Running a VPN or proxy service on someone else's shared VPS means your encryption throughput, your available IP reputation, and your available bandwidth are all at the mercy of whatever else is running on that physical host. For a personal VPN this is a minor annoyance; for a business running a commercial VPN service, a corporate remote-access gateway, or a proxy fleet for web scraping or ad verification, it is a direct hit to reliability and performance. A dedicated server gives you the entire machine's CPU (which matters far more than most people expect for encryption throughput), a clean IP with no shared-tenant reputation baggage, and full control over routing and firewall rules. This guide covers the real technical specifics — protocol choice, port numbers, CPU sizing for encryption workloads, and IP allocation strategy.

VPN Protocol Choice: WireGuard vs OpenVPN vs IPsec

Protocol choice affects both throughput and CPU load more than almost any other configuration decision.

ProtocolDefault PortEncryptionThroughputCPU Efficiency
WireGuardUDP 51820 (configurable)ChaCha20-Poly1305, Curve25519Near line-rate on modern CPUs; consistently the fastest of the three in real-world benchmarksExcellent — kernel-space implementation (Linux 5.6+) with a minimal codebase
OpenVPNUDP 1194 (TCP 443 common for firewall traversal)AES-256-GCM (with AES-NI hardware acceleration) or ChaCha20Good, but meaningfully slower than WireGuard at high connection counts due to userspace TLS overheadModerate — benefits heavily from AES-NI CPU instruction support
IPsec/IKEv2UDP 500 and UDP 4500 (NAT-T)AES-256-GCM typicalStrong, native OS client support on most platforms (Windows, macOS, iOS built-in)Good with AES-NI; more complex to configure correctly than the other two

For new deployments in 2026, WireGuard is the default recommendation for most use cases — its smaller codebase, kernel-space implementation, and consistently higher throughput-per-CPU-cycle make it the most efficient choice for both personal and commercial VPN infrastructure. OpenVPN remains relevant where TCP-443 firewall traversal (making VPN traffic look like ordinary HTTPS) is a hard requirement, since WireGuard is UDP-only by design.

Why CPU Matters More Than You'd Expect for VPN Throughput

Every packet passing through a VPN tunnel is encrypted and decrypted in real time — this is a genuinely CPU-intensive operation at high throughput, and it is the most commonly underestimated sizing factor for self-hosted VPN infrastructure.

AES-NI and Hardware Acceleration

Modern server CPUs (virtually all current Intel Xeon and AMD EPYC chips) include AES-NI instructions that accelerate AES encryption dramatically compared to software-only AES. Confirm AES-NI support with grep aes /proc/cpuinfo — its absence turns AES-based encryption (OpenVPN's default, IPsec) into a real CPU bottleneck at anything beyond modest throughput.

Single-Core vs Multi-Core Throughput

WireGuard's kernel implementation and OpenVPN's single-tunnel handling are both largely single-threaded per tunnel, meaning raw single-core clock speed matters as much as core count for a single high-throughput connection. For many concurrent lower-throughput connections (a commercial VPN service with hundreds of simultaneous users), core count matters more since the kernel can distribute separate tunnels across cores.

Sizing a Dedicated Server for VPN/Proxy Workloads

Use CaseCPURAMNetworkEst. Monthly Cost
Personal/small team VPN, up to 10 concurrent users2-4 core4-8 GB1 Gbps$25-$60
Small business remote-access gateway, 10-100 concurrent users4-8 core8-16 GB1 Gbps, unmetered preferred$65-$130
Commercial VPN service or proxy fleet, 500-5,000+ concurrent connections8-16 core, prioritize per-core clock speed16-32 GB10 Gbps, high sustained throughput$180-$400 per node
Large-scale residential/datacenter proxy pool, high connection churn16-32 core across multiple nodes32-64 GB per nodeMultiple 10 Gbps uplinks, multiple IP blocks$450+ per node

As a throughput rule of thumb: a modern 4-core server with AES-NI running WireGuard can sustain several gigabits per second of encrypted throughput on a 10 Gbps port, while the same workload on OpenVPN with AES-256-GCM typically tops out meaningfully lower per core due to userspace protocol overhead — budget roughly 30-50% more CPU headroom if OpenVPN compatibility is a hard requirement for your client base.

IP Allocation Strategy

How you provision IP addresses depends heavily on the VPN/proxy use case:

  • Single dedicated IP — sufficient for a personal VPN or small remote-access gateway where all users share one exit IP.
  • IP block (e.g., a /29 or /28) — needed for a commercial VPN service offering multiple exit locations/identities from one physical server, or for load-balancing outbound connections across several IPs to avoid single-IP rate limiting on destination sites.
  • Clean IP reputation matters disproportionately for proxy use cases — an IP previously used for spam or abuse (common on recycled cloud IP ranges) gets blocked by destination sites regardless of your server's actual configuration; a genuinely dedicated IP with clean history is worth paying for versus a bargain IP with unknown history.

Setting Up a VPN Server: Step by Step (WireGuard Example)

1. Install WireGuard

On a current Linux distribution (Ubuntu 24.04, Debian 12), WireGuard ships in-kernel; install the userspace tools with apt install wireguard.

2. Generate Keys

Generate a private/public keypair for the server and for each client with wg genkey | tee privatekey | wg pubkey > publickey — WireGuard uses Curve25519 keypairs rather than a certificate authority, which meaningfully simplifies setup compared to OpenVPN's PKI.

3. Configure the Server Interface

Create /etc/wireguard/wg0.conf defining the server's private key, listening port (default UDP 51820, but changeable), and internal tunnel subnet (commonly a 10.x.x.x/24 range), then add a [Peer] block per client with their public key and allowed IP range.

4. Enable IP Forwarding and NAT

Set net.ipv4.ip_forward=1 in /etc/sysctl.conf and configure iptables/nftables NAT masquerade rules so tunnel traffic can route out through the server's public interface to the internet.

5. Open the Firewall Port

Allow inbound UDP on your chosen WireGuard port (and, if also running OpenVPN in parallel for compatibility, UDP 1194 and/or TCP 443) while keeping all other ports closed by default.

6. Distribute Client Configs and Test

Generate a client config or QR code (for mobile WireGuard apps) per user, and verify throughput and DNS leak behavior from a client before rolling out broadly.

Monitoring a VPN/Proxy Dedicated Server

Because VPN and proxy infrastructure is invisible to users until it fails, proactive monitoring matters more here than on most other workloads — a slow web app is annoying, but a VPN that silently drops a fraction of connections erodes trust in the entire service.

MetricWhy It MattersWarning Threshold
CPU utilization during peak concurrent connectionsDirectly predicts encryption throughput ceilingSustained above 75-80% during normal peak hours
Connection-tracking table usageExhaustion causes new connections to be silently droppedAbove 80% of nf_conntrack_max
Per-tunnel throughput vs historical baselineA sudden drop often indicates a routing, MTU, or upstream ISP issue rather than a server problemMore than 20-30% below typical baseline for a sustained period
Packet loss on the WAN interfaceUDP-based protocols like WireGuard degrade gracefully but noticeably under packet lossAbove 0.5-1% sustained

MTU and Fragmentation Issues

VPN tunnels add encapsulation overhead that reduces the effective MTU available to tunneled traffic; a common and often misdiagnosed VPN performance problem is path MTU mismatches causing fragmentation or silent packet drops. WireGuard's default MTU (typically 1420) is usually safe, but double-check when tunneling over networks with additional encapsulation layers (e.g., a VPN running inside another provider network) where the effective path MTU may be lower still.

Proxy Server Considerations (Beyond VPN)

Proxy workloads (HTTP/HTTPS/SOCKS5 proxies, commonly built on Squid, 3proxy, or Dante) have different sizing characteristics than tunnel-based VPNs:

  • Connection count matters more than raw encryption throughput — a proxy fleet used for web scraping or automated browsing may need to sustain thousands of short-lived concurrent connections rather than a handful of high-bandwidth long-lived tunnels; size RAM for connection-table overhead, not just bandwidth.
  • Rotating proxy setups need multiple IPs and a rotation layer — typically a reverse proxy or load balancer in front of multiple outbound IPs, cycling the exit IP per request or per session according to the use case's requirements.
  • Rate limiting and abuse prevention — a dedicated server hosting a proxy service should implement per-client rate limits to prevent one abusive user from getting the shared exit IP(s) blocklisted for every other user.
  • Authentication method affects both security and performance — IP-based whitelisting is the lowest-overhead authentication method for a proxy service, while username/password authentication (common for reseller or public-facing proxy products) adds a small but real per-connection overhead worth accounting for at high connection-churn scale.

Squid vs 3proxy vs Dante for Self-Hosted Proxy Servers

SoftwareProtocol SupportBest Fit
SquidHTTP/HTTPS proxying, extensive ACL and caching featuresCorporate web-filtering gateways, caching forward proxies
3proxyHTTP, SOCKS4/5, FTP proxying in a lightweight single binarySimple multi-protocol proxy needs with minimal resource footprint
DanteSOCKS4/5 specificallyPure SOCKS proxy deployments, common for application-level traffic routing

Multi-Tenant VPN Sizing for Commercial Services

Building a commercial VPN product rather than an internal remote-access gateway changes the sizing calculus substantially, because you are now planning for peak concurrent connections across an unpredictable user base rather than a known internal headcount.

Connection Density Per Node

Node TierRealistic Concurrent User CeilingAssumptions
8-core / 16 GB, 1 Gbps port800-1,500 concurrent WireGuard usersTypical mixed web-browsing bandwidth profile per user, not sustained high-bitrate streaming from every user simultaneously
16-core / 32 GB, 10 Gbps port4,000-8,000 concurrent WireGuard usersAssumes AES-NI-capable CPU and kernel WireGuard, not userspace fallback implementations
Same hardware running OpenVPN insteadRoughly 40-60% of the WireGuard concurrent-user ceilingUserspace TLS overhead per connection reduces the practical ceiling versus WireGuard's kernel implementation

These figures assume typical usage where most users are not simultaneously saturating their full allocated bandwidth — a service where every user streams 4K video concurrently needs meaningfully more network headroom than one serving typical mixed browsing traffic.

Load Balancing Across Multiple VPN Nodes

Past a single node's comfortable capacity, distribute users across multiple dedicated servers using either client-side server selection (common in commercial VPN apps, where the client picks from a list of location/load-balanced endpoints) or a DNS round-robin/anycast approach for a single entry hostname. Each node should be sized and monitored independently, since encryption throughput bottlenecks are per-node, not cluster-wide.

Logging Policy and Its Infrastructure Implications

A genuine no-logs policy is not just a legal/privacy commitment — it has real infrastructure implications for how you configure the dedicated server itself.

  • Disable connection logging at the daemon level — WireGuard itself keeps minimal state by design, but surrounding infrastructure (firewall connection logs, NAT logs) should be explicitly configured to avoid retaining per-user connection metadata beyond what is operationally necessary for abuse mitigation.
  • RAM-disk or ephemeral logging for operational debugging — where some short-term logging is genuinely needed for troubleshooting, writing it to a RAM-backed tmpfs that clears on reboot avoids persistent storage of connection metadata.
  • Centralized log aggregation carries its own exposure — if you do centralize logs for abuse detection, ensure the aggregation pipeline itself is scoped down to the minimum data needed and is not simply forwarding full connection-level detail indefinitely.

IPv6 and Kill-Switch Considerations

IPv6 Leak Risk

A commonly overlooked VPN misconfiguration: if the server or client supports IPv6 but the VPN tunnel only routes IPv4 traffic, IPv6-capable destinations can be reached directly outside the tunnel, leaking the client's real IP. Either fully support IPv6 inside the tunnel or explicitly disable IPv6 at the client OS level while connected.

Kill-Switch Behavior

A proper kill-switch blocks all outbound traffic if the VPN tunnel drops unexpectedly, rather than silently falling back to the client's normal internet connection. This is typically implemented client-side via firewall rules that only permit traffic through the tunnel interface, but server-side documentation and default client configs should make this behavior clear and, ideally, on by default for a commercial service.

Common VPN/Proxy Server Issues

  • Throughput far below the server's advertised network speed — almost always a CPU encryption bottleneck rather than a network limitation; check CPU utilization during a throughput test before assuming the network port is underperforming.
  • Connections dropping under high concurrent user count — check ulimit -n (open file descriptor limits) and kernel connection-tracking table size (net.netfilter.nf_conntrack_max), both of which default too low for high-concurrency VPN/proxy workloads.
  • DNS leaks despite VPN being connected — verify client configuration pushes the VPN's DNS servers and blocks fallback to the client's original DNS resolver.
  • IP getting blocklisted by destination services — often a shared-IP reputation problem inherited from a previous tenant on cloud/budget hosting; a genuinely dedicated, previously-unused IP avoids this class of problem entirely.
  • OpenVPN significantly slower than expected — verify AES-NI is actually being used (check OpenVPN's startup log for cipher negotiation) and that the chosen cipher isn't an unnecessarily heavy option for your throughput needs.
  • IPv6 traffic bypassing the tunnel — confirm the tunnel handles IPv6 end-to-end or disable IPv6 on clients while connected, since a partial-IPv6 setup is a common and hard-to-notice leak vector.
  • Connection-tracking table exhaustion on a busy proxy node — raise nf_conntrack_max well above default (often 4-8x the default is reasonable for a busy proxy server) and monitor current table usage against the ceiling.

VPN/Proxy Dedicated Server Buyer's Checklist

  • Does the CPU support AES-NI, and is per-core clock speed competitive (not just core count) for single-tunnel throughput?
  • Can you get a clean, previously-unused dedicated IP or IP block rather than a recycled range with unknown reputation?
  • Is bandwidth genuinely unmetered, or will sustained high-throughput VPN traffic trigger overage billing?
  • Does the provider allow the specific UDP/TCP ports your protocol needs (51820 for WireGuard, 1194/443 for OpenVPN, 500/4500 for IPsec) without restriction?
  • Is the network uplink 10 Gbps capable if you are running a commercial-scale VPN or proxy service?
  • Does the provider's acceptable use policy actually permit VPN/proxy hosting at your intended scale and use case?

Frequently Asked Questions

Is WireGuard or OpenVPN better for a self-hosted VPN?

WireGuard is the better default for most 2026 deployments — higher throughput per CPU cycle, simpler configuration, and a much smaller, more auditable codebase. OpenVPN remains relevant specifically when TCP-443 firewall traversal (disguising VPN traffic as HTTPS) is required, since WireGuard is UDP-only.

How many concurrent VPN users can a dedicated server support?

A mid-tier 8-core server with AES-NI and a 1 Gbps port comfortably supports several hundred concurrent WireGuard users at typical personal-use bandwidth per user; commercial-scale services supporting thousands of concurrent users need a 10 Gbps port and correspondingly higher CPU core counts.

Do I need a dedicated IP for a VPN server?

Yes, in almost all cases — a shared or recycled IP carries reputation risk from previous tenants (blocklisting, geo-restriction flags) that directly undermines the reliability of a VPN service, whose entire purpose is providing a trustworthy, unblocked exit point.

Can I run both a VPN and a proxy service on the same dedicated server?

Yes, as long as CPU and network capacity are sized for the combined load — the two workloads have different bottlenecks (encryption throughput vs connection-count overhead), so size for whichever is the larger driver of resource usage in your specific mix.

Why is my OpenVPN throughput so much lower than my server's network speed?

OpenVPN's userspace TLS-based architecture carries meaningfully more per-packet CPU overhead than WireGuard's kernel implementation; the gap widens further if AES-NI is unavailable or a heavier-than-necessary cipher is configured. Switching to WireGuard where client compatibility allows is usually the single biggest throughput fix.

What network ports do I need to open for common VPN protocols?

WireGuard defaults to UDP 51820, OpenVPN commonly uses UDP 1194 (or TCP 443 for firewall-traversal configurations), and IPsec/IKEv2 requires both UDP 500 and UDP 4500 for NAT traversal — all configurable, but these are the conventional defaults most clients expect.

Is self-hosting a VPN actually legal and within a provider's acceptable use policy?

Running your own personal or business VPN is standard, legitimate infrastructure use and is supported by WebsNP's dedicated server plans; large-scale commercial proxy operations should confirm specific use-case details with the provider's acceptable use policy before deployment, since abuse-prevention terms vary by provider.

How many concurrent users can one dedicated server support for a commercial VPN service?

A 16-core server with a 10 Gbps port and AES-NI-capable CPU running kernel WireGuard can realistically support several thousand concurrent users under typical mixed-browsing bandwidth profiles; the same hardware running OpenVPN instead supports meaningfully fewer concurrent connections due to its higher per-connection CPU overhead.

Does a genuine no-logs policy require special server configuration?

Yes — beyond a written policy, it requires actively disabling persistent connection and NAT logging at the daemon and firewall level, ideally routing any operationally necessary short-term logs to RAM-backed storage that clears on reboot rather than persistent disk.

What is the difference between a VPN and a proxy for my use case?

A VPN tunnels and encrypts all of a device's traffic at the network layer, while a proxy typically operates at the application layer (HTTP/SOCKS5) and is often used selectively for specific traffic like browser requests or scraping jobs; proxies are generally lighter-weight per connection but provide less comprehensive traffic protection than a full VPN tunnel.

Does adding more RAM help VPN or proxy throughput?

Only indirectly — RAM mostly matters for holding connection-tracking tables and buffers at high concurrent connection counts, not for the encryption/decryption work itself, which is CPU-bound. A server hitting throughput ceilings with spare RAM but maxed-out CPU needs a faster or additional CPU, not more memory.

What causes intermittent VPN disconnects that seem to happen randomly?

Check for MTU/fragmentation mismatches along the network path first, followed by connection-tracking table exhaustion under peak concurrent load and any upstream ISP-level UDP throttling, which some networks apply to unrecognized high-volume UDP traffic patterns that resemble VPN tunnels.

VPN and proxy infrastructure lives or dies on CPU encryption throughput and IP reputation — both of which a shared VPS structurally compromises. WebsNP's dedicated server plans pair AES-NI-capable CPUs with genuinely dedicated IP addresses for exactly this workload — contact our team to size hardware and IP allocation for your expected concurrent connection count.