The Premise
With the new server humming along in Frankfurt, I decided to tackle a project I’ve wanted to do for a while: Digital Sovereignty. I wanted a private tunnel that I essentially own, giving me a secure exit node in Germany without relying on public VPN providers that might log my data.
I chose WireGuard because it’s lean, modern, and battery-friendly. To keep my Docker-only philosophy intact, I deployed it using the wg-easy container, which bundles the VPN server with a nice web UI.
It sounded simple. It was not.
The “Double Dollar” Trap
The first roadblock hit immediately: I couldn’t log in. It turns out the latest version of wg-easy deprecated plain-text passwords for security, forcing the use of Bcrypt hashes. I generated a hash, pasted it into my Docker Compose file, and… nothing. The container refused to accept it.
After some deep debugging, I found two culprits working together:
- The Shell Trap: When I tried to generate the hash via the command line, the Linux shell was interpreting special characters in my complex password before the hashing tool even saw them.
- The YAML Trap: Once I finally got a valid hash (which starts with $2a$), Docker Compose tried to be helpful and interpret the $ signs as variables.
The Fix
I had to manually escape the hash in the YAML configuration using double dollars ($$2a$$...) and—crucially—remove the surrounding quotes that I thought were necessary. A classic “Syntax vs. Engineer” battle.
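Both traps can be reproduced and checked in a few lines of shell. This is an added example, not part of the original post or of wg-easy: the helper names are hypothetical, and the password and hash are constructed placeholders.

```shell
#!/bin/sh
# Added example: the helpers below are hypothetical, not wg-easy or Docker tooling.

# Constructed placeholder in bcrypt layout ($2a$ + cost + 53 chars); not a real hash.
SAMPLE_HASH='$2a$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'

# Shell trap: inside double quotes the shell expands $ecret (unset, so empty)
# before any hashing tool sees the argument. Single quotes pass it through intact.
double_quoted() ( set +u; unset ecret; printf '%s\n' "Str0ng$ecret#1" )
single_quoted() { printf '%s\n' 'Str0ng$ecret#1'; }

# True only for a complete bcrypt string; a hash mangled by the shell fails here.
is_bcrypt_hash() {
    printf '%s\n' "$1" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# YAML trap: Compose treats $ as the start of a variable; $$ is its literal dollar.
compose_escape()   { printf '%s\n' "$1" | sed 's/\$/$$/g'; }
compose_unescape() { printf '%s\n' "$1" | sed 's/\$\$/$/g'; }

# Validate first, then emit the value to paste into the Compose file.
compose_value() {
    if is_bcrypt_hash "$1"; then
        compose_escape "$1"
    else
        echo "not a complete bcrypt hash: refusing to escape" >&2
        return 1
    fi
}

echo "double-quoted password seen by tool: $(double_quoted)"
echo "single-quoted password seen by tool: $(single_quoted)"
echo "value for Compose: $(compose_value "$SAMPLE_HASH")"
```

Running `compose_unescape` on the emitted value returns the original hash, which is a quick way to confirm what the container will actually receive.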
The “MTU Black Hole”
Once I was in, I decided to stress-test the setup. I connected my laptop to my phone’s hotspot, while the phone itself was tunneling through the VPN to Frankfurt. The result? A connection that technically “worked” but crawled at a painful 160 Kbps.
This was a textbook MTU (Maximum Transmission Unit) fragmentation issue. By wrapping VPN packets inside mobile data packets (which were already being NAT’d by the hotspot), I created “packet bloat.” The packets were too large for the mobile network to handle efficiently, causing them to either drop or fragment, tanking the speed.
While I tried tweaking the MTU to 1280, the overhead just made things worse. The lesson? It works perfectly for privacy and unblocking sites in a pinch, but physics has its limits when you double-tunnel through a cellular network.
The Real Use Case: AI Research
Speed aside, this setup is invaluable for my AI testing. I frequently need to test Large Language Models (LLMs) and their geo-restrictions. Public VPNs (like the one in OperaGX) often get blacklisted because thousands of users share the same IP. With this VPS, I have a pristine Datacenter IP in Germany that belongs only to me. It’s the perfect clean slate for testing region-locking behaviors without triggering “VPN Detected” warnings.
Verdict
I now have a functional, private tunnel directly to my server. It requires zero maintenance, costs me nothing extra, and gives me a persistent digital footprint in Europe whenever I need it.
