NordVPN, Surfshark, ExpressVPN - they all promise "No Logs". But who actually verifies that? Nobody.
The math: Commercial VPNs cost €3-12/month. A VPS (Virtual Private Server - your own server in the cloud) costs from €4/month - with full control over logging, unlimited devices, and no questionable promises. WireGuard needs minimal resources, so the smallest server is enough.
Why Self-Host a VPN?
| | Commercial VPN | WireGuard Self-Hosted |
|---|---|---|
| Price | €3-12/month | €4-6/month (VPS) |
| Logging | Trust the provider | You control everything |
| Speed | Variable (overloaded) | Full VPS bandwidth |
| Server Locations | Many | 1 (your VPS) |
| Devices | 5-10 simultaneously | Unlimited |
| Netflix etc. | Often blocked | Works |
A self-hosted VPN is perfect for: Secure access to your home network, encrypted browsing on public WiFi, and accessing self-hosted services like Paperless.
Prerequisites
You need:
- A VPS with root access – the smallest plan is enough. Watch out for traffic limits!
- Ubuntu 22.04 or 24.04
- Docker installed
VPS Recommendation: Watch out for traffic limits! A VPN needs an unlimited or high traffic allowance.
| Provider | Product | Traffic | Price |
|---|---|---|---|
| Hetzner | CX22 | 20 TB | €4.35/mo |
| Netcup | RS 1000 | Unlimited | €4.99/mo |
| IONOS | VPS S | Unlimited | €4/mo |
Hetzner offers 20 TB traffic, Netcup and IONOS unlimited traffic - important for VPN usage.
Step 1: Install Docker (if needed)
If Docker isn't installed yet:
```bash
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
# Log out and back in, or: newgrp docker
```
Step 2: Install wg-easy
wg-easy is WireGuard with a web interface - perfect for easy client management:
```bash
docker run -d \
  --name wg-easy \
  --restart unless-stopped \
  -e WG_HOST=YOUR-SERVER-IP \
  -e PASSWORD=your-secure-password \
  -e WG_DEFAULT_DNS=1.1.1.1 \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add NET_ADMIN \
  --cap-add SYS_MODULE \
  --sysctl net.ipv4.ip_forward=1 \
  --sysctl net.ipv4.conf.all.src_valid_mark=1 \
  ghcr.io/wg-easy/wg-easy
```
Important:
- Replace `YOUR-SERVER-IP` with your VPS's public IP
- Replace `PASSWORD` with a secure password for the web UI
- Port 51820/UDP is the WireGuard port - must be open in firewall
- Port 51821/TCP is the web UI
Step 3: Configure Firewall
Open the required ports:
```bash
sudo ufw allow OpenSSH      # keep SSH reachable before enabling the firewall
sudo ufw allow 51820/udp    # WireGuard
sudo ufw allow 51821/tcp    # Web UI (optional: only from specific IPs)
sudo ufw enable
```
Tip: For more security, allow port 51821 only from your own IP:
```bash
# Use this instead of the open 51821/tcp rule above
sudo ufw allow from YOUR-IP to any port 51821 proto tcp
```
Step 4: Open Web Interface
Open http://YOUR-SERVER-IP:51821 in your browser:
- Log in with the password from Step 2
- You'll see an empty dashboard - no clients configured yet
Step 5: Create First Client
Click "New Client" and give it a name (e.g., "iPhone", "Laptop", etc.):
- Enter a name (e.g., "Phone")
- Client is created - you'll see a QR code
- This QR code contains the complete configuration
Step 6: Set Up Mobile Client (iOS/Android)
The easiest method - scan QR code:
- Install WireGuard app from App Store / Play Store
- Open app → "+" → "Scan QR Code"
- Scan QR code from the wg-easy dashboard
- Activate tunnel - done!
Tip: Enable "On Demand" for automatic VPN connection on unknown WiFi networks.
Step 7: Set Up Desktop Client
Windows/macOS
- Download WireGuard from wireguard.com/install
- In wg-easy: Client → click download icon (.conf file)
- Open WireGuard app → Import tunnel from file
- Connect
Linux
```bash
# wg-quick is pre-installed on modern distros
# Copy config file to /etc/wireguard/wg0.conf (mode 600: it holds the private key)
sudo wg-quick up wg0
# For auto-start:
sudo systemctl enable wg-quick@wg0
```
Step 8: Test Connection
Check if the VPN works:
```bash
curl ifconfig.me
# Should show your VPS IP, not your home IP!
```
Tip: Websites like whatismyip.com or ipleak.net also show you DNS leaks.
Optional: Pi-hole as DNS (Ad Blocker)
Combine WireGuard with Pi-hole for ad blocking in VPN:
```bash
# Change in docker run:
-e WG_DEFAULT_DNS=10.8.0.1 # Pi-hole in WireGuard network
# Or external DNS:
-e WG_DEFAULT_DNS=1.1.1.1,8.8.8.8
```
Common Problems
Client Won't Connect
- Port 51820/UDP open in firewall?
- WG_HOST is the public IP (not localhost)?
- Provider blocking UDP? (rare, but possible)
Connected But No Internet
- IP forwarding active? `cat /proc/sys/net/ipv4/ip_forward` should be 1
- NAT rule missing (wg-easy handles this automatically)
- DNS issue: Try different DNS in client config
Slow Speed
- VPS bandwidth too low?
- Adjust MTU: Set `MTU = 1280` in config
Web UI Not Reachable
- Port 51821/TCP open in firewall?
- Container running? `docker ps`
- Check logs: `docker logs wg-easy`
Advanced: Split-Tunneling & Multi-Server
Split-Tunneling
Route only specific traffic through VPN: In AllowedIPs, enter specific IPs/networks instead of 0.0.0.0/0.
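An added example, not from the original guide or the wg-easy project: it rewrites the `AllowedIPs` line of a downloaded client file for split-tunneling and refuses a `/0` entry, which would bring back the full tunnel. The sample config, the networks `10.8.0.0/24` and `192.168.1.0/24`, and the helper names `tunnel_mode` and `to_split_tunnel` are assumptions made for illustration.

```shell
# Constructed sample of a downloaded client config; keys are placeholders.
# DNS points at the tunnel-side resolver (10.8.0.1, as in the Pi-hole section).
SAMPLE_CONF='[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24
DNS = 10.8.0.1

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = YOUR-SERVER-IP:51820'

# tunnel_mode CONF: prints "full" if any AllowedIPs entry is a default
# route (0.0.0.0/0 or ::/0), otherwise "split".
tunnel_mode() {
    nets=$(printf '%s\n' "$1" |
        sed -n 's/^AllowedIPs[[:space:]]*=[[:space:]]*//p' |
        tr -d ' ' | tr '\n' ',')
    case ",$nets" in
        *,0.0.0.0/0,*|*,::/0,*) echo full ;;
        *) echo split ;;
    esac
}

# to_split_tunnel CONF "NET, NET": prints CONF with the [Peer] AllowedIPs
# replaced. Accepts IPv4 CIDRs only and refuses any /0 entry.
to_split_tunnel() {
    [ -n "$2" ] || { echo "no networks given" >&2; return 1; }
    for net in $(printf '%s' "$2" | tr ',' ' '); do
        case $net in */0)
            echo "refusing default route: $net" >&2; return 1 ;;
        esac
        printf '%s\n' "$net" |
            grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' ||
            { echo "not an IPv4 CIDR: $net" >&2; return 1; }
    done
    printf '%s\n' "$1" | awk -v nets="$2" '
        /^\[/ { in_peer = ($0 == "[Peer]") }
        in_peer && /^AllowedIPs[ \t]*=/ { print "AllowedIPs = " nets; next }
        { print }'
}

# 10.8.0.0/24 stays routed so the tunnel-side DNS server remains reachable.
split=$(to_split_tunnel "$SAMPLE_CONF" "10.8.0.0/24, 192.168.1.0/24")
echo "before: $(tunnel_mode "$SAMPLE_CONF"), after: $(tunnel_mode "$split")"
```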
VPN for Entire Home Network
Router as WireGuard client: OpenWrt, pfSense, or modern FritzBox support WireGuard natively.
Multi-Server Setup
Multiple VPS locations (e.g., DE + US): wg-easy on each server, configure different ports/IPs in clients.
Security Tips
- Make web UI accessible only through VPN (close port 51821 in firewall after setup)
- Strong password for web UI (>20 characters)
- SSH with key only, no password
- Enable automatic updates: `unattended-upgrades`
- Install Fail2ban for SSH
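Docker publishes `-p` ports through its own iptables rules, so the ufw rules from Step 3 do not by themselves keep port 51821 closed. The following added example (not part of wg-easy or the original guide) checks `docker port` style output for ports bound to every interface; both listings are constructed samples and `exposed_ports` is a hypothetical helper name.

```shell
# Added example: flag container ports published on every interface.
# Input format is what `docker port <container>` prints.

# Constructed sample: ports as published by the Step 2 command.
SAMPLE_STEP2='51820/udp -> 0.0.0.0:51820
51820/udp -> [::]:51820
51821/tcp -> 0.0.0.0:51821
51821/tcp -> [::]:51821'

# Constructed sample: web UI published with -p 127.0.0.1:51821:51821/tcp.
SAMPLE_LOOPBACK='51820/udp -> 0.0.0.0:51820
51821/tcp -> 127.0.0.1:51821'

# exposed_ports LISTING ALLOWED   (hypothetical helper name)
# Prints each port/proto bound to a wildcard address that is not in the
# space-separated ALLOWED list. Returns 1 if any was found, otherwise 0.
exposed_ports() {
    listing=$1; allowed=" $2 "; found=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        spec=${line%%" -> "*}        # container side, e.g. 51821/tcp
        bind=${line##*" -> "}        # host side, e.g. 0.0.0.0:51821
        host=${bind%:*}              # drop the trailing :port
        case $host in
            0.0.0.0|"[::]"|"::") ;;  # wildcard: reachable from any network
            *) continue ;;           # loopback or one specific address
        esac
        case $allowed in *" $spec "*) continue ;; esac
        case " $found " in *" $spec "*) continue ;; esac   # already listed
        found="${found:+$found }$spec"
    done <<EOF
$listing
EOF
    [ -z "$found" ] || { echo "$found"; return 1; }
}

# Live use on the server: exposed_ports "$(docker port wg-easy)" "51820/udp"
for sample in "$SAMPLE_STEP2" "$SAMPLE_LOOPBACK"; do
    if bad=$(exposed_ports "$sample" "51820/udp"); then
        echo "ok: only WireGuard is public"
    else
        echo "public besides WireGuard: $bad"
    fi
done
```

With the web UI published on `127.0.0.1` only, it is reachable through an SSH port forward or from the server itself, which matches the tip to close port 51821 after setup.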
Conclusion
You now have your own VPN - fast, secure, and under your control.
Cost comparison: NordVPN costs €72-144/year depending on plan. A VPS with WireGuard costs ~€48/year - and you can also run Vaultwarden as a password manager, Immich for photos, or Ollama for AI chats on it.



