Your own VPN — encrypted tunnel, no third party in the line
Your own encrypted tunnel on a German server (WireGuard) — no provider reading your traffic. Three modes: single devices, two locations linked, or all internet traffic routed through your server. From €190 setup + €5–15/month, or as an add-on to your server package.
Why not a commercial VPN?
Because you hit the same problem there as with US clouds: you don’t know what the provider does with your metadata. A VPN provider sees everything flowing through the tunnel — even with a “no-logs” promise. Several big providers have been sold to ad conglomerates in recent years — exactly the kind of company a VPN is supposed to protect you from.
Your own VPN = no third party in the line. You know what gets logged (nothing, because you configured it) and who owns the server (you, in Germany).
What WireGuard is
WireGuard is the modern VPN standard: fast (significantly faster than OpenVPN), lean (around 4,000 lines of code versus 100,000), in the Linux kernel, with up-to-date elliptic-curve cryptography.
I use WireGuard myself on all my devices — smartphone, laptop, home router, workshop server permanently connected through the same tunnel. What I set up for you is my daily working environment.
Three scope variants
Road-warrior (field work / home office)
Your staff member is on hotel Wi-Fi, in a café, on a train — the laptop automatically brings up a tunnel to the company VPN. Access to internal servers, Nextcloud, Matrix, printers just like on site. No port forwards on the office router needed.
Site-to-site (connecting two locations)
Two offices, both look like one network. Useful for a second site, a warehouse, a workshop, a home server connected to the law firm. Configured at router level (OPNsense, MikroTik, UniFi) — no client on endpoint devices needed.
Full-tunnel (all internet traffic through your own server)
Your entire browsing traffic routes through your server in Germany before it hits the internet. Protection on public Wi-Fi, a stable IP footprint, no Wi-Fi operator tracking. Plus geo-consistency while travelling — your banking access from abroad looks like it’s from Germany.
Three packages
Solo — 1 user, up to 3 devices
- 1 user, up to 3 devices (laptop, phone, tablet)
- Scope: road-warrior or full-tunnel
- Setup, configs, QR codes, docs
Setup €190 + €5/month hosting (small Hetzner VPS including a small margin over my cost) — or €0/month extra if you already have a workshop server, since the VPN runs alongside it.
Team — up to 10 devices
- 2-10 users/devices
- Scope: road-warrior + optional full-tunnel per user
- Optional: AdGuard DNS filter (ads, trackers, malware domains)
- Staff onboarding instructions
Setup €390 + €9/month — or €3/month on top of an existing workshop server.
Site — site-to-site + road-warrior
- Two locations connected + up to 15 staff devices
- Router configuration included (OPNsense / MikroTik / UniFi)
- Optional failover config to a second endpoint
- Monitoring with alerts
Setup €690 + €15/month — or €6/month on top of an existing workshop server.
Complement to the cloud-exit
A VPN protects the transport layer — the part between your device and the server. Combined with a cloud-exit stack (Nextcloud, Immich, own mailserver) this yields an end-to-end architecture where your data neither sits on US servers nor travels visibly through foreign networks. A sensible combination for law firms, medical practices and therapy offices.
What’s not included
- Anonymisation against law enforcement — WireGuard on your own server does not hide anything from formal government requests. For that, use Tor or a multi-hop service like Mullvad — a different goal.
- Streaming geo-unblocking as a main purpose — often works, but Netflix/Prime blocks are a cat-and-mouse game I cannot guarantee.
- Enterprise WAN with MPLS/IPsec redundancy — different scope, I can refer you.
My own stack as reference
Smartphone, laptop, home router — all permanently in the tunnel to my workshop server. Reason: I don’t want every café Wi-Fi and every hotel provider to know which services I contact and when. The same setup is what I offer you.
Includes
- WireGuard server on your workshop server or a dedicated Hetzner VPS (Germany)
- Client configs for all devices: Windows, macOS, iOS, Android, Linux — with QR codes for mobile
- Scope of your choice: road-warrior (staff → office net), site-to-site (two locations), full-tunnel (all traffic through your own VPN)
- Optional: AdGuard DNS filter integrated — ads, trackers and malware domains blocked across all devices
- Kill-switch configuration on mobile (leak protection on tunnel drop)
- Docs: key rotation, adding a new client, fault diagnosis, handover runbook
- Optional: health monitoring with alerts on tunnel outage