If you’re in a rural area trying to self-host services — a VPN endpoint, a game server, a website, or a remote monitoring platform — you’ve probably hit the same wall I did: no static IP from your ISP. Most rural ISPs use CGNAT or dynamic IPs, which means you can’t reliably point the internet at your home network.
The solution? A cheap cloud VPS that acts as your public-facing front door. I use UpCloud, a European cloud provider with US data centers that consistently beats AWS and DigitalOcean on price-to-performance. Here’s how to set one up and route traffic back to your home lab.
Why UpCloud?
I’ve tried most of the major VPS providers. Here’s why UpCloud wins for this use case:
- MaxIOPS storage — Their custom storage tier is genuinely fast. Not “fast for the price” fast, just fast.
- Simple pricing — $5/month gets you 1 vCPU, 1GB RAM, 10GB storage, and 1TB transfer. No surprise bandwidth bills.
- US data centers — Chicago and New York, with sub-20ms latency from most of the central US.
- API-first — Everything you can do in the UI, you can do via API. Great for automation.
- Hourly billing — Spin up a server for testing, tear it down when you’re done, pay pennies.
Step 1: Create Your Account and Server
Sign up at upcloud.com. Once you’re in:
- Click Deploy Server
- Choose your data center (I use Chicago for central US)
- Pick Ubuntu 24.04 LTS — it’s stable and has the longest support window
- Select the $5/month plan (1 vCPU, 1GB RAM, 10GB MaxIOPS)
- Add your SSH key (strongly recommended over password auth)
- Deploy
Your server will be up in about 45 seconds. Seriously. UpCloud’s provisioning is impressively fast.
Step 2: Initial Server Hardening
SSH into your new server and lock it down:
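ssh root@your-server-ip
# Update everything
apt update && apt upgrade -y
# Create a non-root user
adduser deploy
usermod -aG sudo deploy
# Copy SSH keys to new user (sshd ignores keys whose files are too widely readable)
mkdir -p /home/deploy/.ssh
cp ~/.ssh/authorized_keys /home/deploy/.ssh/
chown -R deploy:deploy /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
chmod 600 /home/deploy/.ssh/authorized_keys
# Disable root SSH and password auth (match the line whether or not it is commented out, whatever its current value)
sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Check syntax and the effective values (files in /etc/ssh/sshd_config.d/ can override the main file)
sshd -t && sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication) '
# The service unit is named ssh on Ubuntu
systemctl restart ssh
# Before closing this session, confirm from a second terminal that ssh deploy@your-server-ip works
# Set up basic firewall
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable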
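An added example (not part of the original post): a sed substitution changes nothing when the line in sshd_config is worded differently from its pattern, so this checks the effective settings that `sshd -T` reports. The function name `audit_sshd` and both sample inputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: verify the effective sshd settings instead of trusting sed.
# audit_sshd reads `sshd -T` output (lowercase "keyword value" lines) on stdin,
# prints one FAIL line per weak or missing setting, and exits 1 if any.
audit_sshd() {
  awk '
    BEGIN {
      want["permitrootlogin"]        = "no"
      want["passwordauthentication"] = "no"
      want["pubkeyauthentication"]   = "yes"
    }
    ($1 in want) {
      seen[$1] = 1
      if ($2 != want[$1]) { printf "FAIL %s=%s (want %s)\n", $1, $2, want[$1]; bad = 1 }
    }
    END {
      for (k in want) if (!(k in seen)) { printf "FAIL %s not reported\n", k; bad = 1 }
      exit bad
    }'
}

# Constructed sample: root login by key still allowed, passwords still on.
SAMPLE_BEFORE='permitrootlogin without-password
passwordauthentication yes
pubkeyauthentication yes'

# Constructed sample: the result the hardening step is aiming for.
SAMPLE_AFTER='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# On the server (as root): sshd -T | audit_sshd
if [ "${1:-}" = "--live" ]; then sshd -T | audit_sshd; fi
```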
Step 3: Set Up WireGuard Tunnel
This is the magic piece. WireGuard creates an encrypted tunnel between your VPS and your home network. Traffic hits the VPS’s public IP, travels through the tunnel, and arrives at your home server — bypassing CGNAT entirely.
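# Install WireGuard on both machines
apt install wireguard
# On the VPS: open the WireGuard listen port (the ufw rules from Step 2 block it otherwise)
ufw allow 51820/udp
# On the VPS — generate keys (umask 077 keeps the private key readable by root only)
umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
# On your home server — generate keys
umask 077
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey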
Create the VPS config at /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = (VPS private key)
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = (Home server public key)
AllowedIPs = 10.0.0.2/32, 192.168.0.0/16
Create the home server config:
[Interface]
PrivateKey = (Home private key)
Address = 10.0.0.2/24
[Peer]
PublicKey = (VPS public key)
Endpoint = your-vps-ip:51820
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25
The PersistentKeepalive is crucial — it keeps the tunnel alive through your home router’s NAT. Without it, the tunnel dies after a few minutes of inactivity.
# Start WireGuard on both machines
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
# Verify the tunnel
ping 10.0.0.2 # From VPS, should reach home server
Step 4: Forward Traffic Through the Tunnel
Now set up iptables on your VPS to forward incoming traffic to your home server via the WireGuard tunnel:
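# Enable IP forwarding
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
# Forward port 443 (HTTPS) to home server (eth0 is assumed to be the VPS's public interface; check with ip -br addr)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
# ufw drops forwarded packets by default, so allow this flow explicitly
ufw route allow in on eth0 out on wg0 to 10.0.0.2 port 443 proto tcp
# Save rules (read apt's prompt first: if it lists ufw for removal, decline and load the two iptables rules from PostUp lines in wg0.conf instead)
apt install iptables-persistent
netfilter-persistent save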
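Now any HTTPS traffic hitting your VPS gets forwarded through WireGuard to your home server. Add more PREROUTING rules for any other ports you need. Because of the MASQUERADE rule, your home server sees every forwarded connection as coming from 10.0.0.1, so its logs and any IP-based rate limiting will not show the real client address.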
Step 5: Point Your Domain
Create DNS records pointing to your VPS’s public IP:
yourdomain.com A → VPS-IP
*.yourdomain.com A → VPS-IP
The wildcard record lets you add subdomains later without touching DNS again.
Cost Breakdown
Here’s what this setup costs monthly:
- UpCloud VPS: $5/month
- Domain name: ~$1/month (amortized)
- SSL certs: Free (Let’s Encrypt)
- WireGuard: Free (open source)
- Total: ~$6/month
Compare that to a static IP from most rural ISPs ($15-30/month extra, if they even offer it) and you’re saving money while getting a more flexible setup.
What Can You Host?
With this setup running, you can self-host basically anything:
- Home Assistant — Control your smart home from anywhere
- Plex / Jellyfin — Stream your media library remotely
- Matrix / Mattermost — Private team chat
- Nextcloud — Your own cloud storage
- Git repositories — Self-hosted Gitea or GitLab
- Network monitoring — Grafana dashboards for your infrastructure
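The VPS handles the public-facing networking while your actual hardware stays behind your home firewall, with no inbound ports opened on your home router. Every port you forward is still reachable from the internet through the VPS, so keep those services patched and behind authentication.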
Pro Tips
- Monitor the tunnel: WireGuard is rock-solid, but set up a simple cron job that pings through the tunnel and alerts you if it drops.
- Use Caddy: Instead of Nginx, try Caddy as your reverse proxy. It handles SSL automatically and the config is much simpler.
- Snapshots: UpCloud’s snapshot feature lets you back up your entire VPS state. Take one before any major changes.
- Consider a Squid proxy: Running a transparent proxy on the VPS lets you route specific home traffic through the VPS’s IP — useful for services that need a clean IP reputation.
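An added example (not part of the original post) of the tunnel monitoring cron job from the first tip. It goes beyond a plain ping by also checking the age of each peer's last WireGuard handshake. The 300-second threshold, the syslog alert via `logger`, the function names and the script path are assumptions; the sample input is constructed.

```bash
#!/usr/bin/env bash
# Added example: tunnel health check for cron, using the page's wg0 / 10.0.0.2.
MAX_AGE=300   # assumption: seconds without a handshake before we alert

# Reads `wg show wg0 latest-handshakes` lines ("<pubkey> <epoch>") on stdin.
# $1 = current epoch, $2 = max age. Prints stale peers; exit 1 if any.
stale_peers() {
  awk -v now="$1" -v max="$2" '
    NF == 2 {
      if ($2 == 0)             { printf "%s never\n", $1; bad = 1 }
      else if (now - $2 > max) { printf "%s %ds\n", $1, now - $2; bad = 1 }
    }
    END { exit bad }'
}

alert() {  # assumption: syslog is the alert channel; swap in mail or a webhook
  logger -p daemon.warning -t wg-monitor "$1"
}

check_tunnel() {
  # A missing interface must alert, not pass silently with empty output.
  hs=$(wg show wg0 latest-handshakes 2>/dev/null) || { alert "wg0 is down"; return 1; }
  report=$(printf '%s\n' "$hs" | stale_peers "$(date +%s)" "$MAX_AGE") ||
    { alert "stale handshake: $report"; return 1; }
  ping -c 3 -W 2 10.0.0.2 >/dev/null 2>&1 ||
    { alert "no ping reply from 10.0.0.2"; return 1; }
}

# Constructed sample input (placeholder key names, not real public keys).
SAMPLE=$(printf 'PEER_A_KEY=\t1700000000\nPEER_B_KEY=\t1699990000\nPEER_C_KEY=\t0\n')

# Cron on the VPS as root (hypothetical path):
#   */5 * * * * /usr/local/bin/wg-monitor.sh --run
if [ "${1:-}" = "--run" ]; then check_tunnel; fi
```

A handshake timestamp of 0 means the peer has never completed a handshake, which the function reports as `never`.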
Self-hosting in rural areas doesn’t have to mean fighting with your ISP for a static IP. A $5 VPS and WireGuard give you everything you need to put your home lab on the public internet, securely and affordably.