Running your own VPN on a VPS is one of the best value-per-effort projects in self-hosting. Twenty minutes of setup gets you encrypted traffic from your phone and laptop through a server you control, in a region you choose, with no logs you have to take a company's word about. This guide covers what specs you actually need (less than you'd think), which region to pick (matters more than you'd expect), and how a self-hosted VPN actually compares to commercial ones like Mullvad and Proton.
Self-hosted VPN vs commercial VPN
The two genuinely solve different problems. Picking the wrong tool produces frustration.
Commercial VPNs (Mullvad, Proton, Nord, etc.) are good at:
- Anonymity through crowd. You share an IP with thousands of other users. Tracking individual users is harder.
- Avoiding ISP-level monitoring. Your ISP sees encrypted traffic to a VPN provider, not your actual destinations.
- Geo-shifting for streaming. Some services maintain large IP pools that haven't been blocked by Netflix/Hulu.
- One-click connect from anywhere. Polished apps for every platform.
Self-hosted VPNs are good at:
- Privacy through ownership. You control the server. Whether your traffic is logged is your decision, not a third party's.
- Stable, dedicated IP. Useful for accessing services that flag VPN IPs (banks, work tools, captcha-heavy sites).
- Encrypted traffic on hostile networks. Coffee shop wifi, hotel networks, sketchy mobile hotspots.
- Accessing your own home network from anywhere. The Tailscale/WireGuard "personal mesh" use case.
- Cost. $4/mo for unlimited bandwidth and traffic vs $5-12/mo for commercial.
Pick commercial VPN if your primary need is anonymity through shared IPs. Pick self-hosted if your primary needs are control, a stable dedicated IP, or accessing your own resources.
What a VPN VPS actually needs
VPN workloads are wonderfully light. Specifically:
- RAM: WireGuard uses ~10MB regardless of client count. OpenVPN uses 30-100MB. A 1GB VPS handles 50+ concurrent VPN clients trivially.
- CPU: WireGuard is CPU-light (single-digit % per Gbps of traffic on modern hardware). OpenVPN is heavier (10-20% per Gbps). 1 vCPU is enough for personal use.
- Bandwidth: The dominant resource. Every byte your VPN clients receive passes through the VPS twice (in and out). Heavy users (4K streaming via VPN, big downloads) push real bandwidth.
- Disk: Negligible. The VPN config files are tiny.
- KVM virtualization: WireGuard requires kernel module loading, which only works on KVM (not OpenVZ).
The constraint is bandwidth. Pick a host that gives you generous transfer with cheap overage rates.
Sizing
| Use case | RAM | vCPU | Transfer | Plan |
|---|---|---|---|---|
| Personal VPN, 1-3 devices, modest use | 1GB | 1 vCPU | 4TB | Starter ($3.99/mo) |
| Family VPN, 5-10 devices, regular streaming | 1-2GB | 1 vCPU | 4-8TB | Starter or Pro |
| Heavy use, 10+ devices, 4K streaming | 2GB | 1-2 vCPU | 8-15TB | Pro ($7.99/mo) |
| Small team / community VPN, 30+ users | 4GB | 2 vCPU | 15-30TB | Premium ($15.99/mo) |
The Starter plan handles personal use comfortably. Bandwidth is what scales — heavy streamers and torrent users push more transfer than light users by orders of magnitude.
Bandwidth math. Watching 4K Netflix uses 15-25 GB/hour. If everyone in your family streams Netflix through your VPN for 3 hours/day, that's 1.3-2.3 TB/month. Sizing a "VPS for VPN" is mostly sizing for bandwidth, not CPU.
Region selection
For most personal-VPN use cases, you want a region close to where you physically are. Why:
- Latency: All your traffic detours through the VPN. A close VPS adds ~5-15ms; a distant one adds 100-300ms. The distant one makes web browsing feel slow.
- Bandwidth: Most modern networks reach 200+ Mbps inbound; that throughput requires reasonable proximity.
Special cases where you might pick a distant region:
- Geo-shifting for content access. Want a UK IP for BBC iPlayer? Pick London regardless of where you are. Want US streaming? New York or Los Angeles.
- Bypassing local restrictions. If your country restricts certain services, picking a region in a permissive jurisdiction makes sense.
- Privacy preferences. Some users prefer hosts in specific jurisdictions (Switzerland, Iceland) for legal protection.
OliveVPS has 20 regions including Mumbai, Tokyo, Singapore, London, Frankfurt, Dubai, São Paulo, New York, and others.
WireGuard vs OpenVPN
WireGuard (recommended)
Modern, fast, simple. ~4000 lines of code (vs OpenVPN's hundreds of thousands). Faster throughput, lower CPU use, simpler config. Standard on Linux kernels 5.6+.
Quirks: its traffic is identifiable as WireGuard (some restrictive networks block UDP traffic on WireGuard's default port). Uses persistent connections: handles network changes gracefully but can be detected via traffic analysis.
OpenVPN
Mature, battle-tested, configurable. Can run on TCP 443 (looks like HTTPS, harder to block). Compatible with restrictive networks where WireGuard fails. Slower than WireGuard, more CPU-intensive, fiddlier config.
Use OpenVPN if WireGuard fails on networks you actually use (some hotel/airport wifi, some corporate networks, some restrictive countries). Otherwise, WireGuard is the better default.
Other protocols (Tailscale, IKEv2)
Tailscale is built on WireGuard with automatic NAT traversal — different product (mesh networking) than a traditional VPN endpoint. IKEv2/IPsec is older but supported natively by iOS/macOS without third-party apps.
AUP and bandwidth considerations
Two host-side considerations:
Acceptable Use Policies
Most hosts are fine with personal VPNs. Some restrict commercial VPN services (selling VPN access to others), Tor exit nodes, or anything that consistently generates abuse complaints. Read your host's AUP before launching anything that could trigger it.
OliveVPS allows personal and small-team VPNs without restriction. Public Tor exits are not permitted (they generate too many abuse complaints). Selling VPN-as-a-service requires a chat with us first.
Bandwidth and overage
VPNs push real bandwidth. Pick a host with generous transfer allowances:
- OliveVPS: 4-30 TB included depending on plan, $0.01/GB overage.
- Hetzner: 20 TB included on most plans, ~$0.001/GB overage. Cheapest if you exceed.
- DigitalOcean / Vultr: 1-5 TB included, $0.01/GB overage.
- AWS Lightsail: 1-7 TB included, $0.09/GB overage. Avoid for VPN — egress costs add up fast.
Multiple regions for one user
A neat use case: run two or three small VPS instances in different regions, each running WireGuard. Use one as your default; switch to the others for content access or specific use cases.
Cost: 3 × $4/mo = $12/mo. You get a US, EU, and Asia endpoint. Cheaper than commercial multi-region VPN subscriptions, more reliable than single-VPS setups, and you switch regions in one click.
The WireGuard mobile app supports multiple tunnel profiles. Tap to switch.
Common mistakes
Buying a VPS plan with shared CPU "to save money." WireGuard barely uses CPU; the savings are imaginary. Get the real plan.
Picking a host without KVM. WireGuard needs to load a kernel module. OpenVZ "VPS" plans don't allow this. Verify with systemd-detect-virt on a fresh deploy.
Hosting in a far-away region. A VPN in Tokyo for a user in New York adds 200ms latency to every connection. Pick a close region unless you specifically want geo-shifting.
Forgetting to enable IP forwarding. The most common WireGuard "tunnel works but no internet" issue. Set net.ipv4.ip_forward=1 in sysctl.conf (covered in our WireGuard setup guide).
Generating one keypair and reusing it across devices. Generate a separate keypair per device. If one device is compromised, you can revoke its access without affecting the others.
Not using PersistentKeepalive on mobile. Mobile networks aggressively kill idle UDP flows. Without keepalive, WireGuard goes silent and reconnects only when you generate traffic. Set PersistentKeepalive = 25 on mobile clients.
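The last three mistakes can be checked mechanically before you bring a tunnel up. The following is an added example, not code from this guide or from the WireGuard project: the function names (`sections`, `audit`), the 10.8.0.0/24 addressing, the `vpn.example.net` endpoint and all key values are constructed placeholders.

```python
import re

# Constructed sample inputs; key values are placeholders, not real key material.
SERVER_CONF = """\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
[Peer]
PublicKey = PHONE_PUBKEY_PLACEHOLDER=
AllowedIPs = 10.8.0.2/32
[Peer]
PublicKey = PHONE_PUBKEY_PLACEHOLDER=
AllowedIPs = 10.8.0.3/32
"""
MOBILE_CONF = """\
[Interface]
PrivateKey = <phone-private-key>
Address = 10.8.0.2/32
[Peer]
PublicKey = SERVER_PUBKEY_PLACEHOLDER=
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0
"""
SYSCTL_CONF = "#net.ipv4.ip_forward=1\n"  # commented out, so not in effect

def sections(text):
    """Parse wg-quick style text; configparser cannot hold repeated [Peer] sections."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            out.append((line[1:-1], {}))
        elif "=" in line and out:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            out[-1][1][key.strip()] = value.strip()
    return out

def audit(server, mobile, sysctl):
    """Return findings for the three config mistakes named above."""
    findings = []
    keys = [kv.get("PublicKey") for name, kv in sections(server) if name == "Peer"]
    if len(keys) != len(set(keys)):
        findings.append("keypair reused across peers")
    if any(n == "Peer" and "PersistentKeepalive" not in kv for n, kv in sections(mobile)):
        findings.append("mobile client lacks PersistentKeepalive")
    if not re.search(r"^\s*net\.ipv4\.ip_forward\s*=\s*1\s*$", sysctl, re.M):
        findings.append("net.ipv4.ip_forward=1 not set")
    return findings
```

Calling `audit(SERVER_CONF, MOBILE_CONF, SYSCTL_CONF)` on the constructed inputs reports all three findings; giving each peer its own key, adding `PersistentKeepalive = 25` to the mobile `[Peer]` block and uncommenting the sysctl line clears them.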
FAQ
Is self-hosted VPN actually private?
Privacy depends on your threat model. Self-hosted: your ISP can't see your traffic, but your VPS host technically could (they have access to the underlying server), so you are trusting your VPS host. Commercial VPN: you trust the VPN company's no-log claims. Both are private from your ISP and from public networks. Pick based on who you'd rather trust.
Can I torrent through my self-hosted VPN?
Technically yes, legally depends on what you're torrenting. DMCA notices for copyright infringement get sent to whoever owns the IP, which is your VPS host — they'll forward the complaint to you. Repeated abuse complaints can get your account suspended. Torrent legal content; for anything else, commercial VPNs designed for it (Mullvad, Proton) are better suited.
Will my self-hosted VPN unblock Netflix?
Maybe. Netflix actively blocks IP ranges associated with VPN providers. A residential-class VPS IP that hasn't been used by other VPN customers may work; an IP in a known VPS range may be blocked. Hit-or-miss. Commercial VPNs that specifically maintain Netflix-unblocked pools have better odds for streaming.
Can multiple people use the same self-hosted VPN?
Easily. Each person gets a separate keypair (under their own [Peer] block on the server). 5-10 family members on one VPS works smoothly. The constraint is bandwidth, not connections — WireGuard scales to hundreds of peers per server.
How much bandwidth does a typical VPN user use?
Light use (occasional browsing, minimal streaming): 50-200GB/month. Moderate use (daily browsing, regular streaming): 500GB-1TB/month. Heavy use (4K streaming through VPN, large downloads): 2-5TB/month. Choose a plan with transfer allowance to match.