Running your own VPN on your VPS (WireGuard)
What this is
Your own VPN server: your devices connect to your VPS and route their internet traffic through it, encrypted from the device to the datacenter. A personal VPN for your own use is explicitly allowed and is one of the most popular uses of a small plan (the required TUN/TAP support is already enabled). The line to respect: personal use only. Running a VPN or proxy service for other people is not allowed.
What it gives you, honestly stated:
- Privacy from the network you're on: hotel Wi-Fi, airports, and ISPs that snoop or throttle see only encrypted traffic to your VPS.
- A stable, known exit IP: useful for IP-allowlisted services (your own servers included) and for a consistent location while traveling.
- Not anonymity. The VPS's IP is yours, on your account. A self-hosted VPN moves trust from the coffee-shop network to your own server; it doesn't make you anonymous, and commercial "no-logs" theater isn't the product here.
The ten-minute setup
The community-standard wireguard-install script (by Nyr) handles server setup, keys, forwarding, and client management:
wget https://git.io/wireguard -O wireguard-install.sh
bash wireguard-install.sh
Accept the defaults (UDP 51820) and name your first client; the script then prints a QR code. Open the WireGuard app on your phone (iOS/Android), choose "Create from QR code", scan, and toggle it on. Done. For laptops, the script writes a .conf file; import it into the WireGuard client (or use wg-quick up on Linux).
Re-run the script any time to add a client per device (one profile per phone/laptop, so a lost device is revoked by deleting its client, same logic as SSH keys), or to remove one.
Two housekeeping notes: if you run your own firewall, allow 51820/udp (the script handles its own rules on a default setup; our edge firewall doesn't block VPN ports). And prefer the script's defaults unless you know why not: it configures DNS through the tunnel correctly, which hand-rolled setups often miss.
Verify it, including DNS
With the VPN on, check two things from the connected device:
- Your visible IP is the VPS's: check on any "what is my IP" site.
- DNS isn't leaking: dnsleaktest.com (or browserleaks.com/dns) should show resolvers consistent with your tunnel, not your home ISP's. A leak means DNS queries escape the tunnel, which is the privacy hole people don't notice. The script's default config avoids it; custom configs should set DNS = in the client profile.
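The same check can be made on the profile file before it reaches a device. The following is an added example, not part of the wireguard-install script or of this guide's own tooling: it parses a wg-quick style client profile and reports a missing DNS line, and, going one step beyond the DNS check above, AllowedIPs that omit the literal IPv4 or IPv6 default route. The function names are hypothetical, and the sample profiles, keys and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample profiles; keys and addresses are placeholders.
GOOD = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.7.0.2/24
DNS = 10.7.0.1

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""
LEAKY = GOOD.replace("DNS = 10.7.0.1\n", "").replace("0.0.0.0/0, ::/0", "10.7.0.0/24")


def parse_profile(text):
    """Parse a wg-quick style profile into [(section, {key: [values]})]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines match nothing below
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            sections[-1][1].setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def audit_profile(text):
    """Return findings that would let DNS or routed traffic bypass the tunnel."""
    findings = []
    sections = parse_profile(text)
    allowed = ",".join(v for n, k in sections if n == "peer" for v in k.get("allowedips", []))
    routed = {ipaddress.ip_network(e.strip(), strict=False) for e in allowed.split(",") if e.strip()}
    dns = [v for n, k in sections if n == "interface" for v in k.get("dns", []) if v]
    if not dns:
        findings.append("no DNS in [Interface]: queries may go to the local network's resolver")
    for default in ("0.0.0.0/0", "::/0"):
        if ipaddress.ip_network(default) not in routed:
            findings.append(f"{default} not in AllowedIPs: that traffic stays outside the tunnel")
    return findings


if __name__ == "__main__":
    for label, profile in (("good", GOOD), ("leaky", LEAKY)):
        print(label, audit_profile(profile) or "ok")
```

A profile that covers all addresses with split routes instead of the literal default routes will be flagged by this check and needs a manual look.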
The traffic math
Routed VPN traffic crosses your VPS twice (in from your device, out to the destination), so a gigabyte browsed is roughly two gigabytes against your monthly allowance. Generous plans make this a non-issue for normal browsing; heavy streaming through the tunnel is where the math starts to matter, so watch the Graphs the first month.
When WireGuard won't connect: the OpenVPN fallback
Some restrictive networks (corporate guest Wi-Fi, certain hotel setups) block unfamiliar UDP entirely, and WireGuard is UDP-only. The classic workaround is a parallel OpenVPN setup via the sibling openvpn-install script, configured on TCP port 443. That is indistinguishable from HTTPS to most middleboxes; it is slower than WireGuard, but it connects where nothing else will. Run both; use WireGuard by default and the 443 fallback when a network fights you.
Still need help?
You can open a support ticket. So we can help on the first reply, it's worth mentioning:
- the VPS hostname or IP,
- the client device,
- where it fails (importing the profile, the handshake, or no internet through the tunnel).
Related questions
- "Can I run a VPN on my VPS, and is it allowed?"
- "How do I set up WireGuard on my VPS?"
- "How do I add my phone to my VPN (QR code)?"
- "Does a self-hosted VPN make me anonymous?"
- "How much bandwidth does a VPN use (does traffic count twice)?"
- "What if a network blocks my WireGuard connection?"