Why run your own WireGuard VPN
A commercial VPN asks you to trust a company you cannot audit. You pay them, route all your traffic through their servers, and take their word that they keep no logs. A self-hosted VPN narrows that trust: you rent a server, install the VPN yourself, and nobody but you holds the keys or the configuration. There is no VPN provider in the middle to log your traffic, sell it, or be subpoenaed for it; the one party still between you and the internet is the host that rents you the server, which is why its choice matters (more on that at the end).
WireGuard is what makes this practical. It is a modern VPN protocol that is small, fast and simple: a few thousand lines of code rather than the hundreds of thousands in older stacks, which makes it easier to audit and harder to misconfigure. On a modest VPS it will carry the full uplink with little CPU use. Combined with a no-KYC, offshore VPS, a self-hosted WireGuard tunnel gives you a private exit point that only you operate, and this guide builds one from scratch.

What you need
The whole setup takes one server and about fifteen minutes:
- A VPS. Even the smallest plan is plenty — WireGuard is extremely light. Pick the jurisdiction you want your traffic to appear to come from. A ServPrivacy VPS from $7.50/mo with full root access is more than enough.
- A fresh Linux install. Any recent Debian or Ubuntu works well; the commands below assume one of those. Other distributions differ only in the package step.
- Root or sudo access and a few minutes at the command line.
You do not need a domain, a control panel, or any third-party VPN software. WireGuard has been part of the mainline Linux kernel since 5.6.
Step 1 — Install WireGuard on the server
Connect to your VPS over SSH and install the WireGuard tools. On Debian or Ubuntu that is a single command: apt update && apt install -y wireguard. On kernel 5.6 or newer the module is built in, so this installs only the user-space tools, wg and wg-quick, that you use to manage tunnels; on older kernels the package may have to build the module through DKMS.
That is the entire installation. There is no separate daemon to configure, no account to create, and nothing extra to keep patched beyond normal system updates.
Step 2 — Generate keys and write the server config
WireGuard authenticates peers with public-key cryptography, so the first task is a key pair for the server. Generate one with umask 077 && wg genkey | tee server_private.key | wg pubkey > server_public.key; the umask makes sure the key file is created readable only by its owner. The private key stays on the server and is never shared; the public key will be handed to each client.
Next, create the tunnel configuration at /etc/wireguard/wg0.conf. The [Interface] section defines the server's address inside the tunnel (a private range such as 10.8.0.1/24), the port WireGuard listens on (51820 by default), and the server's private key. Each device you later connect is added as a [Peer] block holding that client's public key and, as its AllowedIPs, the single address it is assigned inside the tunnel. Keep the file readable only by root (chmod 600 /etc/wireguard/wg0.conf); it contains the server's private key.
The configuration is deliberately short. A working server config is well under twenty lines, which is part of why WireGuard is hard to get dangerously wrong.
Step 3 — Enable forwarding and open the port
For the VPN to route your traffic out to the internet, the server has to forward packets. Enable IP forwarding by setting net.ipv4.ip_forward=1 (and net.ipv6.conf.all.forwarding=1 if the server has IPv6 and you intend to tunnel it) in a file under /etc/sysctl.d/ and applying it with sysctl --system. The tunnel config also needs a firewall rule that masquerades outgoing traffic so it leaves with the server's own address; this is typically added as a PostUp line in wg0.conf so it applies when the tunnel starts, with a matching PostDown line that removes it when the tunnel stops.
Then make sure the WireGuard port is reachable. If the VPS runs a firewall, allow UDP on your chosen port (51820 by default); nothing else needs to be opened for the VPN. WireGuard uses UDP only and, usefully for privacy, does not respond to packets that are not part of a valid handshake, so a port scan reports the port as open|filtered rather than confirming that a service is there.
Bring the tunnel up and enable it at boot in one step with systemctl enable --now wg-quick@wg0. If you have already started it by hand with wg-quick up wg0, take it down first, because the service will fail to start while the interface already exists. The server side is now live.
Step 4 — Add a client and connect
Each device that uses the VPN, a laptop or a phone, needs its own key pair and a small client configuration. Generate a key pair for the client exactly as for the server, then write a client config containing the client's private key, its tunnel address, the server's public key, the server's public IP and port as the Endpoint, and an AllowedIPs of 0.0.0.0/0, ::/0 so that all traffic, IPv6 included, is routed through the tunnel. Listing only 0.0.0.0/0 is a common mistake: on a dual-stack network, IPv6 traffic then bypasses the VPN entirely.
Add the matching [Peer] block, with the client's public key and its tunnel address as AllowedIPs, to the server's wg0.conf. wg-quick has no reload command, and restarting the service briefly drops every connected client, so apply the change live with wg syncconf wg0 <(wg-quick strip wg0) instead. On the client, install the WireGuard app (it exists for every desktop and mobile platform), import the config (most apps accept a QR code, the easiest route for phones) and toggle the tunnel on. Within a second or two your device's traffic is exiting through your VPS. Confirm it by checking your public IPv4 and IPv6 addresses: both should now be the server's, and a DNS leak test should show only the resolver you configured.
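Putting Steps 1 to 4 together, here is an added example script, not code from the page or from the WireGuard project, that generates the key pairs, enables forwarding, and renders the server and client configuration files described above. The tunnel subnets 10.8.0.0/24 and fd00:8::/64, the public interface name eth0, the use of iptables/ip6tables, the resolver 1.1.1.1, the client name "laptop" and an IPv4 endpoint are assumptions made here; change them for your server. The render functions take keys as arguments, so they can be run on any machine to inspect the generated configs before anything touches the VPS.

```shell
#!/bin/sh
# Added example for Steps 1-4 (not the page's own code). Assumptions: tunnel
# subnets 10.8.0.0/24 and fd00:8::/64, public interface eth0, iptables and
# ip6tables present, clients reach the server over IPv4.
set -eu

WG_PORT=51820
PUB_IF=eth0

# Key pair for NAME ("server", "laptop", ...) in the current directory.
# umask 077 runs in a subshell so the private key is created mode 0600.
gen_keypair() {
    ( umask 077; wg genkey | tee "$1_private.key" | wg pubkey > "$1_public.key" )
}

# Forwarding for both address families: an IPv4-only setting silently breaks
# the ::/0 route that the client config below relies on.
enable_forwarding() {
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
        > /etc/sysctl.d/99-wireguard.conf
    sysctl -p /etc/sysctl.d/99-wireguard.conf
}

# Server [Interface]. PostUp/PostDown add and remove the forward + masquerade
# rules, so they exist exactly while the tunnel is up; %i is the interface name.
server_conf() {
    priv=$1 addr4=$2 addr6=$3
    cat <<EOF
[Interface]
Address = ${addr4}, ${addr6}
ListenPort = ${WG_PORT}
PrivateKey = ${priv}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${PUB_IF} -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ${PUB_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${PUB_IF} -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ${PUB_IF} -j MASQUERADE
EOF
}

# Server-side [Peer] for one device. AllowedIPs here is that device's single
# tunnel address: what the server routes *to* the peer and accepts *from* it.
# Putting 0.0.0.0/0 here would let one client hijack routing for all the others.
peer_block() {
    pub=$1 addr4=$2 addr6=$3 name=$4
    cat <<EOF

[Peer]
# ${name}
PublicKey = ${pub}
AllowedIPs = ${addr4}/32, ${addr6}/128
EOF
}

# Client config: 0.0.0.0/0 and ::/0 so neither family bypasses the tunnel,
# DNS pinned to a resolver reached through it, keepalive for NAT'd clients.
client_conf() {
    priv=$1 addr4=$2 addr6=$3 server_pub=$4 endpoint4=$5 dns=$6
    cat <<EOF
[Interface]
PrivateKey = ${priv}
Address = ${addr4}/32, ${addr6}/128
DNS = ${dns}

[Peer]
PublicKey = ${server_pub}
Endpoint = ${endpoint4}:${WG_PORT}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Leak check: returns 0 only if a client config routes BOTH families through
# the tunnel. With only 0.0.0.0/0, IPv6 traffic on a dual-stack network leaves
# by the local interface, around the VPN.
routes_all_traffic() {
    printf '%s\n' "$1" | grep -q '^AllowedIPs = .*0\.0\.0\.0/0' &&
    printf '%s\n' "$1" | grep -q '^AllowedIPs = .*::/0'
}

# Append a peer to the live server without restarting: wg-quick has no reload,
# so strip the wg-quick-only keys and sync the kernel interface from the result.
add_peer_live() {
    peer_block "$@" >> /etc/wireguard/wg0.conf
    wg-quick strip wg0 | wg syncconf wg0 /dev/stdin
}

# Full walk-through on the VPS (run as root): provision <server public IPv4>.
# laptop.conf is what you import on the device, e.g. as a QR code via
# `qrencode -t ansiutf8 < laptop.conf`.
provision() {
    gen_keypair server; gen_keypair laptop
    enable_forwarding
    ( umask 077
      server_conf "$(cat server_private.key)" 10.8.0.1/24 fd00:8::1/64 > /etc/wireguard/wg0.conf
      peer_block "$(cat laptop_public.key)" 10.8.0.2 fd00:8::2 laptop >> /etc/wireguard/wg0.conf
      client_conf "$(cat laptop_private.key)" 10.8.0.2 fd00:8::2 \
          "$(cat server_public.key)" "$1" 1.1.1.1 > laptop.conf )
    systemctl enable --now wg-quick@wg0
}
```

Run provision with your server's public address as root on the VPS; add_peer_live with a further device's public key and tunnel addresses adds it to a running tunnel without restarting. routes_all_traffic is the check to run on any client config you write by hand, since the IPv6 omission is the leak that most often goes unnoticed.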
Step 5 — Harden and maintain it
A working tunnel is most of the job; a few finishing touches make it solid:
- Lock down SSH. Use key-based login and disable password authentication. Moving SSH off port 22 cuts log noise but is not a security control. The VPN is only as private as the server it runs on.
- Keep the system updated. WireGuard itself needs little attention, but the underlying OS should receive security updates — enable unattended upgrades.
- One key pair per device. Never share a single client config across devices. If a device is lost, you remove just its peer block instead of re-keying everything.
- Set DNS in the client config. A DNS = line pointing at a resolver you trust sends name lookups through the tunnel as well; without it the device keeps using the local network's resolver, which sees every domain you visit even though the traffic itself is tunnelled.
- Know what is and is not logged. WireGuard keeps no log of the traffic it carries, so there is nothing to disable in the protocol itself. Two things do remain visible: while the tunnel is up, wg show reports each peer's last handshake time, last-seen endpoint address and byte counters, and the host can still record connections through its own firewall logging, conntrack tables or the provider's network. Keep iptables LOG rules and verbose syslog off the tunnel if you want the server itself to hold nothing.
Maintained this way, the server needs almost no ongoing attention — WireGuard is close to set-and-forget.
When a self-hosted VPN is the right call
A self-hosted WireGuard VPN is the right choice when you want a private exit point that answers to you alone: for securing your connection on untrusted networks, for keeping your browsing away from an ISP, or for appearing from a chosen jurisdiction. Because it is your server, there is no IP address shared with thousands of strangers and no provider logging policy to take on faith. The flip side is that a dedicated exit address is yours alone: every site you visit through it sees the same IP, so it links your activity together in a way a crowded shared exit does not.
It is worth being clear about the one thing it does not do: a single-server VPN gives you privacy from your ISP and from the sites you visit, but the VPS provider could in principle observe traffic at the exit. That is exactly why the choice of host matters: a no-KYC, no-logs, offshore VPS means the exit point is held by a provider that collected no identity and says it keeps no records, and that is the one claim you still take on trust. Self-hosted WireGuard plus the right VPS is, for most people, the most honest privacy setup available: the software and configuration are entirely yours, and the trust that remains is concentrated in a single host you chose.