Cheap hardware for VPN server: what to choose in 2025
If you're reading this, you've probably already tried free VPNs that cut your speed ridiculously, or paid services that work intermittently. Your own infrastructure is a different level of control. But which cheap VPN server hardware is really worth buying, and what's a waste of money? Let's break it down specifically: single-board computers, mini-PCs, routers, real performance numbers and, what matters for Russia, which protocol won't be blocked by RKN in a month.
Why set up your own VPN server and what hardware you need for it
A paid VPN service is someone else's server, someone else's protocol, and someone else's IP address. You don't control how traffic is masked as legitimate HTTPS, you can't change the protocol in response to new blocks. Your own server gives you complete configuration freedom.
This is especially important in Russia, where ISP DPI (Deep Packet Inspection) can recognize and block signatures of popular protocols. When RKN issues a directive — the provider closes traffic through TSPU equipment. If you have your own protocol with proper masking, you simply change the config without waiting for the service to update.
Your own server vs paid VPN: what's the real difference
Paid VPN gives you one click and a ready-made app. Your own server requires 2-4 hours of initial setup and understanding what's happening. But the IP address belongs only to you — no "this address is blocked because 500 people were using it on one service".
Another point: Russian VPN services under RKN pressure periodically either leave the market or start filtering traffic. A foreign service is not under Russian jurisdiction, but can itself be blocked. Your own server on a foreign VPS is the sweet spot.
Minimum hardware requirements for WireGuard and VLESS/XRay
WireGuard is minimalist: runs on 256 MB RAM and one CPU core. Really, WireGuard runs on Orange Pi Zero with 512 MB RAM without problems, just don't expect 1 Gbps.
VLESS/XRay with Reality requires a bit more: minimum 512 MB RAM, preferably 1 GB. XRay is written in Go, no JIT compilation, but it's not particularly heavy. On Raspberry Pi 4 with 2 GB RAM it works great, CPU load with active traffic is 20-40%.
Shadowsocks-2022 is roughly on par with WireGuard in CPU load, but adds encryption overhead. On a weak ARM Cortex-A53 (Orange Pi Zero, old Pi) this is noticeable.
Where to physically place the server: at home, on VPS or at a hosting provider
At home: you need a static IP (or DDNS) and open ports. Many Russian ISPs put subscribers behind CGNAT, where incoming connections are physically impossible without additional setup. Check in advance: if the external (WAN) IP your router receives starts with 100.64.x.x or 10.x.x.x, you have CGNAT.
VPS abroad (Hetzner, DigitalOcean, Vultr) is the optimal option. From $3-5/month for a basic server in Germany or Finland. Static IP included. No problems with CGNAT or incoming connections.
Home hardware + foreign VPS — a combo for paranoids and perfectionists: all management is yours, outgoing traffic through a foreign IP.
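The CGNAT check from the "At home" paragraph, as an added example that is not part of the original article. It goes beyond the two prefixes named there: the carrier-grade NAT block from RFC 6598 is all of 100.64.0.0/10 (100.64.x.x through 100.127.x.x), and the other RFC 1918 private ranges equally mean inbound connections will not reach you. Function names are illustrative.

```sh
#!/bin/sh
# Added example: classify the WAN address shown on your router's status page.
# Nothing is fetched from the network; sample addresses below are constructed.

# ip_to_int A.B.C.D -> 32-bit integer on stdout; non-zero status on malformed input
ip_to_int() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, at most 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP_INT NETWORK PREFIX_LEN -> status 0 when the address is inside the block
in_cidr() {
    net=$(ip_to_int "$2") || return 2
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $1 & mask )) -eq $(( net & mask )) ]
}

# classify_wan ADDRESS -> cgnat | private | public | invalid
classify_wan() {
    ip=$(ip_to_int "$1") || { echo invalid; return 0; }
    if in_cidr "$ip" 100.64.0.0 10; then
        echo cgnat      # RFC 6598 shared space: 100.64.0.0 - 100.127.255.255
    elif in_cidr "$ip" 10.0.0.0 8 || in_cidr "$ip" 172.16.0.0 12 ||
         in_cidr "$ip" 192.168.0.0 16; then
        echo private    # RFC 1918: you are behind someone else's NAT as well
    else
        echo public
    fi
}

# Constructed samples (203.0.113.5 is a documentation address standing in
# for a real public one).
for addr in 100.64.12.7 100.100.1.1 10.20.30.40 203.0.113.5; do
    printf '%-14s %s\n' "$addr" "$(classify_wan "$addr")"
done
```

Run it against the WAN address from the router's own status page: a "what is my IP" site shows the ISP's shared public address and will never reveal CGNAT.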
Top cheap options for VPN server hardware
Let's talk about specific devices with real prices. Prices are current as of early 2025, reference Ozon/Wildberries/AliExpress — there's variation, but the order of magnitude is roughly this.
Single-board computers: Raspberry Pi 4/5, Orange Pi, Banana Pi — prices and performance
Raspberry Pi 4 (2 GB) — around 4000-5500 rubles on Ozon (accounting for gray imports). Cortex-A72 processor at 1.8 GHz gives ~400-600 Mbps with WireGuard in real conditions. Gigabit Ethernet is available. Community support is huge — any question gets answered in 5 minutes of googling.
Raspberry Pi 5 (4 GB) — ~7000-9000 rubles. Cortex-A76, noticeably faster, but requires separate active cooling for 24/7 operation. Some old Pi 4 images won't run on it — verify OS image compatibility before downloading.
Orange Pi 3 LTS — 2500-3500 rubles. Allwinner H6, Cortex-A53. Performance is roughly half that of the Pi 4: WireGuard ~150-250 Mbps. Enough for one or two users. Only buy the official version — AliExpress has clones with different flash memory chips that cause OS freezes.
Banana Pi M5 — ~3500-4500 rubles. Amlogic S905X3, same Cortex-A55 class. A decent alternative to Orange Pi, but documentation is worse.
Mini PCs: N100, Celeron J4125 — best price-to-performance balance
Intel N100 — that's a different level. x86 architecture, AES-NI out of the box, which provides hardware acceleration for OpenVPN and other protocols with AES encryption. N100 mini PCs cost 8000-12000 rubles on Ozon (brands like BMAX, MinisForum, Trigkey).
WireGuard on N100 delivers 900+ Mbps — nearly gigabit. XRay with VLESS+Reality — 400-600 Mbps even with heavy TLS. This is already a small office-level server, not just a personal VPN.
Celeron J4125 — slightly older, ~6000-9000 rubles for a ready-made mini PC. Performance is somewhat lower than N100, but AES-NI is there too. A good option if you find one on sale.
Old laptop or PC as VPN server: when it's justified
If you have an old laptop with Core i3/i5 and 4 GB RAM lying around — that's free hardware for a VPN server. The built-in battery acts as a UPS during power outages. Downsides: 15-45 W consumption versus 3-5 W for Raspberry Pi, plus fan noise.
For continuous use it's not economically viable — the difference in electricity over a year adds up to 1500-4000 rubles. But for testing or a temporary server — it's great.
Routers with OpenWRT: GL.iNet, TP-Link — the most compact option
GL.iNet Beryl AX (MT3000) — 6000-8000 rubles. MediaTek MT7981B, 256 MB RAM, WireGuard right out of the box in the web interface. Consumption ~5 W. But there's a caveat: it has one 2.5G port, the rest are 1G. For the majority this is not a problem.
An important limitation of all cheap routers: if you have Fast Ethernet ports (100 Mbps) — this is the physical speed ceiling, no software will help. Check the port specifications before buying.
TP-Link Archer C7 and similar devices on OpenWRT work, but the CPU is weak there — WireGuard will achieve 50-80 Mbps maximum. For one user it's acceptable, for a family it's not.
Comparative table: price / consumption / WireGuard speed
| Device | Price (rubles) | CPU | RAM | WireGuard (Mbps) | Consumption |
|---|---|---|---|---|---|
| Orange Pi 3 LTS | 2500–3500 | Cortex-A53 × 4 | 2 GB | ~150–250 | ~3 W |
| Raspberry Pi 4 (2 GB) | 4000–5500 | Cortex-A72 × 4 | 2 GB | ~400–600 | ~4 W |
| Raspberry Pi 5 (4 GB) | 7000–9000 | Cortex-A76 × 4 | 4 GB | ~700–900 | ~5–8 W |
| GL.iNet Beryl AX | 6000–8000 | MT7981B × 2 | 256 MB | ~300–400 | ~5 W |
| Mini PC N100 | 8000–12000 | Intel N100 × 4 (x86) | 8–16 GB | ~900+ | ~10–15 W |
| Mini PC J4125 | 6000–9000 | Celeron J4125 × 4 | 4–8 GB | ~700–800 | ~8–12 W |
Which protocol to choose for your server under RKN blocking
This is the most important section if you live in Russia. You can buy ideal cheap VPN server hardware, but if the protocol gets blocked in 2 weeks, it's all in vain.
WireGuard: fast, but easily blocked over UDP
WireGuard is a technically superior protocol. Minimalist code (about 4000 lines), fast Curve25519/ChaCha20 cryptography, low ping. In a world without DPI — an ideal choice.
In Russia — a problem. WireGuard operates over UDP and has characteristic signatures in the first handshake packets. ISP DPI equipment recognizes and blocks it. Moreover, some ISPs apply UDP-throttling: they don't block explicitly, but cut UDP traffic to 5-10 Mbps. You will think everything works, just slowly.
VLESS + XRay + Reality: best choice for bypassing DPI in Russia
VLESS with Reality transport is currently the most DPI-resistant option. Reality masks the connection as a real TLS handshake with an actual domain (for example, microsoft.com or apple.com). DPI sees legitimate HTTPS on port 443, so there is nothing to block.
XRay is a V2Ray fork with additional features, including Reality. It is installed with one command through the official script. On a mini-PC with N100, it works great. On an Orange Pi Zero with Cortex-A53 it is slow, because there's no hardware AES acceleration, and XRay loads the CPU at 70-80% with 100 Mbps traffic.
Shadowsocks-2022: a compromise between speed and obfuscation
Shadowsocks-2022 — an updated version of the old protocol with improved cryptography (AEAD-2022). Obfuscation is worse than Reality, but better than plain WireGuard. The traffic looks like random data, which already complicates signature analysis.
The main advantage for weak hardware: CPU load is less than XRay. On Orange Pi 3 LTS, the difference in CPU load between Shadowsocks-2022 and XRay can reach 30-40%. If you have an ARM Cortex-A53 board — Shadowsocks-2022 is a more practical choice.
Amnezia VPN: a ready-made solution on top of ordinary hardware
Amnezia — a Russian open-source project that takes WireGuard and adds junk packets before the actual handshake. DPI cannot recognize the WireGuard signature because it sees a non-standard packet sequence.
AmneziaWG works on practically any hardware where regular WireGuard works — overhead is minimal. Client applications are available for Android, iOS, Windows, macOS. A good solution if you've already set up WireGuard and want to quickly add DPI protection without reinstalling everything.
OpenVPN and IKEv2: when it still makes sense to use them
OpenVPN over TCP on port 443 — an old but working scheme. The traffic looks like HTTPS to most providers without deep analysis. Speed is 30-50% lower than WireGuard, CPU load is higher. But it works almost everywhere and is supported by absolutely all clients.
IKEv2 — for corporate scenarios and iOS (built-in support). In the context of bypassing RKN blocks — a weak choice: it is blocked relatively easily. Use only if you need compatibility with a specific corporate solution.
Step-by-step VPN server setup on cheap hardware
OS installation: Debian/Ubuntu vs Alpine Linux to save resources
On Raspberry Pi 4, use Raspberry Pi OS Lite (64-bit) — this is an optimized Debian for this platform. Download from the official raspberrypi.com, the version without desktop (Lite). Write it using Raspberry Pi Imager — it also configures SSH and hostname before the first boot.
For mini-PCs on x86 — Debian 12 Bookworm Minimal or Ubuntu Server 24.04 LTS. Alpine Linux saves RAM, but repositories are poorer and some packages need to be compiled manually. For a beginner, this is unnecessary trouble.
WireGuard installation in 10 minutes: commands and config
On Debian/Ubuntu:
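apt update && apt install -y wireguard
# Create the key files owner-only from the start instead of fixing permissions afterwards
umask 077
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
chmod 600 /etc/wireguard/server_private.key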
Config /etc/wireguard/wg0.conf:
[Interface]
# Server private key
PrivateKey = <contents of server_private.key>
# Server address in VPN network
Address = 10.0.0.1/24
# Port — better non-standard, but if provider blocks UDP — it's a problem
ListenPort = 51820
# Enable traffic forwarding
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# Client public key
PublicKey = <client_public.key>
AllowedIPs = 10.0.0.2/32
Enable and start:
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
If your provider blocks UDP traffic on non-standard ports — change ListenPort to 53 (DNS) or use wstunnel to wrap WireGuard in WebSocket.
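The server config above has one peer, and the client section later feeds a client.conf to qrencode without showing it. The following added example (not from the original article) picks the next free address in the 10.0.0.0/24 subnet used above and renders both the [Peer] stanza for wg0.conf and the matching client.conf. The function names, the endpoint vpn.example.org and all key strings are placeholders; real keys come from wg genkey and wg pubkey.

```sh
#!/bin/sh
# Added example: allocate the next client address from the server's wg0.conf
# and render both halves of the new peer. All key strings are placeholders.

# next_free_ip CONF -> lowest unused host address in 10.0.0.0/24 (the subnet above)
next_free_ip() {
    awk -F'[ \t=,/]+' '
        { sub(/^[ \t]+/, "") }                       # tolerate indented lines
        tolower($1) == "address" || tolower($1) == "allowedips" {
            for (i = 2; i <= NF; i++)
                if (split($i, o, ".") == 4 && o[1] "." o[2] "." o[3] == "10.0.0")
                    used[o[4] + 0] = 1
        }
        END {
            for (n = 2; n <= 254; n++)
                if (!(n in used)) { print "10.0.0." n; exit 0 }
            exit 1                                   # subnet exhausted
        }
    ' "$1"
}

# server_peer CLIENT_PUBKEY CLIENT_IP -> stanza to append to the server's wg0.conf
server_peer() {
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}

# client_conf CLIENT_PRIVKEY SERVER_PUBKEY ENDPOINT CLIENT_IP -> client.conf
client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $4/32

[Peer]
PublicKey = $2
Endpoint = $3
# Route all IPv4 traffic through the tunnel. This setup carries no IPv6,
# so check that the client has no separate IPv6 route that bypasses it.
AllowedIPs = 0.0.0.0/0
# Keep NAT mappings alive on mobile and home networks
PersistentKeepalive = 25
EOF
}

# Demo on a constructed server config (placeholders, not real keys)
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = <client1_public.key>
AllowedIPs = 10.0.0.2/32
EOF
new_ip=$(next_free_ip "$demo_conf")
server_peer '<client2_public.key>' "$new_ip"
client_conf '<client2_private.key>' '<server_public.key>' 'vpn.example.org:51820' "$new_ip"
rm -f "$demo_conf"
```

Giving each peer a single /32 in AllowedIPs, as the server config above does, keeps one client from sourcing traffic as another.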
Installing XRay/VLESS with Reality on mini-PC or single-board computer
Official XRay installation script (version 1.8.x and above):
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
After installation, the config is located in /usr/local/etc/xray/config.json. For Reality, you need to generate a key pair:
xray x25519
In the config, you specify "dest": "www.microsoft.com:443" — XRay will forward unrecognized connections to Microsoft, creating a convincing disguise.
Connecting clients: Android, iPhone, Windows, router
WireGuard Android/iOS: official WireGuard app from Play Store/App Store. Generate config QR code with qrencode -t ansiutf8 < client.conf, scan with your phone.
VLESS/XRay on Android: v2rayNG app (Google Play). Copy link like vless://uuid@ip:443?..., paste it in the app.
VLESS/XRay on iOS: Streisand or Shadowrocket app (paid, $2.99). Import the same link.
Windows: for WireGuard — official client wireguard.com, import .conf file. For XRay — Nekoray or Hiddify.
Monitoring and security: fail2ban, auto-updates
Minimal security set:
apt install -y fail2ban unattended-upgrades
systemctl enable fail2ban
dpkg-reconfigure -plow unattended-upgrades
Fail2ban blocks SSH brute-force automatically. Unattended-upgrades installs security patches without your participation. Change SSH port from 22 to something non-standard and disable password auth — keys only.
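An added example (not from the original article) that audits an sshd_config for the two SSH changes recommended above. It encodes parsing rules that are easy to get wrong: Port may appear several times and sshd listens on every one, other keywords take their first value, and a Match block can switch password logins back on. Function names are illustrative and Include files are not followed; on a live host, sshd -T prints the effective configuration.

```sh
#!/bin/sh
# Added example: audit an sshd_config for a non-default port and key-only logins.

# sshd_values FILE KEYWORD SCOPE -> values of KEYWORD, lower-cased, one per line.
# SCOPE is "global" (before the first Match line) or "match" (inside Match blocks).
sshd_values() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v scope="$3" '
        BEGIN { want = (scope == "match"); in_match = 0 }
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/); kw = tolower(f[1]) }
        kw == "match" { in_match = 1; next }
        kw == key && in_match == want { gsub(/"/, "", f[2]); print tolower(f[2]) }
    ' "$1"
}

# audit_sshd FILE -> prints findings; status 0 only when every check passes
audit_sshd() {
    rc=0
    ports=$(sshd_values "$1" Port global)
    pw=$(sshd_values "$1" PasswordAuthentication global | head -n 1)
    # Port may repeat and sshd listens on all of them; no Port line means 22.
    case " $(echo ${ports:-22}) " in
        *" 22 "*) echo "FAIL: sshd still listens on port 22"; rc=1 ;;
    esac
    # First value wins; the built-in default for this keyword is "yes".
    [ "${pw:-yes}" = no ] || { echo "FAIL: PasswordAuthentication is ${pw:-yes}"; rc=1; }
    if sshd_values "$1" PasswordAuthentication match | grep -qx yes; then
        echo "FAIL: a Match block turns password logins back on"; rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK: key-only logins on port(s) $(echo $ports)"
    return "$rc"
}

# Demo on a constructed config that looks hardened at a glance but is not
demo=$(mktemp)
cat > "$demo" <<'EOF'
Port 2222
Port 22
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd "$demo" || true
rm -f "$demo"
```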
What doesn't work and typical errors when choosing hardware
Why home IP is not suitable for VPN in Russia
Even if you solved the CGNAT problem and got a static IP from your provider, a home IP address is problematic for another reason. Russian providers have the right and technical capability to block specific IP addresses of their users upon request. Plus your IP is in the range of a Russian provider, and some foreign services filter it additionally.
The correct scheme: home hardware + VPS abroad as the exit node. At home there is a Raspberry Pi or mini PC, it connects via a tunnel to your server in Germany, all traffic goes through the German IP. That way no one knows your home address.
Routers without hardware NAT: a bottleneck on speed
Many budget routers with OpenWRT do not have hardware NAT acceleration. With VPN traffic, all forwarding goes through the CPU, which on MIPS routers from 2016-2018 is frankly weak. Real speed can be 20-40 Mbps with theoretical 300 Mbps for the router.
GL.iNet on MediaTek MT7621/MT7981 is better — Software Flow Offloading works there and gives a noticeable boost. But hardware older than 2020 with a MIPS processor for a VPN server is garbage, don't waste your time.
Single-board computers with 100 Mbps Ethernet — a hidden limit
Orange Pi Zero, Banana Pi M2 Zero, some early Raspberry Pi — they physically have 100 Mbps Ethernet or only WiFi. WireGuard can deliver 300 Mbps via CPU, but the network will be a bottleneck at 100 Mbps. Check the specifications before buying.
Raspberry Pi 4 and 5 — gigabit Ethernet. Orange Pi 3 LTS — also gigabit. This is the minimum for normal use.
Heat and stability: problems of 24/7 operation of cheap hardware
Raspberry Pi 4 without cooling under continuous load throttles from 1800 MHz to 600 MHz. This is a real problem with a 24/7 VPN server. Buy a case with a passive heatsink for 300-500 rubles — solves the problem completely without a single fan.
Cheap Chinese mini PCs like "no-name N100" sometimes have an unstable WiFi module and mediocre power supply. Connect via Ethernet, WiFi is not needed for a server at all. Get a power supply with a margin — a cheap 12V/1A under load can have voltage drops.
A separate story — cheap hosts in exotic locations ($1/month for VPS in Moldova or Kazakhstan): power outages, unstable connection, sometimes just offline for several hours. Hetzner, Contabo, DigitalOcean — overpay $2, but you'll sleep peacefully.
Alternative to your own server: when to choose a ready-made VPN
When self-hosting is not appropriate
Your own VPN server on cheap hardware is a project. Not an application, not a subscription, but a project with initial setup, periodic maintenance and solving problems like "the server froze at 3 am and everyone at home has no internet".
Let's calculate real TCO: Raspberry Pi 4 (~5000 rubles one-time) + case with cooling (~500 rubles) + microSD card (~600 rubles) = ~6100 rubles one-time. Electricity: ~4 W × 24 h × 30 days × 6 rubles/kWh = ~17 rubles per month. VPS abroad (Hetzner CX11, 2 GB RAM, Germany) = ~$3.5/month ≈ 320 rubles.
Total: ~6100 rubles entry + ~340 rubles/month. Over 6 months that's ~8100 rubles. Plus your time on setup and maintenance. A ready-made VPN service with normal blocking circumvention support costs 100-500 rubles per month. Over 6 months that's 600-3000 rubles, with zero setup time. For non-technical users the choice is obvious.
NvoVPN and other services as a ready alternative without hardware
If you don't want to deal with configs and updates, a ready-made service is a reasonable choice. NvoVPN, for example, already supports modern protocols for bypassing DPI and doesn't require purchasing any hardware — just download the app and connect.
Your own server makes sense if: you have technical knowledge and want to control every aspect, you're ready for a time investment, or you have specific requirements (for example, a specific exit IP for working with certain services). In other cases — soberly assess whether it's worth it.
Frequently Asked Questions
Which single-board computer is best suited for a VPN server with WireGuard?
Raspberry Pi 4 (2-4 GB) — the best balance: handles ~400-600 Mbps WireGuard, runs stably 24/7 with passive cooling, huge community and excellent documentation. Orange Pi 3 LTS is 1000-2000 rubles cheaper, but performance is half as good. If you need VLESS/XRay — better get a mini-PC with N100: x86 architecture is noticeably faster than ARM for TLS-heavy protocols.
Can you set up a VPN on a home router to bypass RKN blocks?
Yes, if the router supports OpenWRT — GL.iNet Beryl AX handles it well. But a home ISP IP creates risks: it can be throttled or blocked. Optimal setup: router with AmneziaWG at home + VPS in Germany or Finland as exit node. The router automatically connects to the VPS, all home traffic goes through a foreign IP.
Which protocol best bypasses DPI and Roskomnadzor blocks in 2025?
VLESS + XRay + Reality — the most DPI-resistant option today. Traffic is masked as a legitimate HTTPS handshake with a real domain. Amnezia WireGuard (AmneziaWG) — a good alternative for weak hardware, adds random packets before the WireGuard handshake. Clean WireGuard over UDP on ports 51820 and similar — often blocked or throttled by ISPs.
How much does it cost to maintain your own VPN server on Raspberry Pi?
Raspberry Pi 4 consumes ~3-5 W — approximately 15-30 rubles per month on Russian electricity rates. VPS abroad — from $3-5/month (Hetzner CX11 in Germany costs €3.29/month). Total ~300-500 rubles/month operating expen
Do I need a static IP for my own VPN server?
For the server part on VPS — static IP is usually included in the cost. For a home server — you need a static IP or DDNS service (DuckDNS is free, Cloudflare too). Russian ISPs usually charge 100-300 rubles/month for a static IP additionally. First, check if you have CGNAT — if your external IP starts with 100.64.x.x, a static IP won't help, you need to change your plan.
Will an old laptop work as a VPN server?
It will work, especially if it has an Ethernet port and you don't plan to push more than 200 Mbps through it. Built-in battery — free UPS. Pros: powerful CPU, there's a display for debugging. Cons: 15-45 W consumption (versus 4-5 W for a single-board computer), noise, heat. Over a year, the difference in electricity — 1500-4000 rubles. For a permanent server — not worth it, for testing and first experiments — great.
How do I connect iPhone and Android to a homemade VPN server?
WireGuard: download the official WireGuard app (free, Play Store / App Store). On the server, generate a QR code with the command qrencode -t ansiutf8 < client.conf, scan it with your phone. VLESS/XRay: on Android — v2rayNG (free, Play Store), import vless:// link. On iOS — Streisand (free) or Shadowrocket ($2.99). The import link is generated by XRay when you create the client config.