VPS or commercial VPN? Self-host WireGuard or AmneziaWG on your own server
A €4-per-month Linux server gets you a private VPN with a clean, dedicated IP and exactly one user — you. The trade-off: you're responsible for keeping it patched, and one VPS only sits in one country. Here's an honest comparison versus subscribing to NordVPN or Mullvad, and how to set it up so it works on Apple TV through WG Connect.
The choice
Most people who think about this end up in one of three camps. Self-hosting on a VPS gives you a private box you fully control, with a single IP that won't be shared with thousands of strangers. A commercial VPN like Mullvad or NordVPN gives you a global server fleet and engineering effort spent on staying unblocked, but you're trusting their no-logs claim. A home-hosted server (Raspberry Pi, NAS, or router) is the strictest option for privacy but only useful when you're traveling and want to reach back home.
This guide is about the first option: a VPS rented from a hosting provider, running WireGuard or AmneziaWG, with WG Connect as the Apple TV client.
Honest comparison
| Self-hosted VPS | Commercial VPN | |
|---|---|---|
| Cost | €3–6/mo, no commitment | €3–5/mo with 2-yr commitment, €10+ monthly |
| IP shared with | Just you | Hundreds to thousands of users |
| Logging | Whatever you configure (none, by default) | "No-logs" — verified by audit at the better providers |
| Crowd anonymity | Low — IP traces to your rental | High — you blend with other users |
| Streaming unblocking | Hit or miss; datacenter IP ranges get flagged | Active engineering against detection |
| Country variety | One per VPS | Dozens to hundreds, one click to switch |
| Censorship bypass | Strong with AmneziaWG | Varies — some support obfuscation, many don't |
| Maintenance | You patch the OS, monitor uptime | None — provider handles it |
| Time to set up | 15–30 min first time | Sign up, install client |
What you need for a self-hosted server
- A VPS. Any Linux instance with KVM virtualization will do. Hetzner Cloud (CX11/CX22), DigitalOcean Droplet, Contabo VPS S, AWS Lightsail, and Vultr are all common picks. Aim for at least 1 GB RAM and a generous bandwidth allowance — VPN traffic counts.
- Ubuntu 22.04 / 24.04 or Debian 12. Newer kernels include WireGuard out of the box. AmneziaWG installs cleanly via its DKMS package on these distributions.
- A public IPv4 address (most VPS plans include one). UDP port 51820 needs to be open — usually it is by default, but check the provider's firewall.
- SSH access. Comfort with the command line helps but the popular installer scripts handle most of the work for you.
Path A — Plain WireGuard
The simplest setup, recommended unless you specifically need to evade DPI-based blocking. Two equally good ways:
Manual install
- SSH in:
ssh root@your-vps-ip - Install:
apt update && apt install -y wireguard - Generate keys for the server and one client peer (the Apple TV)
- Create
/etc/wireguard/wg0.confwith the server's private key, listen port 51820, and the client's public key as a [Peer] - Enable IP forwarding:
sysctl -w net.ipv4.ip_forward=1 - Start it:
systemctl enable --now wg-quick@wg0 - Export the matching client
.conffor the Apple TV
Or use an installer
If you'd rather not hand-edit configs, an open-source installer like angristan/wireguard-install does the whole setup as one shell script and gives you a peer config you can copy off the server. wg-easy goes further — a Docker container with a web UI for adding and revoking clients.
Path B — AmneziaWG (when networks block plain WireGuard)
AmneziaWG is a fork of WireGuard with the same encryption (ChaCha20-Poly1305) but reshaped packets to defeat deep packet inspection. Same speed, plus traffic that DPI systems can't fingerprint as a VPN. Use it when:
- You're in or visiting a country that blocks WireGuard at the protocol level
- The hotel or campus network drops UDP-based VPNs
- The local ISP throttles or blocks VPN traffic
Easiest: AmneziaVPN client
The official AmneziaVPN desktop or mobile app has a "Self-hosted" mode. Point it at your VPS (IP, root login, SSH key), pick AmneziaWG as the protocol, and the app installs everything on the server over SSH for you. Works on a fresh Ubuntu/Debian VPS in a few minutes. Then export the .conf file and import it into WG Connect on Apple TV.
Manual: amneziawg-go or kernel module
Two flavors of the server are available:
- Kernel module (DKMS): faster, requires KVM-virtualized VPS and a kernel that supports DKMS. Most cheap VPS plans qualify.
- Userspace (
amneziawg-go): slower by a few percent, runs anywhere — including OpenVZ and LXC containers where you can't load kernel modules. Worth knowing if your provider doesn't offer KVM at the price you want.
Repos and instructions live at the Amnezia VPN GitHub organization.
Importing into WG Connect
WG Connect treats your self-hosted profile exactly like a commercial one. There's no toggle, no expert mode.
- Export the client
.conffrom your server (or copy it from your computer if the installer saved it there) - On Apple TV: Add Profile → Upload from Phone
- Scan the QR code with your phone, drag the
.confin, and the Apple TV picks it up over the local network - Connect — WG Connect detects whether it's plain WireGuard or AmneziaWG (1.0 / 2.0) and shows the active protocol on the profile detail screen
You can keep multiple profiles — say, one self-hosted in Germany and one Mullvad profile for streaming — and switch in two clicks from the home screen.
The trade-offs nobody mentions in the marketing
- Datacenter IP detection. Streaming services maintain ASN block-lists. Your fresh Hetzner or Contabo IP may unblock Netflix today and stop working next month. Commercial VPNs employ entire teams to rotate IPs faster than the streamers detect them. As a one-VPS operation, you can't.
- Single point of failure. Your VPS goes down, your VPN goes down. There's no failover to "another server in Germany." Snapshot it and have a recovery plan, or accept the occasional outage.
- One country. You can spin up a second VPS in another country, but each one costs another €3–6/mo. This is where commercial VPN value adds up if you actually want country variety.
- You are the IP. When the IP receives a copyright notice, it's addressed to you. When a website abuse-bans the IP, it's your tunnel that's banned. Many people prefer this — less ambiguity than sharing an IP with thousands. Some don't.
- Patching is on you. Unattended security updates handle most of it on Ubuntu, but you should check on the box every few weeks.
apt update && apt upgradeis the minimum.
When self-hosting is the right call
- You want a fixed, low monthly cost without the dark-pattern auto-renew of consumer VPNs
- You're skeptical of "no-logs" claims by default and want trust in your own hands
- You need a stable, reusable IP — for accessing self-hosted services, allowlisting, or geo-pinning
- You want to bypass DPI-based VPN blocking with AmneziaWG and don't want to pay for a commercial provider that may or may not support it
- The VPS doubles as something else — a personal website, a backup target, a small game server
When a commercial VPN wins
- You want global server choice and one-click country switching
- Streaming-service unblocking is a primary use case
- You don't want to think about Linux at all
- You travel a lot and want IPs you can share-the-blame with thousands of others
Many WG Connect users keep both: one cheap VPS for everyday traffic and trust, plus a commercial WireGuard profile (Mullvad, IVPN, AzireVPN) for the times country variety actually matters.
The realistic monthly math
A €4/mo VPS plus €0/mo for one Apple TV one-time purchase of WG Connect is your baseline. Add a commercial VPN profile (€5/mo Mullvad) only when you actually need it — Mullvad lets you cancel any month. Total: €4–9/mo with full flexibility, no annual commitment, and a clean IP that's only used by your devices.
Frequently asked questions
Is self-hosting a VPN cheaper than NordVPN or Mullvad?
Roughly. A small VPS at Hetzner, Contabo, or DigitalOcean runs €3–€6 per month. Mullvad is a flat €5 per month. NordVPN and Surfshark are around $3–$4 per month if you commit to two years upfront, $12+ per month otherwise. Self-hosting gives you a fixed price with no commitment and no upsell, but you absorb the maintenance time yourself.
Is self-hosting more private than a commercial VPN?
It depends what you mean by privacy. Self-hosting guarantees nobody else logs your traffic — you do (or don't). But you're the only user on that IP, so the IP traces directly back to your VPS rental. Commercial VPNs hide you in a crowd of thousands per IP. Self-host wins for anti-logging trust; shared commercial wins for crowd-anonymity.
Does AmneziaWG need KVM virtualization?
Only if you install the Linux kernel module. The userspace daemon amneziawg-go works on OpenVZ and LXC containers too, with a small performance cost. KVM is the safer default — most cheap VPS providers offer it.
Can I stream Netflix or BBC iPlayer through my self-hosted VPN?
Sometimes, often less reliably than a commercial VPN. Streaming services maintain block-lists of known datacenter IP ranges. A fresh VPS IP from a small provider may work for a while, but if the service classifies the ASN as a datacenter, you're blocked. Commercial VPNs spend significant engineering effort rotating IPs to stay ahead of these blocks; you can't really compete with that on one VPS.
Will WG Connect work with a self-hosted server?
Yes. WG Connect treats every WireGuard or AmneziaWG profile the same — there's no distinction between commercial and self-hosted. Export the .conf file from your server, import it once, and the Apple TV connects.
What's a sensible VPS spec for one Apple TV?
1 GB RAM, 1 vCPU, and at least 1–2 TB of bandwidth per month. WireGuard itself is light — you'll be limited by your home upload speed long before the VPS struggles. Hetzner CX22, DigitalOcean's $4 Droplet, and Contabo's smallest VPS S all fit.