← Blog

Can you run a VPN or proxy on a VPS? What acceptable-use policies actually allow

Short version: running your own VPN on a VPS — a WireGuard tunnel just for your laptop and phone — is completely normal and allowed. What acceptable-use policies push back on is the open, public stuff: open proxies anyone can relay through, mail relays, and traffic that turns into spam or attacks. This guide draws that line clearly, shows what DigitalOcean's upstream Acceptable Use Policy says (GhostVPS runs on real DigitalOcean droplets, so those rules bind the server too), and explains exactly how Tor fits in.

1. The short answer

A VPS is just a Linux server you control, so you can install almost anything on it — including VPN and proxy software. The question isn't really "is this software allowed," it's "is the way I'm using it allowed." Two simple tests cover almost every case:

• Is it private to you, or open to the public? A VPN or proxy locked to keys and credentials you control is your business. An open service that any stranger on the internet can route traffic through is what gets accounts suspended.
• Is the traffic lawful and non-abusive? Spam, port-scanning, botnet command-and-control, DDoS, and torrent-driven copyright complaints are the things that trigger abuse reports — regardless of what tool produced them.

2. Your own VPN vs. an open proxy — the line that matters

People lump "VPN" and "proxy" together, but for acceptable-use purposes the important distinction is closed vs. open, not VPN vs. proxy.

A personal VPN (closed)

You install WireGuard, generate a keypair for each of your devices, and only those keys can connect. Nobody else can use the tunnel. From the outside it looks like one server talking to a couple of clients. This is the classic "run my own VPN so I'm not trusting a commercial VPN company" setup — and it's fine. Our step-by-step walkthrough is here: set up your own VPN on a VPS with WireGuard.

An open proxy (open)

An open proxy is a server configured so that anyone can connect and relay traffic through it without authentication. These get discovered by scanners within hours and are quickly abused to send spam, mask attacks, and scrape sites. That's why open proxies — along with open mail relays and open DNS resolvers — are explicitly prohibited by most serious infrastructure providers. The fix is simple: require authentication and bind the service so only you can reach it.

3. What DigitalOcean's AUP actually says

Because GhostVPS deploys real DigitalOcean droplets, DigitalOcean is the upstream provider, and their Acceptable Use Policy applies to the underlying server. The relevant clause sits under "Operation of Certain Network Services," which prohibits operating open proxies, open mail relays, open recursive domain name servers, Tor exit nodes, or other similar network services.

Read that carefully, because the common word in the list is open. The policy is aimed at services that accept traffic from the general public and therefore become abuse magnets. It does not say "no VPNs" or "no proxies for personal use" — running a private tunnel for your own devices isn't operating an open network service. DigitalOcean even publishes its own tutorials on installing OpenVPN, which tells you a personal VPN is an expected, supported use of a droplet.

DigitalOcean's separate droplet-policy notes add the underlying principle in plain language: you are responsible for all traffic that leaves your server. If you run something that other people can pump traffic through, their abuse becomes your abuse, and that's what lands a suspension. Keep services closed and traffic lawful and you stay well inside the lines.

4. Tor on a VPS: clients, relays, bridges, exit nodes

Tor is where most of the confusion lives, because "running Tor" can mean four very different things. Here's how each one is treated on GhostVPS, in line with the upstream rules:

• Signing up over Tor or a VPN — allowed. Connecting through Tor or a VPN to create your account and pay is fine, and good for privacy. The rules are about what the server does, not how you reach the panel.
• A Tor client on your VPS — allowed (lawful use). Installing the Tor client to browse or to reach onion services from the server, for your own lawful use, is fine. You're a consumer of the network, not an open relay for others.
• Tor relays / bridges — by prior arrangement. A non-exit relay or bridge forwards other Tor users' traffic. DigitalOcean notes that with any Tor service you become responsible for sub-users you can't see, so we ask that you arrange this with us first rather than just spinning one up.
• Tor exit nodes — not allowed. An exit node sends other people's traffic out to the open internet under your server's IP. The inevitable abuse complaints (spam, scanning, copyright, attacks) land on our upstream DigitalOcean account and put the whole platform at risk. DigitalOcean prohibits open exit-style services in its AUP for exactly this reason, so GhostVPS does not allow exit nodes.

5. How the GhostVPS AUP maps to the upstream rules

We try to keep our acceptable-use policy honest and easy to reason about: it's essentially "do lawful things, keep public services closed, and don't generate abuse," which is the same spine as the upstream DigitalOcean AUP. Because we sit on top of real DigitalOcean infrastructure, we can't allow anything the upstream provider prohibits — if they suspend the underlying account over an open relay or an exit node, your server goes down with it.

What that means in practice for the privacy-minded user is reassuring rather than restrictive. No-KYC signup, paying in crypto, connecting over Tor, and running your own encrypted VPN are all squarely allowed. The lines are drawn around abuse and open services, not around privacy. If you want the bigger picture of what "anonymous hosting" does and doesn't cover, see what is an anonymous VPS.

6. Set up a personal VPN the right way

If your goal is a private VPN that's both useful and clearly within the rules, here's the shape of it. The full commands are in the WireGuard walkthrough; this is the acceptable-use-aware version.

1. Deploy a small droplet. A base plan is plenty for a personal VPN. Pick a region close to you for latency — GhostVPS has 9 cities across 8 countries (Amsterdam, Frankfurt, London, New York, San Francisco, Singapore, Sydney, Toronto, Bangalore), each a real droplet with its own dedicated IPv4.
2. Harden the box first. Non-root user, key-only SSH, a firewall. Don't skip this — see the VPS hardening checklist.
3. Install WireGuard and generate per-device keys. One keypair for your laptop, one for your phone. Only those public keys are added to the server config — that's what keeps the tunnel closed.
4. Open only the VPN port in the firewall. Allow the single UDP port WireGuard listens on and nothing else publicly. Never leave the VPN reachable as an open, credential-free service.
5. Connect and verify. Bring up the tunnel on each device, confirm your public IP now shows the server's IP, and check there's no DNS leak. Done — a private VPN that only you can use.

That's the whole trick: a VPN bound to keys you hold is "closed," which is exactly what keeps it on the right side of every acceptable-use policy in the chain.

7. Quick reference: allowed vs. not allowed

A cheat sheet for the common cases. When in doubt, ask the two tests from section 1: is it closed, and is the traffic lawful?

FAQ

Wondering whether a no-KYC, crypto-paid host is trustworthy in the first place? Read is paying for a VPS with crypto a scam?

GhostVPS is an anonymous, no-KYC VPS host on real DigitalOcean infrastructure. Run your own VPN, pay with Bitcoin, Monero or USDT (TRC20); each server gets a dedicated IP and deploys in minutes from $9/mo. See our acceptable use policy, the WireGuard guide, or open the panel.