Setting up a VPN on a VPS allows you to create a private and secure connection for browsing, bypassing geo-restrictions, or enhancing privacy. Below are the steps to set up a VPN on a VPS, starting with the protocol options:
- WireGuard (Fast & Modern)
- OpenVPN (Reliable & Widely Used)
- Shadowsocks (For bypassing censorship)
- L2TP/IPsec (Built-in support on many devices)
WireGuard VPN Setup (Recommended)
WireGuard is lightweight, fast, and easy to configure.
Steps:
- Connect to your VPS via SSH:
    ssh root@your_vps_ip
- Install WireGuard:
    sudo apt update && sudo apt install wireguard -y   # Ubuntu/Debian
    sudo yum install wireguard-tools -y                # CentOS/RHEL
- Generate Keys:
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey
- Configure WireGuard Server (/etc/wireguard/wg0.conf):
    [Interface]
    PrivateKey = (Your_Private_Key)
    Address = 10.0.0.1/24
    ListenPort = 51820
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

    [Peer]
    PublicKey = (Client_Public_Key)
    AllowedIPs = 10.0.0.2/32
- Enable IP Forwarding:
    echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    sysctl -p
- Start WireGuard:
    wg-quick up wg0
    systemctl enable wg-quick@wg0
OpenVPN Setup (Traditional)
OpenVPN is more complex but widely supported.
Steps:
- Install OpenVPN & Easy-RSA:
    sudo apt install openvpn easy-rsa -y
- Set up PKI (Certificates):
    make-cadir ~/openvpn-ca
    cd ~/openvpn-ca
    ./easyrsa init-pki
    ./easyrsa build-ca
    ./easyrsa gen-req server nopass
    ./easyrsa sign-req server server
    ./easyrsa gen-dh   # produces dh.pem, which server.conf references
- Generate TLS Key:
    openvpn --genkey --secret ta.key
- Configure Server (/etc/openvpn/server.conf):
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    keepalive 10 120
    tls-auth ta.key 0
    cipher AES-256-CBC
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
- Start OpenVPN:
    systemctl start openvpn@server
    systemctl enable openvpn@server
Firewall & Security
- UFW (Ubuntu):
    sudo ufw allow 51820/udp   # WireGuard
    sudo ufw allow 1194/udp    # OpenVPN
    sudo ufw enable
- IPTables (Manual):
    iptables -A INPUT -p udp --dport 51820 -j ACCEPT   # WireGuard
    iptables -A INPUT -p udp --dport 1194 -j ACCEPT    # OpenVPN
Connect from Client
- WireGuard:
  - Install WireGuard on your device.
  - Add a config like this:
    [Interface]
    PrivateKey = (Client_Private_Key)
    Address = 10.0.0.2/24
    DNS = 8.8.8.8

    [Peer]
    PublicKey = (Server_Public_Key)
    Endpoint = your_vps_ip:51820
    AllowedIPs = 0.0.0.0/0
    PersistentKeepalive = 25
- OpenVPN:
  - Use the .ovpn config file generated by the server.
Recommended VPS Providers
- DigitalOcean ($5/month)
- Linode ($5/month)
- Vultr ($2.50/month for IPv6-only)
- Hetzner (Cheap & powerful)
Final Notes
- Encryption: WireGuard is faster, OpenVPN is more flexible.
- Port Forwarding: Ensure your VPS firewall allows VPN traffic.
- Multiple Users: Add more peers (WireGuard) or clients (OpenVPN).
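When adding more WireGuard peers, each one needs its own non-overlapping AllowedIPs entry on the server, because WireGuard delivers traffic for an address to exactly one peer. The following is an added example, not part of the original guide: it parses a wg0.conf in the layout shown above, flags overlapping peer ranges, and allocates the next free /32. The function names, the second peer and the sample text are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout of the guide's wg0.conf (keys are placeholders).
SAMPLE_CONF = """\
[Interface]
PrivateKey = (Your_Private_Key)
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = (Client_Public_Key)
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = (Second_Client_Public_Key)
AllowedIPs = 10.0.0.3/32
"""

def parse_conf(text):
    """Return (server interface address, list of peer AllowedIPs networks)."""
    section, iface, peers = None, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")      # split on the first '=' only
        key, value = key.strip().lower(), value.strip()
        if section == "interface" and key == "address":
            iface = ipaddress.ip_interface(value.split(",")[0].strip())
        elif section == "peer" and key == "allowedips":
            peers += [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]
    return iface, peers

def overlapping(peers):
    """Pairs of peer AllowedIPs that overlap; only one peer would receive that traffic."""
    return [(a, b) for i, a in enumerate(peers) for b in peers[i + 1:]
            if a.version == b.version and a.overlaps(b)]

def next_peer_stanza(text, public_key):
    """Build a [Peer] block using the lowest unused host address in the tunnel subnet."""
    iface, peers = parse_conf(text)
    for host in iface.network.hosts():
        if host != iface.ip and not any(host in net for net in peers):
            return f"[Peer]\nPublicKey = {public_key}\nAllowedIPs = {host}/32\n"
    raise RuntimeError("tunnel subnet exhausted")
```

The address in the returned stanza is also the one to put in the new client's own Address line.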