Commercial VPNs make promises they can't keep. "No logs" until a court order arrives. "Private" until they get acquired. "Secure" until they get breached. The only VPN you can truly trust is one you control completely. And thanks to cloud platform free tiers, you can build one for $0.

This guide walks you through setting up your own private WireGuard VPN server using free cloud credits. Total time: about 30 minutes. Total cost: nothing (using free tier credits). Result: a VPN that only you control, with no third-party logging your traffic.

What You'll Get

  • Complete privacy: No third party sees your traffic
  • True no-logs: You control the server, you decide what's logged (nothing)
  • Fast speeds: WireGuard is the fastest VPN protocol available
  • Multiple devices: Connect your phone, laptop, tablet - all at once
  • Cost: Free for 60+ days, then ~$4-6/month if you continue

How It Works: The Big Picture

Here's what we're building:

  1. Get free cloud credits from DigitalOcean, Vultr, or Oracle Cloud
  2. Deploy a small virtual server (VPS) in your chosen location
  3. Run a one-line install script that sets up WireGuard VPN
  4. Download your config file and connect from any device

That's it. No Docker required (though we'll cover that option too). No complex networking. Just a server running WireGuard that encrypts all your traffic.

Step 1: Get Free Cloud Credits

Multiple cloud platforms offer generous free tiers or signup credits. Here are the best options ranked by value:

Provider Free Credits Duration Best For Signup Link
Oracle Cloud Always Free Tier Forever Permanent free VPN Get Started
DigitalOcean $200 credit 60 days Easy setup, great docs Get $200 Credit
Vultr $100 credit 30 days Global locations Get $100 Credit
Linode $100 credit 60 days Reliable, good support Get $100 Credit
Google Cloud $300 credit 90 days Best credit amount Get $300 Credit
AWS Free tier 12 months Already have account Free Tier

Best Choice: Oracle Cloud Always Free

Oracle's Always Free tier includes 2 AMD VMs with 1GB RAM each - forever. This is enough to run a WireGuard VPN indefinitely at zero cost. The catch? Slightly more complex setup than DigitalOcean.

For beginners, we recommend DigitalOcean for ease of use. You can always migrate to Oracle later.

Recommended: DigitalOcean Setup

  1. Click the signup link above and create an account
  2. Add a payment method (required for credits, won't be charged during free period)
  3. Your $200 credit is automatically applied

Step 2: Deploy Your VPS

A VPS (Virtual Private Server) is a small computer in the cloud that runs 24/7. You'll install WireGuard on it.

DigitalOcean Instructions

  1. Create a Droplet (that's what DigitalOcean calls VPS instances)
    • Click "Create" → "Droplets"
    • Choose Ubuntu 22.04 LTS as the image
    • Select Basic plan
    • Choose Regular SSD, $4/month (smallest option)
  2. Choose a datacenter region
    • Pick somewhere close to you for best speed
    • Or pick a different country if you want to appear from there
    • Popular choices: NYC, Amsterdam, Singapore, Frankfurt
  3. Authentication
    • Choose SSH Key (more secure) or Password (easier)
    • If using password, make it strong and save it somewhere safe
  4. Create Droplet - wait 30-60 seconds for it to deploy
  5. Copy the IP address shown on your dashboard (e.g., 143.198.xxx.xxx)

Vultr/Linode Instructions

The process is nearly identical:

  • Vultr: Deploy → Cloud Compute → Ubuntu 22.04 → $5/month plan → Deploy
  • Linode: Create Linode → Ubuntu 22.04 → Nanode 1GB ($5/month) → Create

Step 3: Connect to Your Server

Now you need to access your server's command line to install WireGuard.

On Mac/Linux

Open Terminal and run:

ssh root@YOUR_SERVER_IP

Replace YOUR_SERVER_IP with the IP address from Step 2. Accept the fingerprint warning (type "yes"), then enter your password.

On Windows

Download and install PuTTY, then:

  1. Enter your server IP in "Host Name"
  2. Click "Open"
  3. Login as "root" with your password

You should now see a command prompt like root@your-server:~#

Step 4: Install WireGuard (One Command)

We'll use the excellent wireguard-install script that automates everything.

Run this single command:

curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh && chmod +x wireguard-install.sh && ./wireguard-install.sh

The script will ask you some questions. For most, just press Enter to accept defaults:

  1. IPv4 address: Press Enter (auto-detected)
  2. Public interface: Press Enter (auto-detected)
  3. WireGuard interface name: Press Enter (wg0)
  4. Server WireGuard IPv4: Press Enter (10.66.66.1)
  5. Server WireGuard IPv6: Press Enter
  6. Server port: Press Enter (random) or type 51820
  7. First DNS: Type 1 for AdGuard DNS (blocks ads) or 3 for Cloudflare
  8. Client name: Type a name like phone or laptop

The script will generate a config file and show you a QR code.

Save Your Config File

The config file is saved at /root/wg0-client-YOURNAME.conf

You'll need this file to connect your devices. Download it before closing the terminal:

cat /root/wg0-client-YOURNAME.conf

Copy the entire output (from [Interface] to the end).

Step 5: Connect Your Devices

iPhone/Android

  1. Install the WireGuard app from App Store or Play Store
  2. Open the app and tap "+" → "Create from QR code"
  3. Scan the QR code shown in your terminal (scroll up to find it)
  4. Give the tunnel a name and tap "Create Tunnel"
  5. Toggle the switch to connect

Mac/Windows/Linux

  1. Download WireGuard client for your platform
  2. Create a new file called vpn.conf and paste your config
  3. In WireGuard app: "Import tunnel(s) from file" → select your .conf file
  4. Click "Activate" to connect

Verify It's Working

Visit whatismyipaddress.com - you should see your VPS's IP address, not your home IP.

Adding More Devices

Want to connect more devices? SSH back into your server and run the script again:

./wireguard-install.sh

Choose option 1 to add a new client. Each device needs its own config file.

Alternative: Docker Setup (wg-easy)

If you prefer a web interface to manage your VPN, use wg-easy:

Install Docker

curl -fsSL https://get.docker.com | sh

Run wg-easy

docker run -d \
  --name=wg-easy \
  -e WG_HOST=YOUR_SERVER_IP \
  -e PASSWORD=YOUR_ADMIN_PASSWORD \
  -v ~/.wg-easy:/etc/wireguard \
  -p 51820:51820/udp \
  -p 51821:51821/tcp \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
  --sysctl="net.ipv4.ip_forward=1" \
  --restart unless-stopped \
  ghcr.io/wg-easy/wg-easy

Replace YOUR_SERVER_IP with your VPS IP and YOUR_ADMIN_PASSWORD with a strong password.

Access the web UI at http://YOUR_SERVER_IP:51821 to create and manage clients with a nice interface.

Security Hardening (Optional)

Your VPN is functional, but here are some extra security steps:

Enable Automatic Updates

apt update && apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades

Set Up a Firewall

# Allow SSH and WireGuard only
ufw allow 22/tcp
ufw allow 51820/udp
ufw enable

Disable Password Authentication (SSH Keys Only)

If you set up SSH keys, disable password login:

sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart sshd

Troubleshooting

Can't Connect to VPN

  • Check firewall: Make sure port 51820/UDP is open
  • Check WireGuard is running: systemctl status wg-quick@wg0
  • Restart WireGuard: systemctl restart wg-quick@wg0

Slow Speeds

  • Choose a datacenter closer to your physical location
  • Try a different DNS server in the config
  • Upgrade to a larger VPS (more bandwidth)

Connection Drops

Add this to your client config under [Interface]:

PersistentKeepalive = 25

Cost Breakdown

What This Actually Costs

  • First 60 days: $0 (using free credits)
  • After free credits: $4-6/month for smallest VPS
  • Oracle Cloud: $0 forever (Always Free tier)

Compare to commercial VPNs at $10-15/month, and you're getting a faster, more private solution for less.

Privacy Advantages Over Commercial VPNs

Feature Your Own VPN Commercial VPN
Logs You control (none) Trust their claim
Speed Dedicated bandwidth Shared with thousands
Subpoena risk Your server, your rules They comply with courts
IP reputation Clean, unique IP Often blacklisted
Trust required Only yourself Third-party company

Limitations to Know

Self-hosted VPNs aren't perfect for everything:

  • Single location: You only have one server IP (can't switch countries easily)
  • Not anonymous: Cloud provider knows who you are (your payment info)
  • Maintenance: You're responsible for updates and security
  • Streaming: May not work with Netflix/streaming services (they block datacenter IPs)

For true anonymity, you'd need to pay with cryptocurrency and use a provider that doesn't verify identity. For everyday privacy from ISPs and public WiFi, a self-hosted VPN is excellent.

Next Steps

Once you're comfortable with this setup, consider:

  • Multiple servers: Deploy VPS in different regions for location flexibility
  • Pi-hole integration: Block ads and trackers at the VPN level
  • Split tunneling: Route only specific traffic through VPN
  • Automated backups: Backup your WireGuard configs

Related Guides

References

  1. WireGuard. "WireGuard: Fast, Modern, Secure VPN Tunnel." wireguard.com
  2. Angristan. "WireGuard Installer Script." github.com
  3. wg-easy. "WireGuard Easy - Web UI for WireGuard." github.com
  4. DigitalOcean. "How To Set Up WireGuard on Ubuntu 22.04." digitalocean.com
  5. Oracle Cloud. "Always Free Resources." oracle.com