TLDR: This blog shows you how to set up your own VPN on a remote VPS via wireguard and openvpn to increase your privacy by hiding where you're connecting from your ISP. This method increases privacy compared to using a VPN provider but you do lose some anomonynity

Serverside Remote Privacy - Running your own VPN (With OpenVPN & Wireguard)

In this tutorial we're going to explain how one can install, run, and connect to a self hosted VPN on a VPS to hide where they're connecting from their ISP.

This blogpost reuses elements from these other tutorials:

Why host your own VPN on a VPS?

In any opsec scenario, it's never a good idea to connect to any network with your plain device with no VPN. There are many VPN providers that range in privacy practices, but regardless of which you choose, you are just moving the trust from your ISP to your provider. Mullvad is a good option since they've proven to respect privacy, but at the end of the day if you wish to be 100% private, hosting your own VPN on a deniability rented VPS is a good option.

The trade off here is that your losing the anomonynity you get when using a VPN that has thousands of users, as explained in the Tor through VPN article. This is a concious tradeoff that you have to make on your own, but self hosting if set up right will be the most private option you can have for any service.

What is the solution ?

Set up a selfhosted VPN server on your anonymous VPS to connect securely and privately to the public internet with the IP of your deniably rented VPS.

Prerequisites: - Aquire a VPS. Can be done anonymously with enough deniability through this tutorial

How can I implement the solution ?

There are 2 solutions when it comes to self hosting your own VPN: OpenVPN and Wireguard. Each of them have their own benefits and restraints which we'll cover deeper.

OpenVPN Solution

What is OpenVPN? OpenVPN is a secure way to host your own VPN by providing password protected configuration files which you can use on the client side to establish a connection. OpenVPN allows both a TCP and/or UDP connection, making it a trusted way to establish a secure connection.

How to set up an OpenVPN server

Connect to your VPS server using ssh ssh anon@<server ip or domain>

Download and run angristran's script The script can be installed from this git repo. Running it with sudo and the interactive mode is the easiest way to set it up. Straight forward with all the default options gets you a simple openVPN server running within minutes.

anon@remote-vps:~/openVPN$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current Dload  Upload   Total   Spent    Left  Speed
100  143k  100  143k    0     0   768k      0 --:--:-- --:--:-- --:--:--  769k
anon@remote-vps:~/openVPN$ chmod +x openvpn-install.sh
anon@remote-vps:~/openVPN$ ls
openvpn-install.sh
anon@remote-vps:~/openVPN$ sudo ./openvpn-install.sh interactive

There are only a few reccomendation. First is that you should create a client with a password. This is to add extra security incase your ovpn fie is ever compromised. Second is that you should make the server listen with TCP on port 443; this is to take full advantage of the openVPN system and use TCP over UDP.

What port do you want OpenVPN to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 2
Custom port [1-65535]: 443 

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldnt use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 2

....

Tell me a name for the client.
The name must consist of alphanumeric characters, underscores, or dashes (max 64 characters).
Client name: nobody

How many days should the client certificate be valid for?
Certificate validity (days): 3650

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 2
[INFO] Generating client certificate...
[WARN] You will be asked for the client password below
Using Easy-RSA 'vars' configuration:
* /etc/openvpn/server/easy-rsa/vars
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

After running and creating your first user, you should have a file called nobody.ovpn in your home directory as well as some certification files created. You can leave the certification files as is, the configuration is what you'll need.

Set up OpenVPN client on your home machine and make sure it starts on every boot

Back on your home desktop, download the configuration file

To set up the openVpn client in your host machine you'll need the following packages. openvpn, scp You can install them via sudo apt install openvpn scp if you don't have them already

First get the configuration file from your server onto your host machine. There are many ways to do this, I will use scp in this demonstration:

[nullee@nullee-pc ~]$ scp anon@<remote-vps-domain>:nobody.ovpn .
anon@<remote-vps-domain>'s password: 
nobody.ovpn                                                                                                                                            100% 3140     1.0MB/s   00:00    
[nullee@nullee-pc ~]$ ls
nobody.ovpn
[nullee@nullee-pc ~]$

To activate the actual configuration you will first need to do a couple things to the file.
1. Create a file containing your credentials for the account created
  - This is the passphrase you entered when you chose to make a client with a password. I name it something like nobody-credentials to make it easy to identify later. The contents should be just the following:
```
<password>
```
2. Add your credentials to the .ovpn file
  - In your .ovpn you'll want to add a line that states askpass and put the path to this credential file here. To keep this in a easy to find place for your machine we will move it to the /etc/openvpn/ directory in the next step
```
...
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
askpass /etc/openvpn/nobody-credentials
...
```
3. Move the configuration file and your credential file to the /etc/openvpn directory, rename the .ovpn file to a .conf file for easy identification [optional just remember the extention for step iv]
```
[nullee@nullee-pc ~]$ sudo mv nobody.ovpn /etc/openvpn/nobody.conf
[nullee@nullee-pc ~]$ sudo mv nobody-credentials /etc/openvpn
```

Create a systemd file to start up the vpn on boot

In order to make the vpn start on boot you'll need to create a systemd file and start it up.
Create a file called /etc/systemd/system/openvpn@.service

Paste the following:

[Unit]
Description=OpenVPN connection to %i
After=network.target

[Service]
ExecStart=openvpn --config /etc/openvpn/%i.conf --log /etc/openvpn/%i.log
Restart=always

[Install]
WantedBy=multi-user.target

Enable the service, in my case the configuration file is nobody.conf so I'm using the words nobody but remember to use your configuration name. If you run to any problems, the log located at /etc/openvpn/<configuration>.log should contain any errors or warnings encountered
```
[nullee@nullee-pc ~]$ sudo systemctl enable openvpn@nobody
Created symlink '/etc/systemd/system/multi-user.target.wants/openvpn@nobody.service' → '/etc/systemd/system/openvpn@.service'.
[nullee@nullee-pc ~]$ sudo systemctl start openvpn@nobody
```

Your VPN should now be up and running. You can confirm this by checking your ip route and see what IP you receive when curling ifconfig:

[nullee@nullee-pc ~]$ ip route
0.0.0.0/1 via 10.96.0.1 dev tun0 
default via 10.20.188.1 dev enp37s0 proto dhcp src 10.20.188.21 metric 100 
10.20.188.0/24 dev enp37s0 proto kernel scope link src 10.20.188.21 metric 100 
10.96.0.0/16 dev tun0 proto kernel scope link src 10.96.0.30 
<home IP address> via 10.20.188.1 dev enp37s0 
128.0.0.0/1 via 10.96.0.1 dev tun0 
[nullee@nullee-pc ~]$ curl ifconfig.me
<Remote VPS> 158.122.101.101

This should route all your internet through your VPS now so your remote VPS IP should be what's received instead of your local home IP. OpenVPN uses tun0 to route your traffic which is seen above.

Wireguard Solution

Why use Wireguard over OpenVPN? Wireguard is another big VPN service in the self hosting and privacy community. The biggest difference in using wireguard over openvpn is it's speed: wireguard is a UDP only protocol, which makes it have a lot faster speeds, speeds up to your normal at home internet speeds. This makes it a simpler and more convenient choice to use over openvpn.

Set up Wireguard Server

We will use angristan's script once again for this. 1. First you 'll want to connect to your remote VPS via ssh again:

[nullee@nullee-pc ~]$ ssh anon@<remote vps domain>

2. Download the script from the github repo or just use the following commands:

anon@anon:~$ curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 21103  100 21103    0     0   131k      0 --:--:-- --:--:-- --:--:--  131k
anon@anon:~$ chmod +x wireguard-install.sh

3. Run the script, this one is much simpler and you can stick with all the defaults

anon@anon:~$ ./wireguard-install.sh

4. After finishing the installation you should be greeted with a QR code and the following message:

Your client config file is in /home/anon/wg0-client-nobody.conf
If you want to add more clients, you simply need to run this script another time!

WireGuard is running.
You can check the status of WireGuard with: systemctl status wg-quick@wg0


If you don't have internet connectivity from your client, try to reboot the server.

You can use the QR code to connect to the VPN via your phone if you wish, I will show you how to use the configuration file in the next step.

Set up Wireguard client on your home desktop to start up on boot

Wireguard client is much simpler to set up on your home machine compared to openvpn since there's no credentials needed.

Install the wireguard packages on your machine

[nullee@nullee-pc ~]$ sudo apt install wireguard-tools

Copy the configuration file from your server back into your home machine via scp (or any other remote transfer method you have set up). I also prefer to rename it something easier to identify like home.conf

[nullee@nullee-pc ~]$ scp anon@<remote-vps-domain>:wg0-client-nobody.conf .
anon@<remote-vps-domain>'s password: 
wg0-client-nobody.conf                                                                                                                                            100% 3140     1.0MB/s   00:00    
[nullee@nullee-pc ~]$ ls
wg0-client-nobody.conf
[nullee@nullee-pc ~]$ mv wg0-client-nobody.conf home.conf

Move the file the /etc/wireguard/ directory so the wireguard service can find it
```
[nullee@nullee-pc ~]$ sudo mv home.conf /etc/wireguard
```

Set up the systemd service to start the vpn on boot

[nullee@nullee-pc ~]$ sudo systemctl enable wg-quick@home
[sudo] password for nullee: 
Created symlink '/etc/systemd/system/multi-user.target.wants/wg-quick@home.service' → '/usr/lib/systemd/system/wg-quick@.service'.
[nullee@nullee-pc ~]$ sudo systemctl start wg-quick@home

Your internet should now all be routed through your wireguard tunnel. You can confrim this by running the following:

[nullee@nullee-pc ~]$ ip a
        {redacted}
        8: home: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
        {redacted}    
[nullee@nullee-pc ~]$ curl ifconfig.me
<Remote VPS> 158.122.101.101

home should be the name of your configuration and the returned IP should be the VPS IP.

Conclusion

And now you have a VPN set up in your own VPS connected to every boot from your home computer using either wireguard or openvpn. Your path to the internet should now be like below, completly private from your ISP routed through your remote VPS. Sacrificing a bit of anomonynity to secure your privacy.

Suggest changes

nullee

2026-02-11

Donate XMR to the author:
44b4YXuq2mrW8gZZt5ZBgZjPykCbd1Gmk1V5wu9W6rMSaxHs7GQ9e2vKuAHnsTqoAh8fD2mR1bwB1VDyXTJ3xWf3BLahqkk