Self-Hosted VPN Solutions: Building Your Own VPN Infrastructure
Take control of your privacy with a dedicated VPN server in Switzerland.
March 16, 2026
by SwissLayer 10 min read

Commercial VPN services promise privacy, but the reality is more complex. When you route your internet traffic through a VPN provider, you're simply shifting trust from your ISP to another company—one that now sees all your browsing activity, handles your payment information, and operates under potentially opaque logging policies.

Building your own VPN infrastructure gives you complete control over your privacy, security, and data sovereignty. This guide covers everything you need to deploy a production-grade self-hosted VPN solution on Swiss infrastructure.

Why Self-Host Your VPN?

True privacy: No third-party seeing your traffic, no mysterious logging policies, no jurisdiction concerns. You control the entire infrastructure.

Performance: Dedicated bandwidth without sharing with thousands of other users. No artificial speed limits or throttling during peak hours.

Reliability: No surprise service shutdowns, no IP blocks from streaming services (you control your own IP addresses), no random disconnections.

Cost effectiveness: For $50-100/month, you get a dedicated server with unlimited bandwidth—cheaper than premium commercial VPNs if you have multiple users or devices.

Compliance: Host in Switzerland for FADP compliance. Keep all data within Swiss jurisdiction. No data shared with Five Eyes or other surveillance networks.

WireGuard vs OpenVPN: Choosing Your Protocol

WireGuard is the modern choice. Released in 2020, it's built with modern cryptography (Curve25519, ChaCha20, Poly1305), has a minimal codebase (4,000 lines vs OpenVPN's 100,000+), and delivers exceptional performance:

  • Speed: 1000+ Mbps throughput on typical hardware
  • Latency: Sub-1ms overhead
  • Battery life: 50% less CPU usage than OpenVPN on mobile devices
  • Simplicity: 10-line configuration files, automatic roaming between networks
  • Security: Formally verified cryptographic design, minimal attack surface

OpenVPN remains relevant for specific use cases:

  • Firewall evasion: Can disguise traffic as HTTPS (port 443/TCP)
  • Complex routing: Fine-grained routing policies, multi-hop configurations
  • Legacy compatibility: Works on older systems, more client software available
  • Enterprise features: RADIUS integration, multi-factor authentication, certificate-based auth

Recommendation: Start with WireGuard for personal use or small teams. Consider OpenVPN if you need TCP mode, complex routing, or integration with existing enterprise auth systems.

Setting Up WireGuard: Step-by-Step

1. Server installation (Ubuntu/Debian):

apt update && apt install wireguard -y
cd /etc/wireguard
umask 077
wg genkey | tee server-private.key | wg pubkey > server-public.key

2. Server configuration (/etc/wireguard/wg0.conf); replace [SERVER_PRIVATE_KEY] with the contents of server-private.key:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = [SERVER_PRIVATE_KEY]
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = [CLIENT_PUBLIC_KEY]
AllowedIPs = 10.0.0.2/32

3. Enable IP forwarding:

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

4. Start WireGuard:

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

5. Client configuration (generate the client keypair the same way with wg genkey and wg pubkey; its public key is the [CLIENT_PUBLIC_KEY] in the server's [Peer] section):

[Interface]
Address = 10.0.0.2/32
PrivateKey = [CLIENT_PRIVATE_KEY]
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = [SERVER_PUBLIC_KEY]
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Import this configuration into the WireGuard app (available for Windows, macOS, Linux, iOS, Android). Connection is instant—no authentication prompts, no "connecting" delays.

Setting Up OpenVPN: Traditional Approach

1. Install OpenVPN and Easy-RSA:

apt install openvpn easy-rsa -y
make-cadir ~/openvpn-ca
cd ~/openvpn-ca

2. Build certificate authority:

./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-dh
./easyrsa build-server-full server nopass
./easyrsa build-client-full client1 nopass

3. Server configuration (/etc/openvpn/server.conf). The ca, cert, key and dh paths below are relative to /etc/openvpn, so copy those files there from the Easy-RSA pki directory first:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun

4. Start OpenVPN:

systemctl enable openvpn@server
systemctl start openvpn@server

OpenVPN requires more configuration complexity but offers greater flexibility for enterprise deployments.

Security Hardening

Firewall configuration: Only allow VPN ports (51820/UDP for WireGuard, 1194/UDP or 443/TCP for OpenVPN). Block all other inbound traffic:

ufw default deny incoming
ufw default allow outgoing
ufw allow 51820/udp
ufw allow 22/tcp  # SSH - change default port!
ufw enable

Fail2ban protection: Prevent brute-force attacks on SSH and OpenVPN:

apt install fail2ban -y
systemctl enable fail2ban

Regular updates: Enable unattended security updates:

apt install unattended-upgrades -y
dpkg-reconfigure -plow unattended-upgrades

DNS leak prevention: Configure WireGuard/OpenVPN to push DNS servers to clients. Test for leaks at dnsleaktest.com after connecting.

Kill switch on clients: Enable "block untunneled traffic" in WireGuard client settings or use iptables rules to prevent data leaks if VPN disconnects.

Perfect Forward Secrecy: WireGuard provides this automatically. For OpenVPN, ensure you're using ephemeral Diffie-Hellman parameters (dh.pem).

Multi-User Management

WireGuard multi-user: Add peer sections for each user in wg0.conf:

[Peer]
PublicKey = [USER1_PUBLIC_KEY]
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = [USER2_PUBLIC_KEY]
AllowedIPs = 10.0.0.3/32

Reload configuration: systemctl reload wg-quick@wg0
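Before reloading a multi-user wg0.conf it pays to check the peer list mechanically. The following is an added example, not code from the original post or from SwissLayer: it parses a constructed wg0.conf in the shape shown above, flags AllowedIPs that overlap between peers or that would route all of the server's outbound traffic to one peer (0.0.0.0/0 belongs only in client configs), and picks the next free address for a new user. The sample keys are placeholders.

```python
import ipaddress

# Constructed sample in the shape of the wg0.conf above; the keys are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.1/24
[Peer]
PublicKey = USER1_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = USER2_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.3/32  # bob's laptop
"""

def parse_conf(text):
    # Return a list of (section name, {key: value}); '#' starts a comment, as in wg(8)
    sections = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            sections.append((line.strip("[]"), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def allowed_nets(peer):
    return [ipaddress.ip_network(c.strip(), strict=False) for c in peer.get("AllowedIPs", "").split(",") if c.strip()]

def audit(text):
    # Return the routing problems in a server-side config; an empty list means it is clean
    problems, seen_nets = [], []
    peers = [body for name, body in parse_conf(text) if name == "Peer"]
    for i, peer in enumerate(peers, 1):
        for net in allowed_nets(peer):
            if net.prefixlen == 0:  # on the server this routes all outbound traffic to one peer
                problems.append(f"peer {i}: {net} routes all server traffic to this peer")
                continue
            problems += [f"peer {i}: {net} overlaps peer {j}'s {other}"
                         for j, other in seen_nets if j != i and net.overlaps(other)]
            seen_nets.append((i, net))  # identical prefixes move to the later peer, else longest match wins
    return problems

def next_free_address(text):
    # Lowest unused host in the interface subnet for a new peer's AllowedIPs; None when nothing is free
    sections = parse_conf(text)
    server = ipaddress.ip_interface(dict(sections)["Interface"]["Address"])
    used = [net for name, body in sections if name == "Peer" for net in allowed_nets(body)]
    for host in server.network.hosts():
        if host != server.ip and not any(host in net for net in used):
            return f"{host}/32"
```

Run audit() on the live file before systemctl reload; a non-empty result is the moment to fix the config, not after the reload has silently re-routed a user.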

OpenVPN multi-user: Generate separate client certificates for each user:

./easyrsa build-client-full alice nopass
./easyrsa build-client-full bob nopass

User revocation: Revoke compromised certificates:

./easyrsa revoke alice
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/

Add to server.conf: crl-verify crl.pem

Performance Optimization

Server sizing: VPN performance is CPU-bound. For 10Gbps throughput, you need modern CPUs with AES-NI acceleration. WireGuard benefits significantly from multi-core processors.

MTU optimization: Set MTU to 1420 for WireGuard, 1400 for OpenVPN to avoid fragmentation:

[Interface]
MTU = 1420

Network tuning: Increase buffer sizes for high-bandwidth connections:

net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864

Monitoring: Track VPN bandwidth and connection status:

wg show  # WireGuard status
cat /var/log/openvpn/status.log  # OpenVPN status
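wg show wg0 dump prints the same status as wg show in a tab-separated form that is easier to feed to monitoring. The following is an added example, not code from the original post: it parses a constructed dump, classifies each peer by handshake age, and lists keys that were issued but never connected. The keys, endpoints and the fixed NOW clock are placeholders, and the 180-second window is an assumption based on WireGuard's roughly two-minute rekey interval.

```python
import time

# Constructed sample of `wg show wg0 dump` output (tab-separated, interface line first);
# keys and endpoints are placeholders, NOW is a fixed clock so the results are reproducible.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVATE_KEY_PLACEHOLDER", "SERVER_PUBLIC_KEY_PLACEHOLDER", "51820", "off"]),
    "\t".join(["ALICE_KEY_PLACEHOLDER", "(none)", "203.0.113.10:41000", "10.0.0.2/32",
               str(NOW - 45), "734003200", "52428800", "off"]),
    "\t".join(["BOB_KEY_PLACEHOLDER", "(none)", "198.51.100.7:51820", "10.0.0.3/32",
               str(NOW - 86400), "1048576", "4096", "25"]),
    "\t".join(["OLD_LAPTOP_KEY_PLACEHOLDER", "(none)", "(none)", "10.0.0.4/32",
               "0", "0", "0", "off"]),
])

HANDSHAKE_WINDOW = 180  # assumption: a peer with traffic re-handshakes at least every ~2 minutes

def parse_dump(text):
    """One dict per peer from `wg show <iface> dump` output; the first line describes the interface."""
    peers = []
    for line in text.splitlines()[1:]:
        key, _psk, endpoint, allowed, handshake, rx, tx, keepalive = line.split("\t")
        peers.append({"key": key, "endpoint": endpoint, "allowed_ips": allowed,
                      "handshake": int(handshake), "rx": int(rx), "tx": int(tx),
                      "keepalive": None if keepalive == "off" else int(keepalive)})
    return peers

def classify(peer, now):
    """'active': handshake inside the window; 'idle': connected before; 'never': key issued, never used."""
    if peer["handshake"] == 0:
        return "never"
    return "active" if now - peer["handshake"] <= HANDSHAKE_WINDOW else "idle"

def report(text, now=None):
    """Per-peer state, last endpoint and total traffic in MiB: the rows you would feed to monitoring."""
    now = int(time.time()) if now is None else now
    return [{"key": p["key"], "state": classify(p, now), "endpoint": p["endpoint"],
             "mib": round((p["rx"] + p["tx"]) / 2**20, 1)} for p in parse_dump(text)]

def unused_keys(text, now=None):
    """Keys that never completed a handshake: issued but unused, so remove them from wg0.conf."""
    return [row["key"] for row in report(text, now) if row["state"] == "never"]

if __name__ == "__main__":
    for row in report(SAMPLE_DUMP, now=NOW):
        print(f'{row["state"]:7} {row["mib"]:>8.1f} MiB  {row["endpoint"]:20} {row["key"]}')
```

On a real server replace SAMPLE_DUMP with the output of subprocess.run(["wg", "show", "wg0", "dump"]) and run it from cron; a peer that stays "idle" for weeks, or whose endpoint suddenly changes country, is worth a look.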

Advanced Features

Split tunneling: Route only specific traffic through VPN (e.g., corporate resources) while allowing direct internet access for streaming services:

[Peer]
AllowedIPs = 10.0.0.0/8, 192.168.0.0/16  # Internal networks only

Multi-hop VPN: Chain multiple VPN servers for enhanced privacy. Configure client to connect to VPN1, which forwards to VPN2.

Site-to-site VPN: Connect entire networks (office to office) using WireGuard:

[Peer]
PublicKey = [OFFICE2_PUBLIC_KEY]
AllowedIPs = 192.168.2.0/24
Endpoint = office2.example.com:51820

Dynamic DNS: Use services like DuckDNS or Cloudflare DDNS if your VPN server doesn't have a static IP address.

Why Swiss Hosting for VPN Infrastructure

Switzerland offers unique advantages for VPN hosting:

  • Strong privacy laws: FADP provides robust data protection. No mandatory data retention, no surveillance backdoors.
  • Neutral jurisdiction: Outside Five Eyes, Nine Eyes, Fourteen Eyes surveillance alliances. Swiss courts require significant evidence for data access.
  • Data sovereignty: Data never leaves Switzerland. Critical for GDPR compliance when serving EU customers.
  • Political stability: Long-term reliability. No risk of sudden government interference or service shutdowns.
  • Excellent connectivity: Switzerland has world-class internet infrastructure with low latency to all of Europe.

SwissLayer's dedicated servers in Zurich provide the ideal foundation for VPN hosting—10Gbps or 40Gbps unmetered bandwidth, full root access, and Swiss legal protection.

Troubleshooting Common Issues

Connection refused: Check firewall rules, verify VPN service is running, confirm correct endpoint address/port.

Slow speeds: Test server bandwidth independently. Check for packet loss. Verify MTU settings. Try different VPN ports (UDP vs TCP for OpenVPN).

DNS not working: Verify DNS servers in VPN configuration. Test with nslookup example.com while connected. Check for DNS leaks.

Intermittent disconnections: Enable PersistentKeepalive (WireGuard) or keepalive (OpenVPN). Check for NAT timeout issues.

Can't access local network: Adjust AllowedIPs to exclude local network ranges or use split tunneling.

Key Takeaways

  1. WireGuard first: Start with WireGuard unless you have specific requirements for OpenVPN
  2. Security basics: Firewall configuration, automatic updates, strong authentication
  3. Swiss hosting: FADP compliance, neutral jurisdiction, excellent connectivity
  4. Monitor performance: Track bandwidth usage, connection status, security logs
  5. Plan for scale: Design for growth—multi-user management, performance optimization

Self-hosting your VPN infrastructure on Swiss servers gives you true privacy, full control, and compliance with European data protection standards—without the trust issues inherent in commercial VPN services.

Ready to build your own VPN infrastructure? Explore SwissLayer dedicated servers with 10Gbps or 40Gbps unmetered bandwidth, Swiss legal protection, and full root access for complete control.