Build Your Own Private VPN - The Ultimate WireGuard + VPS Guide

Build your own high-speed, log-free private VPN for under $10/year using WireGuard and a budget VPS. This step-by-step guide solves common low-RAM crashes and IPv6 errors to ensure total digital privacy.

In this guide, I will show you how to build a high-speed, private VPN using a cheap cloud VPS (as low as $10/year or even less) and WireGuard. We will tackle specific challenges like running this on low-RAM servers (300MB-512MB) and fixing common IPv6 errors that break standard installations.


Prerequisites

Before we start, you will need:

  1. A Cheap VPS: You can find annual deals for under $10 on sites like RackNerd or ColoCrossing. Look for KVM virtualization.
    • Minimum Specs: 1 CPU, 512MB RAM (we will make it work on 300MB!), Ubuntu 22.04 LTS.
  2. Basic Terminal Skills: If you are new to Linux, check out my [Introduction to the Open-Source Operating System] to get comfortable.
  3. SSH Access: Ensure you can log into your server securely. See my guide on [How to Secure Your SSH Server] before proceeding.

[Figure: Privacy Architecture – How Traffic Flows Through Your Private VPN]

Step 1: The “Secret Sauce” for Low-RAM Servers (Swap File)

Most VPN installers crash on cheap VPS instances because the installation process spikes memory usage. If you have less than 1GB of RAM, the kernel's out-of-memory (OOM) killer will terminate the process to keep the system alive.

We fix this by creating a swap file, essentially “virtual RAM” on your disk.

Run these commands on your VPS:

# 1. Create a 1GB swap file
sudo fallocate -l 1G /swapfile

# 2. Secure the file permissions
sudo chmod 600 /swapfile

# 3. Mark it as swap space
sudo mkswap /swapfile

# 4. Enable it
sudo swapon /swapfile

# 5. Make it permanent (so it survives reboot); skip if the entry already exists
grep -q '^/swapfile ' /etc/fstab || echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

Verification: Run free -m. You should now see ~1000MB of space in the “Swap” row.


Step 2: Install WireGuard via Automated Script

We will use the trusted Angristan WireGuard installer. It handles the complex key generation and routing rules automatically.

Download and run the installer. The script runs as root, so read through it before you execute it:

sudo apt update && sudo apt install curl -y
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
sudo ./wireguard-install.sh

Follow the Prompts:

  • Public IP: Press Enter (It detects your VPS IP, e.g., 203.0.113.45).
  • Interface: Press Enter.
  • Port: Press Enter (Default: 51820).
  • DNS: Choose 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google).

Once finished, the script will ask to create your first client. Enter a name like mobile_phone.


Step 3: The IPv6 Fix (Crucial)

This is where many setups fail. Many budget VPS providers disable IPv6 to save costs. However, WireGuard’s default configuration often assumes IPv6 is active.

If you try to start WireGuard and get an error like “Job for wg-quick@wg0.service failed”, it is likely because the config is trying to route IPv6 traffic that doesn’t exist.

The Fix: Open your configuration file:

sudo nano /etc/wireguard/wg0.conf

Delete or comment out any line referring to ip6tables or IPv6 addresses. Your config should look clean, like this:

[Interface]
Address = 10.66.66.1/24
ListenPort = 51820
PrivateKey = <YOUR_SERVER_PRIVATE_KEY>
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -I FORWARD -i eth0 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Note: All IPv6 (ip6tables) lines have been removed!

Save the file (Ctrl+O, Enter, Ctrl+X) and restart the service:

sudo systemctl restart wg-quick@wg0

[Figure: Installation Workflow – Troubleshooting & Configuration Logic]

Step 4: Connecting Your Devices

For Android & iOS

  1. Run sudo ./wireguard-install.sh and select “Add a new user”.
  2. Name it (e.g., iphone).
  3. A QR Code will appear in your terminal.
  4. Open the WireGuard app on your phone and scan it. Done.

For Windows & macOS

You cannot scan a QR code with a laptop. You need the raw configuration text.

  1. View the config file for your client (e.g., laptop):
    cat /home/demo_user/wg0-client-laptop.conf
    
  2. Copy the output.
  3. Important: Before pasting it into your WireGuard desktop app, remove any IPv6 lines from the Address or AllowedIPs sections.
    • Bad: AllowedIPs = 0.0.0.0/0, ::/0
    • Good: AllowedIPs = 0.0.0.0/0
  4. Paste the cleaned text into the WireGuard app and click Activate.
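
The IPv6 cleanup described in Step 3 and in the Windows & macOS steps above can be scripted instead of edited by hand. This is an added example, not part of the original guide or the installer; the function name, the sample config and its fd42:42:42:: prefix are constructed for illustration.

```shell
#!/bin/sh
# Added example: make a WireGuard config (server or client) IPv4-only.
# Reads a config on stdin and writes the cleaned config to stdout.
strip_ipv6_wg() {
    awk '
    # Drop whole PostUp/PostDown hook lines that call ip6tables.
    /^[ \t]*Post(Up|Down)[ \t]*=/ && /ip6tables/ { next }

    # For Address and AllowedIPs, keep only entries without ":" (IPv4).
    /^[ \t]*(Address|AllowedIPs)[ \t]*=/ {
        key = $0; sub(/[ \t]*=.*/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
        n = split(val, parts, /[ \t]*,[ \t]*/)
        out = ""
        for (i = 1; i <= n; i++) {
            if (parts[i] == "" || index(parts[i], ":") > 0) continue
            out = (out == "" ? parts[i] : out ", " parts[i])
        }
        if (out != "") print key " = " out   # drop the line if nothing is left
        next
    }
    { print }
    '
}

# Constructed sample (placeholder keys, made-up IPv6 prefix), not a real config.
sample_conf() {
    cat <<'EOF'
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 51820
PrivateKey = <YOUR_SERVER_PRIVATE_KEY>
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
EOF
}

# Show the cleaned version of the sample.
sample_conf | strip_ipv6_wg
```

Pipe a copy of your config through the function and diff the result before replacing the live file. With only 0.0.0.0/0 in a client's AllowedIPs, IPv6 is not routed through the tunnel, so on a network that gives the device a working IPv6 address that traffic can go out directly unless the client blocks untunneled traffic.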

Step 5: Verification and Safety

Never assume your VPN is working just because the app says “Connected.”

  1. Check your IP: Go to whatismyip.com. It should show your VPS IP (e.g., 203.0.113.45), not your home IP.
  2. Check for DNS Leaks: Visit dnsleaktest.com. If you see your local ISP’s name, your DNS is leaking. Refer to my guide on [Essential Tools for Privacy in Daily Life](https://rokibulroni.com/blog/essential-tools-for-privacy-in-daily-life) for browser hardening tips to prevent this.

Final Word

You now have a fully self-hosted, private VPN for the price of a few cups of coffee. No logging policies to read, no hidden fees, and complete control over your data.

If you are interested in taking your network skills further, check out my guide on [Vulnerability Assessment and Management in Large-Scale Enterprise Networks] to see how enterprises manage security on a much larger scale.

