
Self-hosted VPN: when it makes sense, when it doesn't

Three honest tests before you choose to operate the infrastructure yourself.

The case for self-hosting is straightforward: you keep full control of the infrastructure, the keys, the logs (or absence of them). Nothing leaves your perimeter. For an organisation with a compliance posture that mandates this, self-hosting isn't a choice — it's a requirement.

For everyone else, self-hosting is a project. There are three questions worth asking before you commit.

First: who watches the boxes at 3am? A VPN node is internet-facing infrastructure. It needs OS patches, certificate rotation, monitoring, incident response. If your team doesn't already operate similar infrastructure, you're inheriting an on-call rotation. The "self" in self-host stops being abstract on the night a node falls over and traffic stops flowing.

Second: what do you actually want — control or dedication? Many people who say "I want self-hosted" actually want a node that isn't shared with strangers, and that's a different product. Personal server gives you a dedicated node, in a country you choose, with QPOL operating the platform underneath. You don't run the box; you do get a clean outbound IP that's yours alone for the voucher's lifetime. If your reason for self-hosting is "shared IPs are flagged" or "I want a stable egress", Personal server is the simpler answer.

Third: do you want the protocol or just a tunnel? Self-hosting QPOL means running FROST/1 on your own infrastructure, with the same anti-DPI properties the public service has. If "any tunnel will do" is good enough, off-the-shelf WireGuard or OpenVPN is a much smaller commitment to set up. If the anti-DPI behaviour is specifically what you need, that is where self-hosting FROST/1 differentiates itself.

Self-hosting fits well for: media organisations with hostile-network correspondents, NGOs operating across borders, R&D teams whose data must not leave their own perimeter. It fits poorly for individuals who want "more privacy" without a clear threat model, or for teams that haven't operated comparable infrastructure before.

If you're between Personal server and self-host, talk to us before committing. Most teams that initially ask for self-host end up better served by Personal server with a clear country and a dedicated outbound. The conversation usually saves a quarter of work.