# Read the values
cat /etc/wireguard/server_private.key
cat /etc/wireguard/server_public.key
cat /etc/wireguard/client_private.key
cat /etc/wireguard/client_public.key

Warning: Keep private keys private. Never share or log them. The server private key stays on the server. The client private key goes only to your client device.

Step 4 - Configure WireGuard Server

Create /etc/wireguard/wg0.conf:

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

# NAT all client traffic through the VPS internet interface
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.10.0.2/32

Replace eth0 with your actual network interface (check with ip a). Enable and start WireGuard:

chmod 600 /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

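Allow SSH and open the WireGuard UDP port in UFW. Add the SSH rule before enabling the firewall, otherwise UFW's default deny policy blocks new SSH sessions to the VPS:

# Keep SSH reachable (use your own port instead if sshd does not listen on 22)
ufw allow OpenSSH
ufw allow 51820/udp
ufw enable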
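
A mismatch between the interface named in PostUp and the interface the VPS actually routes through leaves the tunnel up but with no working NAT. The following check is an added example, not part of the original tutorial; the function names are hypothetical and the config and route text in the demo are constructed samples.

```shell
#!/bin/sh
# Added example. Config and route text in the demo are constructed samples.

# Print every interface named after "-o" on the PostUp lines of a wg-quick config.
nat_ifaces() {
    awk '$1 ~ /^PostUp(=|$)/ {
        for (i = 1; i < NF; i++)
            if ($i == "-o") { dev = $(i + 1); sub(/;$/, "", dev); print dev }
    }' "$1" | sort -u
}

# Print the device of the default route, given `ip -4 route show default` output.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# $1 = config path, $2 = route text. 0 = match, 1 = mismatch, 2 = cannot tell.
check_nat_iface() {
    want=$(default_iface "$2")
    devs=$(nat_ifaces "$1")
    if [ -z "$want" ] || [ -z "$devs" ]; then
        echo "cannot compare: no default route or no '-o IFACE' in PostUp"
        return 2
    fi
    rc=0
    for got in $devs; do
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: PostUp masquerades on '$got', default route uses '$want'"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed input; on a real server pass /etc/wireguard/wg0.conf
# and "$(ip -4 route show default)" instead.
demo_conf=$(mktemp)
printf '%s\n' '[Interface]' \
    'PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' \
    > "$demo_conf"
check_nat_iface "$demo_conf" 'default via 203.0.113.1 dev ens3 proto dhcp' || true
rm -f "$demo_conf"
```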

Step 5 - Configure the Client

On your client device (Linux, macOS, Windows, or mobile), create a WireGuard config:

[Interface]
Address = 10.10.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = YOUR_VPS_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

AllowedIPs = 0.0.0.0/0 routes all IPv4 traffic through the VPN; IPv6 is not covered by this configuration. Import this config into the WireGuard app on your device. Toggle the tunnel on. Verify your exit IP has changed by visiting a site like ifconfig.me.

Tip: For DNS leak protection, set DNS in the client config to a trusted resolver. 1.1.1.1 (Cloudflare) or 9.9.9.9 (Quad9) both work. For maximum privacy, run your own Unbound resolver on the VPS and point DNS to 10.10.0.1.

Frequently Asked Questions

How many clients can I connect to a single WireGuard server?

Many. Add a [Peer] block for each client with a unique AllowedIPs (/32 per client). The entry AnubizHost VPS plan handles dozens of concurrent clients at typical browsing traffic levels.
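
One way to keep AllowedIPs unique when adding clients, shown as an added example that is not part of the original tutorial: it picks the lowest free address in the tutorial's 10.10.0.0/24 subnet, refuses to continue if two peers already share an AllowedIPs value, and prints the [Peer] block to append to wg0.conf. The function names are hypothetical, and the config and key in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example. The config and key in the demo are constructed placeholders.

# Print the last octet of every "AllowedIPs = 10.10.0.N/32" line in the config.
used_octets() {
    sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*10\.10\.0\.\([0-9]\{1,3\}\)\/32.*/\1/p' "$1"
}

# Print the lowest unused client address; .1 is the server itself.
next_peer_ip() {
    used=" $(used_octets "$1" | tr '\n' ' ')"
    n=2
    while [ "$n" -le 254 ]; do
        case "$used" in
            *" $n "*) n=$((n + 1)) ;;
            *) echo "10.10.0.$n"; return 0 ;;
        esac
    done
    echo "10.10.0.0/24 has no free client address" >&2
    return 1
}

# Print AllowedIPs values that appear under more than one peer.
duplicate_allowed_ips() {
    sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" | tr -d ' \t' | sort | uniq -d
}

# $1 = config path, $2 = client public key. Prints a [Peer] block to append.
peer_block() {
    # A WireGuard public key is 32 bytes: 43 base64 characters plus one "=".
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9+/]{43}=$' || {
        echo "refusing: not a WireGuard public key" >&2; return 2; }
    [ -z "$(duplicate_allowed_ips "$1")" ] || {
        echo "refusing: config already has duplicate AllowedIPs" >&2; return 3; }
    ip=$(next_peer_ip "$1") || return 1
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$2" "$ip"
}

# Demo on a constructed config with one existing peer at 10.10.0.2.
demo=$(mktemp)
printf '%s\n' '[Interface]' 'Address = 10.10.0.1/24' '' \
    '[Peer]' 'PublicKey = <CLIENT_PUBLIC_KEY>' 'AllowedIPs = 10.10.0.2/32' > "$demo"
fake_key="$(printf '%043d' 0 | tr 0 A)="   # placeholder, not a real key
peer_block "$demo" "$fake_key"             # prints a block with 10.10.0.3/32
rm -f "$demo"
```

The output is only printed; review it, append it to /etc/wireguard/wg0.conf, and restart wg-quick@wg0 for the new peer to take effect.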

Is this legal?

Running a personal VPN is legal in Romania, Iceland, and most countries. There are exceptions (some authoritarian governments ban VPN use). Check the laws of your own country before use.

What is the difference between this and Tor?

A VPN routes all traffic through a single VPS you control - faster than Tor, no anonymity against the VPS provider. Tor routes through three relays operated by different parties - slower, but the traffic is not linkable back to your IP by any single party. For censorship bypass, VPN is often sufficient. For anonymity against surveillance, Tor is stronger.
