How to Set Up Your Own VPN on a VPS
Running your own WireGuard VPN gives you a private network tunnel without trusting a commercial VPN provider. This guide walks you through the complete setup on a Strike.bz VPS.
Why Run a Self-Hosted VPN?
Commercial VPN services are convenient, but they require you to trust the provider. Even “no-logs” VPNs can be compelled by courts, can be acquired by companies with different policies, or can simply be dishonest.
A self-hosted WireGuard VPN on your own VPS has one user: you. No one else can be compelled to hand over your logs because no third party has them. The server is yours.
Additionally, self-hosted VPN is often cheaper than commercial VPN for single users. A Strike.bz Nano plan at €3/month provides more than enough capacity for personal VPN use – less than most commercial VPN subscriptions.
Get a VPS
You need a VPS running a Linux distribution. Debian 11/12 or Ubuntu 22.04/24.04 are the most straightforward choices for WireGuard.
A Nano plan (1 vCPU, 1 GB RAM) is sufficient for personal VPN use. If you plan to route multiple devices or significant traffic through it, consider a Micro or Starter plan.
Choose the VPS location that makes sense for your use case: • Poland – best for EU-based users wanting GDPR jurisdiction • USA – best for access to US services with low American latency • Singapore – best for Asia-Pacific users
Connect to Your Server
Once your VPS is provisioned, connect via SSH:
ssh root@YOUR_SERVER_IP
Replace YOUR_SERVER_IP with the IP address from your welcome email. Accept the host key fingerprint when prompted.
Update Your System
Always start with a system update:
apt update && apt upgrade -y
This ensures you have the latest security patches before installing anything.
Install WireGuard
WireGuard is in the standard Debian/Ubuntu repositories:
apt install wireguard -y
WireGuard requires Linux kernel 5.6+ or backported modules. Recent Debian and Ubuntu LTS versions include it by default.
Generate Server Keys
Generate the server's private and public key pair:
cd /etc/wireguard wg genkey | tee server_private.key | wg pubkey > server_public.key chmod 600 server_private.key
The private key is your server's secret – never share it. The public key is what clients use to authenticate to your server.
Create the Server Configuration
Create /etc/wireguard/wg0.conf:
[Interface] Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = $(cat /etc/wireguard/server_private.key) PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Replace eth0 with your network interface name (run 'ip link' to see it – often ens3, eth0, or similar).
Enable IP Forwarding
For the VPN to route traffic, the kernel must forward packets:
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf sysctl -p
This allows your VPS to forward packets from VPN clients to the internet.
Start WireGuard
Enable and start WireGuard:
systemctl enable wg-quick@wg0 systemctl start wg-quick@wg0
Verify it is running:
wg show
You should see interface wg0 listed with your public key and listen port.
Add a Client
On your client device (laptop, phone), install WireGuard and generate a key pair:
wg genkey | tee client_private.key | wg pubkey > client_public.key
Then on the server, add the client as a peer in /etc/wireguard/wg0.conf:
[Peer] PublicKey = CLIENT_PUBLIC_KEY AllowedIPs = 10.0.0.2/32
Reload the config:
wg syncconf wg0 <(wg-quick strip wg0)
Configure the Client
Create a WireGuard config on your device:
[Interface] Address = 10.0.0.2/32 PrivateKey = CLIENT_PRIVATE_KEY DNS = 1.1.1.1
[Peer] PublicKey = SERVER_PUBLIC_KEY Endpoint = YOUR_SERVER_IP:51820 AllowedIPs = 0.0.0.0/0 PersistentKeepalive = 25
Import this into the WireGuard app on your device and toggle the connection on.
Troubleshooting
Cannot connect from client
Check that UDP port 51820 is open in your VPS firewall: ufw allow 51820/udp
Connected but no internet access
Verify IP forwarding is enabled (sysctl net.ipv4.ip_forward should return 1) and that the iptables PostUp rules fired correctly.
DNS leaks
Ensure your client config includes DNS = 1.1.1.1 or another resolver, and test with dnsleaktest.com.
Get Your VPS for WireGuard
Strike.bz VPS from €3/mo. No KYC, full root access, instant setup. Perfect for self-hosted VPN.
Get Nano VPS – €3/mo