
Self-host a WireGuard VPN on a VPS.
Fifteen minutes to your own personal VPN.
Five steps from "no server" to "my own personal VPN" — KYC-free at signup, crypto-paid, no third-party VPN provider in the trust chain. Tested on Debian 12 with WireGuard 1.0+ in mainline kernel.
- 01 Provision: A Nordic VPS
- 02 Install: apt install wireguard
- 03 Configure: Keys + wg0.conf
- 04 Firewall: UDP 51820 + forwarding
- 05 Connect: wg-quick up wg0
Pick a Nordic bastion close to where you live.
In the panel: Order → VPS → Sentinel ($5.90/mo, 2 vCPU / 4 GB / 120 GB NVMe). The Sentinel has unlimited bandwidth and a 1 Gbps uplink — plenty for a personal VPN even at full streaming. Pick the bastion closest to where you physically are, because every byte you send goes through the VPS before reaching its destination. A European customer picks Stockholm or Helsinki; an Americas / Asia customer picks Reykjavík (lowest transatlantic latency) or Oslo.
OS image: Debian 12 is the recommendation. Ubuntu 22.04+ works identically. Alpine works but uses different package names (apk add wireguard-tools). FreeBSD also works but the config syntax diverges. Server boots in about 90 seconds; root credentials are shown once in the panel.
One package, already in the kernel.
SSH in as root. Then:
apt update
apt install -y wireguard qrencode
That is it. WireGuard has been in the mainline Linux kernel since 5.6 (March 2020), so apt only installs the user-space tools (wg, wg-quick) — no module compilation, no DKMS, no kernel rebuild. The qrencode package will be useful in step 5 to push the client config to a phone as a QR.
Enable IP forwarding now so we do not forget at step 4:
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
sysctl -p
Generate keys, write wg0.conf. Two minutes.
Generate a server key pair:
cd /etc/wireguard
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key
Now generate one client key pair per device:
wg genkey | tee laptop_private.key | wg pubkey > laptop_public.key
wg genkey | tee phone_private.key | wg pubkey > phone_public.key
Create /etc/wireguard/wg0.conf with the server settings + one [Peer] block per client:
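[Interface]
PrivateKey = <contents of server_private.key>
Address = 10.66.66.1/24, fd00:66::1/64
ListenPort = 51820
# eth0 is the VPS's public interface; check the real name with "ip route show default".
# The ip6tables lines do for the fd00:66::/64 range what the iptables lines do for 10.66.66.0/24.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# laptop
PublicKey = <contents of laptop_public.key>
# Each peer lists both of its tunnel addresses; the server drops packets from any other source.
AllowedIPs = 10.66.66.2/32, fd00:66::2/128
[Peer]
# phone
PublicKey = <contents of phone_public.key>
AllowedIPs = 10.66.66.3/32, fd00:66::3/128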
Open UDP 51820. Lock the rest.
If you use UFW (default on Ubuntu):
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp # SSH (consider port-knocking or VPN-only in production)
ufw allow 51820/udp # WireGuard
ufw enable
NordBastion bastions also have an upstream firewall managed from the panel — you can replicate the same rules there for defence in depth. The bastion-level firewall blocks before the packet reaches the VPS, which saves CPU on volumetric scanning.
A privacy tip worth following: change the WireGuard ListenPort from 51820 (the default, which scanners look for) to a random port between 1024 and 65535. It does not improve security against a determined adversary but reduces the noise from random scanners.
Bring up the tunnel. First client connected in seconds.
On the server:
systemctl enable --now wg-quick@wg0
wg # status: should show interface up
Build a client config (laptop.conf) on the server, then copy it to the laptop:
[Interface]
PrivateKey = <contents of laptop_private.key>
Address = 10.66.66.2/24, fd00:66::2/64
DNS = 1.1.1.1, 9.9.9.9 # or your favourite privacy resolver
[Peer]
PublicKey = <contents of server_public.key>
Endpoint = <server-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
For mobile, pipe the config through qrencode and scan with the WireGuard app:
qrencode -t ansiutf8 < phone.conf
That is it. The client connects, the tunnel comes up, and the laptop / phone is now reaching the internet through the Nordic bastion. Verify with: curl https://api.ipify.org — the IP returned is the VPS's public IP, not your home one.
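The key generation, [Peer] block and client config from steps 3 and 5, automated for adding further devices later. This is an added example, not part of the original guide; the function names, the WG_DIR / WG_NET / WG_NET6 variables and the "lowest unused host number" allocation policy are assumptions.

```shell
#!/bin/sh
# Added example: provision one more peer for the wg0.conf layout in this guide.
# Assumed (not from the page): function names, WG_* variables, allocation policy.
WG_DIR="${WG_DIR:-/etc/wireguard}"
WG_NET="${WG_NET:-10.66.66}"       # IPv4 /24 prefix used in the guide
WG_NET6="${WG_NET6:-fd00:66::}"    # IPv6 /64 prefix used in the guide

# Print the lowest host number (2..254) absent from every AllowedIPs line.
next_free_host() {
    awk -v net="$WG_NET" '
        /^[ \t]*AllowedIPs[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[ \t\r]/, "")
            n = split($0, cidr, ",")
            for (i = 1; i <= n; i++) {
                split(cidr[i], part, "/")
                if (index(part[1], net ".") == 1)
                    used[substr(part[1], length(net) + 2) + 0] = 1
            }
        }
        END {
            for (h = 2; h <= 254; h++) if (!(h in used)) { print h; exit 0 }
            exit 1
        }' "$1"
}

# Server-side [Peer] block: host routes only, so no peer can claim another's address.
render_server_peer() {   # args: name public_key host
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s.%s/32, %s%s/128\n' \
        "$1" "$2" "$WG_NET" "$3" "$WG_NET6" "$3"
}

# Full-tunnel client config matching laptop.conf in the guide.
render_client_conf() {   # args: private_key host server_public_key endpoint
    printf '[Interface]\nPrivateKey = %s\nAddress = %s.%s/24, %s%s/64\n' \
        "$1" "$WG_NET" "$2" "$WG_NET6" "$2"
    printf 'DNS = 1.1.1.1, 9.9.9.9\n\n[Peer]\nPublicKey = %s\nEndpoint = %s\n' "$3" "$4"
    printf 'AllowedIPs = 0.0.0.0/0, ::/0\nPersistentKeepalive = 25\n'
}

# Run as root on the server. Subshell body keeps umask 077 away from the caller;
# "wg set" applies the peer to the running interface without a restart.
add_peer() (   # args: name endpoint
    conf="$WG_DIR/wg0.conf"; umask 077
    host=$(next_free_host "$conf") || { echo "no free address" >&2; exit 1; }
    priv=$(wg genkey); pub=$(printf '%s\n' "$priv" | wg pubkey)
    render_server_peer "$1" "$pub" "$host" >> "$conf"
    render_client_conf "$priv" "$host" "$(cat "$WG_DIR/server_public.key")" "$2" \
        > "$WG_DIR/$1.conf"
    wg set wg0 peer "$pub" allowed-ips "$WG_NET.$host/32,${WG_NET6}$host/128"
)
```

Source the file as root on the server and run add_peer tablet "<server-ip>:51820". Delete /etc/wireguard/tablet.conf from the server once it is on the device, since it holds the client's private key.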
Questions, answered.
Eight questions a first-time self-hosted-VPN customer asks.
Why self-host a WireGuard VPN instead of using NordVPN / Mullvad / ProtonVPN?
Three real reasons. (1) Trust chain shrinks. A commercial VPN is "trust this company not to log you"; a self-hosted one is "trust this VPS provider not to log you" — one fewer party. (2) The VPN endpoint is yours alone. Commercial VPN exit IPs are shared across thousands of users and blocked by many services; your self-hosted endpoint is a fresh clean IP nobody has flagged. (3) Cost. A NordBastion Sentinel is $5.90/month and runs an unlimited-bandwidth VPN; commercial VPNs are $5-$15/month for shared infra.
Why WireGuard rather than OpenVPN?
WireGuard is smaller (4,000 lines of kernel code vs OpenVPN's ~100,000), faster (often 3-5× higher throughput on the same hardware), simpler to configure (a single config file rather than CA/cert/dhparam plumbing), and audit-friendly. It has been in the mainline Linux kernel since 5.6 (2020), so there is no compilation step. OpenVPN remains useful for legacy compatibility and TCP-based traffic; for everything else WireGuard is the modern default.
Does my ISP know I am running a VPN?
Your ISP sees encrypted UDP traffic on port 51820 going to a NordBastion IP. That pattern is recognisable as VPN traffic; what is on the other side is not. If "running a VPN at all" is sensitive in your context, run WireGuard on port 443 (it speaks UDP not TCP, but the port is the same as HTTPS), and consider an obfuscation wrapper like udp2raw if the ISP actively blocks WireGuard handshakes.
Can I use the VPS as a VPN AND a server for other things?
Yes, common pattern. The VPS runs WireGuard plus whatever else you need — a personal website, a Bitcoin node, a Mastodon instance. The firewall rules keep the VPN traffic and the public-facing services isolated; iptables/nft can route VPN clients to specific local services and not to others.
What about IP geolocation — will sites think I am in Sweden?
Yes — your exit IP is the NordBastion bastion you picked. Streaming services that geofence by IP will treat you as Swedish (Stockholm bastion), Finnish (Helsinki), Norwegian (Oslo) or Icelandic (Reykjavík). Banking sites that flag "logged in from new country" will trigger their fraud rules; that is the normal behaviour, not a VPN problem.
How many clients can one WireGuard server handle?
Practically unlimited for personal use. Each peer adds a few KB of memory. The constraint is bandwidth and the bastion's uplink, not the WireGuard daemon itself. The Sentinel tier with unlimited bandwidth and a 1 Gbps uplink will saturate well before the WireGuard process notices.
Should I run this on a dedicated VPS or share with other workloads?
A dedicated VPS is cleaner from an OPSEC perspective — the only thing the IP is associated with is "my personal VPN." If you mix workloads, the VPN traffic and the other workload's traffic share an outgoing IP, and any reputational issue from either spills to the other. For $5.90/month it is reasonable to keep them separate.
Is self-hosted WireGuard kill-switch capable?
Yes, client-side. WireGuard configs support a PostUp / PostDown block where you add iptables rules that drop non-VPN traffic when the tunnel is up; you can also set the client OS to refuse non-VPN connections by default. Several open-source manager apps (wg-easy, WireGuard-UI, Pi-VPN) wrap this for you.
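The client-side kill switch described above, using the hook lines documented in wg-quick(8), which removes the rule in PreDown rather than PostDown. This is an added example, not part of the original guide; the function names and the sample config are constructed, and the rule relies on the fwmark that wg-quick sets on Linux when AllowedIPs contains 0.0.0.0/0, as the client config in step 5 does.

```shell
#!/bin/sh
# Added example: add the wg-quick(8) kill-switch hooks to a Linux client config.
# Assumed (not from the page): function names and the constructed sample config.

# Reject anything that is not leaving via the tunnel (%i), does not carry the
# tunnel's own fwmark (the encrypted UDP to the server) and is not local.
KS_RULE='OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT'

# Print CONF with PostUp/PreDown hooks inserted after [Interface]; idempotent.
add_killswitch() {
    if grep -q -- '--dst-type LOCAL -j REJECT' "$1"; then cat "$1"; return 0; fi
    awk -v r="$KS_RULE" '
        { print }
        /^\[Interface\]/ {
            print "PostUp = iptables -I " r " && ip6tables -I " r
            print "PreDown = iptables -D " r " && ip6tables -D " r
        }' "$1"
}

# Constructed sample: laptop.conf from the guide, placeholders left in place.
sample_client_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = <contents of laptop_private.key>
Address = 10.66.66.2/24, fd00:66::2/64
DNS = 1.1.1.1, 9.9.9.9

[Peer]
PublicKey = <contents of server_public.key>
Endpoint = <server-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}
```

With the hooks in place, a tunnel that stops passing traffic leaves the client with no route out instead of falling back to the home connection; wg-quick down wg0 removes the rule again.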
Last reviewed · 2026-05-20 · Tested · Debian 12 · WireGuard 1.0.20210914