A VPS in a tier-III facility can host a VPN for team or site-to-site access. WireGuard is simpler and faster; OpenVPN is widely supported. Harden the server and use key-based auth; consider a dedicated IP.
WireGuard vs OpenVPN
- WireGuard: Modern, minimal config, fast. Good default for new deployments. Built into many kernels. Fewer options but easier to maintain.
- OpenVPN: Mature, many options (TCP/UDP, tun/tap). Wide client support. Heavier config; good when you need specific features or compatibility.
Hosting the VPN
- VPS: Enough for a small team or a few site-to-site links. Tier-III DC gives power and network reliability. Choose a region close to users or the other site.
- Dedicated IP: Helps if you need to whitelist the VPN endpoint in firewalls or if the provider does not allow certain outbound traffic from shared IPs.
- Ports: WireGuard usually uses UDP (e.g. 51820); OpenVPN often UDP 1194 or TCP 443. Open firewall and (if needed) provider security group for the chosen port.
Security
- Key-based auth: Both use cryptographic keys; no password auth by default. Keep private keys secure; rotate if compromised.
- Harden server: Minimal install; firewall (only VPN and SSH); disable root login; updates. VPN server is a high-value target so lock it down.
- Split tunnel vs full: Decide whether only certain traffic goes through the VPN (split) or all traffic (full). Split is common for access to internal resources only.
Summary
Run WireGuard or OpenVPN on a VPS in a reliable DC. Use key-based auth and harden the server. Choose region and dedicated IP as needed.
