Build Your Own Private VPN - The Ultimate WireGuard + VPS Guide

Build your own high-speed, log-free private VPN for under $10/year using WireGuard and a budget VPS. This step-by-step guide solves common low-RAM crashes and IPv6 errors to ensure total digital privacy.

Running your own VPN sounds complicated, but it really isn’t. With WireGuard and a cheap VPS, you can have a fast, private tunnel up and running in under an hour—with no commercial provider logging your traffic, no monthly subscription, and no third party between you and the internet.

This guide walks through the entire setup, including how to handle two problems that trip up most budget VPS users: low-RAM crashes during installation and broken IPv6 routing.


Prerequisites

Before you start, you’ll need three things:

  1. A Budget VPS — Annual deals under $10/year are easy to find on platforms like RackNerd or ColoCrossing. Go with a KVM-based VPS running Ubuntu 22.04 LTS or Ubuntu 24.04 LTS. Minimum specs: 1 vCPU and 512MB RAM (we’ll add swap to handle anything tighter than that).
  2. Basic Linux Terminal Skills — If you’re new to the command line, check out my guide on the Introduction to the Open-Source Operating System before continuing.
  3. Secure SSH Access — Make sure you can log into your VPS securely. I strongly recommend reading through How to Secure Your SSH Server before moving forward.

[Figure: Privacy Architecture - How Traffic Flows Through Your Private VPN]

Step 1: Setting Up Swap (Essential for Low-RAM Servers)

This step is non-negotiable if your VPS has 512MB of RAM or less. During installation, WireGuard’s compilation and network configuration can spike memory usage enough that the Linux kernel’s OOM (Out-Of-Memory) killer terminates the process mid-install—leaving you with a broken setup and no clear error message.

Adding swap gives the system breathing room by using a portion of your SSD as virtual memory. Run these commands in order:

# Create a 1GB swap file
sudo fallocate -l 1G /swapfile

# Lock it down so only root can access it
sudo chmod 600 /swapfile

# Format it as swap space
sudo mkswap /swapfile

# Activate it immediately
sudo swapon /swapfile

# Persist it across reboots
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

Verify it worked:

free -h

You should see roughly 1.0Gi listed under the Swap column. If it’s there, you’re good to move on.


Step 2: Install WireGuard Using an Automated Script

You could configure WireGuard manually, but the routing rules, firewall setup, and key generation are tedious to get right. The Angristan WireGuard installer is a well-maintained open-source script that handles all of it reliably. It runs as root, so read through the downloaded file before you execute it.

sudo apt update && sudo apt install curl -y
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
sudo ./wireguard-install.sh

The installer walks you through a few prompts. For most settings, the defaults work perfectly:

  • Public IPv4 address — Press Enter. The script detects your server’s IP automatically.
  • Public IPv6 address — If your VPS doesn’t support IPv6, leave it blank or press Enter to skip.
  • Private interface — Press Enter to use the default (wg0).
  • WireGuard IPv4 — Press Enter (default: 10.66.66.1/24).
  • WireGuard IPv6 — Press Enter (default: fd42:42:42::1/64).
  • Port — Press Enter to use the standard UDP port 51820.
  • DNS servers — Pick your preferred provider. Cloudflare (1.1.1.1) and AdGuard DNS are both solid choices for privacy and speed.

Once the base installation finishes, the script will ask you to configure your first client. Give it a recognizable name like iphone or laptop and complete the setup.


Step 3: Fixing IPv6 Issues (The Most Common Failure Point)

Budget VPS hosts frequently disable IPv6 on their cheapest nodes, or require you to enable it manually. WireGuard’s default configuration tries to set up both IPv4 and IPv6 routing—so if IPv6 isn’t available, the service simply won’t start.

If you see Job for wg-quick@wg0.service failed, this is almost certainly why.

How to Fix It

Open the WireGuard server configuration file:

sudo nano /etc/wireguard/wg0.conf

Remove or comment out (with #) any lines referencing IPv6. Look under [Interface] for Address entries with IPv6 notation, ip6tables rules, and AllowedIPs containing ::/0.

Your cleaned configuration should look like this:

[Interface]
Address = 10.66.66.1/24
ListenPort = 51820
PrivateKey = <YOUR_SERVER_PRIVATE_KEY>

# IPv4 routing rules
PostUp = iptables -I INPUT -p udp --dport 51820 -j ACCEPT
PostUp = iptables -I FORWARD -i eth0 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PostDown = iptables -D INPUT -p udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Note: The interface name eth0 in the example above may differ on your server. Run ip route show | grep default to find your actual interface name and update the config accordingly.

Save with Ctrl+O, Enter, then exit with Ctrl+X.

Restart WireGuard to apply the changes:

sudo systemctl restart wg-quick@wg0
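
The interface check from the note above can be scripted so a wrong NAT interface (tunnel connects, but no traffic leaves the server) is caught before you debug the client. This is an added example, not part of the installer or the original guide; the function names are hypothetical and the demo data is constructed.

```shell
#!/bin/sh
# Added example: confirm the NAT rule in wg0.conf targets the real uplink interface.
# On the server (as root): ip -4 route show default | check_nat_iface /etc/wireguard/wg0.conf

# Interface named after -o in the config's PostUp MASQUERADE rule.
masq_iface() {
  awk '/^[ \t]*PostUp[ \t]*=.*MASQUERADE/ {
         for (i = 1; i < NF; i++) if ($i == "-o") { print $(i + 1); exit }
       }' "$1"
}

# Interface of the default route, parsed from "ip route show default" text on stdin.
default_iface() {
  awk '$1 == "default" {
         for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
       }'
}

check_nat_iface() {   # $1 = config path, stdin = routing table text
  uplink=$(default_iface)
  nat=$(masq_iface "$1")
  if [ -n "$uplink" ] && [ "$uplink" = "$nat" ]; then
    echo "ok: NAT rule uses $nat"
    return 0
  fi
  echo "mismatch: default route is on '${uplink:-none}', config NATs on '${nat:-none}'"
  return 1
}

# Constructed demo: the config says eth0 but this host's uplink is ens3.
demo_conf=$(mktemp)
printf '%s\n' '[Interface]' 'Address = 10.66.66.1/24' \
  'PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' > "$demo_conf"
printf 'default via 203.0.113.1 dev ens3 proto dhcp src 203.0.113.10\n' |
  check_nat_iface "$demo_conf" || true
rm -f "$demo_conf"
```

A mismatch means every eth0 in the PostUp and PostDown lines should be changed to the reported uplink before restarting the service.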

[Figure: Installation Workflow - Troubleshooting & Configuration Logic]

Step 4: Connecting Your Devices

Mobile (Android and iOS)

Phones and tablets are the easiest to set up thanks to QR code support.

  1. Run the installer again:
    sudo ./wireguard-install.sh
    
  2. Select Add a new user and enter a name like phone.
  3. The script outputs a QR code directly in the terminal.
  4. Install the official WireGuard app from the Google Play Store or Apple App Store.
  5. Tap +, choose Scan from QR code, and point your camera at the terminal. The profile imports instantly.

Desktop (Windows, macOS, and Linux)

Desktops need the raw configuration file.

  1. Create a new client profile via the script (e.g., laptop).
  2. Find the generated config file—typically in the home directory of the user who ran the command (e.g., /root/wg0-client-laptop.conf).
  3. Display its contents:
    cat ~/wg0-client-laptop.conf
    
  4. Copy the full output.
  5. If you disabled IPv6 on the server, edit the [Peer] section before importing:
    • Change: AllowedIPs = 0.0.0.0/0, ::/0
    • To: AllowedIPs = 0.0.0.0/0
  6. Open the WireGuard desktop client, add a new empty tunnel, paste the edited configuration, and click Activate.
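
The IPv6 cleanup from Step 3 and the AllowedIPs edit in step 5 above are the same operation, so one filter can handle both the server and client files. This is an added example, not code from the installer or the original guide; strip_ipv6 and sample_client_conf are hypothetical names, the sample profile is constructed, and the filter assumes one firewall command per PostUp/PostDown line, as in the config shown in Step 3.

```shell
#!/bin/sh
# Added example (not from the installer): make a WireGuard config IPv4-only.
# Assumes one firewall command per PostUp/PostDown line.
strip_ipv6() {   # reads a config on stdin, writes the IPv4-only version to stdout
  awk '
    # Drop hook lines that call ip6tables.
    /^[ \t]*Post(Up|Down)[ \t]*=.*ip6tables/ { next }
    # Filter comma-separated address lists; Endpoint and key lines pass through.
    /^[ \t]*(Address|AllowedIPs|DNS)[ \t]*=/ {
      eq = index($0, "=")
      key = substr($0, 1, eq - 1); sub(/[ \t]+$/, "", key)
      n = split(substr($0, eq + 1), items, ",")
      out = ""
      for (i = 1; i <= n; i++) {
        v = items[i]; gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (v == "" || index(v, ":") > 0) continue   # a colon marks an IPv6 entry
        out = (out == "" ? v : out ", " v)
      }
      if (out != "") print key " = " out   # line held only IPv6 entries: drop it
      next
    }
    { print }
  '
}

# Constructed sample in the shape of a dual-stack client profile (keys are placeholders).
sample_client_conf() {
  cat <<'EOF'
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 1.1.1.1, 2606:4700:4700::1111

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF
}

sample_client_conf | strip_ipv6
```

Write the result to a new file and compare it with the original before replacing anything, since the config contains your private key and a bad edit will stop the tunnel from starting.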

Step 5: Verifying the Connection and Checking for Leaks

Don’t trust a green status indicator—verify everything manually. A VPN that routes traffic incorrectly is worse than no VPN because it creates a false sense of security.

Check your public IP: Visit whatismyip.com or ipinfo.io. The page should show your VPS’s IP address, not your home ISP’s.

Run a DNS leak test: Go to dnsleaktest.com and run the standard test. If you see your local ISP’s DNS servers in the results, your DNS queries are leaking outside the tunnel—which defeats the purpose. For a full walkthrough on preventing browser leaks, check out my guide on Essential Tools for Privacy in Daily Life.

Final Thoughts

Self-hosting your VPN gives you something commercial providers can’t match: actual control. No shared infrastructure, no logging policies to trust on faith, no business model built around your data. The whole thing costs less than a cup of coffee per month.

If you want to understand how these privacy and isolation concepts scale up to enterprise environments, my guide on Vulnerability Assessment and Management in Large-Scale Enterprise Networks covers exactly that.

