VPS for VPN Hosting: Self-Hosted vs Commercial

A self-hosted VPN provides a private network tunnel from the user's devices to a server the user controls. Traffic between the user and the VPN server is encrypted. Traffic from the VPN server to the broader internet is unencrypted from the VPS provider's perspective — the provider can see what IP addresses the server connects to, and may log this depending on their data retention practices. The VPS provider's data is also subject to legal process in their jurisdiction.

The legitimate reasons to self-host a VPN are different from the reasons to use a commercial VPN for privacy. Self-hosted VPN is appropriate for: accessing resources on a private network remotely, encrypting traffic on untrusted networks (public WiFi) to a trusted server, providing a static IP address for services that require IP allowlisting, and giving family members or team members secure remote access to shared resources. It is not a privacy tool in the same sense that Mullvad or a similarly positioned commercial VPN is.

Compute requirements for a personal or small-team VPN are minimal. WireGuard — the modern, high-performance VPN protocol — runs on a single vCPU and handles personal and small-team traffic without measurable CPU load. OpenVPN is more CPU-intensive per connection but still well within the capacity of any entry-level VPS. For a VPN serving a handful of users, the smallest available plan from any provider is more than adequate.

Bandwidth is the meaningful variable. A VPN routes all user traffic through the server — every streaming video, every web request, every download. A user watching 4K video generates 15-25Mbps of sustained traffic. A family sharing a VPN with multiple simultaneous users can saturate a server's network allocation quickly. Checking the provider's monthly bandwidth allocation and overage pricing before provisioning for a bandwidth-intensive use case prevents bill surprises.

KVM virtualization is required. WireGuard and OpenVPN both need kernel modules that container-based VPS (OpenVZ) restricts or blocks. Any provider running OpenVZ will be incompatible. Most modern cloud providers run KVM; budget providers using OpenVZ are the common failure case here.

A VPS IP address used as a VPN exit node will be identified as a data center IP by most services that check for VPN usage — Netflix, streaming platforms, financial services, some corporate firewalls. Commercial VPN providers rotate IPs and invest in maintaining residential-looking address pools. A static VPS IP becomes a known data center address quickly. For use cases that require appearing as a residential user, self-hosted VPS-based VPN doesn't work.

Commercial VPNs with strong no-log policies — Mullvad and ProtonVPN are the most credibly audited — provide a privacy posture that self-hosted VPS cannot replicate. The commercial provider has an infrastructure optimized for privacy, a business incentive to not retain logs, audited policies, and IP address pools that rotate across many users. The trade-off is trusting the commercial provider rather than the VPS provider. For privacy-focused use cases, this trade typically favors the commercial VPN.

Self-hosted VPN provides infrastructure control, fixed cost, and flexibility for use cases that commercial providers don't serve: private network access, team VPN with custom routing, VPN-as-a-gateway to specific internal resources. For these use cases, commercial VPNs aren't alternatives — they serve different purposes. The decision between self-hosted and commercial VPN depends on what problem is actually being solved.