own-your-vpn/README.md
mineracks f057bae5e3 docs: complete self-hosted VPN guide for non-technical users
Covers Tailscale exit nodes, WireGuard fallback, provider selection,
jurisdiction/privacy analysis, step-by-step setup, troubleshooting, and FAQ.
Written for an audience with no prior VPN or server experience.
2026-04-26 09:44:02 +10:00


Own Your VPN

A complete guide to building your own private VPN with exit nodes around the world. No third-party VPN provider. No logs. No trust required. You own everything.

What you'll get: A VPN you fully control, with the ability to make your internet traffic appear to come from any country you choose — Switzerland, Japan, the US, Brazil, or anywhere else — with a single tap on your phone or click on your laptop.

Cost: About $3-5 USD per month per country you want to exit from.

Time: About 30-60 minutes for your first exit node. 10 minutes for each additional one.

Technical skill required: Basic comfort with a terminal/command line. This guide explains every step in detail.


Table of Contents

  1. What is this and why would I want it?
  2. How it works — the big picture
  3. What you'll need before you start
  4. Step 1: Create a Tailscale account
  5. Step 2: Install Tailscale on your devices
  6. Step 3: Choose your VPS provider and location
  7. Step 4: Create a VPS
  8. Step 5: Connect to your VPS
  9. Step 6: Install Tailscale on your VPS
  10. Step 7: Enable the exit node
  11. Step 8: Use your VPN
  12. Adding more countries
  13. Optional: WireGuard fallback
  14. Privacy and jurisdiction guide
  15. Troubleshooting
  16. FAQ

1. What is this and why would I want it?

The problem with commercial VPN providers

When you use a VPN service like NordVPN, ExpressVPN, or Surfshark, you're trusting that company with all of your internet traffic. They can see every website you visit, every service you connect to, and every piece of data you send that isn't separately encrypted.

These companies promise "no logs" — but you have no way to verify that. They're black boxes. Several have been caught logging user data despite their promises. Some have been acquired by advertising companies. Others have been compelled by governments to hand over data they claimed they didn't have.

The solution: own your VPN

Instead of trusting a company, you rent a small server (called a VPS — Virtual Private Server) in the country of your choice and run your own VPN software on it. Your internet traffic goes through that server and exits to the internet from there.

You control the server. You control the software. You control the logs (or lack thereof). There is no third party to trust.

What you can do with this

  • Privacy: Your internet service provider (ISP) can't see which websites you visit — they only see encrypted traffic going to your VPS
  • Location: Websites see your VPS's IP address, not your real one. If your VPS is in Switzerland, websites think you're in Switzerland
  • Access: Reach content that's restricted to certain countries
  • Security: Protect your traffic on public Wi-Fi networks (coffee shops, airports, hotels)
  • Multiple countries: Set up servers in different countries and switch between them with one tap

2. How it works — the big picture

Here's what happens when you browse the internet normally (without a VPN):

Your phone/laptop  →  Your ISP  →  The internet  →  Website
     (you)          (can see        (various        (sees your
                    everything)     routers)         real IP)

Your ISP can see every website you visit. The website can see your real IP address (and therefore your approximate location).

Here's what happens with your own VPN:

Your phone/laptop  →  Encrypted tunnel  →  Your VPS in Switzerland  →  Website
     (you)            (ISP sees only        (decrypts and forwards     (sees Swiss
                      encrypted data)        your traffic)              IP address)

Your ISP only sees encrypted data going to one IP address. They can't see what websites you're visiting. The website sees the Swiss IP address, not yours.

The technology: Tailscale

This guide uses Tailscale — a modern, easy-to-use VPN tool. Tailscale creates an encrypted network between your devices. When you mark one of your servers as an "exit node", all your internet traffic is routed through that server.

Tailscale is:

  • Free for personal use (up to 100 devices)
  • Easy to install on every platform (Windows, Mac, Linux, iOS, Android)
  • Secure — uses the WireGuard protocol (the gold standard in VPN security)
  • Simple — switching your exit country is one tap on your phone

3. What you'll need before you start

A computer with a terminal

  • Mac: Open the "Terminal" app (search for it in Spotlight with Cmd+Space)
  • Windows: Install Windows Terminal from the Microsoft Store, or use PowerShell
  • Linux: You already know where your terminal is

An SSH key

An SSH key is like a digital password that lets you securely connect to your server. You probably already have one. To check, open your terminal and type:

ls ~/.ssh/id_ed25519.pub

If you see a file path, you already have one. If you see "No such file", create one:

ssh-keygen -t ed25519 -C "your@email.com"

Press Enter to accept the default location, and Enter twice more to skip the passphrase (or set one if you prefer). Your key is now at ~/.ssh/id_ed25519.pub.

A credit card or PayPal (or Bitcoin)

You'll need this to pay for your VPS. The cheapest options are about $3-5 USD per month per server.


Step 1: Create a Tailscale account

  1. Go to https://tailscale.com
  2. Click "Get Started"
  3. Sign in with your Google, Microsoft, GitHub, or Apple account
  4. You now have a Tailscale account — this is your private network (called a "tailnet")

Tailscale is free for personal use. You don't need to enter any payment details.


Step 2: Install Tailscale on your devices

Install Tailscale on every device you want to use the VPN from.

iPhone / iPad

  1. Open the App Store
  2. Search for "Tailscale"
  3. Install the app
  4. Open it and sign in with the same account from Step 1

Android

  1. Open the Google Play Store
  2. Search for "Tailscale"
  3. Install the app
  4. Open it and sign in

Mac

  1. Open the App Store
  2. Search for "Tailscale"
  3. Install the app
  4. Open it — it will appear in your menu bar (top-right of your screen)
  5. Click the Tailscale icon and sign in

Windows

  1. Go to https://tailscale.com/download/windows
  2. Download and install
  3. Open Tailscale from the system tray and sign in

Linux

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Follow the link it gives you to authenticate in your browser.


Step 3: Choose your VPS provider and location

A VPS is a small virtual computer running in a data centre somewhere in the world. You'll rent one and use it as your VPN exit point.

| Provider | Best for | Cheapest plan | Signup |
|---|---|---|---|
| Vultr | Most countries (33 locations) | $3.50/month | vultr.com |
| Exoscale | Switzerland (strongest privacy) | ~$5/month | exoscale.com |
| Hetzner | Best value in Europe | ~$4/month | hetzner.com |
| DigitalOcean | Beginner-friendly interface | $4/month | digitalocean.com |

Choosing a location

Pick based on what you need:

| I want to... | Choose a server in... |
|---|---|
| Maximum privacy | Switzerland (Exoscale) — strongest privacy laws, no data retention |
| Access US streaming content | Los Angeles or New York (Vultr) |
| Access UK content | London (Vultr) — note: UK has strong surveillance laws |
| Access Japanese content | Tokyo (Vultr) — good privacy laws, no data retention |
| General privacy + good speed | Netherlands (Vultr Amsterdam) — data retention laws struck down |
| Access Australian content from overseas | Sydney (Vultr) |

See the Privacy and jurisdiction guide at the end for detailed information on each country's surveillance laws.

Creating your account

Vultr (recommended for most people):

  1. Go to vultr.com
  2. Click "Sign Up"
  3. Enter your email and password
  4. Add a payment method (credit card, PayPal, or Bitcoin)
  5. Minimum deposit: $10 USD

Exoscale (recommended for Switzerland):

  1. Go to portal.exoscale.com
  2. Click "Sign up"
  3. Enter your details and add a payment method
  4. No minimum deposit

Step 4: Create a VPS

Option A: Vultr

  1. Log in to my.vultr.com
  2. Click the blue "+" button → "Deploy New Server"
  3. Choose "Cloud Compute — Shared CPU"
  4. Select your desired location (e.g., Tokyo, Amsterdam, etc.)
  5. Select "Ubuntu 24.04 LTS x64" as the operating system
  6. Select the $5/month plan (1 vCPU, 1 GB RAM, 25 GB SSD) — this is more than enough for a VPN
  7. Under "SSH Keys", click "Add New":
    • Copy the contents of your SSH key: cat ~/.ssh/id_ed25519.pub
    • Paste it into the box and give it a name
  8. Under "Server Hostname & Label", enter something like vpn-exit-tokyo or vpn-switzerland
  9. Click "Deploy Now"
  10. Wait 1-2 minutes for the server to be created
  11. Note the IP address shown on the server details page — you'll need it next

Option B: Exoscale (Switzerland)

  1. Log in to portal.exoscale.com
  2. Click "Compute" in the left menu
  3. Click "Create an Instance"
  4. Zone: Select CH-GVA-2 (Geneva) or CH-DK-2 (Zurich)
  5. Template: Choose "Ubuntu 24.04 LTS 64-bit"
  6. Instance type: Select "Micro" (1 vCPU, 512 MB RAM) — enough for a VPN
  7. Disk: 10 GB is fine
  8. SSH Key: Click "Add" and paste your public key from cat ~/.ssh/id_ed25519.pub
  9. Security Group: Select "default"
  10. Click "Create"
  11. Wait for the instance to show "Running"
  12. Note the public IP address

Important — Exoscale firewall: Exoscale blocks all incoming connections by default. You need to open SSH:

  1. Click "Compute" → "Security Groups" → "default"
  2. Click "Add Rule"
  3. Add: Protocol: TCP, Port: 22, Source: 0.0.0.0/0, Description: SSH
  4. Click "Add"

Step 5: Connect to your VPS

Open your terminal and connect to your new server using SSH.

For Vultr (root user):

ssh root@YOUR_SERVER_IP

For Exoscale (ubuntu user):

ssh ubuntu@YOUR_SERVER_IP

Replace YOUR_SERVER_IP with the IP address from Step 4.

The first time you connect, you'll see a message like:

The authenticity of host '198.13.34.199 (198.13.34.199)' can't be established.
ED25519 key fingerprint is SHA256:xxxxxx.
Are you sure you want to continue connecting (yes/no)?

Type yes and press Enter. This is normal — it's asking you to confirm the identity of your new server.

You should now see a command prompt on your server. You're in!


Step 6: Install Tailscale on your VPS

Now you'll install Tailscale on your server and tell it to act as a VPN exit node.

If you're connected as root (Vultr):

# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh

# Start Tailscale and advertise as an exit node
tailscale up --advertise-exit-node

If you're connected as ubuntu (Exoscale):

# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sudo sh

# Start Tailscale and advertise as an exit node
sudo tailscale up --advertise-exit-node

Tailscale will print a URL like:

To authenticate, visit:
    https://login.tailscale.com/a/abc123def456

Copy this URL and open it in your web browser. Sign in with the same Tailscale account from Step 1. This connects your server to your personal Tailscale network.

Enable IP forwarding

Your server needs to forward network traffic for the VPN to work. Run these commands:

As root (Vultr):

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' >> /etc/sysctl.conf
sysctl -p

As ubuntu (Exoscale):

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
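
The forwarding step above as a re-runnable script (an added example, not part of the original guide): it appends a key only when the file does not already end up with that key set to 1, so repeated runs do not pile up duplicate lines and an earlier `= 0` entry gets overridden. The function names are this example's own; the default path is the guide's /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example: idempotent version of the "Enable IP forwarding" step.
# Function names are this example's own; the file path is the guide's.

SYSCTL_FILE=${SYSCTL_FILE:-/etc/sysctl.conf}

# Print the value a key ends up with in a sysctl.conf-style file.
# The last assignment wins; lines starting with # or ; are comments.
sysctl_conf_value() {   # args: key file
    [ -f "$2" ] || return 0
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$2"
}

# Append "key = 1" only for keys that are not already effectively 1.
ensure_forwarding() {   # arg: file
    for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
        if [ "$(sysctl_conf_value "$key" "$1")" != "1" ]; then
            printf '%s = 1\n' "$key" >> "$1"
        fi
    done
}

# True when the running kernel is actually forwarding IPv4 and IPv6.
forwarding_active() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] &&
        [ "$(cat /proc/sys/net/ipv6/conf/all/forwarding)" = "1" ]
}

# Run as root on the VPS:  sh enable-forwarding.sh apply
if [ "${1:-}" = "apply" ]; then
    ensure_forwarding "$SYSCTL_FILE"
    sysctl -p "$SYSCTL_FILE" >/dev/null
    if forwarding_active; then
        echo "forwarding is on and persisted in $SYSCTL_FILE"
    else
        echo "forwarding is still off after loading $SYSCTL_FILE" >&2
        exit 1
    fi
fi
```
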

Step 7: Enable the exit node

Your server is now advertising itself as an available exit node, but you need to approve it in the Tailscale admin console.

  1. Go to https://login.tailscale.com/admin/machines
  2. Find your server in the list (it will have the hostname you set, like vpn-exit-tokyo)
  3. Click the three dots menu (⋯) next to it
  4. Click "Edit route settings..."
  5. You'll see "Use as exit node" — toggle it ON
  6. Click "Save"

Your VPN exit node is now live!

Optional: Disable key expiry

By default, Tailscale keys expire after 180 days and you'd need to re-authenticate. To disable this:

  1. On the same admin/machines page
  2. Click the three dots menu (⋯) next to your server
  3. Click "Disable key expiry"

Step 8: Use your VPN

On iPhone / iPad

  1. Open the Tailscale app
  2. Tap "Exit Node" (near the top of the screen)
  3. You'll see your server listed (e.g., vpn-exit-tokyo)
  4. Tap it to activate
  5. Your internet traffic is now routed through that server

To stop using the VPN:

  1. Open Tailscale
  2. Tap "Exit Node"
  3. Tap "None"

On Android

Same as iPhone — open Tailscale, tap "Exit Node", select your server.

On Mac

  1. Click the Tailscale icon in your menu bar (top-right of screen)
  2. Hover over "Exit Node"
  3. Select your server from the list
  4. A checkmark appears next to it — your VPN is active

To stop: click the Tailscale icon → "Exit Node" → "None".

On Windows

  1. Click the Tailscale icon in your system tray (bottom-right)
  2. Click "Exit Node"
  3. Select your server

On Linux

# Activate VPN through your Tokyo server
sudo tailscale set --exit-node=vpn-exit-tokyo

# Deactivate VPN
sudo tailscale set --exit-node=

Verify it's working

  1. Activate your exit node
  2. Open your web browser
  3. Go to https://whatismyipaddress.com
  4. It should show the IP address and location of your VPS, not your real location

If you see your server's country — congratulations, your VPN is working!


Adding more countries

Want to exit from more countries? Repeat Steps 3-7 for each new location. Each additional server takes about 10 minutes to set up.

For example, you might have:

  • vpn-exit-gva — Geneva, Switzerland (maximum privacy)
  • vpn-exit-nrt — Tokyo, Japan (Asian content, strong privacy)
  • vpn-exit-ams — Amsterdam, Netherlands (European content)
  • vpn-exit-lax — Los Angeles, USA (US streaming)

Switch between them instantly from the Tailscale exit node menu on any of your devices.

Naming convention

Use a consistent naming pattern so you can easily identify your exit nodes:

vpn-exit-{airport-code}

Common codes: lhr (London), nrt (Tokyo), ams (Amsterdam), gva (Geneva), lax (Los Angeles), sao (São Paulo), sgp (Singapore), fra (Frankfurt).


Optional: WireGuard fallback

The Tailscale approach above is the easiest way to use your VPN. However, you can also set up WireGuard directly on your server as a fallback — useful if you want to connect without Tailscale, or share access with someone who isn't on your Tailscale network.

Install WireGuard on your VPS

SSH into your server and run:

# Install WireGuard and QR code generator
sudo apt update
sudo apt install -y wireguard qrencode

# Generate server keys (the cd happens inside the root shell, because a
# normal user such as ubuntu cannot enter /etc/wireguard)
sudo bash -c 'cd /etc/wireguard && umask 077 && wg genkey | tee server_private.key | wg pubkey > server_public.key'

# Generate a client key pair
sudo bash -c 'cd /etc/wireguard && umask 077 && wg genkey | tee client_private.key | wg pubkey > client_public.key'

# Detect your server's public IPv4 address and network interface
PUBLIC_IP=$(curl -4 -s ifconfig.me)
IFACE=$(ip route show default | awk '{print $5}' | head -1)

echo "Your server IP: $PUBLIC_IP"
echo "Your network interface: $IFACE"

Configure WireGuard server

# Read the keys
SERVER_PRIVKEY=$(sudo cat /etc/wireguard/server_private.key)
CLIENT_PUBKEY=$(sudo cat /etc/wireguard/client_public.key)
IFACE=$(ip route show default | awk '{print $5}' | head -1)

# Create the server config
sudo tee /etc/wireguard/wg0.conf > /dev/null << EOF
[Interface]
Address = 10.66.66.1/24
ListenPort = 51820
PrivateKey = $SERVER_PRIVKEY
PostUp = iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o $IFACE -j MASQUERADE

[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = 10.66.66.2/32
EOF

sudo chmod 600 /etc/wireguard/wg0.conf

Create the client config

SERVER_PUBKEY=$(sudo cat /etc/wireguard/server_public.key)
CLIENT_PRIVKEY=$(sudo cat /etc/wireguard/client_private.key)
# -4 forces the IPv4 address, which is the form the Endpoint line below expects
PUBLIC_IP=$(curl -4 -s ifconfig.me)

# Create the client config file
sudo tee /etc/wireguard/client.conf > /dev/null << EOF
[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = 10.66.66.2/24
DNS = 1.1.1.1, 9.9.9.9

[Peer]
PublicKey = $SERVER_PUBKEY
Endpoint = $PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF

# Show a QR code you can scan with the WireGuard app on your phone
sudo qrencode -t ansiutf8 < /etc/wireguard/client.conf

Start WireGuard

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Make sure port 51820 is open

Vultr: No firewall by default — WireGuard port is already accessible.

Exoscale: Add a security group rule:

  1. Go to Compute → Security Groups → default
  2. Add: Protocol: UDP, Port: 51820, Source: 0.0.0.0/0

Use WireGuard on your phone

  1. Install the WireGuard app from the App Store or Play Store
  2. Tap "+" → "Create from QR code"
  3. Scan the QR code displayed in your terminal
  4. Name the tunnel (e.g., "VPN Switzerland")
  5. Toggle it on to activate

Use WireGuard on your laptop

  1. Install WireGuard: brew install wireguard-tools (Mac) or download from wireguard.com
  2. Copy the client config from your server: scp root@YOUR_SERVER_IP:/etc/wireguard/client.conf ~/vpn-switzerland.conf
  3. Import it: sudo wg-quick up ~/vpn-switzerland.conf
  4. To disconnect: sudo wg-quick down ~/vpn-switzerland.conf

Note: On iOS, you cannot use Tailscale and WireGuard at the same time (Apple only allows one VPN). The Tailscale exit node approach is recommended for daily use, with WireGuard as a fallback.


Privacy and jurisdiction guide

Not all countries are equal when it comes to privacy. Where your VPN server is located matters because that country's laws apply to it.

Best jurisdictions for VPN exit nodes

| Country | Why it's good | Risks | Vultr | Exoscale |
|---|---|---|---|---|
| Switzerland | Strongest privacy laws in Europe. No mandatory data retention. Not in EU, Five Eyes, Nine Eyes, or Fourteen Eyes. | Expensive hosting. | No | Yes (Geneva, Zurich) |
| Netherlands | Data retention law struck down by courts in 2015. Strong GDPR protections. | EU member (subject to EU court orders). | Yes (ams) | No |
| Japan | No mandatory data retention for VPN operators. Strong privacy culture. Not Five Eyes. | Government can request data in criminal cases. | Yes (nrt, itm) | No |
| Iceland | Extremely strong privacy protections. No data retention. Not in the EU. | Limited hosting options, no API-driven providers. | No | No |
| Romania | No mandatory data retention (struck down by Constitutional Court). | EU member. Less established legal framework. | No | No |
| Brazil | Marco Civil da Internet has privacy protections. Outside Western intelligence alliances. | Government instability can affect legal protections. | Yes (sao) | No |

Jurisdictions to be cautious about

| Country | Concern |
|---|---|
| United Kingdom | Investigatory Powers Act ("Snoopers' Charter") — providers can be compelled to retain data and assist with interception. Five Eyes member. |
| United States | Five Eyes member. NSA mass surveillance programs. National Security Letters can compel data disclosure with gag orders. |
| Australia | Five Eyes member. Mandatory data retention law. Assistance and Access Act can compel providers to build interception capabilities. |
| Canada | Five Eyes member. |
| New Zealand | Five Eyes member. |
| France | Mandatory 1-year metadata retention. |
| Sweden | Metadata retention in force. Fourteen Eyes member. |

What are the "Eyes" alliances?

These are intelligence-sharing agreements between countries. If your VPN is in a "Five Eyes" country, data could be shared with all five member nations.

  • Five Eyes: US, UK, Canada, Australia, New Zealand
  • Nine Eyes: Five Eyes + Denmark, France, Netherlands, Norway
  • Fourteen Eyes: Nine Eyes + Germany, Belgium, Italy, Sweden, Spain

Being in a Nine or Fourteen Eyes country is less concerning than Five Eyes — the data sharing is less comprehensive. The Netherlands, for example, is in the Nine Eyes but has some of the best privacy protections in practice.


Troubleshooting

"I can't SSH into my server"

Check the IP address: Make sure you're using the right IP. Log into your VPS provider's dashboard to confirm.

Exoscale users: Did you open port 22 in the security group? (See Step 4, Option B)

Check your SSH key: Run ssh -v root@YOUR_IP — the -v flag shows detailed connection info that can help identify the problem.

"Tailscale says 'not connected'"

Make sure the Tailscale service is running on your server:

sudo systemctl status tailscaled

If it's not running:

sudo systemctl start tailscaled
sudo tailscale up --advertise-exit-node

"Exit node doesn't appear in the list"

  1. Check that you approved the exit node in the Tailscale admin console
  2. Make sure the server is online: tailscale status (on the server)
  3. On your device, try toggling Tailscale off and on

"VPN is slow"

VPN will always add some latency because your traffic takes a longer path. Tips:

  • Choose a server geographically close to you for speed, or close to the content you're accessing
  • A server in Tokyo will be faster for accessing Japanese websites than a server in London
  • The cheapest VPS plans are fine for browsing and streaming — you don't need a powerful server

"Websites detect I'm using a VPN"

Some websites block known VPS IP ranges. This is a limitation of any VPN approach. Options:

  • Try a different VPS provider or location
  • Some providers offer "residential" IP addresses (more expensive)
  • This is less common with smaller providers like Exoscale

"My VPS was deleted/crashed"

VPS instances are disposable. If something goes wrong, just create a new one following this guide from Step 4. The whole process takes about 15 minutes. There's no data to lose — the VPS is just a relay point.


FAQ

Is this legal?

Using a VPN is legal in most countries including Australia, the US, the UK, and all EU countries. However, using a VPN to do something illegal doesn't make it legal. The VPN is a tool — like a car. Legal to drive, but not legal to use as a getaway vehicle.

Some countries restrict or ban VPN use: China, Russia, UAE, Turkey, Belarus, North Korea, Iraq, Oman. Do not set up VPN exit nodes in these countries, and be cautious about using a VPN while physically in these countries.

Is this truly private?

Nothing is perfect, but this is significantly better than a commercial VPN:

  • Your VPS provider can see that traffic flows through the server, but not the content of anything sent over HTTPS (that is encrypted end-to-end between your device and the website)
  • Your ISP can see that you're connected to Tailscale, but not what you're doing
  • No third party has access to your browsing history
  • You control the server — there are no logs unless you create them

Can I share my VPN with family/friends?

With Tailscale: Yes. Invite them to your Tailscale network and they can use the same exit nodes. Go to Tailscale admin → invite users.

With WireGuard: Yes. Generate additional client configs (additional key pairs) on your server and share them. Each person gets their own config file/QR code.
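
One way to generate those additional client configs, extending the single-client setup from the WireGuard fallback section (an added example, not part of the original guide). It assumes the guide's layout: /etc/wireguard/wg0.conf, the 10.66.66.0/24 subnet with the server at .1, and port 51820. The function names and the client-NAME.conf file name are this example's own.

```shell
#!/bin/sh
# Added example: add one more WireGuard client to the server built in this
# guide. Paths, subnet and port are the guide's; function names are not.

WG_DIR=${WG_DIR:-/etc/wireguard}

# Print the lowest unused address in 10.66.66.2-254, judged by the
# AllowedIPs lines already present in the server config passed as $1.
next_free_ip() {
    used=$(sed -n 's|^[ \t]*AllowedIPs[ \t]*=[ \t]*10\.66\.66\.\([0-9]*\)/32.*|\1|p' "$1")
    n=2
    while [ "$n" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qx "$n"; then
            printf '10.66.66.%s\n' "$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1   # every address is taken
}

# Print the [Peer] stanza for the server side. args: name pubkey ip
peer_block() {
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Print the client's config. args: client_privkey client_ip server_pubkey endpoint
client_config() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2/24
DNS = 1.1.1.1, 9.9.9.9

[Peer]
PublicKey = $3
Endpoint = $4:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Create keys, register the peer and write the client file. Run as root.
add_client() {   # args: client_name server_public_ip
    name=$1 endpoint=$2
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad client name" >&2; return 1 ;;
    esac
    umask 077    # new files readable by root only, as in the guide
    ip=$(next_free_ip "$WG_DIR/wg0.conf") || { echo "no free address" >&2; return 1; }
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    peer_block "$name" "$pub" "$ip" >> "$WG_DIR/wg0.conf"
    client_config "$priv" "$ip" "$(cat "$WG_DIR/server_public.key")" "$endpoint" \
        > "$WG_DIR/client-$name.conf"
    # Load the peer into the running interface without a restart.
    wg set wg0 peer "$pub" allowed-ips "$ip/32"
    echo "$WG_DIR/client-$name.conf"
}

# Usage on the VPS:  sudo sh add-client.sh add laptop YOUR_SERVER_IP
if [ "${1:-}" = "add" ]; then
    add_client "$2" "$3"
fi
```

Each person gets a separate key pair and address, so one client can later be removed from wg0.conf without affecting the others.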

How much bandwidth do I get?

Most VPS plans include 1-2 TB of monthly bandwidth. For typical browsing and streaming, you'll use a fraction of this. If you watch a lot of 4K video through the VPN, you might use more — check your VPS provider's dashboard.

Can I run other things on the same server?

Yes! Your VPN uses very few resources. You could also run a personal website, a DNS resolver (like Pi-hole for ad blocking), or other lightweight services on the same VPS.

What happens if the VPS goes down?

Your internet still works — it just goes directly through your ISP instead of through the VPN. Tailscale will show the exit node as unavailable, and your traffic will route normally. No action needed on your part.

Do I need to update/maintain anything?

Your VPS runs Ubuntu, which automatically installs security updates. Tailscale also auto-updates. You should check on your server every few months to make sure it's still running:

ssh root@YOUR_SERVER_IP
sudo apt update && sudo apt upgrade -y
tailscale status

How is this different from Tor?

Tor routes your traffic through three random relays run by volunteers. It's good for anonymity but very slow and many websites block it. A personal VPN is much faster and doesn't get blocked, but provides less anonymity (the VPS is rented in your name). For most people, a personal VPN is the better choice for daily use.


Cost summary

| Item | Cost | Notes |
|---|---|---|
| Tailscale | Free | Free for personal use, up to 100 devices |
| VPS (per location) | $3-5/month | Vultr $3.50-5, Exoscale ~$5, Hetzner ~$4 |
| Total for 1 country | ~$5/month | |
| Total for 3 countries | ~$15/month | e.g., Switzerland + Japan + Netherlands |
| Total for 5 countries | ~$25/month | Full global coverage |

Compare this to:

  • NordVPN: $13/month (and you don't own anything)
  • ExpressVPN: $13/month (and you don't own anything)
  • You: $5-25/month (and you own everything)

About

This guide was created by Mineracks — a Bitcoin infrastructure and self-hosting company based in Brisbane, Australia. We believe in owning your own infrastructure and not trusting third parties with your data.

The tools and MCPs used to automate this process are open source:


Last updated: April 2026