Use case · VPN server · Updated 2026

A VPS for your own WireGuard VPN.
Kernel-fast, kept in the North, billed in crypto.

A commercial VPN moves the trust problem one provider sideways. Self-hosting WireGuard on a KYC-free Nordic VPS replaces trust with arithmetic — your keys, your box, your exit IP, and nobody's recurring credit-card charge.

TL;DR
  • Sub-millisecond kernel-native WireGuard — no userspace bridge, no TUN bottleneck, several gigabits of plaintext per core.

  • Nordic exit IPs your devices can actually trust — Stockholm, Helsinki, Oslo or Reykjavík, jurisdictions with no data-retention mandate for hosters.

  • Built on a $5.90/mo VPS that owes nobody an identity — paid in Bitcoin or Monero, no card on file, no recurring auto-charge.

Why bother

Why self-host the VPN at all.

A commercial VPN provider sells you a promise: "we do not log". You verify that promise by reading their marketing site, their last audit (if there was one), and trusting that neither the company nor its parent has changed hands since. The promise is unverifiable from the outside — the only entity that can confirm "no logs" is the one with everything to lose by admitting otherwise.

A self-hosted WireGuard server replaces the promise with structure. You install the daemon, you generate the keys, you write the peer list. The keys never leave the box. There is no upstream provider to log anything because there is no upstream provider — there is a Linux kernel module and a single config file.

The trade-off is operational. You become the on-call. If the VPS reboots and your wg0 unit is not enabled-at-boot, your tunnel does not come back without you. If a kernel update changes a sysctl default, you debug it. For one person and a handful of devices this is a 90-minute setup and ~10 minutes a quarter of upkeep; for a family of five or a small team, the maths still works in your favour.

The right question is not "self-host or commercial" in the abstract — it is "do I trust myself with an SSH key more than I trust a marketing page". If the answer is yes, the rest of this page is the recipe.

Sizing

The right NordBastion tier for the job.

For a personal VPN — your laptop, your phone, a tablet, a couple of devices that are always tunnelled — the Sentinel ($5.90/mo, 2 vCPU, 4 GB) is the sweet spot. WireGuard's in-kernel data path is so light that the CPU is not the constraint; the constraint is the 1 Gbps unmetered uplink, which is generous for a single household.

Five or more devices on the tunnel, a partner or family who also lives behind it, or a use case that pushes serious download volume (a homelab pulling backups, a torrent client living in the tunnel) — that's when the Garrison ($11.90/mo, 4 vCPU, 8 GB) earns its keep. The extra RAM is not for WireGuard — it is for whatever else you will inevitably co-host on the same box (a Pi-hole, a small Mastodon, an Uptime-Kuma).

A small team — 10–25 peers, persistent road-warriors, a site-to-site link to a homelab — wants the Ravelin ($23.90/mo, 8 vCPU, 16 GB). Beyond that, the bottleneck stops being the VPS and starts being the 1 Gbps uplink itself, and the right move is to upgrade the bastion-region or split into two regional gateways.

What none of these are: a thousand-peer corporate concentrator. NordBastion is built for one operator with their own devices and people they actually know — not for selling subscriptions to strangers.

Setup

From fresh VPS to first handshake. Five lines, about ten minutes.

A skeleton sketch — the full step-by-step guide covers the firewall, the per-device QR codes, and the kill-switch reading list.

  1. Install WireGuard

    Debian/Ubuntu image, pre-baked on every NordBastion VPS. One apt line, no extra repos.

    # on the VPS, as root
    apt install wireguard

  2. Generate keys

    A private key for the server, one per peer. The private key never leaves the box that owns it.

    # create the key files readable by their owner only
    umask 077
    wg genkey | tee privkey \
      | wg pubkey > pubkey

  3. Write wg0.conf

    The interface stanza: server private key, listen port 51820, and the 10.66.66.0/24 tunnel subnet you will hand out to peers.

    nano /etc/wireguard/wg0.conf
    # [Interface] Address, PrivateKey,
    # ListenPort, PostUp NAT rules

  4. Enable at boot

    Systemd unit shipped with the package. Survives reboots and panel-initiated rescue cycles.

    systemctl enable \
      --now wg-quick@wg0

  5. Add a peer

    One [Peer] block per device, with that device's public key and its allotted tunnel IP. Live-reload, no restart needed. wg set changes the running interface only; put the same peer in a [Peer] block in wg0.conf (or set SaveConfig = true) so it survives a restart.

    wg set wg0 peer <PUBKEY> \
      allowed-ips 10.66.66.2/32

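
A check for the peer table that steps 3 and 5 build, as an added example (not NordBastion's or the WireGuard project's code): it parses a server-side wg0.conf and flags AllowedIPs that fall outside the tunnel subnet, are wider than one host address, or collide between peers. The sample config is constructed; the keys are placeholders, eth0 is an assumed uplink interface name, and a single Address line is assumed.

```python
import ipaddress

# Constructed sample wg0.conf: keys are placeholders, eth0 is an assumed uplink name.
SAMPLE = """\
[Interface]
Address = 10.66.66.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[Peer]  # laptop
PublicKey = <LAPTOP_PUBKEY>
AllowedIPs = 10.66.66.2/32
[Peer]  # phone, given the laptop's address by mistake
PublicKey = <PHONE_PUBKEY>
AllowedIPs = 10.66.66.2/32
[Peer]  # tablet, typo puts it outside the tunnel subnet
PublicKey = <TABLET_PUBKEY>
AllowedIPs = 10.66.67.2/32
"""

def parse(text):
    """Return sections in file order as (name, {key: value}); [Peer] repeats."""
    sections = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            sections.append((line.strip("[]"), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def lint(text):
    """List peer-table problems in a server-side wg0.conf with one Address."""
    sections = parse(text)
    iface = next(kv for name, kv in sections if name == "Interface")
    subnet = ipaddress.ip_interface(iface["Address"]).network
    findings, seen = [], []
    for kv in (kv for name, kv in sections if name == "Peer"):
        key = kv.get("PublicKey", "?")
        for item in kv.get("AllowedIPs", "").replace(",", " ").split():
            net = ipaddress.ip_network(item, strict=False)
            if net.version != subnet.version or not net.subnet_of(subnet):
                findings.append(f"{key}: {net} is outside {subnet}")
            elif net.prefixlen != net.max_prefixlen:
                findings.append(f"{key}: {net} is wider than one host address")
            # The same address on two peers ends up routed to only one of them.
            findings += [f"{key}: {net} overlaps {o} of {k}" for k, o in seen if net.overlaps(o)]
            seen.append((key, net))
    return findings
```

Calling lint() on the contents of /etc/wireguard/wg0.conf after each peer change returns an empty list when every peer has its own host address inside 10.66.66.0/24; lint(SAMPLE) reports the phone and the tablet.
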
Why this host for this job

Why NordBastion specifically for a VPN exit.

KYC-free

Your VPN is not on a paper trail to the host.

We sign you up with email + password, you top up in Bitcoin or Monero, you boot a VPS. There is no credit-card issuer in the middle who has done KYC on you, no PSP cross-referencing your billing identity with the IP you just lit up. The box belongs to "the prepaid balance under this email", and that is the end of the linkage.

Nordic jurisdiction

No logs by law and by design.

Sweden, Finland, Norway and Iceland have no data-retention mandate for hosters — there is no equivalent of a UK Investigatory Powers Act asking us to keep connection logs "just in case". On top of that legal floor we publish a monthly PGP-signed warrant canary and a rolling transparency report; the absence of logs is auditable, not just claimed.

1 Gbps unmetered

Even on the entry tier.

No transfer cap, no bandwidth overage line, no creeping fair-use ceiling. The Sentinel ships the same 1 Gbps uplink as the dedicated tiers — which means your VPN throughput is bounded by WireGuard's kernel data path (several Gbps per core) and the upstream peering, not by an accountant's spreadsheet.

Verdict

Run it on a Sentinel. Pay in crypto. Hold your own keys.

Self-hosting a WireGuard VPN is one of the highest-leverage things you can do on a small VPS. For the price of a single commercial VPN subscription you get a general-purpose Nordic Linux box that also happens to expose a kernel-fast encrypted tunnel for every device you own.

NordBastion is opinionated about the parts that matter for this specific job — KYC-free signup, crypto-only billing, Nordic jurisdiction, unmetered uplink — and deliberately ordinary about the rest. The VPS is a VPS. The kernel is a kernel. WireGuard runs the same way it would anywhere else; what differs is who can ask polite questions about who is on the other end.

If you are coming from a commercial VPN, the migration is one afternoon. If you are starting from scratch, the step-by-step guide picks up where this editorial leaves off.

FAQ · WireGuard on a VPS

The questions that come up first.

The eight questions operators actually ask before standing up their own WireGuard VPN on a Nordic VPS.

Why self-host a VPN instead of paying a commercial provider?

A commercial VPN moves the trust problem one step sideways: instead of trusting your ISP, you trust the VPN provider not to log, not to be subpoenaed, and not to be bought by a company that will. Self-hosting on a KYC-free Nordic VPS replaces that trust with arithmetic — the only person with shell on the box is you, the only person paying for the box is you, and the host (NordBastion) does not know who that "you" is in the first place. The trade-off is you become the operator: when it breaks at 23:00 on a Sunday, the on-call rotation is one person deep.

Will my entry-tier VPS handle WireGuard for 5 devices?

Comfortably. WireGuard runs in the Linux kernel, which means a single Sentinel core (Intel Xeon, 3.4 GHz boost) can encrypt and forward on the order of 5–8 Gbps of plaintext at line rate before the CPU becomes the bottleneck. Five concurrent devices, even all streaming 4K, will not register on the load average. The reason to upgrade is not throughput — it is whether the VPS is also hosting something else (a Pi-hole, a media server, a Matrix server) that wants the cores for itself.

Can NordBastion's IP get blocked by Netflix / banks?

Yes — Netflix and a handful of streaming services geofence on ASN, and "this IP belongs to a hosting network" is enough to redirect you to the regional catalogue or the captive 403. Banks are more nuanced: most accept the connection but raise the fraud-score and may trigger a step-up MFA prompt. If your VPN's job is privacy + Nordic egress for browsing and work, this is invisible to you. If its job is Netflix-US, a self-hosted VPS will not solve that — no commercial VPN solves it reliably either; the cat-and-mouse moves faster than anyone's deploy pipeline.

What about an exit kill-switch on my client device?

Mandatory, and not the VPS's job. Configure the client side: on Linux/Android the wg-quick post-up firewall hooks (or a simple iptables/nftables rule denying default-route traffic that does not egress wg0); on iOS/macOS the official WireGuard app exposes "On-Demand" + "Exclude routes"; on Windows the official client has a "Block untunneled traffic (kill-switch)" toggle. The VPS holds the keys and forwards packets; refusing to leak when the tunnel is down is the client's job.

How does NordBastion compare to a commercial VPN provider on price?

A Sentinel at $5.90/mo is roughly the same monthly cost as a commercial VPN subscription (NordVPN, Mullvad, IVPN are all in the $5–12/mo bracket). What changes is the surface area: you get one Nordic exit IP rather than 50 countries, and you get a full general-purpose Linux box rather than only a tunnel endpoint. If your only need is "appear from another country to bypass a geoblock", commercial is the right tool. If you want a private VPN that doubles as your jump-host, monitoring box and personal Pi-hole, the VPS wins.

Is the VPN traffic visible to NordBastion?

No — and this is structural, not a promise. WireGuard wraps every IP packet in a ChaCha20-Poly1305 envelope keyed off your private key, which never leaves your VPS. NordBastion sees the same thing your ISP sees on its uplink: encrypted UDP between two IPs. There is no in-line decryption point, no managed-VPN service plane, no key-escrow. The warrant canary and the published transparency report describe what would happen if someone tried to make us decrypt it (we cannot).

Can I run WireGuard + Tor egress on the same VPS?

Yes, and it is a common pattern: WireGuard listens on UDP/51820 as your entry point, the VPS routes selected traffic into a local Tor SOCKS5 (port 9050) for onion-egress workloads, and everything else exits via the regular Nordic IP. The Sentinel is enough; the only operational note is to give Tor its own systemd unit and rate-limit it so the VPN throughput is not eaten by Tor circuit bursts. The Garrison tier ($11.90/mo, 4 vCPU/8 GB) is the comfortable home for this combo.

What if my IP is needed in a different country than Nordic?

NordBastion is Nordic-only by doctrine — Stockholm, Helsinki, Oslo, Reykjavík. If the use case requires "appears from Singapore" or "appears from Brazil", a NordBastion VPS is the wrong tool for that specific exit. Most people who land here want the opposite — a stable, well-peered, low-log-pressure Nordic egress — and that is exactly what the platform optimises for.