Build Your Own VPN with WireGuard on a ₹350/Month VPS

March 2024, a hotel room in Pune with WiFi I didn’t trust an inch. That was the night I finally cancelled my last commercial VPN subscription, two years after I’d started doubting whether I needed it at all. The services aren’t bad, to be fair. But for what I actually do, securing traffic on sketchy hotel WiFi, reaching my Patna homelab from wherever I happen to be, keeping my browsing out of ISP logs, a ₹350-a-month VPS running WireGuard handles all of it. No renewal-price games. Zero trust-me-bro marketing. And you can have the exact same thing live tonight, in under an hour.

The only thing I’m assuming here is that you can paste commands into a terminal. That’s it. Never rented a VPS before? Skim my VPS beginner guide first and then circle back.

should you even bother

Be honest with yourself about the trade-offs before any money leaves your account.

| Factor | Self-hosted WireGuard | Commercial VPN |
|---|---|---|
| Monthly cost | ≈₹350–₹500 (one VPS) | ≈₹150–₹500 |
| Who sees your traffic metadata | Your VPS provider | The VPN company |
| Locations | One (wherever your VPS is) | Dozens of countries |
| Shared IP crowd to blend into | No, the IP is yours alone | Yes, thousands per server |
| Streaming library switching | Poor, datacentre IPs often blocked | Hit and miss but tries |
| CERT-In logging rules | Not a VPN service provider issue for personal use; pick a foreign VPS if it worries you | Big providers exited India over it |
| Learning value | Enormous | Zero |

There’s one catch worth sitting with: the anonymity question. A personal VPN buys you privacy from your ISP and from whatever random network you’re on. The exit IP, though, is uniquely yours. So a website can still stitch your visits together over time. If disappearing into a crowd is the actual goal, a shared commercial service does that better, no contest. For pretty much everything else, self-hosting wins on plain transparency.

step 1: rent a small VPS

WireGuard barely sips resources. Barely. The cheapest tier from almost any provider is plenty: 1 vCPU, somewhere between 512 MB and 1 GB of RAM. What genuinely matters is a decent bandwidth allowance, because on some providers every byte you tunnel gets counted twice in their accounting.

  • Singapore region is the sweet spot for Indian users: typically 40 to 90 ms from most Indian cities and outside Indian jurisdiction if that matters to you.
  • Indian regions (Mumbai, Bengaluru) from international or local providers give the lowest latency, around 10 to 40 ms, good if your goal is just securing public WiFi rather than moving your apparent location.
  • Entry plans from providers like DigitalOcean, Vultr, Hetzner (Singapore via partners or use their European regions) and Indian hosts work out to roughly ₹350 to ₹550 a month. Hetzner’s cheapest European boxes are famously good value if 130 ms latency is acceptable.

Go with Ubuntu 24.04 LTS for the OS. Add your SSH key while you’re creating the box, and jot down the public IP. One thing I’d never skip: harden the server before you install anything fun on it. My Ubuntu server security checklist walks through SSH keys, fail2ban, and unattended upgrades, ten minutes, tops.

step 2: install wireguard

SSH in and run:

sudo apt update && sudo apt upgrade -y
sudo apt install wireguard -y

Now generate the server’s key pair. The private key stays put on the server. Always. No exceptions, no “just this once”.

wg genkey | sudo tee /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
sudo chmod 600 /etc/wireguard/server_private.key

step 3: configure the server

Open up /etc/wireguard/wg0.conf in whatever editor you like. Swap SERVER_PRIVATE_KEY for the actual contents of that key file. One gotcha: the interface name. The eth0 in the PostUp and PostDown lines needs to match your VPS’s main network interface, so check it with ip a if you’re not sure.

[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

That PostUp line is doing the heavy lifting. Your tunnelled packets get rewritten so they leave with the VPS’s own IP, and that’s the whole difference between a real internet gateway and a glorified private network. Right. Time to turn on packet forwarding and bring the tunnel up:

echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-wireguard.conf
sudo sysctl --system
sudo systemctl enable --now wg-quick@wg0
sudo wg show

Got a cloud firewall on the VPS? Open UDP port 51820. At this point sudo wg show should print the interface with no peers attached yet, which is exactly what you want.

step 4: add your first device

Every device, or peer in WireGuard-speak, needs its own key pair and its own address inside the 10.8.0.0/24 range. It’s easiest to generate the phone’s keys right on the box itself:

# umask 077 in a subshell so the new key files are readable only by you
(umask 077; wg genkey | tee phone_private.key | wg pubkey > phone_public.key)

Tack a peer block onto /etc/wireguard/wg0.conf:

[Peer]
# Anurag's phone
PublicKey = PHONE_PUBLIC_KEY
AllowedIPs = 10.8.0.2/32

Then build the phone’s own config file, phone.conf:

[Interface]
PrivateKey = PHONE_PRIVATE_KEY
Address = 10.8.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_VPS_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

The AllowedIPs = 0.0.0.0/0 on the phone’s side is shorthand for “shove all IPv4 traffic through the tunnel”. That DNS line keeps your queries from leaking out to whatever network you’ve connected to. Restart the server tunnel with sudo systemctl restart wg-quick@wg0, then you just need to get this config onto the phone. Easiest path: import it by QR code, which is genuinely the neat bit:

sudo apt install qrencode -y
qrencode -t ansiutf8 < phone.conf

Grab the official WireGuard app from the Play Store or App Store, hit the plus button, and scan the QR code straight off your terminal. Toggle it on. Pull up any what-is-my-IP site and it should be showing the VPS’s address now. Last thing: the key files should be deleted off the server once they’ve been imported.

Same dance for your laptop, just use 10.8.0.3/32, and so on down the line. Five family devices sit happily on one tiny VPS without it breaking a sweat.
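
The "same dance" for each extra device, scripted. This is an added example, not part of the original post: the function names next_peer_ip, peer_block and client_conf are made up here, and it assumes the 10.8.0.0/24 layout from step 3 with the server at 10.8.0.1 and one /32 per device.

```sh
#!/bin/sh
# Added example: helpers for adding another device to the wg0.conf built above.
# Function names are illustrative; keys are passed in as arguments.

# Print the lowest unused host in 10.8.0.0/24, skipping .1 (the server) and
# every /32 already claimed by an AllowedIPs line in the server config ($1).
next_peer_ip() {
    awk '
        /^[ \t]*AllowedIPs[ \t]*=/ {
            n = split($0, parts, /[=,]/)
            for (i = 2; i <= n; i++) {
                gsub(/[ \t]/, "", parts[i])
                if (parts[i] ~ /^10\.8\.0\.[0-9]+\/32$/) {
                    split(parts[i], o, "[./]")
                    used[o[4] + 0] = 1
                }
            }
        }
        END {
            for (h = 2; h <= 254; h++)
                if (!(h in used)) { print "10.8.0." h; exit 0 }
            exit 1    # subnet is full
        }
    ' "$1"
}

# [Peer] block to append to /etc/wireguard/wg0.conf.
peer_block() {    # args: label, client public key, tunnel IP
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Client config with the same fields as phone.conf above.
client_conf() {   # args: client private key, tunnel IP, server public key, endpoint
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2/32
DNS = 1.1.1.1

[Peer]
PublicKey = $3
Endpoint = $4
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}
```

Generate the device's keys with wg genkey and wg pubkey under umask 077, append the peer_block output to /etc/wireguard/wg0.conf, and restart wg-quick@wg0 as in step 4.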

step 5: actually test it

  1. Check your public IP from the device; it must match the VPS.
  2. Run a DNS leak test in the browser; only your configured DNS (1.1.1.1 here) should appear, never your ISP’s resolvers.
  3. On the server, sudo wg show should list your peer with a recent handshake and rising transfer counters.
  4. Switch your phone between WiFi and mobile data mid-video-call. WireGuard’s roaming should survive the hop without dropping.
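
Check 3 above, scripted so it can run from cron. This is an added example, not from the original post: stale_peers and sample_dump are names made up here, the input is the tab-separated output of `wg show wg0 dump`, and the 180-second limit is an assumption (a peer that is actively sending traffic renews its handshake about every two minutes).

```sh
#!/bin/sh
# Added example: flag peers whose last handshake is missing or too old.
# Input is the tab-separated text printed by `wg show wg0 dump`.

# stale_peers NOW_EPOCH MAX_AGE_SECONDS  < dump
# Prints one line per problem peer; returns 1 if any were found.
stale_peers() {
    awk -F '\t' -v now="$1" -v max="$2" '
        NR == 1 { next }    # first line describes the interface itself
        {
            key = $1; ips = $4; hs = $5 + 0    # $5 = latest handshake (epoch)
            if (hs == 0) {
                printf "%s (%s): never completed a handshake\n", key, ips
                bad = 1
            } else if (now - hs > max) {
                printf "%s (%s): last handshake %d s ago\n", key, ips, now - hs
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample dump; keys and endpoints are placeholders.
sample_dump() {
    printf 'SERVER_PRIV\tSERVER_PUB\t51820\toff\n'
    printf 'PHONE_PUB\t(none)\t203.0.113.7:40112\t10.8.0.2/32\t1700000100\t52341\t918273\toff\n'
    printf 'LAPTOP_PUB\t(none)\t(none)\t10.8.0.3/32\t0\t0\t0\toff\n'
    printf 'TABLET_PUB\t(none)\t198.51.100.9:51000\t10.8.0.4/32\t1699990000\t100\t200\toff\n'
}

# Real use on the server: sudo wg show wg0 dump | stale_peers "$(date +%s)" 180
sample_dump | stale_peers 1700000200 180 || true
```

A phone that is simply switched off will also show up as stale, so treat the output as a prompt to look, not an alarm.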

Real numbers rather than a promise. On my Airtel fibre line, the Singapore tunnel holds roughly 70 to 85 Mbps out of my 100 Mbps plan. Over Jio 5G the bottleneck is almost always the mobile network itself, not WireGuard. Your mileage will vary, but that’s what mine does.

the india-specific stuff nobody mentions

Running your own VPN is legal in India. You’re a person running software on a server you rented, not a VPN service provider signing up customers, and that distinction is the whole ballgame. The 2022 CERT-In directions that pushed commercial outfits to pull their Indian servers were aimed squarely at companies offering VPN services to the public. There’s one line you shouldn’t cross, though. Don’t turn your box into a free VPN for strangers. Partly because of those rules, partly because whatever anyone does through it gets traced right back to your VPS account.

One more wrinkle. On mobile networks, UDP over unusual ports sometimes gets flaky during evening congestion; Jio is the usual culprit in my experience. If your handshakes start timing out at night, try moving ListenPort to 443 (UDP) on the server and matching it in the client Endpoint. It tends to slip through where 51820 keeps stalling.

small things that make it nicer

  • Back up /etc/wireguard/ somewhere safe. Rebuilding a VPS takes minutes; regenerating and redistributing keys to every family member takes an evening.
  • Use the app’s split tunnelling to exclude banking and UPI apps, which sometimes sulk at datacentre IPs.
  • Point DNS at your Pi-hole if you run one; set the client DNS to your Pi-hole’s WireGuard IP and you get ad blocking everywhere you go. My Pi-hole guide pairs beautifully with this setup.
  • Watch your bandwidth quota. Heavy streaming through the tunnel can eat a 1 TB allowance faster than you expect.
  • Want a friendlier admin layer? Projects like wg-easy give you a web UI for adding devices, handy when you are managing configs for parents.

FAQ

Can I run this at home instead of on a VPS?

You can, and honestly it’s a lovely way to reach your home network when you’re out. The thing that trips people up on Indian connections is CGNAT. Jio and a lot of Airtel plans simply don’t hand you a publicly reachable IP, so inbound connections just die on the doorstep. There are workarounds, a small VPS acting as a relay, or paying Airtel extra for a static IP, but as a first project a VPS is far less fuss.

Will this get me past streaming geo-blocks?

Mostly no, and I’d set expectations low here. Streaming services keep lists of datacentre IP ranges and block them in bulk, and a single-user VPS IP lands squarely inside those ranges. Build this for privacy and remote access. Not for swapping Netflix libraries.

How is this different from Tailscale?

Tailscale runs on WireGuard under the hood, but it’s solving a different problem: wiring your own devices together with basically zero configuration. It won’t give you an internet exit IP unless you go and set up an exit node. Plain WireGuard on a VPS is the right tool when “exit to the internet from my server” is the goal. For homelab access, Tailscale wins.

What does this actually cost per year?

A ₹350-a-month VPS comes to about ₹4,200 a year. That’s roughly a mid-range commercial VPN’s introductory price, except nothing leaps up at renewal, and the server moonlights as a playground for hosting automation tools or a personal site.

wrapping up

One small VPS, six commands of actual substance, and you own your VPN end to end, with keys no one else has ever laid eyes on. Anonymous, it won’t make you. It will make you informed, and I’d take that over a subscription any day. Which, now that I think about it, is more or less the same reason I ended up running my own DNS and a homelab full of services I could’ve just paid someone for, but that’s a rabbit hole for another evening.
