VPN · no KYC
Host WireGuard on an Offshore VPS
Run your own WireGuard VPN on an offshore ChainVPS instance and get a fast, modern encrypted tunnel that answers to no one but you.
What it is
WireGuard is a lightweight, high-performance VPN protocol built into the Linux kernel that establishes encrypted point-to-point tunnels using modern cryptography (Curve25519, ChaCha20, Poly1305). Self-hosting it on a VPS turns that server into a personal VPN exit node you fully control, routing your traffic through the server's IP instead of a shared commercial provider.
Why host it offshore
A self-hosted VPN is only as private as the box it runs on, so a no-KYC, crypto-paid host in a privacy-friendly jurisdiction removes the identity trail that commercial VPNs and mainstream clouds keep on file. ChainVPS's unmetered bandwidth and privacy-tier locations (NL/CH/RO/IS/MD/LU) let the tunnel carry real traffic without metering surprises or a paper trail linking the exit IP to you.
The deploy
A working reference setup
Copy this onto a fresh ChainVPS instance. Replace the placeholders, then bring it up.
# wg-easy: WireGuard + web admin UI. Docker + compose plugin required.
# 1) Generate a bcrypt admin password hash first:
# docker run --rm ghcr.io/wg-easy/wg-easy:14 wgpw 'ChooseAStrongPassword'
# -> copy the PASSWORD_HASH value into the file below.
# NOTE: in docker-compose, every '$' in the hash MUST be doubled to '$$'.
# 2) Replace WG_HOST with your server's public IP (or a DNS name pointing to it).
# 3) docker compose up -d then open http://SERVER_IP:51821
services:
wg-easy:
image: ghcr.io/wg-easy/wg-easy:14
container_name: wg-easy
restart: unless-stopped
environment:
- WG_HOST=YOUR.SERVER.PUBLIC.IP
- PASSWORD_HASH=$$2a$$12$$REPLACE_WITH_YOUR_BCRYPT_HASH
- WG_PORT=51820
- WG_DEFAULT_DNS=1.1.1.1
- WG_DEFAULT_ADDRESS=10.8.0.x
- WG_ALLOWED_IPS=0.0.0.0/0, ::/0
volumes:
- ./wg-data:/etc/wireguard
ports:
- "51820:51820/udp" # WireGuard tunnel
- "51821:51821/tcp" # Web admin UI
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
Firewall
Ports to open
| Port | Protocol | Purpose |
|---|---|---|
| 51820 | UDP | WireGuard tunnel (data plane) - must be open to the internet |
| 51821 | TCP | wg-easy web admin UI - keep firewalled, reach it over SSH tunnel or a reverse proxy with auth |
Right-sizing
Which plan you need
VPS Nano / Small (1 vCPU, 1-2 GB RAM)
1-3 personal devices, general browsing and geo-shifting. WireGuard is kernel-fast; CPU is rarely the limit at this tier.
VPS Pro (2-4 vCPU, 4-8 GB RAM)
A household or small team, 10-25 peers, steady streaming/downloads. Unmetered bandwidth matters more than cores here.
Dedicated (or top VPS with dedicated cores)
50+ peers, gigabit-saturating throughput or a site-to-site gateway. Dedicated CPU avoids noisy-neighbor jitter on the encryption path.
Best locations: Pick a ChainVPS privacy-tier location for a VPN exit: Switzerland (CH), Iceland (IS), and Netherlands (NL) offer strong data-protection regimes and good European transit, while Romania (RO), Moldova (MD), and Luxembourg (LU) round out jurisdictions outside common surveillance-sharing pressure. Choose the one physically closest to where you actually browse to minimize tunnel latency, since every packet round-trips through the exit.
Lock it down
Hardening checklist
- Never expose the wg-easy web UI (51821) to the internet - bind it to localhost and reach it via 'ssh -L 51821:localhost:51821 user@server', or put it behind a reverse proxy with TLS and HTTP auth. Only 51820/udp should be publicly reachable.
- Front the box with a real firewall: 'ufw default deny incoming', allow only your SSH port and 51820/udp, and let Docker's forwarding handle the rest. Confirm net.ipv4.ip_forward=1 persists across reboots.
- Pin the image to a specific tag (e.g. :14) rather than :latest so an upstream change can't silently alter behavior, and rebuild deliberately after reviewing release notes. Store the ./wg-data directory with 0600 configs - it holds every peer's private keys.
- Harden SSH before anything else: key-only auth, disable password and root login, and change or protect the port. The VPN's privacy is bounded by whoever can log into the host.
- Set WG_DEFAULT_DNS to a resolver you trust (or run your own on the box) so clients don't leak DNS outside the tunnel, and verify with an IP/DNS leak test after connecting. Rotate or revoke peer configs from the UI when a device is lost.
Deploy it on
The right ChainVPS product
Questions
Hosting WireGuard — FAQ
Is a self-hosted WireGuard VPN more private than a commercial VPN?
It trades a shared exit IP for exclusive control. A commercial VPN blends you with thousands of users but you must trust their no-logs claim; a self-hosted endpoint on a no-KYC VPS means no third party holds your account identity or logs, though the exit IP is yours alone. Pairing it with crypto payment and a privacy-tier location removes the identity trail entirely.
Do I need the web UI, or can I run plain WireGuard?
The wg-easy image above is the fastest path because it generates peer configs and QR codes for you. If you prefer no web surface at all, install the 'wireguard' package directly on Ubuntu 24.04 and manage /etc/wireguard/wg0.conf by hand - same kernel module, just manual key and peer management.
Will unmetered bandwidth really cover heavy VPN use?
Yes - ChainVPS VPS plans include unmetered bandwidth, which is exactly what a VPN needs since every byte you browse, stream, or download passes through the tunnel twice. There are no per-gigabyte overage charges to worry about.
Why is UDP 51820 the only port I should open publicly?
WireGuard's data plane runs entirely over that one UDP port. The web admin port (51821/tcp) is management-only and should stay firewalled and reached over an SSH tunnel, so the public attack surface is a single UDP listener that silently drops unauthenticated packets.
Can I use this for multiple devices and family members?
Yes. Each device gets its own peer config from the UI, and a VPS Pro-class plan comfortably handles a household of 10-25 peers. Scale to a Dedicated plan only when you need to saturate a gigabit link or run a site-to-site gateway.
Does DDoS protection matter for a VPN endpoint?
It helps - a VPN's public UDP port can attract volumetric floods, and ChainVPS includes DDoS mitigation so a burst of junk traffic doesn't knock your tunnel offline. It won't defeat an attacker who already has valid peer keys, so keep those keys tightly controlled.
More to self-host
Other one-click stacks
Spin up WireGuard
in the next 60 seconds.
Unmetered bandwidth · DDoS included · 21 cryptocurrencies · no KYC.