VPN & Tunneling
🛡
WireGuard VPN
The fastest, leanest VPN protocol in existence. Kernel-level performance, ~5 MB RAM, handles hundreds of Mbps on a single core. Your personal encrypted tunnel to anywhere.
~5 MB RAMC / KernelEasy SetupMust-Have
# Install & configure in 2 minutes
apt install wireguard
wg genkey | tee privatekey | wg pubkey > publickey
# Create /etc/wireguard/wg0.conf with your keys
systemctl enable --now wg-quick@wg0
🔗
Headscale (Self-hosted Tailscale)
Self-hosted Tailscale control server. Create a zero-config mesh VPN across all your devices. Works behind NAT, handles key exchange, ACLs, and DNS. Like WireGuard but with a brain.
~50 MB RAMGoDocker
docker run -d --name headscale -p 8080:8080 headscale/headscale headscale serve
headscale users create myuser
headscale -n myuser preauthkeys create --reusable --expiry 90d
🌐
Cloudflared (Cloudflare Tunnel)
Expose local services to the internet without opening any ports. Free Cloudflare proxy in front, DDoS protection included. Your tiny VPS suddenly has enterprise-grade edge networking.
~10 MB RAMGoEasy
cloudflared tunnel create mytunnel
cloudflared tunnel route dns mytunnel app.example.com
cloudflared tunnel run mytunnel
Ad Blocking & DNS
🕳
Pi-hole
Network-wide ad blocker that acts as a DNS sinkhole. Block ads, trackers, and malware for every device on your network. Beautiful web dashboard included.
~50 MB RAMPHP / ShellDockerMust-Have
curl -sSL https://install.pi-hole.net | bash
# Or via Docker:
docker run -d --name pihole -p 53:53/tcp -p 53:53/udp -p 80:80 \
-e WEBPASSWORD="changeme" pihole/pihole
🔒
AdGuard Home
Pi-hole alternative with slicker UI, built-in HTTPS, and DNS-over-HTTPS/TLS support. Slightly more modern, equally lightweight. Blocks ads and protects privacy at DNS level.
~40 MB RAMGoOne Binary
curl -sSL https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh
# Access web UI at http://your-ip:3000
🔍
Unbound DNS Resolver
Validating, recursive, caching DNS resolver with DNSSEC support. Run your own DNS instead of trusting Google/Cloudflare. Pair with Pi-hole for the ultimate privacy stack.
~20 MB RAMCEasy
apt install unbound
systemctl enable --now unbound
# Point Pi-hole upstream to 127.0.0.1#5335
Password & Secret Management
🏰
Vaultwarden (Bitwarden RS)
Self-hosted Bitwarden-compatible password manager. Single Rust binary, ~10-20 MB RAM. Works with all official Bitwarden apps, browser extensions, and CLI. Your passwords, your server.
~15 MB RAMRustDockerMust-Have
docker run -d --name vaultwarden -p 8080:80 \
-v /vw-data/:/data/ vaultwarden/server:latest
# Pair with Caddy for auto-HTTPS
📨
ntfy (Push Notifications)
Simple HTTP-based push notification service. Send notifications to your phone or desktop from scripts, cron jobs, or any HTTP request. Perfect for alerts and automation.
~20 MB RAMGoDocker
docker run -d --name ntfy -p 80:80 binwiederhier/ntfy serve
# Send a notification:
curl -d "Server backup complete!" ntfy.sh/mytopic
💣
One-Time Secret
Share sensitive info via self-destructing links. The secret is encrypted in-browser, stored temporarily, and destroyed after viewing. Perfect for sharing passwords or API keys.
~30 MB RAMRubyDocker
docker run -d --name ots -p 7143:443 onetimesecret/ots
Privacy Tools
🕵
Tor Relay / Bridge
Run a Tor relay or bridge to help the Tor network. A non-exit relay uses minimal resources (~30 MB RAM) and contributes to internet freedom. Bridges help censored users connect.
~30 MB RAMCEasy
apt install tor
# Edit /etc/tor/torrc - set ORPort, Nickname, ContactInfo
systemctl restart tor
📖
Wallabag (Read Later)
Save web articles to read later, stripped of ads and distractions. Self-hosted Pocket alternative. Full-text search, tags, export to ePUB/PDF, and mobile apps.
~80 MB RAMPHPDocker
docker compose up -d
# See doc.wallabag.org for Docker setup
🔖
Shaarli (Bookmarks)
Personal, minimalist, super-fast bookmarking platform. PHP-based, file storage (no database), incredibly light. Save links with tags and notes, share or keep private.
~15 MB RAMPHPNo Database
git clone https://github.com/shaarli/Shaarli.git /var/www/shaarli
# Point nginx/apache to it, visit /install
📱
Gotify (Push Server)
Self-hosted push notification server with Android app and CLI client. Alternative to PushBullet. Send messages from any script or service directly to your phone.
~25 MB RAMGoDocker
docker run -d --name gotify -p 8080:80 gotify/server
# Android app: play.google.com/store/apps/details?id=com.github.gotify
Pro Tip
Always run behind a reverse proxy (Caddy or Nginx) for auto-HTTPS, rate limiting, and unified logging. Caddy is especially nice for small VPS - single binary, automatic Let's Encrypt, ~10 MB RAM.