Commercial VPNs make promises they can't keep. "No logs" until a court order arrives. "Private" until they get acquired. "Secure" until they get breached. The only VPN you can truly trust is one you control completely. And thanks to cloud platform free tiers, you can build one for $0.
This guide walks you through setting up your own private WireGuard VPN server using free cloud credits. Total time: about 30 minutes. Total cost: nothing (using free tier credits). Result: a VPN that only you control, with no third-party logging your traffic.
What You'll Get
- Complete privacy: No third party sees your traffic
- True no-logs: You control the server, you decide what's logged (nothing)
- Fast speeds: WireGuard is the fastest VPN protocol available
- Multiple devices: Connect your phone, laptop, tablet - all at once
- Cost: Free for 60+ days, then ~$4-6/month if you continue
How It Works: The Big Picture
Here's what we're building:
- Get free cloud credits from DigitalOcean, Vultr, or Oracle Cloud
- Deploy a small virtual server (VPS) in your chosen location
- Run a one-line install script that sets up WireGuard VPN
- Download your config file and connect from any device
That's it. No Docker required (though we'll cover that option too). No complex networking. Just a server running WireGuard that encrypts all your traffic.
Step 1: Get Free Cloud Credits
Multiple cloud platforms offer generous free tiers or signup credits. Here are the best options ranked by value:
| Provider | Free Credits | Duration | Best For | Signup Link |
|---|---|---|---|---|
| Oracle Cloud | Always Free Tier | Forever | Permanent free VPN | Get Started |
| DigitalOcean | $200 credit | 60 days | Easy setup, great docs | Get $200 Credit |
| Vultr | $100 credit | 30 days | Global locations | Get $100 Credit |
| Linode | $100 credit | 60 days | Reliable, good support | Get $100 Credit |
| Google Cloud | $300 credit | 90 days | Best credit amount | Get $300 Credit |
| AWS | Free tier | 12 months | Already have account | Free Tier |
Best Choice: Oracle Cloud Always Free
Oracle's Always Free tier includes 2 AMD VMs with 1GB RAM each - forever. This is enough to run a WireGuard VPN indefinitely at zero cost. The catch? Slightly more complex setup than DigitalOcean.
For beginners, we recommend DigitalOcean for ease of use. You can always migrate to Oracle later.
Recommended: DigitalOcean Setup
- Click the signup link above and create an account
- Add a payment method (required for credits, won't be charged during free period)
- Your $200 credit is automatically applied
Step 2: Deploy Your VPS
A VPS (Virtual Private Server) is a small computer in the cloud that runs 24/7. You'll install WireGuard on it.
DigitalOcean Instructions
- Create a Droplet (that's what DigitalOcean calls VPS instances)
- Click "Create" → "Droplets"
- Choose Ubuntu 22.04 LTS as the image
- Select Basic plan
- Choose Regular SSD, $4/month (smallest option)
- Choose a datacenter region
- Pick somewhere close to you for best speed
- Or pick a different country if you want to appear from there
- Popular choices: NYC, Amsterdam, Singapore, Frankfurt
- Authentication
- Choose SSH Key (more secure) or Password (easier)
- If using password, make it strong and save it somewhere safe
- Create Droplet - wait 30-60 seconds for it to deploy
- Copy the IP address shown on your dashboard (e.g., 143.198.xxx.xxx)
Vultr/Linode Instructions
The process is nearly identical:
- Vultr: Deploy → Cloud Compute → Ubuntu 22.04 → $5/month plan → Deploy
- Linode: Create Linode → Ubuntu 22.04 → Nanode 1GB ($5/month) → Create
Step 3: Connect to Your Server
Now you need to access your server's command line to install WireGuard.
On Mac/Linux
Open Terminal and run:
ssh root@YOUR_SERVER_IP Replace YOUR_SERVER_IP with the IP address from Step 2. Accept the fingerprint warning (type "yes"), then enter your password.
On Windows
Download and install PuTTY, then:
- Enter your server IP in "Host Name"
- Click "Open"
- Login as "root" with your password
You should now see a command prompt like root@your-server:~#
Step 4: Install WireGuard (One Command)
We'll use the excellent wireguard-install script that automates everything.
Run this single command:
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh && chmod +x wireguard-install.sh && ./wireguard-install.sh The script will ask you some questions. For most, just press Enter to accept defaults:
- IPv4 address: Press Enter (auto-detected)
- Public interface: Press Enter (auto-detected)
- WireGuard interface name: Press Enter (wg0)
- Server WireGuard IPv4: Press Enter (10.66.66.1)
- Server WireGuard IPv6: Press Enter
- Server port: Press Enter (random) or type
51820 - First DNS: Type
1for AdGuard DNS (blocks ads) or3for Cloudflare - Client name: Type a name like
phoneorlaptop
The script will generate a config file and show you a QR code.
Save Your Config File
The config file is saved at /root/wg0-client-YOURNAME.conf
You'll need this file to connect your devices. Download it before closing the terminal:
cat /root/wg0-client-YOURNAME.conf Copy the entire output (from [Interface] to the end).
Step 5: Connect Your Devices
iPhone/Android
- Install the WireGuard app from App Store or Play Store
- Open the app and tap "+" → "Create from QR code"
- Scan the QR code shown in your terminal (scroll up to find it)
- Give the tunnel a name and tap "Create Tunnel"
- Toggle the switch to connect
Mac/Windows/Linux
- Download WireGuard client for your platform
- Create a new file called
vpn.confand paste your config - In WireGuard app: "Import tunnel(s) from file" → select your .conf file
- Click "Activate" to connect
Verify It's Working
Visit whatismyipaddress.com - you should see your VPS's IP address, not your home IP.
Adding More Devices
Want to connect more devices? SSH back into your server and run the script again:
./wireguard-install.sh Choose option 1 to add a new client. Each device needs its own config file.
Alternative: Docker Setup (wg-easy)
If you prefer a web interface to manage your VPN, use wg-easy:
Install Docker
curl -fsSL https://get.docker.com | sh Run wg-easy
docker run -d \
--name=wg-easy \
-e WG_HOST=YOUR_SERVER_IP \
-e PASSWORD=YOUR_ADMIN_PASSWORD \
-v ~/.wg-easy:/etc/wireguard \
-p 51820:51820/udp \
-p 51821:51821/tcp \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--sysctl="net.ipv4.ip_forward=1" \
--restart unless-stopped \
ghcr.io/wg-easy/wg-easy Replace YOUR_SERVER_IP with your VPS IP and YOUR_ADMIN_PASSWORD with a strong password.
Access the web UI at http://YOUR_SERVER_IP:51821 to create and manage clients with a nice interface.
Security Hardening (Optional)
Your VPN is functional, but here are some extra security steps:
Enable Automatic Updates
apt update && apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades Set Up a Firewall
# Allow SSH and WireGuard only
ufw allow 22/tcp
ufw allow 51820/udp
ufw enable Disable Password Authentication (SSH Keys Only)
If you set up SSH keys, disable password login:
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart sshd Troubleshooting
Can't Connect to VPN
- Check firewall: Make sure port 51820/UDP is open
- Check WireGuard is running:
systemctl status wg-quick@wg0 - Restart WireGuard:
systemctl restart wg-quick@wg0
Slow Speeds
- Choose a datacenter closer to your physical location
- Try a different DNS server in the config
- Upgrade to a larger VPS (more bandwidth)
Connection Drops
Add this to your client config under [Interface]:
PersistentKeepalive = 25 Cost Breakdown
What This Actually Costs
- First 60 days: $0 (using free credits)
- After free credits: $4-6/month for smallest VPS
- Oracle Cloud: $0 forever (Always Free tier)
Compare to commercial VPNs at $10-15/month, and you're getting a faster, more private solution for less.
Privacy Advantages Over Commercial VPNs
| Feature | Your Own VPN | Commercial VPN |
|---|---|---|
| Logs | You control (none) | Trust their claim |
| Speed | Dedicated bandwidth | Shared with thousands |
| Subpoena risk | Your server, your rules | They comply with courts |
| IP reputation | Clean, unique IP | Often blacklisted |
| Trust required | Only yourself | Third-party company |
Limitations to Know
Self-hosted VPNs aren't perfect for everything:
- Single location: You only have one server IP (can't switch countries easily)
- Not anonymous: Cloud provider knows who you are (your payment info)
- Maintenance: You're responsible for updates and security
- Streaming: May not work with Netflix/streaming services (they block datacenter IPs)
For true anonymity, you'd need to pay with cryptocurrency and use a provider that doesn't verify identity. For everyday privacy from ISPs and public WiFi, a self-hosted VPN is excellent.
Next Steps
Once you're comfortable with this setup, consider:
- Multiple servers: Deploy VPS in different regions for location flexibility
- Pi-hole integration: Block ads and trackers at the VPN level
- Split tunneling: Route only specific traffic through VPN
- Automated backups: Backup your WireGuard configs
Related Guides
- Home VPN Server Setup - Access your home network securely from anywhere
- VPN Strategy Guide: When and How to Use VPNs
- Pi-hole Setup: Network-Wide Ad Blocking
- Tor Bridges for Censorship Resistance
References
- WireGuard. "WireGuard: Fast, Modern, Secure VPN Tunnel." wireguard.com
- Angristan. "WireGuard Installer Script." github.com
- wg-easy. "WireGuard Easy - Web UI for WireGuard." github.com
- DigitalOcean. "How To Set Up WireGuard on Ubuntu 22.04." digitalocean.com
- Oracle Cloud. "Always Free Resources." oracle.com