Secure Access to Your Server Infrastructure with IVPN + WireGuard

Why a VPN for server management?

If you manage servers, you've probably whitelisted your home IP in firewalls, SSH configs, and control panels. That works until it doesn't: your ISP rotates your IP, someone else on your network triggers a block, or you need access from a different location.

A better approach: use a dedicated VPN with a static exit IP as your access point. Whitelist that IP instead of your home IP. You get consistent access from any device, any location, without exposing your infrastructure to the open internet.

Why IVPN?

I recommend IVPN because it aligns with how I think about privacy and infrastructure:

  • Open source - all clients are fully open source and audited
  • No logs - independently verified, not just a marketing claim
  • WireGuard native - no proprietary protocols, no bloated clients
  • No tracking, no ads, no accounts tied to email - you sign up with an account ID, not personal data
  • Based in Gibraltar - outside the EU and US, with strong privacy laws

IVPN is not the cheapest VPN. It's also not trying to be. There are no lifetime deals, no influencer codes, no "500 servers in 90 countries" nonsense. It's a small, focused company that does one thing well.

The setup

The idea is simple:

  1. Generate a WireGuard config from IVPN's website
  2. Import it on your devices (laptop, phone)
  3. Whitelist the IVPN exit IP on your servers
  4. Keep the VPN always-on

From that point on, your servers only accept connections from your VPN exit IP. Your home IP, coffee shop IP, hotel WiFi - none of it matters anymore.

Step 1: Generate the WireGuard config

Log into your IVPN account at ivpn.net/account/wireguard-config and generate a WireGuard configuration. Pick a server location close to your infrastructure for the lowest latency.

Under DNS settings, select AntiTracker with the Oisdbig list. This blocks ads, malware, and trackers at the DNS level without being so aggressive that it breaks legitimate services. Avoid "Hardcore Mode" unless you want Google and Facebook domains completely blocked.

Download the config file or scan the QR code for mobile.

Step 2: Import on Linux

You have two options:

Option A: NetworkManager (KDE/GNOME)

Import the config file through your network settings. On KDE Plasma, go to System Settings > Connections > Add > Import VPN connection. Select the .conf file. Set the MTU to 1280 to avoid issues with fragmentation.

Option B: wg-quick (command line)

Copy the config to /etc/wireguard/ivpn.conf and add MTU = 1280 under the [Interface] section. Then:

sudo wg-quick up ivpn

To start it automatically on boot:

sudo systemctl enable wg-quick@ivpn

Step 3: Import on mobile

Install the WireGuard app (available on Android and iOS). Scan the QR code from the IVPN config page, or import the .conf file directly. Enable the "Always-on VPN" option in your phone's VPN settings.

Step 4: Verify your exit IP

Once connected, verify your public IP:

curl ifconfig.me

This should return the IVPN exit IP, not your home IP. Note this IP down - you'll need it for the next step.

Step 5: Whitelist the exit IP on your servers

Add the IVPN exit IP to your server firewall. How you do this depends on your setup:

CSF (ConfigServer Firewall):

csf -a 1.2.3.4 "IVPN access"

UFW:

sudo ufw allow from 1.2.3.4

iptables:

sudo iptables -A INPUT -s 1.2.3.4 -j ACCEPT

Replace 1.2.3.4 with your actual IVPN exit IP.

If you use a jumphost (which you should), you only need to whitelist the IP on that one server. Everything else is accessed through the jumphost via SSH.
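As an added example (not from the original article), a small POSIX shell helper for Steps 2 and 4 together with the MTU fix from the troubleshooting section: it pins MTU = 1280 inside the [Interface] section of the .conf idempotently and compares the exit IP the internet reports with the IP you put in the firewall rule. The config path, the sample profile and its placeholder keys are constructed assumptions, not a real IVPN profile.

```shell
#!/bin/sh
# Added example (not from the original article): make the IVPN WireGuard
# config ready for wg-quick (MTU = 1280 in [Interface]) and confirm the exit
# IP the internet sees is the one you whitelisted before you rely on it.
# Assumed values: the config at /etc/wireguard/ivpn.conf; the sample config
# below and its placeholder keys are constructed for illustration.
set -eu

# Insert or correct "MTU = <mtu>" directly under the [Interface] header and
# drop any older MTU line in that section. Idempotent: two runs, one line.
set_mtu() {
    conf=$1; mtu=${2:-1280}
    tmp=$(mktemp)
    awk -v mtu="$mtu" '
        /^\[/ { in_iface = ($0 == "[Interface]"); print
                if (in_iface) print "MTU = " mtu; next }
        in_iface && /^[[:space:]]*MTU[[:space:]]*=/ { next }   # old MTU line
        { print }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"      # keeps the file mode (0600): it holds PrivateKey
    rm -f "$tmp"
}

# The exit IP seen by the internet must equal the IP in your firewall rule,
# otherwise the firewall simply drops your SSH connection.
# $2 lets you pass an already observed IP (used for offline tests).
check_exit_ip() {
    expected=$1
    observed=${2:-$(curl -s -4 --max-time 10 https://ifconfig.me)}
    [ "$observed" = "$expected" ]
}

# Constructed sample config (placeholder keys and addresses, not a real profile).
make_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 172.16.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = PLACEHOLDER_ENDPOINT:51820
EOF
}
```

Run `set_mtu /etc/wireguard/ivpn.conf` as root before `wg-quick up ivpn`, then `check_exit_ip <whitelisted IP>` once the tunnel is up.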

Potential issues

Some websites don't work through the VPN

Some services block known VPN IP ranges. Email providers are especially aggressive about this. If a specific site doesn't load, it's likely their firewall blocking the IVPN exit IP, not a problem with your connection.

You can verify by testing the connection directly:

nc -zv -w5 TARGET_IP 443

If it times out, the remote server is dropping your traffic. Most providers don't bother checking individual IPs - they subscribe to public blocklists that flag entire VPN/datacenter ranges. So your first move should be to try a different IVPN server location. A different exit IP might not be on their list yet.

If switching servers isn't an option (or you've already pinned a server for your firewall rules), the alternative is to route that specific IP outside the tunnel:

sudo ip route add TARGET_IP/32 via YOUR_GATEWAY dev wlan0

If you use NetworkManager, you can automate this with a dispatcher script in /etc/NetworkManager/dispatcher.d/.
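The dispatcher script mentioned above, written out as an added example (not code from the original article): it adds the /32 bypass route via the LAN gateway when the WireGuard interface comes up and removes it on down. The interface names, the bypassed host and the file name are hypothetical assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): a NetworkManager dispatcher
# script that routes one host around the IVPN tunnel whenever the WireGuard
# interface comes up, so a site that blocks VPN ranges stays reachable.
# Assumptions (all hypothetical): WireGuard interface "ivpn", LAN uplink
# wlan0, bypassed host 203.0.113.10. Install as
# /etc/NetworkManager/dispatcher.d/50-ivpn-bypass, owned by root, mode 0755.
set -eu

WG_IFACE=${WG_IFACE:-ivpn}
LAN_IFACE=${LAN_IFACE:-wlan0}
BYPASS_HOSTS=${BYPASS_HOSTS:-203.0.113.10}   # space-separated, constructed value
IP=${IP:-ip}                                  # set IP=echo for a dry run

# Gateway of the LAN default route. wg-quick and NetworkManager put the
# tunnel's 0.0.0.0/0 in a separate policy-routing table, so this route is
# still present in the main table while the VPN is up.
lan_gateway() {
    $IP -4 route show dev "$LAN_IFACE" default | awk '{ print $3; exit }'
}

# "replace" rather than "add" keeps the script idempotent across re-runs.
add_bypass() {   # add_bypass HOST GATEWAY
    $IP route replace "$1/32" via "$2" dev "$LAN_IFACE"
}

del_bypass() {   # del_bypass HOST GATEWAY
    $IP route del "$1/32" via "$2" dev "$LAN_IFACE" 2>/dev/null || true
}

# NetworkManager invokes the script as: <script> INTERFACE ACTION
dispatch() {   # dispatch INTERFACE ACTION GATEWAY
    iface=$1; action=$2; gw=$3
    [ "$iface" = "$WG_IFACE" ] || return 0     # other interfaces: nothing to do
    case "$action" in
        up)   for h in $BYPASS_HOSTS; do add_bypass "$h" "$gw"; done ;;
        down) for h in $BYPASS_HOSTS; do del_bypass "$h" "$gw"; done ;;
    esac
}

if [ $# -eq 2 ]; then                          # only when called by NetworkManager
    gw=$(lan_gateway)
    [ -n "$gw" ] || { logger -t ivpn-bypass "no default gateway on $LAN_IFACE"; exit 0; }
    dispatch "$1" "$2" "$gw"
fi
```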

MTU issues

If HTTPS connections hang but DNS works fine, you likely have an MTU problem. WireGuard encapsulation adds overhead, and large TLS handshake packets can get silently dropped. Set MTU = 1280 in your WireGuard config. This is the safe minimum for IPv6 and works everywhere.

DNS blocklist too aggressive

If you use self-hosted analytics (like Umami) or other legitimate services that get caught by DNS blocklists, try a less aggressive list. Oisdbig is a good balance. Lists like Hagezipro can block self-hosted analytics endpoints.

The result

With this setup you get:

  • Consistent access from any network, any location
  • A single IP to whitelist instead of chasing dynamic home IPs
  • Encrypted tunnel for all server management traffic
  • Ad and tracker blocking at the DNS level
  • No dependency on proprietary VPN clients - just WireGuard

Your home network stays separate from your infrastructure. Your kids, your IoT devices, your smart TV - none of them share an IP with your server access. That's how it should be.
