How to Set Up a VPN: WireGuard vs OpenVPN — A Practical Comparison

VPNs (Virtual Private Networks) are one of the most misunderstood tools in security. Most people think of commercial VPN services like NordVPN or ExpressVPN — but for businesses and security-conscious individuals, running your own VPN server is far more secure, private, and often cheaper. This guide explains how VPNs work and gets you up and running with WireGuard or OpenVPN.

What Does a VPN Actually Do?

A VPN creates an encrypted tunnel between your device and a server you control. All your internet traffic routes through that tunnel — protecting it from snooping on the local network (coffee shop Wi-Fi, hotel networks), hiding your real IP address from websites, and allowing secure access to remote resources (your home or office network) as if you were physically there.

What a VPN does NOT do: make you anonymous (your VPN server knows your real IP), protect you from malware, or substitute for other security controls. It’s a specific tool for a specific job — encrypting transit traffic.

Why Run Your Own VPN Instead of Using a Commercial One?

  • You control the logs — commercial VPN providers may log activity despite “no-log” claims (several have been subpoenaed and revealed logs)
  • No subscription fees — a VPS for your VPN server costs $5-6/month vs $10-15/month for a commercial VPN
  • Business use case — commercial VPNs don’t give you access to your own internal network resources
  • Better performance — your dedicated server isn’t shared with thousands of other users
  • No trust required in a third party — the VPN provider is the biggest privacy risk in a commercial VPN

WireGuard vs. OpenVPN

WireGuard

WireGuard is a modern VPN protocol written in ~4,000 lines of code (compared to OpenVPN’s ~100,000). Less code means a smaller attack surface and faster security audits. It uses modern cryptography (ChaCha20, Curve25519, BLAKE2) and has been built into the Linux kernel since version 5.6.

  • Speed: 2-3x faster than OpenVPN in most benchmarks
  • Setup complexity: Simpler configuration files
  • Battery impact: Lower on mobile devices
  • Connection time: Nearly instant reconnection
  • Firewall traversal: Uses UDP — can be blocked by strict firewalls
  • Best for: Personal use, road warrior VPN, modern infrastructure

OpenVPN

OpenVPN has been the battle-tested standard for enterprise VPNs since 2001. It uses OpenSSL and can run over both UDP and TCP, making it more firewall-friendly.

  • Speed: Slower than WireGuard, especially on older hardware
  • Setup complexity: More complex, especially PKI certificate management
  • Firewall traversal: Can run on TCP port 443 — bypasses almost all firewalls
  • Compatibility: Supported on virtually every platform and device
  • Best for: Enterprise deployments, environments with strict firewalls, high compatibility requirements

Setting Up WireGuard (Step by Step)

Prerequisites

  • A VPS (DigitalOcean, Linode, Vultr, Hetzner) running Ubuntu 22.04 or Debian 12 — from $5/month
  • SSH access to the server
  • A client device (Windows, Mac, Linux, iOS, Android)

Server Setup

# 1. Install WireGuard
sudo apt update && sudo apt install wireguard -y

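# 2. Generate server keys, then restrict the private key to root
wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
sudo chmod 600 /etc/wireguard/server_private.key

# 3. Generate client keys (umask 077 keeps the private key readable only by you)
(umask 077; wg genkey | tee client_private.key | wg pubkey | tee client_public.key)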

# 4. Enable IP forwarding
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

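# 5. Create server config, then make it readable by root only (it contains the private key)
# Replace eth0 with your server's network interface name
sudo nano /etc/wireguard/wg0.conf
sudo chmod 600 /etc/wireguard/wg0.conf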

Server config (/etc/wireguard/wg0.conf):

[Interface]
PrivateKey = <paste contents of server_private.key>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <paste contents of client_public.key>
AllowedIPs = 10.0.0.2/32

# 6. Start and enable WireGuard
sudo systemctl enable --now wg-quick@wg0

# 7. Open firewall port
sudo ufw allow 51820/udp

Client Config

[Interface]
PrivateKey = <paste contents of client_private.key>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <paste contents of server_public.key>
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0  # Route all IPv4 traffic through the VPN (IPv6 is not covered by this entry)
PersistentKeepalive = 25

Import this config file into the WireGuard app (available free on all platforms) and connect. That’s it — you have a private VPN.
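
A check you can run on the server once the steps above are done, added here as an example (it is not part of the original guide or of WireGuard itself): it verifies that the server config is owner-only and that each [Peer] entry's AllowedIPs is a single host address that no other peer also claims. The function name audit_wg_conf is hypothetical, and the host-only rule assumes road-warrior clients like the one configured above.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a wg-quick server config.
# Assumes road-warrior peers that each own one tunnel address, as in wg0.conf above.
# On the server, a peer's AllowedIPs is the set of source addresses it may send from.

audit_wg_conf() {                                 # hypothetical helper name
    conf=$1; rc=0
    mode=$(stat -c '%a' "$conf") || return 2      # GNU stat (Ubuntu/Debian)
    case $mode in
        600|400) ;;                               # owner-only access
        *) echo "FAIL perms: $conf is mode $mode; it holds PrivateKey, use 600"; rc=1 ;;
    esac
    awk '
        function is_host(net) {                   # bare IP, IPv4 /32 or IPv6 /128
            if (net !~ /\//) return 1
            return (net ~ /:/) ? (net ~ /\/128$/) : (net ~ /\/32$/)
        }
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments and whitespace
        $0 == "" { next }
        /^\[/ { in_peer = (tolower($0) == "[peer]"); if (in_peer) peer++; next }
        in_peer && tolower($0) ~ /^allowedips=/ {
            sub(/^[^=]*=/, "")
            n = split($0, nets, ",")
            for (i = 1; i <= n; i++) {
                if (!is_host(nets[i])) {
                    print "FAIL broad: peer " peer " may send from " nets[i]; bad = 1
                }
                if (nets[i] in owner) {
                    print "FAIL duplicate: " nets[i] " on peers " owner[nets[i]] " and " peer
                    bad = 1
                } else owner[nets[i]] = peer
            }
        }
        END { exit bad + 0 }
    ' "$conf" || rc=1
    return $rc
}

# Usage: sudo sh audit.sh /etc/wireguard/wg0.conf
if [ "$#" -gt 0 ]; then audit_wg_conf "$1"; fi
```

Peers are numbered in the order their [Peer] sections appear in the file; a non-zero exit status means at least one check failed.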

Even Easier: Use a Setup Script

The WireGuard installer script by angristan automates the entire server setup process:

# Review the script before running it
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
cat wireguard-install.sh  # Read before running
chmod +x wireguard-install.sh
sudo ./wireguard-install.sh

The script handles everything interactively — keys, config, firewall rules — and generates a QR code you can scan with the mobile WireGuard app.

Use Cases for Self-Hosted VPN

  • Remote worker access: Replace expensive commercial VPN licenses with a self-hosted WireGuard server on a $5/month VPS
  • Secure public Wi-Fi: Route all traffic through your VPN when on untrusted networks
  • Secure access to home/office network: Access internal resources (NAS, printers, development servers) securely from anywhere
  • Bypassing network restrictions: Access geo-restricted content or bypass overly restrictive corporate filtering

VPN Security Hardening Tips

  • Keep your VPN server updated: run sudo apt update && sudo apt upgrade once a week
  • Use a non-standard port to reduce automated scanning noise
  • Restrict SSH access to specific IP addresses in your VPS firewall
  • Monitor your VPN server logs for unusual connection patterns
  • Use DNS-over-HTTPS or a trusted DNS resolver (Cloudflare 1.1.1.1, Quad9) rather than your ISP’s DNS
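
For the monitoring tip above, one approach (an added example, not part of the original guide): take periodic snapshots of the output of wg show wg0 dump and report peers that are new or that completed a handshake from a different source IP. It assumes the interface is named wg0 as in this guide; the function names wg_snapshot and wg_endpoint_changes are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.
# `wg show wg0 dump` prints one tab-separated line per peer:
#   public-key, preshared-key, endpoint, allowed-ips, latest-handshake,
#   transfer-rx, transfer-tx, persistent-keepalive
# The first line describes the interface and starts with its private key.

# Reduce a dump (stdin) to "public-key <TAB> endpoint <TAB> latest-handshake".
# The interface line and the preshared-key column are dropped so that no
# secret ends up in the stored snapshot.
wg_snapshot() {
    awk -F '\t' 'NF == 8 { print $1 "\t" $3 "\t" $5 }'
}

# Compare two snapshots: report peers that are new, and peers that completed a
# newer handshake from a different source IP than before.
# usage: wg_endpoint_changes PREV_SNAPSHOT CUR_SNAPSHOT
wg_endpoint_changes() {
    awk -F '\t' '
        function ip(ep) { sub(/:[0-9]+$/, "", ep); return ep }   # strip the port
        FILENAME == ARGV[1] { old_ip[$1] = ip($2); old_hs[$1] = $3 + 0; next }
        !($1 in old_ip) { print "NEW_PEER\t" $1 "\t" ip($2); next }
        $3 + 0 > old_hs[$1] && old_ip[$1] != "(none)" && ip($2) != old_ip[$1] {
            print "ENDPOINT_CHANGED\t" $1 "\t" old_ip[$1] " -> " ip($2)
        }
    ' "$1" "$2"
}

# Usage (for example from cron, as root):
#   wg show wg0 dump | wg_snapshot > cur.tsv
#   wg_endpoint_changes prev.tsv cur.tsv; mv cur.tsv prev.tsv
```

Mobile clients change source IP when they roam between networks, so treat a reported change as something to review rather than as proof of a stolen key.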

Summary

Running your own WireGuard VPN server is one of the best privacy and security decisions you can make. It’s faster than most commercial VPNs, costs $5/month, and puts you in complete control of your data. The setup takes about 20 minutes following this guide. For businesses, it eliminates dependency on a third-party VPN provider who could be breached, subpoenaed, or simply dishonest about their logging practices.