
Got tired of trusting VPN companies with my data. Decided to roll my own. Turns out it's easier than I thought, and you can pay for everything with Bitcoin through Tor. Full privacy from start to finish.

Why Bother?

Most VPN services log your data despite what they claim. Even the "no logs" ones can be compromised or forced to start logging. Plus they know who you are because you paid with a credit card tied to your identity.
Running your own VPN means you control everything. No third party to trust. No logs unless you make them. And if you're smart about it, nobody knows it's yours.

What You Need

  • Bitcoin (obviously)
  • Tor browser
  • Basic Linux knowledge (I'll walk you through it)
  • About 30 minutes
  • 5000 sats for hosting

Step 1: Get a VPS with Bitcoin

I used 1984 hosting because they're based in Iceland, accept Bitcoin, and don't ask for ID. Access their site through Tor.
Through Tor browser:
  1. Go to 1984hosting.com (they have an onion address too)
  2. Pick a VPS plan - their smallest one works fine for personal use
  3. At checkout, select Bitcoin payment
  4. They'll give you a Bitcoin address
  5. Send payment from your wallet (use a mixing service first if you're paranoid)
  6. Wait for confirmation
Takes about an hour to get your VPS details via email. They'll send you IP address, root password, etc.

Step 2: Secure Your VPS

First thing - change that root password and set up proper access.
SSH into your VPS:
ssh root@your-vps-ip
Update everything:
apt update && apt upgrade -y
Create a new user (don't use root for everything):
adduser yourusername
usermod -aG sudo yourusername
Set up SSH keys for secure access. Do this in the new user's home, not root's, because root login gets disabled below and a key sitting under /root would lock you out:
mkdir ~/.ssh
chmod 700 ~/.ssh
Copy your public key into ~/.ssh/authorized_keys (mode 600), confirm from a second terminal that you can log in as the new user with the key, then disable password auth:
nano /etc/ssh/sshd_config
Change these lines:
PasswordAuthentication no
PermitRootLogin no
Restart SSH (keep your current session open until a fresh key login works):
systemctl restart ssh
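The same Step 2 changes as a script, added here as an example and not taken from the post: it installs the new user's key with the permissions sshd requires, rewrites the two sshd settings so that a commented-out or duplicate copy can't silently win, and runs sshd -t before restarting, which is the check that prevents a lockout. The function names, the drop-in file name 00-hardening.conf, and the assumption that the user's primary group carries the user's name (what adduser creates) are this example's own.

```shell
#!/bin/sh
# Added example for Step 2 (not the post's own commands).
set -eu

# set_sshd_option FILE KEY VALUE: leave exactly one active "KEY VALUE" line
# in an sshd_config-style file. Every existing line for KEY, active or
# commented out, is dropped, and the new line is placed FIRST: sshd keeps
# the first value it reads for a keyword, and a Match block at the end of
# the file would otherwise capture an appended line.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    printf '%s %s\n' "$key" "$value" > "$tmp"
    grep -viE "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file" >> "$tmp" || true
    cat "$tmp" > "$file"      # keeps the original owner and mode
    rm -f "$tmp"
}

# install_user_key USER PUBKEY_FILE: put the public key in USER's
# authorized_keys with the modes sshd insists on (700 dir, 600 file).
# Assumes USER's primary group has the same name, as adduser sets up.
# Overwrites any existing authorized_keys for that user.
install_user_key() {
    user=$1; pubkey=$2
    home=$(getent passwd "$user" | cut -d: -f6)
    install -d -m 700 -o "$user" -g "$user" "$home/.ssh"
    install -m 600 -o "$user" -g "$user" "$pubkey" "$home/.ssh/authorized_keys"
}

# harden_ssh: apply the two settings from the post. If the main file uses
# Include (Debian/Ubuntu do), write a drop-in that sorts before the
# distro's own ones (cloud-init ships 50-cloud-init.conf with
# PasswordAuthentication yes, which would otherwise win); else edit the
# main file as in the post. Validate before restarting.
harden_ssh() {
    main=/etc/ssh/sshd_config
    if grep -qE '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/' "$main"; then
        target=/etc/ssh/sshd_config.d/00-hardening.conf
        mkdir -p "$(dirname "$target")"
        : > "$target"
    else
        target=$main
    fi
    set_sshd_option "$target" PasswordAuthentication no
    set_sshd_option "$target" PermitRootLogin no
    sshd -t                      # refuse to restart on a broken config
    systemctl restart ssh
}

# Usage (as root): sh harden.sh apply yourusername /path/to/id_ed25519.pub
if [ "${1:-}" = apply ]; then
    install_user_key "$2" "$3"
    harden_ssh
fi
```

Run it from your existing root session and, before closing that session, open a second terminal and log in as the new user with the key; sshd -t only proves the file parses, not that your key is in the right place.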

Step 3: Install WireGuard

WireGuard is fast, modern, and way simpler than OpenVPN.
apt install wireguard -y
Generate server keys:
cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
Create server config:
nano /etc/wireguard/wg0.conf
Put this in the file (eth0 must be your VPS's public interface; if ip route shows a different name such as ens3, use that in both iptables lines):
[Interface]
PrivateKey = [your server private key]
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = [your client public key - we'll generate this next]
AllowedIPs = 10.0.0.2/32

Step 4: Set Up Client

On your local machine, install WireGuard and generate client keys:
wg genkey | tee client_privatekey | wg pubkey > client_publickey
Create client config:
nano client.conf
[Interface]
PrivateKey = [your client private key]
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = [your server public key]
Endpoint = your-vps-ip:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Step 5: Enable IP Forwarding

Back on the server:
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
Add your client's public key to the server config, then start WireGuard:
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

Step 6: Configure Firewall

Set up UFW to only allow what you need. Allow SSH first so enabling the firewall doesn't cut off your session, and make sure the UDP port matches ListenPort:
ufw allow ssh
ufw allow 51820/udp
ufw enable
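Steps 3 to 6 as one script, added here as an example rather than the post's own commands. It assumes a Debian/Ubuntu VPS with wireguard, ufw and systemd installed, keeps the post's addresses and port (WG_PORT can be overridden in the environment), detects the egress interface instead of assuming eth0, generates the server keys under umask 077 so they aren't world-readable, and leaves the client key pair on the client as the post does: it takes the client's public key as an argument and prints a client.conf with a placeholder where the client's own private key goes. The render functions, deploy and egress_iface are names chosen for this example.

```shell
#!/bin/sh
# Added example covering Steps 3 to 6 (not the post's own commands).
set -eu

WG_DIR=/etc/wireguard
WG_PORT=${WG_PORT:-51820}
WG_NET=10.0.0

# Interface carrying the default route; the post hardcodes eth0, which is
# wrong on many VPS images (ens3, enp1s0, ...).
egress_iface() {
    ip -4 route show default | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") {print $(i+1); exit}}'
}

# render_server_conf SERVER_PRIV CLIENT_PUB IFACE PORT: the post's wg0.conf.
render_server_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = ${WG_NET}.1/24
ListenPort = $4
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $3 -j MASQUERADE

[Peer]
PublicKey = $2
AllowedIPs = ${WG_NET}.2/32
EOF
}

# render_client_conf CLIENT_PRIV SERVER_PUB SERVER_IP PORT: the post's client.conf.
render_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = ${WG_NET}.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = $2
Endpoint = $3:$4
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# deploy SERVER_PUBLIC_IP CLIENT_PUBLIC_KEY: generate server keys, write
# wg0.conf, enable forwarding, open the firewall, start the tunnel, and
# print the client config (the client's private key never touches the VPS).
deploy() {
    server_ip=$1; client_pub=$2
    umask 077                              # keys and config readable by root only
    mkdir -p "$WG_DIR"
    server_priv=$(wg genkey)
    server_pub=$(printf '%s\n' "$server_priv" | wg pubkey)
    iface=$(egress_iface)
    [ -n "$iface" ] || { echo "no default route found" >&2; exit 1; }
    render_server_conf "$server_priv" "$client_pub" "$iface" "$WG_PORT" > "$WG_DIR/wg0.conf"
    # Forwarding: persistent via sysctl.d, and immediately.
    printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-wireguard.conf
    sysctl -w net.ipv4.ip_forward=1
    # Firewall: SSH first (so enabling it can't cut this session), then the tunnel port.
    ufw allow ssh
    ufw allow "$WG_PORT/udp"
    ufw --force enable
    systemctl enable --now wg-quick@wg0
    echo "--- client.conf: paste in the private key generated on the client ---"
    render_client_conf '<client private key>' "$server_pub" "$server_ip" "$WG_PORT"
}

# Usage (as root, with the client's public key from Step 4):
#   sh wg-deploy.sh deploy your-vps-ip 'client public key'
if [ "${1:-}" = deploy ]; then deploy "$2" "$3"; fi
```

If you follow the "Random Tips" and move the port, setting WG_PORT once covers ListenPort, the ufw rule and the client's Endpoint together, which is where the three usually drift apart when edited by hand.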

Step 7: Connect

Import the client config into your WireGuard app and connect. Check your IP at whatismyipaddress.com; it should show your VPS location now.

Random Tips

  • Change the default WireGuard port from 51820 to something random (update ListenPort, the ufw rule and the client's Endpoint together)
  • Use different VPS providers for different purposes
  • Consider running your own DNS resolver too
  • Don't use the VPS for anything else that could identify you
  • Rotate servers periodically

Troubleshooting

If it's not working:
  • Check firewall rules on both ends
  • Make sure IP forwarding is enabled
  • Verify your keys are correct
  • Check if your ISP blocks WireGuard ports
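A server-side check script for the list above, added as an example and not part of the post: it prints the forwarding flag, whether anything listens on the WireGuard port, the ufw and MASQUERADE rules, and flags any peer whose last handshake is stale. handshake_age and handshake_ok parse the output of wg show wg0 latest-handshakes (one line per peer: public key, then a Unix timestamp, 0 if there has never been a handshake). The 180-second threshold is this example's choice, based on WireGuard rekeying roughly every two minutes while traffic or the client's keepalive is flowing; the function names are the example's own.

```shell
#!/bin/sh
# Added example: checks for the troubleshooting list (not from the post).
set -eu

WG_PORT=${WG_PORT:-51820}

# handshake_age LINE NOW: LINE is one row of `wg show wg0 latest-handshakes`
# ("<peer pubkey><tab><unix time>"). Prints seconds since the handshake,
# or "never" when the timestamp is 0.
handshake_age() {
    ts=$(printf '%s\n' "$1" | awk '{print $2}')
    if [ "${ts:-0}" -eq 0 ]; then
        echo never
    else
        echo $(( $2 - $ts ))
    fi
}

# handshake_ok LINE NOW: true when the peer handshook within the last 180s.
# Older than that, or never, means packets are not getting through in at
# least one direction: wrong key, wrong Endpoint/port, or a firewall.
handshake_ok() {
    age=$(handshake_age "$1" "$2")
    [ "$age" != never ] && [ "$age" -le 180 ]
}

# check_server: one line per item on the troubleshooting list.
check_server() {
    now=$(date +%s)
    printf 'ip_forward      : %s (must be 1)\n' "$(sysctl -n net.ipv4.ip_forward)"
    printf 'udp listeners   : %s on port %s (0 means wg0 is not up)\n' \
        "$(ss -lun | grep -c ":$WG_PORT ")" "$WG_PORT"
    printf 'ufw rules       : %s for %s/udp (0 means the port is blocked)\n' \
        "$(ufw status | grep -c "$WG_PORT/udp")" "$WG_PORT"
    printf 'masquerade rules: %s (0 means PostUp did not run)\n' \
        "$(iptables -t nat -S POSTROUTING | grep -c MASQUERADE)"
    wg show wg0 latest-handshakes | while IFS= read -r line; do
        peer=${line%%[[:space:]]*}
        if handshake_ok "$line" "$now"; then
            printf 'peer ok, handshake %ss ago: %s\n' "$(handshake_age "$line" "$now")" "$peer"
        else
            printf 'peer NOT handshaking (%s): %s\n' "$(handshake_age "$line" "$now")" "$peer"
        fi
    done
}

# Usage (as root on the VPS): sh wg-check.sh check
if [ "${1:-}" = check ]; then check_server; fi
```

If every server-side line looks right and the peer still shows "never", the problem is on the client side or in between: the client's Endpoint or keys, or the last bullet above, an ISP that drops the UDP port. wg show on the client tells you whether it is even sending.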

Other Providers

1984 hosting works well but there are others:
  • Njalla (accepts Bitcoin, privacy focused)
  • BitLaunch (Bitcoin only, multiple providers)
  • VirMach (cheap, accepts crypto)

The Paranoid Version

Want maximum privacy?
  • Pay for VPS through multiple hops (exchange Bitcoin first)
  • Use Tails OS for the setup process
  • Route through multiple VPS servers
  • Change servers monthly

Is It Worth It?

For €5/month you get your own private VPN that nobody else controls. No logging policies to trust, no jurisdiction issues, no bandwidth sharing with sketchy users.
Setup takes maybe an hour. Maintenance is basically zero. And you learn how VPNs actually work instead of just clicking "connect" on some app.

Current Status

Been running mine for 6 months now. Zero issues. Fast speeds. Complete privacy as far as I can tell.
Cost about €30 total so far. Compare that to NordVPN or whatever charging €100/year for worse privacy.
Plus now I actually understand how this stuff works instead of just trusting some company's marketing.
175 sats \ 2 replies \ @ek 16h
They can still log at the network level, no?
reply
With this risk profile, I would suggest using Tails with a no-KYC SIM or a neighbor's WiFi as your exit point, as that is what the hosting might register from you. Of course they still can access the VPS. Paranoia is never-ending, but this VPN use case is more home-intended.
BTW, thanks @ek for your contributions to the space!!!
reply
Of course. If that is your concern, multiple VPSes could be a solution for you, proxychains and some Tor connection too. Performance on the floor but higher privacy. Trade-off.
reply
50 sats \ 1 reply \ @unschooled 15h
Great! What do you think of obscura's model? They claim they "can't log" traffic. Are they just blowing smoke?
reply
They say they cannot log HTTP and DNS, but they can still log IPs from your clients, the same as the physical owner of your rented VPS.
You can always log something.
reply
0 sats \ 1 reply \ @GregAsks 5h
Tailscale for free?
reply
Nothing is truly free, Sir. Energy is not free.
reply
0 sats \ 0 replies \ @skhron 15h
There are a few good VPS hosts available at https://bitcoin-vps.com/ including ones with .onion
reply