How to create a VPN server with Hetzner

Learn how to configure a personal VPN server with Hetzner and Meshnet.

Introduction

Having a personal VPN server can prove to be beneficial in many scenarios: having a static IP address, accessing geo-restricted information online, or simply learning the basics of networking. In addition, you can use a single VPN server between several individuals to have IP-restricted access to certain resources, for example, important documents.

Hetzner is a large data center operator that offers a wide range of reliable and affordable cloud services, such as cloud servers, dedicated servers, and cloud storage. When used in conjunction with Meshnet and its traffic routing feature, Hetzner’s servers can be turned into VPN servers in just a few minutes.

This article goes over the process of deploying a virtual machine (VM) in the cloud using Hetzner and configuring it as a VPN server with the use of Meshnet.

Note

While setting up your own VPN server enhances your online privacy, it may not provide the same level of protection as connecting to a standard VPN server offered by NordVPN. NordVPN follows a strict no-logs policy, which is crucial for ensuring your online activities remain confidential.

Prerequisites

Before you start, make sure that you have an active Hetzner account. During registration, you are required to provide your billing details.

Generate an SSH key (optional)

When creating your VPN server, you will need to choose an SSH authentication method. It is recommended to use SSH key authentication for a more secure connection between your devices. If you intend to use SSH keys, proceed with the instructions below to generate an SSH key pair on your device:

  1. Open PowerShell (on Windows) or Terminal (on macOS and Linux).

  2. Execute the following command, where </path/key-name> is the desired path and the filename for the SSH key pair:

    ssh-keygen -f </path/key-name>

    Example

    ssh-keygen -f C:\Users\secretmeerkat/.ssh/hetzner-vpn

    This command generates the key pair at the specified path: the private key in </path/key-name> and the public key in </path/key-name>.pub.

  3. Display the contents of the public SSH key file by entering the cat command followed by the path to the .pub file, as shown:

    cat </path/key-name>.pub

    Example

    cat C:\Users\secretmeerkat/.ssh/hetzner-vpn.pub

  4. Select and copy the command line output to your clipboard. The copied content will be required when configuring SSH access to the VM.

Your SSH key pair is now created and ready for use.
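
A pre-paste check for step 3, added here as an example and not part of the original article: the shell function below (for Terminal on macOS and Linux) confirms that a file is an OpenSSH public key and refuses a private key file, which should stay on your device. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): classify a key file before
# pasting it into a cloud console.
# Return status: 0 = OpenSSH public key, 2 = private key material, 1 = neither.
check_pubkey() {
    file=$1
    [ -r "$file" ] || { echo "$file: cannot read" >&2; return 1; }

    # A PEM or OpenSSH private-key header means this file must stay on the device.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$file"; then
        echo "$file: PRIVATE key, do not paste it; use $file.pub" >&2
        return 2
    fi

    # A public key file holds one line: <type> <base64 blob> [comment]
    lines=$(grep -c . "$file") || true
    [ "$lines" -eq 1 ] || { echo "$file: expected exactly one line" >&2; return 1; }
    read -r type blob _comment < "$file" || true

    case $type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "$file: unrecognized key type '$type'" >&2; return 1 ;;
    esac

    # The blob begins with a 4-byte length of the type name, so its base64
    # form always starts with "AAAA"; a character outside the base64 alphabet
    # points to a truncated or mangled copy.
    case $blob in
        AAAA*) ;;
        *) echo "$file: key blob missing or malformed" >&2; return 1 ;;
    esac
    if printf '%s' "$blob" | grep -q '[^A-Za-z0-9+/=]'; then
        echo "$file: key blob is not base64" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (placeholder material, not real keys).
make_samples() {
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlobNotARealKey0000000000 user@laptop' > "$1/hetzner-vpn.pub"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'Y29uc3RydWN0ZWQ=' '-----END OPENSSH PRIVATE KEY-----' > "$1/hetzner-vpn"
}

# Usage: sh check_pubkey.sh ~/.ssh/hetzner-vpn.pub
if [ "$#" -gt 0 ]; then check_pubkey "$1"; fi
```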

Create a VM instance on Hetzner

With the prerequisites taken care of, you can start working on creating your VPN server on Hetzner.

Create a new project

Hetzner allows you to group servers and other related resources into projects. With projects, you can share the resources with your peers and assign different roles for all users involved. For convenient management, it is recommended to create a new project for your VPN server by taking these steps:

  1. On your Hetzner Cloud console, select New project.

  2. Enter a custom name for your project.

  3. Click Add project.

A new panel for your project should appear on your Hetzner dashboard.

Import your SSH key (optional)

If you want to use SSH key authentication to connect to your cloud VM, you can import the SSH key to the Hetzner project.

  1. On your Hetzner Cloud console, click your newly created project.

  2. From the menu on the left, select Security.

  3. On the SSH keys page, click Add SSH key.

  4. In the new dialog, in the SSH key field, paste the content of your public SSH key file.

  5. In the Name field, enter a custom name for this specific SSH key or leave the automatically generated one.

You should now see an entry for your key on the SSH keys page.

Configure the VM

With the project created, you can proceed to configure your cloud VPN server.

  1. On your Hetzner Cloud console, under your new project, select Create server.

  2. On the Create a server page, select your preferred location, operating system (OS) image, such as Ubuntu 22.04, and server type for your VPN server.

  3. In the Networking section, make sure that Public IPv4 is selected. Optionally, you can choose to enable Private networks and configure the network to allow multiple cloud servers to interact with one another.

  4. If you choose to use SSH key authentication, under SSH keys, select your imported SSH key.

  5. Under Name, enter a custom name for your VPN server.

  6. Double-check all of your settings and click Create & buy now.

Within a few minutes, your cloud server should be deployed and active.

Access your VM instance

Once the cloud server is created, you can connect to it over SSH. Depending on the SSH authentication method you chose, the ways to connect to the VM are slightly different.

  1. Locate the public IP address of your VM. It can be found in the Servers section of your Hetzner Cloud project.

  2. Open PowerShell (on Windows) or Terminal (on macOS and Linux).

  3. Run the ssh -i </path/to/private/key> root@<server> command, where:

    • </path/to/private/key> is the location of your private SSH key file.

    • <server> is the external IP address of your cloud VM.

    Example

      ssh -i C:\Users\secretmeerkat/.ssh/hetzner-vpn root@135.181.201.210

  4. When establishing a connection to the server for the first time, the SSH client asks you to review and confirm the host key's fingerprint. To proceed with the connection, type yes in response to the prompt.

You should now be successfully connected to your cloud VM instance.

Install NordVPN on the VM

To set up NordVPN on your cloud VM, follow these steps:

  1. Download and execute the NordVPN installation script by running this command:

    sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)

  2. Log in to your NordVPN account.

Log in to NordVPN

You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:

  • By running the nordvpn login command with the --token flag

  • By running the nordvpn login command with the --callback flag

Instructions for both methods are outlined below.

Log in using a token

  1. On any device, log in to your Nord Account dashboard and select the Meshnet (by NordVPN) card.

  2. Under Manual setup, select Set up NordVPN manually.

  3. Enter the verification code sent to your email address.

  4. Under Access token, click Generate new token.

  5. In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select Generate token.

  6. Select Copy and close.

  7. On your VM, enter the nordvpn login --token command along with the copied token:

    nordvpn login --token <your_token>

    Example

    nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b

You should now see a welcome message.

Log in using a URL

  1. Run the following command:

    nordvpn login

  2. Open the provided link on any device in your browser.

  3. Complete the login procedure.

  4. Right-click the Continue button and select Copy link address.

  5. Run the following command, replacing <URL> with the previously copied link address:

    nordvpn login --callback "<URL>"

    Example

    nordvpn login --callback "nordvpn://login?action=login&exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&status=done"

You should now see a welcome message.

Tip

To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token command. Otherwise, your token will be revoked.

Note

If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter sudo usermod -aG nordvpn $USER. Then, reboot your instance and log back in.

Enable Meshnet

On your instance, enable Meshnet by typing this command:

nordvpn set meshnet on

To view the Nord name and Meshnet IP address of your instance, enter the following command:

nordvpn meshnet peer list

You will also see all of your Meshnet peer devices with their corresponding permissions.

Grant the traffic routing permission

To begin using the VPN server, you need to grant the traffic routing permission for each peer device that you want to have access to the server. Enable this permission from the server machine using the following command:

nordvpn meshnet peer routing allow <device>

Example

nordvpn meshnet peer routing allow secret.meerkat-everest.nord

For more information, see the Traffic routing permissions page.

Start using your VPN server

To start using your new cloud VM as a VPN server, you need to start routing internet traffic from a client device through the VM.

  1. On your client device, open NordVPN and log in to your account.

  2. Start routing traffic through the linked host device.

For specific instructions, see the Routing traffic in Meshnet article.

Your IP address should now be the same as the virtual machine’s. This way, your real public IP address is protected, and the websites you visit will see the location of your VPN server instead of your actual device.

© 2024 Nord Security. All Rights Reserved.