I paid for NordVPN for two years. Then Mullvad for one. Then I realized I was paying a monthly subscription to route my traffic through someone else's server, with zero control over what they log, and a client app that insisted on updating itself at the worst possible time.

WireGuard changed everything. It's a VPN protocol, not a service. There's no app store, no upsell, no affiliate link. You run it on your own VPS and you own the entire pipe.

[Image: WireGuard network setup] My actual WireGuard config running. Nothing fancy, just works.

Why WireGuard, Not OpenVPN

OpenVPN works. I ran it for years. But the config is absurd (have you seen a .ovpn file?), the handshake is slow, and the kernel module situation on modern Ubuntu is always a minor crisis.

WireGuard is 4000 lines of code. OpenVPN is 100,000. That alone should tell you something.

WireGuard lives in the Linux kernel. No userspace daemon churning CPU. No TLS handshake that takes 3 seconds. Connections establish in milliseconds because the key exchange happens once, then it's just UDP packets.

Here are the practical differences (from someone who ran both):

- OpenVPN: 2-3 second handshake, WireGuard: ~50ms

- OpenVPN: TCP or UDP with heavyweight TLS, WireGuard: UDP only, ChaCha20-Poly1305

- OpenVPN: complicated cert management, WireGuard: one public/private key pair per peer

- OpenVPN: kernel module + userspace daemon, WireGuard: kernel module only

Set Up WireGuard in 5 Minutes

This is on Ubuntu 24.04. If you're on something else, adjust the apt commands.

sudo apt update && sudo apt install wireguard

# Generate keys (umask 077 so the private key file is not created world-readable)
umask 077
wg genkey | tee /tmp/privatekey | wg pubkey > /tmp/publickey

# Server config
sudo nano /etc/wireguard/wg0.conf

Here is the server config:

[Interface]
PrivateKey = <your-server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
# eth0 is the server's public interface; check with `ip route show default`.
# Forwarding also needs net.ipv4.ip_forward=1 (sysctl), or MASQUERADE has nothing to forward.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32
[Image: Server configuration] The entire server config. That's it. No 200-line OpenVPN horror show.

Client Config

On your laptop/phone/whatever, install WireGuard and create a client config:

[Interface]
PrivateKey = <your-client-private-key>
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = your.server.ip:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

AllowedIPs = 0.0.0.0/0 means all traffic goes through the VPN. If you only want specific subnets, change it to 10.0.0.0/24 or whatever you need.

PersistentKeepalive is critical if your client is behind NAT. Without it, the connection dies after a few minutes of silence and never comes back.
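The format is small enough that the mistakes are always the same ones: a placeholder key left in, two peers claiming the same AllowedIPs (WireGuard hands the address to whichever peer was configured last, without complaint), a server-side peer given 0.0.0.0/0, or a NAT client with no PersistentKeepalive. The linter below is an added example, not part of this post or of WireGuard itself; the function names, the `role` labels and the embedded sample config are constructed for illustration.

```python
import ipaddress
import re

KEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")  # a WireGuard key is 32 bytes -> 44 base64 chars

def parse_wg_conf(text):
    """Parse WireGuard's INI-like config into (interface_dict, [peer_dict, ...])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers

def lint_wg_conf(text, role):
    """Return a list of findings; role is 'server' or 'client' (labels chosen for this example)."""
    interface, peers = parse_wg_conf(text)
    findings = []
    if not KEY_RE.fullmatch(interface.get("PrivateKey", "")):
        findings.append("Interface.PrivateKey is not a 44-char base64 key (placeholder still in?)")
    claimed = []                                      # (peer index, network) seen so far
    for i, peer in enumerate(peers, 1):
        if not KEY_RE.fullmatch(peer.get("PublicKey", "")):
            findings.append(f"peer {i}: PublicKey is not a valid key")
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
        if not nets:
            findings.append(f"peer {i}: no AllowedIPs, so nothing is ever routed to it")
        for net in nets:
            if role == "server" and net.prefixlen == 0:
                findings.append(f"peer {i}: AllowedIPs {net} on a server sends all unmatched traffic to this one peer")
            for j, other in claimed:
                if j != i and net.overlaps(other):
                    findings.append(f"peer {i}: AllowedIPs {net} overlaps peer {j}'s {other}; the last one configured wins silently")
            claimed.append((i, net))
        if role == "client" and "Endpoint" in peer and "PersistentKeepalive" not in peer:
            findings.append(f"peer {i}: Endpoint set but no PersistentKeepalive; behind NAT the tunnel goes silent")
    return findings

FAKE_KEY = "A" * 43 + "="                             # constructed, syntactically valid key
SAMPLE_SERVER = (                                     # constructed server config with two mistakes
    f"[Interface]\nPrivateKey = {FAKE_KEY}\nAddress = 10.0.0.1/24\nListenPort = 51820\n"
    f"[Peer]\nPublicKey = {FAKE_KEY}\nAllowedIPs = 10.0.0.2/32\n"
    f"[Peer]\nPublicKey = {FAKE_KEY}\nAllowedIPs = 10.0.0.2/32, 0.0.0.0/0\n"
)
```

Run it with `lint_wg_conf(open("/etc/wireguard/wg0.conf").read(), "server")` before `wg-quick up`; on the sample it reports the duplicate 10.0.0.2/32 and the 0.0.0.0/0 peer.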

Fire It Up

# On the server
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

# Check status
sudo wg show

wg show is the only monitoring tool you need. It shows you handshake time, transfer bytes, and connected peers. No web dashboard, no Grafana. Just one command.

Add Your Phone

The WireGuard app on iOS and Android is excellent. Generate a new key pair for the phone, add a new [Peer] section on the server with a new AllowedIPs, scan the QR code from the app. Done.

# Generate QR code for phone client (needs the qrencode package: sudo apt install qrencode)
qrencode -t ansiutf8 < phone.conf

[Image: WireGuard on mobile] Yes, the mobile app actually works. No weird permission requests either.

What This Actually Costs

A Linode 512MB Nanode is $5/month. That handles WireGuard for me and 3 other people without breaking a sweat. Plus you get a server you can run other stuff on.

Compare that to NordVPN at $13/month or Mullvad at EUR 5/month, where you get... nothing except their VPN.

If you already have a VPS (and you should), WireGuard is free. Zero additional cost.

What You Lose

I am not going to pretend self-hosting a VPN is for everyone. You lose:

- Multi-hop routing (you get one exit point)

- Obfuscation (your WireGuard traffic looks like WireGuard, not HTTPS)

- Split tunneling (it's manual: AllowedIPs, not a toggle)

- Someone to blame when it goes down

If you need to bypass the Great Firewall or your ISP blocks VPN traffic, a commercial VPN with obfuscation makes sense. For everything else, self-hosted WireGuard is the better option.

Key Rotation (Do This)

Generate new keys every few months. It's two commands. There's no excuse.

# New keys (umask 077 keeps the new private key readable only by you)
umask 077
wg genkey | tee /tmp/new_priv | wg pubkey > /tmp/new_pub

# Update server config with new peer public key
# Update client config with new private key
# Note: restarting the interface briefly drops every peer, not just the one you rotated
sudo wg-quick down wg0 && sudo wg-quick up wg0

I have a cron job that reminds me every 90 days. Takes 2 minutes. Do it.

Four years of running WireGuard now. Zero crashes. Zero mysterious disconnections that take 30 seconds to recover. Zero app updates that break DNS resolution. Just UDP packets going from point A to point B, encrypted, fast, and mine.

If you have a VPS sitting somewhere, you have no excuse to keep paying for a commercial VPN :)