
Hosted vs Self-Hosted VPNs

Most of the advice about VPNs can be overly dramatic.

On the one hand, there are people who believe that every commercial VPN is tracking your every move for ad data. On the other hand, there are people who think that paying for a polished app solves every privacy problem you may have. Neither version is especially useful when you are in a coffee shop or an airport, connected to public Wi-Fi.

A self-hosted VPN gives you control over its every aspect, while a commercially hosted VPN gives you convenience. The option that makes sense for you depends on what you are actually trying to do.

Broadly, there are three different tasks one would expect a VPN to handle:

  • Protect traffic on untrusted networks
  • Make your connection appear to come from somewhere else
  • Give you secure access back into your own machines or home network

To pick between the two, you need to be clear about your use case.

Self-hosting a VPN gives you control and responsibility

You self-host a VPN by installing VPN software (such as OpenVPN) on a server you control. It can be a droplet from DigitalOcean, a VPS from Hetzner, or a Raspberry Pi sitting on your desk. Tools like WireGuard and Algo have made this job a lot easier than it was five years ago.

The most appealing aspect of self-hosting is trust. You decide the configuration and the software to run. It is your responsibility to store the keys securely, pick the DNS to use, and handle updates, uptime, and optionally any DNS filtering or ad-blocking. If you like being in control, and these terms do not make you uncomfortable, this is probably your kind of setup.
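Owning the configuration also means owning its gaps. As an added example (not part of the original article), the script below parses a WireGuard wg-quick client profile and flags settings that let traffic bypass the tunnel on an untrusted network. The keys, the endpoint vpn.example.net and the tunnel-side resolver 10.8.0.1 are placeholders.

```python
import ipaddress

# Constructed sample wg-quick client profile; keys and endpoint are placeholders.
WEAK_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/32, fd00:8::2/128

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0
"""
# Corrected variant: tunnel-side resolver (assumed at 10.8.0.1) and IPv6 routed too.
FIXED_CONF = (WEAK_CONF.replace("Address =", "DNS = 10.8.0.1\nAddress =")
              .replace("0.0.0.0/0", "0.0.0.0/0, ::/0"))

def parse_wg_conf(text):
    """Parse wg-quick INI text into [(section, {key: [values]})]; [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            items = [v.strip() for v in value.split(",") if v.strip()]
            sections[-1][1].setdefault(key.lower(), []).extend(items)
    return sections

def audit_full_tunnel(text):
    """Return leak findings for a profile meant to protect all traffic."""
    sections = parse_wg_conf(text)
    iface = next((kv for name, kv in sections if name == "interface"), {})
    routed = [ipaddress.ip_network(net, strict=False)
              for name, kv in sections if name == "peer"
              for net in kv.get("allowedips", [])]
    default_v4 = any(n.version == 4 and n.prefixlen == 0 for n in routed)
    default_v6 = any(n.version == 6 and n.prefixlen == 0 for n in routed)
    findings = []
    if not default_v4:
        findings.append("split-tunnel: IPv4 default route is not in AllowedIPs")
    if not default_v6:
        findings.append("ipv6-leak: ::/0 is not in AllowedIPs")
    if not iface.get("dns"):
        findings.append("dns-leak: no DNS set, the local network's resolver stays in use")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_full_tunnel(conf))
```

A split-tunnel finding is expected when the profile exists only to reach your own network; it matters when the goal is protecting all traffic on public Wi-Fi.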

You can consider self-hosting when your goal is to securely access your own stuff remotely. This may include your NAS, a staging box, or your home network.

Before taking this route, you should also be aware of the downsides of self-hosting.

1. Trust in the external hosting service: If you host your VPN server on a cloud platform such as DigitalOcean, Hetzner, AWS, etc., you are shifting trust to your cloud hosting provider. Your ISP can no longer see the contents of your traffic between you and the VPN endpoint, which is good. The coffee shop router cannot inspect that traffic either, also good. But the company hosting your server still sees that the server exists and that you pay for it, so in a cloud setup it remains part of your threat model.

2. Self-hosting does not provide location flexibility: Your VPN server exists where you put it. Build it in Frankfurt and you now look like you are in Frankfurt, every time, until you build another server somewhere else. This is not the best option when you want to change between different countries for testing, streaming, or travel.

3. Self-hosting makes you the sysadmin: You will need to handle updates, firewall rules, SSH key management, etc. If something breaks while you're away, there is no one else to fix it for you.

4. Local self-hosting is cheap but cloud hosting is costly: A basic VPS usually costs $4–$6 a month. If you have your own hardware, the recurring cost becomes almost negligible. But you also need to be aware of bandwidth costs, and of less obvious ones like backups and monitoring. On top of that, you also pay with your time to keep everything running smoothly.

Hosted VPN services give you convenience at a cost

For most people, a hosted VPN is the right choice.

You get an easy-to-use app for a small monthly fee. Just download it, pick a server, and connect. If something breaks, there is at least somebody else to blame.

This is also where self-hosting usually loses. A standard hosted service comes with servers in dozens of countries, many exit nodes, kill switches, DNS leak protection, etc.

The biggest downside of hosted VPN services is trust.

When you use a commercially hosted VPN, you're routing everything through a single company's servers. You cannot independently verify their "no-logs" policy, and have to take their word for it.

One of the better examples here is Mullvad's 2023 search-warrant case, where Swedish police left the company's offices empty-handed because nothing was stored on its servers.

Before picking a hosted VPN service, you should do a bit of research. You should check for things like independent audits, a solid technical track record, and how a particular service has handled real-world incidents.

You should avoid using free VPN services, as they may secretly log and sell your data.

Here's a side-by-side comparison of popular hosted VPN providers.

| Provider | Best for | Pricing snapshot | Jurisdiction | Notes |
|---|---|---|---|---|
| Mullvad | Privacy-first users | Flat €5/month | Sweden | Best privacy posture, least marketing fluff |
| Proton VPN | Transparency plus a usable free tier | Free tier plus paid plans | Switzerland | Best balance of trust, polish, and features |
| NordVPN | Mainstream use and streaming | Discounted long-term plans | Panama | Fast and polished, but the 2018 incident still belongs in the trust story |
| ExpressVPN | Premium ease of use | Usually premium-priced | British Virgin Islands | Strong product, but ownership baggage matters if that matters to you |
| Surfshark | Value and lots of devices | Aggressive long-term pricing | Netherlands | Good family or multi-device pick |

Comparing different VPN protocols

Every VPN uses an underlying protocol that takes care of encryption and tunneling. You can usually ignore it, until your connection gets slow, blocked, or unstable.

Below we briefly discuss some popular VPN protocols:

  1. WireGuard is the right default for most people. It is fast, uses modern cryptography, and has been part of the Linux kernel since 2020. The main limitation is that it runs over UDP, so restrictive networks can block it easily.

  2. OpenVPN is slower, but it can run over TCP on port 443, making it look like regular web traffic. That makes it the better choice behind strict corporate firewalls or restrictive guest networks. It's not the fastest option, but it works in situations where WireGuard doesn't.

  3. IKEv2/IPsec handles network switching well. If your phone moves between Wi-Fi and mobile data, it tends to hold the connection more reliably than the others. The downside is that it's easier for networks to detect and block.

WireGuard vs. OpenVPN vs. IKEv2

| Protocol | Speed | Firewall bypass | Mobile stability | Best use case |
|---|---|---|---|---|
| WireGuard | Fastest | Moderate | Good | Default choice for most people |
| OpenVPN | Moderate | Excellent over TCP 443 | Decent | Restrictive hotel, airport, or corporate networks |
| IKEv2/IPsec | Fast | Limited | Excellent | Phones switching between Wi-Fi and cellular |

WireGuard is a good starting point. If it gets blocked, you should fall back to OpenVPN over TCP 443. On a phone, where connection stability matters more than bypassing restrictions, IKEv2 is worth considering.

Warning: You should avoid using outdated protocols such as PPTP and L2TP/IPsec. PPTP is highly insecure due to numerous, well-documented cryptographic vulnerabilities, offering virtually no protection. Similarly, L2TP's security is unreliable unless the accompanying IPsec configuration is absolutely perfect.

When a full VPN is overkill

People often start using a VPN when their use case is much simpler. If you want a way to access your own machines remotely, setting up a full VPN is often more than you need.

Tailscale and ZeroTier are two popular tools that handle this use case really well. They create a private network between your devices with almost no setup. These tools tend to just work, even on tricky networks.

If you're running a small homelab and mainly need SSH, or access to an internal dashboard, it is worth trying this option.

If you don't mind managing a dedicated box, you can also look at PiVPN. It sits somewhere in between a full self-hosted setup and an overlay network.

Hosted VPNs vs Self-Hosted VPNs vs Overlay Networks

Here's a quick comparison of the three approaches.

| Feature | Self-hosted VPN | Hosted VPN service | Overlay network |
|---|---|---|---|
| Control | Highest | Limited to provider features | High for device-to-device access |
| Setup effort | Highest | Lowest | Usually low |
| Location flexibility | Limited to where you deploy | Broad server choice | Not really the point |
| Best for | Secure access to your own network | Public Wi-Fi, travel, and geo-shifting | Reaching your own machines |
| Ongoing maintenance | Yours | Mostly the provider's | Usually light |
| Main trust tradeoff | Your hosting and your own ops discipline | The VPN company and its claims | The overlay vendor plus your own device security |

Conclusion

There isn't a single right answer when choosing between a self-hosted VPN and a commercial one. It mostly comes down to what you're trying to do and how much responsibility you’re willing to take on.

If you're concerned about keeping your online activities private when using public networks, or if you want to access your own devices securely, hosting your own server can be a good idea. This way, you have complete control over how everything is set up. However, there's a catch - you'll be responsible for making sure everything runs smoothly, which includes doing updates, keeping the server running all the time, making backups, and managing security keys. All these tasks need your time and attention, so it's not a decision to be taken lightly. You have to weigh the benefits of having control and security against the hassle of managing it all yourself.

If you just want to make it look like you're browsing from somewhere else, a commercial VPN is probably the way to go. You just pay for it, install the app, choose a server, and that's it. It's not as flexible as some other options, but it's really easy to use and gets the job done.

So the real question is: do you want control, or convenience?

A few practical pointers:

  • Start with a simple threat model. Who are you trying to protect against, and what actually matters?
  • Go with self-hosting if you want to minimize third-party trust, or if accessing your own network is the priority.
  • For a hassle-free experience with easy location switching and minimal setup, consider using a commercial provider. It's often the best way to get up and running quickly.
  • You may combine both options to get the best of both worlds. For private access, you may use your own setup, but when you need to access different regions, you can switch to a paid VPN.