Running Your Own VPN: WireGuard on a VPS for Privacy

Published on 2025-10-02

How to set up a personal WireGuard VPN on your VPS. Covers installation, client configuration, and why a self-hosted VPN beats commercial VPN services.

Written by Jochem, Infrastructure Expert, 5-10 years experience in game server hosting, VPS infrastructure, and 24/7 streaming solutions. Read author bio →

Commercial VPN services promise privacy but require trusting a third party. Running your own VPN on a VPS means you control everything.

WireGuard VPN privacy setup

Why Self-Hosted VPN

Factor	Commercial VPN	Self-Hosted VPN
Trust	Must trust provider's claims	Trust yourself
Logs	Provider says "no logs"	You verify no logs
Speed	Shared with thousands	Dedicated to you
IP	Shared (can be flagged)	Dedicated IP
Cost	$5-15/month	VPS cost ($5-15/month)
Other uses	VPN only	VPN + anything else

WireGuard Installation

WireGuard is the modern, fast VPN protocol:

sudo apt install wireguard

Generate Server Keys

cd /etc/wireguard
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key

Server Configuration

# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

Enable IP Forwarding

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Start WireGuard

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Open Firewall Port

sudo ufw allow 51820/udp

Client Configuration

Generate Client Keys

wg genkey | tee client_private.key | wg pubkey > client_public.key

Client Config File

[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.2/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = <server_public_key>
Endpoint = your-vps-ip:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Connecting

Platform	App	Config Import
Windows	WireGuard for Windows	Import .conf file
macOS	WireGuard for Mac	Import .conf file
Linux	wg-quick	Save as /etc/wireguard/wg0.conf
iOS	WireGuard app	QR code or .conf
Android	WireGuard app	QR code or .conf

Generate QR Code for Mobile

sudo apt install qrencode
qrencode -t ansiutf8 < client.conf

Scan with the WireGuard mobile app. Connected in seconds.

Performance

WireGuard is significantly faster than OpenVPN:

Protocol	CPU Usage	Throughput	Latency Overhead
OpenVPN (UDP)	High	200-400 Mbps	5-15ms
OpenVPN (TCP)	High	100-300 Mbps	10-25ms
WireGuard	Low	500-900 Mbps	1-3ms

On a Space-Node VPS with 1 Gbps connectivity, WireGuard can saturate most home internet connections.

Multiple Clients

Add more peers to the server config:

[Peer]
# Phone
PublicKey = <phone_public_key>
AllowedIPs = 10.0.0.3/32

[Peer]
# Laptop
PublicKey = <laptop_public_key>
AllowedIPs = 10.0.0.4/32

Each device gets its own IP in the VPN subnet.

Privacy Considerations

Your VPN server's IP becomes your public IP. Your ISP still sees VPN traffic, but not its content.
The VPS provider can see your traffic. Choose a provider in a jurisdiction with strong privacy laws (Netherlands is excellent for this).
Don't log VPN traffic. WireGuard doesn't log by default.

A Netherlands-based VPS from Space-Node gives you Dutch privacy protections and a European IP address, perfect for a personal VPN.

About the Author

Jochem, Infrastructure Expert, expert in game server hosting, VPS infrastructure, and 24/7 streaming solutions with 5-10 years experience.

Since 2023

500+ servers hosted

4.8/5 avg rating

I specialize in Minecraft, FiveM, Rust, and 24/7 streaming infrastructure, operating enterprise-grade AMD Ryzen 9 hardware in Netherlands datacenters.

View my full bio and credentials →