Commercial VPN services promise privacy but require trusting a third party. Running your own VPN on a VPS means you control everything.
Why Self-Hosted VPN
| Factor | Commercial VPN | Self-Hosted VPN |
|--------|---------------|----------------|
| Trust | Must trust provider's claims | Trust yourself |
| Logs | Provider says "no logs" | You verify no logs |
| Speed | Shared with thousands | Dedicated to you |
| IP | Shared (can be flagged) | Dedicated IP |
| Cost | $5-15/month | VPS cost ($5-15/month) |
| Other uses | VPN only | VPN + anything else |
WireGuard Installation
WireGuard is the modern, fast VPN protocol:
```bash
sudo apt install wireguard
```
Generate Server Keys
```bash
# Run as root (e.g. sudo -i): /etc/wireguard is created readable by root only
cd /etc/wireguard
umask 077   # new key files are created with mode 0600
wg genkey | tee server_private.key | wg pubkey > server_public.key
```
Server Configuration
```ini
# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <server_private_key>
Address = 10.0.0.1/24
ListenPort = 51820
# eth0 must be the VPS's public interface; check with `ip route` and adjust if it differs
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client_public_key>
# /32: this peer may only send traffic from (and receive traffic for) its own address
AllowedIPs = 10.0.0.2/32
```
Enable IP Forwarding
```bash
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
Start WireGuard
```bash
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```
Open Firewall Port
```bash
sudo ufw allow 51820/udp
```
Client Configuration
Generate Client Keys
```bash
wg genkey | tee client_private.key | wg pubkey > client_public.key
```
Client Config File
```ini
[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.2/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = <server_public_key>
Endpoint = your-vps-ip:51820
# Route all IPv4 traffic through the tunnel (add ::/0 as well if the server also forwards IPv6)
AllowedIPs = 0.0.0.0/0
# Keeps the NAT mapping alive so the server can still reach the client behind a home router
PersistentKeepalive = 25
```
Connecting
| Platform | App | Config Import |
|----------|-----|---------------|
| Windows | WireGuard for Windows | Import .conf file |
| macOS | WireGuard for Mac | Import .conf file |
| Linux | wg-quick | Save as /etc/wireguard/wg0.conf |
| iOS | WireGuard app | QR code or .conf |
| Android | WireGuard app | QR code or .conf |
Generate QR Code for Mobile
```bash
sudo apt install qrencode
qrencode -t ansiutf8 < client.conf
```
Scan with the WireGuard mobile app. Connected in seconds.
Performance
WireGuard is significantly faster than OpenVPN:
| Protocol | CPU Usage | Throughput | Latency Overhead |
|----------|----------|-----------|-----------------|
| OpenVPN (UDP) | High | 200-400 Mbps | 5-15ms |
| OpenVPN (TCP) | High | 100-300 Mbps | 10-25ms |
| WireGuard | Low | 500-900 Mbps | 1-3ms |
On a Space-Node VPS with 1 Gbps connectivity, WireGuard can saturate most home internet connections.
Multiple Clients
Add more peers to the server config:
```ini
[Peer]
# Phone
PublicKey = <phone_public_key>
AllowedIPs = 10.0.0.3/32

[Peer]
# Laptop
PublicKey = <laptop_public_key>
AllowedIPs = 10.0.0.4/32
```
Each device gets its own IP in the VPN subnet.
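Hand-editing wg0.conf for every new device is where duplicate AllowedIPs and copy-paste mistakes creep in. The following added example (not from the original post) automates the Multiple Clients step and the Client Config File step above: it reads the server config, picks the next unused address in the VPN subnet, and renders both the server-side [Peer] stanza and the matching client .conf. Keys are passed in as strings (generate them with `wg genkey` / `wg pubkey` as shown earlier); the embedded server config and all key values are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of the server's wg0.conf from this page (placeholder keys).
SAMPLE_SERVER_CONF = """[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = CLIENT1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32

[Peer]
# Phone
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32
"""

def vpn_network(server_conf):
    """Subnet from the [Interface] Address line (10.0.0.1/24 -> 10.0.0.0/24)."""
    m = re.search(r"^\s*Address\s*=\s*(\S+)", server_conf, re.M)
    return ipaddress.ip_interface(m.group(1)).network

def used_addresses(server_conf):
    """Every address already taken: the server's own plus each peer's AllowedIPs."""
    used = set()
    for m in re.finditer(r"^\s*(?:Address|AllowedIPs)\s*=\s*(.+)$", server_conf, re.M):
        for cidr in m.group(1).split(","):
            used.add(ipaddress.ip_interface(cidr.strip()).ip)
    return used

def next_free_address(server_conf):
    """First host address in the subnet not yet assigned to the server or a peer."""
    used = used_addresses(server_conf)
    for host in vpn_network(server_conf).hosts():
        if host not in used:
            return host
    raise RuntimeError("VPN subnet exhausted; widen the Address prefix")

def server_peer_stanza(name, client_public_key, address):
    """[Peer] block to append to wg0.conf; /32 so the peer can only use its own address."""
    return f"\n[Peer]\n# {name}\nPublicKey = {client_public_key}\nAllowedIPs = {address}/32\n"

def client_config(client_private_key, server_public_key, endpoint, server_conf):
    """Full client .conf for the next free address, mirroring the page's client template."""
    addr = next_free_address(server_conf)
    prefix = vpn_network(server_conf).prefixlen
    return (f"[Interface]\nPrivateKey = {client_private_key}\nAddress = {addr}/{prefix}\n"
            f"DNS = 1.1.1.1, 8.8.8.8\n\n[Peer]\nPublicKey = {server_public_key}\n"
            f"Endpoint = {endpoint}\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n")
```

Append the stanza returned by `server_peer_stanza` to wg0.conf and reload with `wg syncconf` or a restart of `wg-quick@wg0`; the client config can be fed straight to `qrencode` as in the mobile step above.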
Privacy Considerations
- Your VPN server's IP becomes your public IP. Your ISP still sees VPN traffic, but not its content.
- The VPS provider can see your traffic. Choose a provider in a jurisdiction with strong privacy laws (Netherlands is excellent for this).
- Don't log VPN traffic. WireGuard doesn't log by default.
A Netherlands-based VPS from Space-Node gives you Dutch privacy protections and a European IP address, perfect for a personal VPN.
