WireGuard VPS Setup: Run Your Own Self-Hosted VPN

WireGuard was designed from scratch with a minimal codebase of around 4,000 lines, compared to OpenVPN's 70,000+ and IPSec's sprawling kernel stack. That simplicity translates directly into speed, auditability, and reliability. The protocol uses modern cryptography by default: Curve25519 for key exchange, ChaCha20 for symmetric encryption, Poly1305 for authentication, and BLAKE2s for hashing. There are no cipher suite negotiation misconfigurations possible because there is only one cipher suite.

Performance on a basic VPS is measurably better than OpenVPN. WireGuard runs in the Linux kernel (kernel module or via kernel-space implementation), which means it processes packets without the user-space context switching overhead that burdens OpenVPN. On a modest 1 vCPU plan you can expect to saturate a 500 Mbps connection without the CPU becoming a bottleneck. On a 4 vCPU plan, throughput easily reaches 1 Gbps.

The configuration is also dramatically simpler. WireGuard uses a key-pair model similar to SSH: generate a public/private key pair on the server and each client, exchange public keys, and define allowed IP ranges. There are no certificates, no certificate authority, no revocation lists. Adding a new peer is a single wg addconf command or a one-line edit to wg0.conf followed by wg syncconf.

For operators who want a private VPN without trusting a commercial provider's no-log claims, running WireGuard on an offshore VPS is the cleanest solution. You are the only entity with access to the server and the VPN configuration. Traffic analysis at the network level is the only remaining threat model, which offshore jurisdiction addresses by removing easy legal compulsion.

Start by ordering any VPS plan with at least 1 vCPU and 512 MB RAM. The Romania Start plan at $17.90/mo is sufficient for personal VPN use with up to five simultaneous clients. Once your server is provisioned and you have SSH credentials, connect as root and update the system: apt update && apt upgrade -y on Debian/Ubuntu, or dnf update -y on AlmaLinux/Fedora.

Install WireGuard: apt install -y wireguard on Debian/Ubuntu. Enable IP forwarding in the kernel: echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf && sysctl -p. Generate the server key pair: cd /etc/wireguard && wg genkey | tee server_private.key | wg pubkey > server_public.key. Set strict permissions: chmod 600 server_private.key.

Create /etc/wireguard/wg0.conf with the server's private key, the listening port (51820 is standard), and your desired VPN subnet (10.8.0.0/24 is a common choice). Add a PostUp rule to masquerade outbound traffic through your main network interface (typically eth0): PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE. Add the corresponding PostDown rules to clean up on interface teardown.

Enable and start the interface: systemctl enable --now wg-quick@wg0. Check status with wg show. On each client, install WireGuard, generate a key pair, and add the client's public key to the server's wg0.conf as a new [Peer] block with AllowedIPs = 10.8.0.X/32. Generate a QR code for mobile clients using qrencode or use the wg-quick configuration file format for desktop clients. All traffic from the client is now routed through your offshore VPS.

A WireGuard server exposed to the internet needs a minimal firewall to prevent port scanning and unauthorized access to other services. Use ufw or nftables to allow only the WireGuard UDP port (51820), SSH (22 or a non-standard port you choose), and reject everything else inbound. Allow all outbound traffic from the WireGuard interface so tunneled clients can reach the internet.

Disable root SSH password login and use key-based authentication only. Change the SSH port to a non-standard value to reduce noise from automated scanners. Install fail2ban and configure it to monitor SSH auth failures. These steps do not affect WireGuard performance but significantly reduce the attack surface of your VPS.

Consider setting up unattended-upgrades on Debian/Ubuntu to apply security patches automatically. WireGuard's small codebase means kernel updates rarely break the module, but it is good practice to monitor for WireGuard-specific CVEs. Subscribe to the linux-kernel-sec mailing list or use a monitoring service to track kernel security announcements.

If you are running multiple clients, use unique pre-shared keys (PSK) for each peer pair using wg genpsk. PSKs add a layer of symmetric key material to the key exchange, providing post-quantum resistance against an adversary who records encrypted traffic now and decrypts it later with a quantum computer. This is a low-cost hardening step that takes seconds to implement.

The VPN's usefulness for privacy depends partly on where the exit node is located. Hosting in Romania puts your server outside the 5-Eyes and 14-Eyes intelligence agreements, in a jurisdiction with no mandatory ISP-level data retention law that applies to VPS providers. Romanian datacenters have strong connectivity to both Western Europe and CIS countries, making latency acceptable for most use cases.

Iceland is the other AnubizHost location and offers constitutional-level speech protections, a track record of hosting privacy-focused organizations, and excellent transatlantic peering. Iceland plans start at $19.99/mo. For operators targeting users in North America or Western Europe, Iceland often delivers better round-trip times than Romania.

Neither location will respond to takedown requests or data disclosure orders from jurisdictions outside their own legal system without due process under local law. For a VPN server where you control all configuration and there is no third-party log to subpoena, the risk of meaningful data disclosure is low regardless of where you host.

Both locations support static IPv4 assignment, which is required for WireGuard endpoint configuration. You can also request additional IPv4 addresses if you want to run multiple WireGuard interfaces or assign dedicated exit IPs to different client groups.