
How to Set Up a VPN on Your VPS

By Elliot, BearHost

Hosting your own VPN gives you complete control over your privacy, avoids third-party logging, and lets you access the internet securely from any network. WireGuard is the modern, fast, and simple choice.

Why Host Your Own VPN?

  • Privacy: No third-party VPN provider logging your traffic
  • Speed: Direct connection to your VPS with minimal overhead
  • Cost: Already included with your VPS — no extra subscription
  • Control: You own the server and can audit everything

Install WireGuard

sudo apt update && sudo apt upgrade -y
sudo apt install wireguard -y

Generate Server Keys

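# Run in a root shell (sudo -i): the key files must be written and owned by root
cd /etc/wireguard
# New files are created readable by the owner only
umask 077
wg genkey | tee server_private.key | wg pubkey > server_public.key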

Generate Client Keys

wg genkey | tee client1_private.key | wg pubkey > client1_public.key

Configure the Server

sudo nano /etc/wireguard/wg0.conf

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_HERE
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client 1
PublicKey = CLIENT1_PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.2/32

Replace eth0 with your actual network interface (check with ip route show default).

Enable IP Forwarding

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Open the Firewall

sudo ufw allow 51820/udp
sudo ufw reload

Start WireGuard

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo wg show

Client Configuration

Create a configuration file on your local device:

[Interface]
Address = 10.0.0.2/24
PrivateKey = CLIENT1_PRIVATE_KEY_HERE
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = YOUR_VPS_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

  • Windows/Mac: Install the WireGuard app and import the config file.
  • Linux: Save as /etc/wireguard/wg0.conf and run sudo wg-quick up wg0.
  • iOS/Android: Install the WireGuard app from your app store.

Generate a QR Code for Mobile

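Save the client configuration above on the server as /etc/wireguard/client1.conf, then render it as a QR code in the terminal:

sudo apt install qrencode -y
# Read the file as root; a plain "<" redirect would be opened by your unprivileged shell
sudo cat /etc/wireguard/client1.conf | qrencode -t ansiutf8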

Scan the QR code with the WireGuard mobile app to connect instantly.

Adding More Clients

For each new client, generate a key pair and add a [Peer] section to wg0.conf:

# As root, in /etc/wireguard, with umask 077 set as before
wg genkey | tee client2_private.key | wg pubkey > client2_public.key

Add to server config:

[Peer]
# Client 2
PublicKey = CLIENT2_PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.3/32

Reload without downtime:

# Run the process substitution inside the root shell so wg-quick can read wg0.conf
sudo bash -c 'wg syncconf wg0 <(wg-quick strip wg0)'

Verify Your VPN

Once connected, check your public IP:

curl ifconfig.me

It should show your VPS IP, not your local IP.

OpenVPN Alternative

If you need OpenVPN compatibility (some networks block WireGuard), use the angristan install script:

curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
sudo ./openvpn-install.sh

The script walks you through setup interactively and generates .ovpn client files. It runs as root, so read through it before executing it.

Security Tips

  • Rotate keys periodically — regenerate client keys every 6–12 months
  • Use unique keys per device — never share a key pair across multiple devices
  • Monitor connections with sudo wg show to spot unauthorised peers
  • Keep WireGuard updated: sudo apt update && sudo apt upgrade wireguard
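
Added example (not from the original article): a Python check for the "spot unauthorised peers" tip that compares `wg show wg0 dump` output with the [Peer] entries in wg0.conf. It flags peers missing from the config, AllowedIPs that differ from the config, and server-side AllowedIPs wider than one address inside the 10.0.0.0/24 tunnel subnet; the function names, finding labels and sample data are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: placeholder keys, documentation-range endpoints.
SAMPLE_CONF = """[Interface]
[Peer]
PublicKey = CLIENT1_PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.2/32
[Peer]
AllowedIPs = 10.0.0.3/32
PublicKey = CLIENT2_PUBLIC_KEY_HERE
"""
# Dump rows are tab-separated; after the interface line, each peer row is:
# public-key, preshared-key, endpoint, allowed-ips, handshake, rx, tx, keepalive
SAMPLE_DUMP = "\n".join("\t".join(row) for row in [
    ["SERVER_PRIVATE_KEY_HERE", "SERVER_PUBLIC_KEY_HERE", "51820", "off"],
    ["CLIENT1_PUBLIC_KEY_HERE", "(none)", "203.0.113.7:40000", "10.0.0.2/32", "1700000000", "1024", "2048", "off"],
    ["CLIENT2_PUBLIC_KEY_HERE", "(none)", "198.51.100.9:51000", "10.0.0.0/24", "1700000100", "10", "20", "off"],
    ["UNKNOWN_PEER_KEY", "(none)", "192.0.2.55:33333", "10.0.0.9/32", "0", "0", "0", "off"],
])

def nets(csv):
    return {ipaddress.ip_network(n.strip(), strict=False) for n in csv.split(",") if n.strip()}

def peers_from_conf(text):  # PublicKey -> AllowedIPs networks, one entry per [Peer]
    peers, cur = {}, None
    for raw in text.splitlines() + ["[end]"]:      # sentinel flushes the last section
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            if cur and "publickey" in cur:
                peers[cur["publickey"]] = nets(cur.get("allowedips", ""))
            cur = {} if line.lower() == "[peer]" else None
        elif cur is not None and "=" in line:
            name, value = line.split("=", 1)        # base64 keys may end in '='
            cur[name.strip().lower()] = value.strip()
    return peers

def peers_from_dump(dump):
    rows = [l.split("\t") for l in dump.splitlines()[1:] if l.strip()]
    return {r[0]: nets("" if r[3] == "(none)" else r[3]) for r in rows}

def audit(conf_text, dump_text, vpn_net="10.0.0.0/24"):
    expected, live = peers_from_conf(conf_text), peers_from_dump(dump_text)
    vpn, findings = ipaddress.ip_network(vpn_net), []
    for key, allowed in live.items():
        if key not in expected:
            findings.append(("unknown-peer", key))        # added at runtime, not in wg0.conf
        elif allowed != expected[key]:
            findings.append(("allowedips-drift", key))    # live state differs from the config
        if any(n.num_addresses != 1 or n.version != vpn.version or not n.subnet_of(vpn) for n in allowed):
            findings.append(("broad-allowedips", key))    # peer may source other clients' addresses
    return findings
```

On the server, pass it the contents of /etc/wireguard/wg0.conf and the output of sudo wg show wg0 dump in place of the sample strings.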