mineracks/own-your-vpn
mineracks/own-your-vpn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: complete self-hosted VPN guide for non-technical users

Browse Source 
Covers Tailscale exit nodes, WireGuard fallback, provider selection,
jurisdiction/privacy analysis, step-by-step setup, troubleshooting, and FAQ.
Written for an audience with no prior VPN or server experience.
This commit is contained in:
mineracks 2026-04-26 09:44:02 +10:00
commit f057bae5e3
1 changed files with 724 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

724
README.md Normal file
View File

@ -0,0 +1,724 @@
# Own Your VPN
A complete guide to building your own private VPN with exit nodes around the world. No third-party VPN provider. No logs. No trust required. You own everything.
**What you'll get:** A VPN you fully control, with the ability to make your internet traffic appear to come from any country you choose — Switzerland, Japan, the US, Brazil, or anywhere else — with a single tap on your phone or click on your laptop.
**Cost:** About $3-5 USD per month per country you want to exit from.
**Time:** About 30-60 minutes for your first exit node. 10 minutes for each additional one.
**Technical skill required:** Basic comfort with a terminal/command line. This guide explains every step in detail.
---
## Table of Contents
1. [What is this and why would I want it?](#1-what-is-this-and-why-would-i-want-it)
2. [How it works — the big picture](#2-how-it-works--the-big-picture)
3. [What you'll need before you start](#3-what-youll-need-before-you-start)
4. [Step 1: Create a Tailscale account](#step-1-create-a-tailscale-account)
5. [Step 2: Install Tailscale on your devices](#step-2-install-tailscale-on-your-devices)
6. [Step 3: Choose your VPS provider and location](#step-3-choose-your-vps-provider-and-location)
7. [Step 4: Create a VPS](#step-4-create-a-vps)
8. [Step 5: Connect to your VPS](#step-5-connect-to-your-vps)
9. [Step 6: Install Tailscale on your VPS](#step-6-install-tailscale-on-your-vps)
10. [Step 7: Enable the exit node](#step-7-enable-the-exit-node)
11. [Step 8: Use your VPN](#step-8-use-your-vpn)
12. [Adding more countries](#adding-more-countries)
13. [Optional: WireGuard fallback](#optional-wireguard-fallback)
14. [Privacy and jurisdiction guide](#privacy-and-jurisdiction-guide)
15. [Troubleshooting](#troubleshooting)
16. [FAQ](#faq)
---
## 1. What is this and why would I want it?
### The problem with commercial VPN providers
When you use a VPN service like NordVPN, ExpressVPN, or Surfshark, you're trusting that company with *all* of your internet traffic. They can see every website you visit, every service you connect to, and every piece of data you send that isn't separately encrypted.
These companies promise "no logs" — but you have no way to verify that. They're black boxes. Several have been caught logging user data despite their promises. Some have been acquired by advertising companies. Others have been compelled by governments to hand over data they claimed they didn't have.
### The solution: own your VPN
Instead of trusting a company, you rent a small server (called a VPS — Virtual Private Server) in the country of your choice and run your own VPN software on it. Your internet traffic goes through that server and exits to the internet from there.
**You control the server. You control the software. You control the logs (or lack thereof). There is no third party to trust.**
### What you can do with this
- **Privacy**: Your internet service provider (ISP) can't see which websites you visit — they only see encrypted traffic going to your VPS
- **Location**: Websites see your VPS's IP address, not your real one. If your VPS is in Switzerland, websites think you're in Switzerland
- **Access**: Reach content that's restricted to certain countries
- **Security**: Protect your traffic on public Wi-Fi networks (coffee shops, airports, hotels)
- **Multiple countries**: Set up servers in different countries and switch between them with one tap
---
## 2. How it works — the big picture
Here's what happens when you browse the internet normally (without a VPN):
```
Your phone/laptop → Your ISP → The internet → Website
(you) (can see (various (sees your
everything) routers) real IP)
```
Your ISP can see every website you visit. The website can see your real IP address (and therefore your approximate location).
Here's what happens with your own VPN:
```
Your phone/laptop → Encrypted tunnel → Your VPS in Switzerland → Website
(you) (ISP sees only (decrypts and forwards (sees Swiss
encrypted data) your traffic) IP address)
```
Your ISP only sees encrypted data going to one IP address. They can't see what websites you're visiting. The website sees the Swiss IP address, not yours.
### The technology: Tailscale
This guide uses [Tailscale](https://tailscale.com) — a modern, easy-to-use VPN tool. Tailscale creates an encrypted network between your devices. When you mark one of your servers as an "exit node", all your internet traffic is routed through that server.
Tailscale is:
- **Free** for personal use (up to 100 devices)
- **Easy to install** on every platform (Windows, Mac, Linux, iOS, Android)
- **Secure** — uses the WireGuard protocol (the gold standard in VPN security)
- **Simple** — switching your exit country is one tap on your phone
---
## 3. What you'll need before you start
### A computer with a terminal
- **Mac**: Open the "Terminal" app (search for it in Spotlight with Cmd+Space)
- **Windows**: Install [Windows Terminal](https://aka.ms/terminal) from the Microsoft Store, or use PowerShell
- **Linux**: You already know where your terminal is
### An SSH key
An SSH key is like a digital password that lets you securely connect to your server. You probably already have one. To check, open your terminal and type:
```bash
ls ~/.ssh/id_ed25519.pub
```
If you see a file path, you already have one. If you see "No such file", create one:
```bash
ssh-keygen -t ed25519 -C "your@email.com"
```
Press Enter to accept the default location, and Enter twice more to skip the passphrase (or set one if you prefer). Your key is now at `~/.ssh/id_ed25519.pub`.
### A credit card or PayPal (or Bitcoin)
You'll need this to pay for your VPS. The cheapest options are about $3-5 USD per month per server.
---
## Step 1: Create a Tailscale account
1. Go to [https://tailscale.com](https://tailscale.com)
2. Click **"Get Started"**
3. Sign in with your Google, Microsoft, GitHub, or Apple account
4. You now have a Tailscale account — this is your private network (called a "tailnet")
Tailscale is **free** for personal use. You don't need to enter any payment details.
---
## Step 2: Install Tailscale on your devices
Install Tailscale on every device you want to use the VPN from.
### iPhone / iPad
1. Open the App Store
2. Search for **"Tailscale"**
3. Install the app
4. Open it and sign in with the same account from Step 1
### Android
1. Open the Google Play Store
2. Search for **"Tailscale"**
3. Install the app
4. Open it and sign in
### Mac
1. Open the App Store
2. Search for **"Tailscale"**
3. Install the app
4. Open it — it will appear in your menu bar (top-right of your screen)
5. Click the Tailscale icon and sign in
### Windows
1. Go to [https://tailscale.com/download/windows](https://tailscale.com/download/windows)
2. Download and install
3. Open Tailscale from the system tray and sign in
### Linux
```bash
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```
Follow the link it gives you to authenticate in your browser.
---
## Step 3: Choose your VPS provider and location
A VPS is a small virtual computer running in a data centre somewhere in the world. You'll rent one and use it as your VPN exit point.
### Recommended providers
| Provider | Best for | Cheapest plan | Signup |
|----------|----------|---------------|--------|
| **[Vultr](https://vultr.com)** | Most countries (33 locations) | $3.50/month | [vultr.com](https://vultr.com) |
| **[Exoscale](https://exoscale.com)** | Switzerland (strongest privacy) | ~$5/month | [exoscale.com](https://exoscale.com) |
| **[Hetzner](https://hetzner.com)** | Best value in Europe | ~$4/month | [hetzner.com](https://hetzner.com) |
| **[DigitalOcean](https://digitalocean.com)** | Beginner-friendly interface | $4/month | [digitalocean.com](https://digitalocean.com) |
### Choosing a location
Pick based on what you need:
| I want to... | Choose a server in... |
|-------------|----------------------|
| Maximum privacy | **Switzerland** (Exoscale) — strongest privacy laws, no data retention |
| Access US streaming content | **Los Angeles** or **New York** (Vultr) |
| Access UK content | **London** (Vultr) — note: UK has strong surveillance laws |
| Access Japanese content | **Tokyo** (Vultr) — good privacy laws, no data retention |
| General privacy + good speed | **Netherlands** (Vultr Amsterdam) — data retention laws struck down |
| Access Australian content from overseas | **Sydney** (Vultr) |
See the [Privacy and jurisdiction guide](#privacy-and-jurisdiction-guide) at the end for detailed information on each country's surveillance laws.
### Creating your account
**Vultr** (recommended for most people):
1. Go to [vultr.com](https://vultr.com)
2. Click **"Sign Up"**
3. Enter your email and password
4. Add a payment method (credit card, PayPal, or Bitcoin)
5. Minimum deposit: $10 USD
**Exoscale** (recommended for Switzerland):
1. Go to [portal.exoscale.com](https://portal.exoscale.com)
2. Click **"Sign up"**
3. Enter your details and add a payment method
4. No minimum deposit
---
## Step 4: Create a VPS
### Option A: Vultr
1. Log in to [my.vultr.com](https://my.vultr.com)
2. Click the blue **"+"** button → **"Deploy New Server"**
3. Choose **"Cloud Compute — Shared CPU"**
4. Select your desired **location** (e.g., Tokyo, Amsterdam, etc.)
5. Select **"Ubuntu 24.04 LTS x64"** as the operating system
6. Select the **$5/month plan** (1 vCPU, 1 GB RAM, 25 GB SSD) — this is more than enough for a VPN
7. Under **"SSH Keys"**, click **"Add New"**:
- Copy the contents of your SSH key: `cat ~/.ssh/id_ed25519.pub`
- Paste it into the box and give it a name
8. Under **"Server Hostname & Label"**, enter something like `vpn-exit-tokyo` or `vpn-switzerland`
9. Click **"Deploy Now"**
10. Wait 1-2 minutes for the server to be created
11. Note the **IP address** shown on the server details page — you'll need it next
### Option B: Exoscale (Switzerland)
1. Log in to [portal.exoscale.com](https://portal.exoscale.com)
2. Click **"Compute"** in the left menu
3. Click **"Create an Instance"**
4. **Zone**: Select `CH-GVA-2` (Geneva) or `CH-DK-2` (Zurich)
5. **Template**: Choose **"Ubuntu 24.04 LTS 64-bit"**
6. **Instance type**: Select **"Micro"** (1 vCPU, 512 MB RAM) — enough for a VPN
7. **Disk**: 10 GB is fine
8. **SSH Key**: Click "Add" and paste your public key from `cat ~/.ssh/id_ed25519.pub`
9. **Security Group**: Select "default"
10. Click **"Create"**
11. Wait for the instance to show "Running"
12. Note the **public IP address**
**Important — Exoscale firewall**: Exoscale blocks all incoming connections by default. You need to open SSH:
1. Click **"Compute"** → **"Security Groups"** → **"default"**
2. Click **"Add Rule"**
3. Add: **Protocol:** TCP, **Port:** 22, **Source:** 0.0.0.0/0, **Description:** SSH
4. Click **"Add"**
---
## Step 5: Connect to your VPS
Open your terminal and connect to your new server using SSH.
**For Vultr** (root user):
```bash
ssh root@YOUR_SERVER_IP
```
**For Exoscale** (ubuntu user):
```bash
ssh ubuntu@YOUR_SERVER_IP
```
Replace `YOUR_SERVER_IP` with the IP address from Step 4.
The first time you connect, you'll see a message like:
```
The authenticity of host '198.13.34.199 (198.13.34.199)' can't be established.
ED25519 key fingerprint is SHA256:xxxxxx.
Are you sure you want to continue connecting (yes/no)?
```
Type **`yes`** and press Enter. This is normal — it's asking you to confirm the identity of your new server.
You should now see a command prompt on your server. You're in!
---
## Step 6: Install Tailscale on your VPS
Now you'll install Tailscale on your server and tell it to act as a VPN exit node.
**If you're connected as root (Vultr):**
```bash
# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
# Start Tailscale and advertise as an exit node
tailscale up --advertise-exit-node
```
**If you're connected as ubuntu (Exoscale):**
```bash
# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sudo sh
# Start Tailscale and advertise as an exit node
sudo tailscale up --advertise-exit-node
```
Tailscale will print a URL like:
```
To authenticate, visit:
https://login.tailscale.com/a/abc123def456
```
**Copy this URL and open it in your web browser.** Sign in with the same Tailscale account from Step 1. This connects your server to your personal Tailscale network.
### Enable IP forwarding
Your server needs to forward network traffic for the VPN to work. Run these commands:
**As root (Vultr):**
```bash
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' >> /etc/sysctl.conf
sysctl -p
```
**As ubuntu (Exoscale):**
```bash
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
---
## Step 7: Enable the exit node
Your server is now advertising itself as an available exit node, but you need to approve it in the Tailscale admin console.
1. Go to [https://login.tailscale.com/admin/machines](https://login.tailscale.com/admin/machines)
2. Find your server in the list (it will have the hostname you set, like `vpn-exit-tokyo`)
3. Click the **three dots menu** (⋯) next to it
4. Click **"Edit route settings..."**
5. You'll see **"Use as exit node"** — toggle it **ON**
6. Click **"Save"**
Your VPN exit node is now live!
### Optional: Disable key expiry
By default, Tailscale keys expire after 180 days and you'd need to re-authenticate. To disable this:
1. On the same [admin/machines](https://login.tailscale.com/admin/machines) page
2. Click the **three dots menu** (⋯) next to your server
3. Click **"Disable key expiry"**
---
## Step 8: Use your VPN
### On iPhone / iPad
1. Open the **Tailscale** app
2. Tap **"Exit Node"** (near the top of the screen)
3. You'll see your server listed (e.g., `vpn-exit-tokyo`)
4. **Tap it** to activate
5. Your internet traffic is now routed through that server
To stop using the VPN:
1. Open Tailscale
2. Tap **"Exit Node"**
3. Tap **"None"**
### On Android
Same as iPhone — open Tailscale, tap "Exit Node", select your server.
### On Mac
1. Click the **Tailscale icon** in your menu bar (top-right of screen)
2. Hover over **"Exit Node"**
3. Select your server from the list
4. A checkmark appears next to it — your VPN is active
To stop: click the Tailscale icon → "Exit Node" → "None".
### On Windows
1. Click the **Tailscale icon** in your system tray (bottom-right)
2. Click **"Exit Node"**
3. Select your server
### On Linux
```bash
# Activate VPN through your Tokyo server
sudo tailscale set --exit-node=vpn-exit-tokyo
# Deactivate VPN
sudo tailscale set --exit-node=
```
### Verify it's working
1. Activate your exit node
2. Open your web browser
3. Go to [https://whatismyipaddress.com](https://whatismyipaddress.com)
4. It should show the IP address and location of your VPS, **not** your real location
If you see your server's country — congratulations, your VPN is working!
---
## Adding more countries
Want to exit from more countries? Repeat Steps 3-7 for each new location. Each additional server takes about 10 minutes to set up.
For example, you might have:
- `vpn-exit-gva` — Geneva, Switzerland (maximum privacy)
- `vpn-exit-nrt` — Tokyo, Japan (Asian content, strong privacy)
- `vpn-exit-ams` — Amsterdam, Netherlands (European content)
- `vpn-exit-lax` — Los Angeles, USA (US streaming)
Switch between them instantly from the Tailscale exit node menu on any of your devices.
### Naming convention
Use a consistent naming pattern so you can easily identify your exit nodes:
```
vpn-exit-{airport-code}
```
Common codes: `lhr` (London), `nrt` (Tokyo), `ams` (Amsterdam), `gva` (Geneva), `lax` (Los Angeles), `sao` (São Paulo), `sgp` (Singapore), `fra` (Frankfurt).
---
## Optional: WireGuard fallback
The Tailscale approach above is the easiest way to use your VPN. However, you can also set up WireGuard directly on your server as a fallback — useful if you want to connect without Tailscale, or share access with someone who isn't on your Tailscale network.
### Install WireGuard on your VPS
SSH into your server and run:
```bash
# Install WireGuard and QR code generator
sudo apt update
sudo apt install -y wireguard qrencode
# Generate server keys
cd /etc/wireguard
sudo bash -c 'umask 077; wg genkey | tee server_private.key | wg pubkey > server_public.key'
# Generate a client key pair
sudo bash -c 'umask 077; wg genkey | tee client_private.key | wg pubkey > client_public.key'
# Detect your server's public IP and network interface
PUBLIC_IP=$(curl -s ifconfig.me)
IFACE=$(ip route show default | awk '{print $5}' | head -1)
echo "Your server IP: $PUBLIC_IP"
echo "Your network interface: $IFACE"
```
### Configure WireGuard server
```bash
# Read the keys
SERVER_PRIVKEY=$(sudo cat /etc/wireguard/server_private.key)
CLIENT_PUBKEY=$(sudo cat /etc/wireguard/client_public.key)
IFACE=$(ip route show default | awk '{print $5}' | head -1)
# Create the server config
sudo tee /etc/wireguard/wg0.conf > /dev/null << EOF
[Interface]
Address = 10.66.66.1/24
ListenPort = 51820
PrivateKey = $SERVER_PRIVKEY
PostUp = iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o $IFACE -j MASQUERADE
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = 10.66.66.2/32
EOF
sudo chmod 600 /etc/wireguard/wg0.conf
```
### Create the client config
```bash
SERVER_PUBKEY=$(sudo cat /etc/wireguard/server_public.key)
CLIENT_PRIVKEY=$(sudo cat /etc/wireguard/client_private.key)
PUBLIC_IP=$(curl -s ifconfig.me)
# Create the client config file
sudo tee /etc/wireguard/client.conf > /dev/null << EOF
[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = 10.66.66.2/24
DNS = 1.1.1.1, 9.9.9.9
[Peer]
PublicKey = $SERVER_PUBKEY
Endpoint = $PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
# Show a QR code you can scan with the WireGuard app on your phone
sudo qrencode -t ansiutf8 < /etc/wireguard/client.conf
```
### Start WireGuard
```bash
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
```
### Make sure port 51820 is open
**Vultr**: No firewall by default — WireGuard port is already accessible.
**Exoscale**: Add a security group rule:
1. Go to Compute → Security Groups → default
2. Add: Protocol: UDP, Port: 51820, Source: 0.0.0.0/0
### Use WireGuard on your phone
1. Install the **WireGuard** app from the App Store or Play Store
2. Tap **"+"** → **"Create from QR code"**
3. Scan the QR code displayed in your terminal
4. Name the tunnel (e.g., "VPN Switzerland")
5. Toggle it on to activate
### Use WireGuard on your laptop
1. Install WireGuard: `brew install wireguard-tools` (Mac) or download from [wireguard.com](https://www.wireguard.com/install/)
2. Copy the client config from your server: `scp root@YOUR_SERVER_IP:/etc/wireguard/client.conf ~/vpn-switzerland.conf`
3. Import it: `sudo wg-quick up ~/vpn-switzerland.conf`
4. To disconnect: `sudo wg-quick down ~/vpn-switzerland.conf`
**Note**: On iOS, you cannot use Tailscale and WireGuard at the same time (Apple only allows one VPN). The Tailscale exit node approach is recommended for daily use, with WireGuard as a fallback.
---
## Privacy and jurisdiction guide
Not all countries are equal when it comes to privacy. Where your VPN server is located matters because that country's laws apply to it.
### Best jurisdictions for VPN exit nodes
| Country | Why it's good | Risks | Vultr | Exoscale |
|---------|--------------|-------|-------|----------|
| **Switzerland** | Strongest privacy laws in Europe. No mandatory data retention. Not in EU, Five Eyes, Nine Eyes, or Fourteen Eyes. | Expensive hosting. | No | Yes (Geneva, Zurich) |
| **Netherlands** | Data retention law struck down by courts in 2015. Strong GDPR protections. | EU member (subject to EU court orders). | Yes (`ams`) | No |
| **Japan** | No mandatory data retention for VPN operators. Strong privacy culture. Not Five Eyes. | Government can request data in criminal cases. | Yes (`nrt`, `itm`) | No |
| **Iceland** | Extremely strong privacy protections. No data retention. Not in the EU. | Limited hosting options, no API-driven providers. | No | No |
| **Romania** | No mandatory data retention (struck down by Constitutional Court). | EU member. Less established legal framework. | No | No |
| **Brazil** | Marco Civil da Internet has privacy protections. Outside Western intelligence alliances. | Government instability can affect legal protections. | Yes (`sao`) | No |
### Jurisdictions to be cautious about
| Country | Concern |
|---------|---------|
| **United Kingdom** | Investigatory Powers Act ("Snoopers' Charter") — providers can be compelled to retain data and assist with interception. Five Eyes member. |
| **United States** | Five Eyes member. NSA mass surveillance programs. National Security Letters can compel data disclosure with gag orders. |
| **Australia** | Five Eyes member. Mandatory data retention law. Assistance and Access Act can compel providers to build interception capabilities. |
| **Canada** | Five Eyes member. |
| **New Zealand** | Five Eyes member. |
| **France** | Mandatory 1-year metadata retention. |
| **Sweden** | Metadata retention in force. Fourteen Eyes member. |
### What are the "Eyes" alliances?
These are intelligence-sharing agreements between countries. If your VPN is in a "Five Eyes" country, data could be shared with all five member nations.
- **Five Eyes**: US, UK, Canada, Australia, New Zealand
- **Nine Eyes**: Five Eyes + Denmark, France, Netherlands, Norway
- **Fourteen Eyes**: Nine Eyes + Germany, Belgium, Italy, Sweden, Spain
Being in a Nine or Fourteen Eyes country is less concerning than Five Eyes — the data sharing is less comprehensive. The Netherlands, for example, is in the Nine Eyes but has some of the best privacy protections in practice.
---
## Troubleshooting
### "I can't SSH into my server"
**Check the IP address**: Make sure you're using the right IP. Log into your VPS provider's dashboard to confirm.
**Exoscale users**: Did you open port 22 in the security group? (See Step 4, Option B)
**Check your SSH key**: Run `ssh -v root@YOUR_IP` — the `-v` flag shows detailed connection info that can help identify the problem.
### "Tailscale says 'not connected'"
Make sure the Tailscale service is running on your server:
```bash
sudo systemctl status tailscaled
```
If it's not running:
```bash
sudo systemctl start tailscaled
sudo tailscale up --advertise-exit-node
```
### "Exit node doesn't appear in the list"
1. Check that you approved the exit node in the [Tailscale admin console](https://login.tailscale.com/admin/machines)
2. Make sure the server is online: `tailscale status` (on the server)
3. On your device, try toggling Tailscale off and on
### "VPN is slow"
VPN will always add some latency because your traffic takes a longer path. Tips:
- Choose a server **geographically close** to you for speed, or close to the content you're accessing
- A server in Tokyo will be faster for accessing Japanese websites than a server in London
- The cheapest VPS plans are fine for browsing and streaming — you don't need a powerful server
### "Websites detect I'm using a VPN"
Some websites block known VPS IP ranges. This is a limitation of any VPN approach. Options:
- Try a different VPS provider or location
- Some providers offer "residential" IP addresses (more expensive)
- This is less common with smaller providers like Exoscale
### "My VPS was deleted/crashed"
VPS instances are disposable. If something goes wrong, just create a new one following this guide from Step 4. The whole process takes about 15 minutes. There's no data to lose — the VPS is just a relay point.
---
## FAQ
### Is this legal?
Using a VPN is legal in most countries including Australia, the US, the UK, and all EU countries. However, using a VPN to do something illegal doesn't make it legal. The VPN is a tool — like a car. Legal to drive, but not legal to use as a getaway vehicle.
Some countries restrict or ban VPN use: China, Russia, UAE, Turkey, Belarus, North Korea, Iraq, Oman. Do not set up VPN exit nodes in these countries, and be cautious about using a VPN while physically in these countries.
### Is this truly private?
Nothing is perfect, but this is significantly better than a commercial VPN:
- **Your VPS provider** can see that traffic flows through the server, but not the content (it's encrypted end-to-end by HTTPS)
- **Your ISP** can see that you're connected to Tailscale, but not what you're doing
- **No third party** has access to your browsing history
- **You control the server** — there are no logs unless you create them
### Can I share my VPN with family/friends?
**With Tailscale**: Yes. Invite them to your Tailscale network and they can use the same exit nodes. Go to [Tailscale admin](https://login.tailscale.com/admin) → invite users.
**With WireGuard**: Yes. Generate additional client configs (additional key pairs) on your server and share them. Each person gets their own config file/QR code.
### How much bandwidth do I get?
Most VPS plans include 1-2 TB of monthly bandwidth. For typical browsing and streaming, you'll use a fraction of this. If you watch a lot of 4K video through the VPN, you might use more — check your VPS provider's dashboard.
### Can I run other things on the same server?
Yes! Your VPN uses very few resources. You could also run a personal website, a DNS resolver (like Pi-hole for ad blocking), or other lightweight services on the same VPS.
### What happens if the VPS goes down?
Your internet still works — it just goes directly through your ISP instead of through the VPN. Tailscale will show the exit node as unavailable, and your traffic will route normally. No action needed on your part.
### Do I need to update/maintain anything?
Your VPS runs Ubuntu, which automatically installs security updates. Tailscale also auto-updates. You should check on your server every few months to make sure it's still running:
```bash
ssh root@YOUR_SERVER_IP
sudo apt update && sudo apt upgrade -y
tailscale status
```
### How is this different from Tor?
Tor routes your traffic through three random relays run by volunteers. It's good for anonymity but very slow and many websites block it. A personal VPN is much faster and doesn't get blocked, but provides less anonymity (the VPS is rented in your name). For most people, a personal VPN is the better choice for daily use.
---
## Cost summary
| Item | Cost | Notes |
|------|------|-------|
| Tailscale | Free | Free for personal use, up to 100 devices |
| VPS (per location) | $3-5/month | Vultr $3.50-5, Exoscale ~$5, Hetzner ~$4 |
| Total for 1 country | ~$5/month | |
| Total for 3 countries | ~$15/month | e.g., Switzerland + Japan + Netherlands |
| Total for 5 countries | ~$25/month | Full global coverage |
Compare this to:
- NordVPN: $13/month (and you don't own anything)
- ExpressVPN: $13/month (and you don't own anything)
- You: $5-25/month (and you own everything)
---
## About
This guide was created by [Mineracks](https://mineracks.com) — a Bitcoin infrastructure and self-hosting company based in Brisbane, Australia. We believe in owning your own infrastructure and not trusting third parties with your data.
The tools and MCPs used to automate this process are open source:
- [vultr-mcp](https://git.mineracks.com/mineracks/vultr-mcp) — Vultr API automation
- [exoscale-mcp](https://git.mineracks.com/mineracks/exoscale-mcp) — Exoscale API automation
---
*Last updated: April 2026*