Self-host a no-log WireGuard VPN on a VPS

By the HushVPS team · Updated 2026 · 9 min read

The phrase "no logs" is the most repeated promise in the VPN industry, and the least verifiable. Every commercial provider prints it, a few pay for an audit that captures a single moment in time, and all of them ask you to take the rest on faith. There is a cleaner way to get the same protection without trusting anyone's marketing: run the endpoint yourself. A no logs WireGuard VPS turns the policy from a slogan you have to believe into a configuration you can read, because the machine is yours and the logging switch is in your hand. This guide walks the whole path at a high level — why self-hosting wins, how a WireGuard box goes together, how to keep it genuinely no-log, and how to build and manage it without tying the server to your name.

Why self-hosting beats a commercial "no-log" VPN

Most mainstream VPN apps already run WireGuard under the hood, so the difference between renting their exit and building your own is not the protocol or the speed. The difference is who holds the trust. When a company says it keeps no logs, you cannot inspect its servers, its hypervisor, its upstream provider, or the legal orders it may quietly be under. The claim lives entirely outside your control. When you own the box, that same claim collapses into something you can check line by line: WireGuard records nothing about connections or traffic content unless you explicitly configure something to do so.

There is a second, quieter advantage — the shape of the target. A popular VPN's exit IPs are famous. They are blocklisted, fingerprinted, and shared with thousands of strangers whose behaviour you cannot influence. Your own endpoint is an unremarkable server IP that only you use. That is worse for disappearing into a crowd and better for holding a stable, uncontested identity you fully own. Choosing between the two really means choosing what you are optimising for: crowd cover, or control. A self-hosted endpoint is squarely about control — of the exit, of the keys, and of the logs.

What you need before you start

The ingredients are modest. WireGuard is famously lightweight — a personal tunnel barely registers on CPU or RAM, and the real constraint is monthly bandwidth rather than compute. You need three things:

  • A VPS you fully control, with root access and a clean public IP. Our smallest no-logs WireGuard VPS plan is sized for exactly this — a single always-on tunnel for one person or a household.
  • A recent Linux install (Debian or Ubuntu LTS are the least surprising) with the kernel WireGuard module, which ships in every current kernel.
  • A client device — laptop, phone, or router — that will hold its own private key and connect back to the endpoint.

Nothing here requires a control panel, an installer script that phones home, or any pre-baked image. The point of self-hosting is that the stack is only what you put on it, so start from a plain OS and add exactly WireGuard and nothing more.

The high-level WireGuard setup

WireGuard's whole design philosophy is to be small enough to audit, and the setup reflects that. At a conceptual level, a working tunnel is four moves:

1. Generate a key pair on each side

Every peer — the server and each client — gets its own private key and a matching public key. The private key never leaves the device it belongs to. Generate the server's key on the server (or offline and copy only what you must), and generate each client's key on the client. WireGuard peers authenticate each other purely by public key, so there are no passwords, certificates, or accounts anywhere in the picture.

2. Write the server interface config

The server gets an interface — conventionally wg0 — with its private key, a listening UDP port, and an internal address for the tunnel subnet (something in a private range like 10.8.0.0/24). You then add one [Peer] block per client, each naming that client's public key and the tunnel address it is allowed to use. This allowed-IPs list is also the access-control list: a peer can only send traffic from the addresses you grant it.

3. Enable forwarding and a firewall rule for the exit

To make the box act as a VPN exit rather than just a private mesh, turn on IP forwarding in the kernel and add a NAT rule so tunnel traffic is masqueraded out of the server's public interface. This is the one place people trip up — without forwarding and NAT, clients connect but can't reach the internet. Keep the firewall tight otherwise: open only the WireGuard UDP port to the world and leave everything else closed.

4. Bring the interface up and point clients at it

Start the interface, confirm it survives a reboot by enabling it as a service, and hand each client a config that names the server's public key, its public IP and port, and an allowed-IPs of 0.0.0.0/0 if you want that client to route all its traffic through the tunnel. WireGuard's own quick-start documentation covers the exact commands; the shape above is what those commands add up to.

That is the entire mental model. There is no daemon zoo, no sprawling config, and — critically — nothing in the default setup that writes a record of who connected or where their packets went.

Keeping it genuinely no-log

Here is the part that makes the whole exercise worthwhile. WireGuard does not log connections or traffic by design — the wg tool shows you a live handshake timestamp and transfer counters for each peer, but that state lives in memory and is not written to disk as a history. So "no logs" on your own box is not something you switch on; it is the default, and your job is simply to avoid quietly undoing it. A few things to watch:

  • Skip the logging scripts. Plenty of setup tutorials add PostUp hooks that log peer activity or run connection accounting. If you want a true no-log endpoint, leave those out. Every line that records who connected is a line you would have to defend later.
  • Tame the system journal. The OS itself keeps logs — auth attempts, service restarts, DHCP. None of these are WireGuard traffic logs, but they are still a record. Trim journald's retention aggressively, or ship it to nowhere, so the box remembers as little as it can while staying operable.
  • Encrypt the disk. A no-log policy is only as strong as what a seized or snapshotted disk would reveal. Full-disk encryption means that even the operational layer beneath your VPS sees ciphertext, not your keys or config.
  • Do not log DNS. If you run a resolver on the box for tunnel clients, make sure it is not keeping query logs. DNS history is often the most revealing record of all, and it is easy to leave on by accident.

The reason this is trustworthy where a commercial promise is not comes down to incentives and inspectability. There is no marketing department, no shareholder pressure, and no third party between you and the exit who could change the policy without telling you. The no-log posture is a property of a machine you administer, not a claim you outsourced. It builds on the same platform-level minimisation behind our no-logs VPS approach — extended to a workload where you, not the host, own the switch.

Managing the box over Tor

A no-log VPN loses much of its value if the way you build and manage it links the server back to you. The tunnel might be clean, but if you ordered the VPS with a real name, paid with a card, and SSH into it from your home IP, the metadata around the box tells the story the tunnel was meant to hide. Closing that gap is straightforward:

  • Provision anonymously. Reach the order flow over Tor, leave identifying fields blank, and pay in Monero so no name or card is ever attached to the machine. If nothing is collected at signup, there is nothing to correlate later. This is the whole premise behind an anonymous VPS.
  • Administer through an onion. Bind SSH to a Tor onion service and reach the box that way, so the management path never exposes a home IP to the server's provider or to a network observer. The Tor Project documents onion services in depth; the practical effect is that administration leaves no direct IP-to-IP trail.
  • Keep the data plane fast. WireGuard itself is a UDP tunnel and is not meant to run over Tor — that would wreck its speed. The trick is to split the planes: WireGuard on its normal UDP port for daily traffic, and the control plane (SSH, any panel access) riding Tor. You get quick everyday performance and a management path that reveals nothing.

Done this way, both ends of the trust problem are closed. The provider never learns who you are, the network never sees you administer the box, and the endpoint keeps no record of what flowed through it. That is a genuinely no-log VPN, and every link in the chain is one you can inspect.

Where a VPN endpoint leads next

Once you have a machine you fully control, the tunnel is rarely the only thing living on it. The same box tends to become your private front door to everything else — a jump host, a way to reach services at home, or the entry point for a larger stack you would rather nobody else could read. If that is the direction you are heading, our guide to running a private self-hosting VPS picks up right where this one ends, on infrastructure that keeps the same no-log, no-KYC posture. A WireGuard endpoint is a great first service precisely because it teaches the habits — own the keys, own the logs, keep the metadata clean — that make everything else you host private too.

A closing note on scope: privacy is not the same as lawlessness. HushVPS is offshore-legal and data-minimising, and running a personal or small-group VPN for yourself, your household, or a few trusted people is squarely within our acceptable-use policy. Using a tunnel to launder attack traffic, distribute malware, or harm others is not. Build the endpoint you were always allowed to have — one where the no-log promise is yours to keep.

Ready to build one?

Deploy a no-logs WireGuard VPS, paid in Monero

No name, no card, no KYC — order over Tor and hold the only admin key. WireGuard is featherweight, so even the smallest ghost runs a personal tunnel with room to spare.

Get a WireGuard VPS

Keep reading: what a no-logs VPS actually retains · how anonymous ordering works · plans and pricing