Reading time: ~14 minutes
Audience: Homelab and self-hosting enthusiasts
What Is a VPS for Docker Containers?
Overview
A Virtual Private Server (VPS) is a rented virtual machine hosted in a data center. When you run Docker containers on a VPS, you create a hybrid homelab architecture: your local server handles storage, media, and sensitive workloads, while the VPS handles public-facing services, offsite backups, or geo-distributed hosting. This gives you a public IP, DDoS protection, and 24/7 uptime without exposing your home network directly.
Why Combine a VPS with a Homelab?
Most residential ISPs do not offer static IPs, and many block common ports (25, 80, 443). A VPS bypasses these limitations. You can host a public-facing website, a reverse proxy, a VPN gateway, or a monitoring beacon on the VPS while keeping personal data on your local NAS. The two environments communicate via VPN mesh (WireGuard, Tailscale) or SSH tunnels, forming a unified logical network.
Why Use a VPS for Docker in Your Homelab?
Public IP and Port Availability
Data centers provide static or stable IPs with all ports open. You can run an SMTP relay, a public-facing web server, or a game server without fighting CGNAT or ISP firewalls. Docker containers on the VPS behave as if they are on the open internet.
Geographic Diversity and Latency
Hosting a VPS in a different region — or multiple regions — lets you serve content closer to your users. If your homelab is in Singapore, a VPS in Frankfurt or New York can act as a CDN edge or a failover endpoint. Docker makes this portable: the same Compose file runs on any VPS.
Backup and Redundancy
A VPS is an ideal offsite backup target. You can run a MinIO container, a restic server, or a BorgBackup repository on the VPS and schedule nightly backups from your homelab. If your house loses power or internet, your backups are still accessible from anywhere.
Installation
Prerequisites
- A VPS with at least 2 vCPUs, 2 GB RAM, and 20 GB SSD (4 GB+ RAM recommended)
- Ubuntu 22.04/24.04 LTS or Debian 12
- SSH key-based access (disable password auth)
- A domain name (optional but recommended for HTTPS)
- A firewall policy (UFW or cloud-provider firewall)
Method 1: Standard Docker Installation on a VPS
Update the system and install Docker:
```bash
# Update packages
sudo apt update && sudo apt upgrade -y

# Install prerequisites
sudo apt install -y ca-certificates curl gnupg lsb-release

# Add Docker's official GPG key
# (on Debian 12, replace "ubuntu" with "debian" in both download.docker.com URLs)
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
  sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

# Set up the repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install Docker Engine
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin

# Add your user to the docker group
# (docker group membership is root-equivalent on this host)
sudo usermod -aG docker $USER
newgrp docker
```
Verify:
```bash
docker --version
docker compose version
```
Method 2: Hardened Docker Compose Environment
For a VPS that will run multiple public services, create a dedicated project directory and deploy everything via Compose.
```bash
# Create a project directory
mkdir -p ~/homelab && cd ~/homelab

# Create a .env file for secrets, readable only by your user
# (Never commit .env to Git)
touch .env && chmod 600 .env
```

```yaml
# docker-compose.yml example
version: "3.8"

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # :ro only protects the socket file itself; the Docker API stays fully usable through it
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik:/etc/traefik
    command:
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.email=your-email@example.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme.json"

  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.yourdomain.com`)"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"

  watchtower:
    image: containrrr/watchtower
    volumes:
      # Watchtower needs write access to the Docker API to replace containers
      - /var/run/docker.sock:/var/run/docker.sock
    command: --interval 3600
```
Deploy:
```bash
docker compose up -d
```
Basic Setup and Configuration
Step 1: Harden the VPS
Before running any containers, lock down the host:
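```bash
# Disable root login and password auth
# (matches each directive whether it is commented out or set to another value)
sudo sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Check syntax and the effective values before restarting
# (drop-in files in /etc/ssh/sshd_config.d/ can override the main file)
sudo sshd -t && sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication) '
# The unit is named ssh on Debian and Ubuntu
sudo systemctl restart ssh

# Enable UFW
# Note: ports published by Docker (-p / ports:) are opened by Docker's own
# iptables rules and are not filtered by these UFW rules
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
```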
Step 2: Configure Docker for Production
Create /etc/docker/daemon.json to harden the Docker daemon:
```json
{
  "live-restore": true,
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "no-new-privileges": true
}
```
Restart Docker:
```bash
sudo systemctl restart docker
```
Step 3: Connect the VPS to Your Homelab
Use WireGuard or Tailscale to create a secure tunnel between the VPS and your home server.
WireGuard example on the VPS:
```bash
sudo apt install -y wireguard
# Keep the private key readable only by its owner
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
```
Create /etc/wireguard/wg0.conf:
```ini
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <vps-private-key>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Home server
PublicKey = <home-public-key>
AllowedIPs = 10.200.200.2/32
```
Start the tunnel:
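```bash
# Allow the WireGuard listen port through UFW (Step 1 denies it by default)
sudo ufw allow 51820/udp
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
```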
Advanced Features
Multi-Region VPS Swarm
For advanced users, you can form a Docker Swarm across multiple VPS providers, with one manager node in your homelab and worker nodes in the cloud, so that services are scheduled across regions. Be aware of latency: Swarm overlay networks (VXLAN) require low latency to avoid consensus issues.
Automatic HTTPS with Let’s Encrypt
The Traefik Compose example above includes a Let’s Encrypt resolver. Any container labeled with traefik.http.routers.*.tls.certresolver=letsencrypt automatically receives a valid certificate. No manual certbot required.
Log Aggregation to Your Homelab
Send container logs from the VPS to your local Loki or ELK stack via a WireGuard tunnel. This keeps sensitive log data on your own hardware while the VPS only runs the public services.
```yaml
# In a service's Compose definition
logging:
  driver: syslog
  options:
    # This address must fall inside a peer's AllowedIPs in wg0.conf
    syslog-address: "udp://10.200.200.10:514"
    tag: "{{.Name}}"
```
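WireGuard only sends a packet into the tunnel if its destination matches some peer's AllowedIPs, so the syslog target has to be covered by the wg0.conf from Step 3. The check below is an added example, not part of the original guide; the function names are hypothetical and the sample is this page's config with its placeholder keys.

```python
import ipaddress

# Constructed sample: the wg0.conf from this page, with placeholder keys.
WG_CONF = """\
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = <vps-private-key>

[Peer]
# Home server
PublicKey = <home-public-key>
AllowedIPs = 10.200.200.2/32
"""

def parse_peers(conf_text):
    """Return one dict per [Peer] section (the section may repeat)."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return peers

def peer_for(conf_text, dest_ip):
    """PublicKey of the peer whose AllowedIPs covers dest_ip (most specific wins), else None."""
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for peer in parse_peers(conf_text):
        for cidr in filter(None, (c.strip() for c in peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if dest.version == net.version and dest in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, peer.get("publickey"))
    return best[1] if best else None
```

With the config as shown in Step 3, `peer_for(WG_CONF, "10.200.200.10")` returns `None`: the log host needs its own peer entry, or its address added to the home server's AllowedIPs.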
Integrating with Your Homelab
Reverse Proxy as a Gateway
Use the VPS as the public-facing reverse proxy. It terminates TLS, handles DDoS, and routes traffic to your home services via the WireGuard tunnel. Your home IP is never exposed.
Offsite Backup Target
Run a MinIO container on the VPS:
```bash
docker run -d \
  -p 9000:9000 -p 9001:9001 \
  --name minio \
  -e "MINIO_ROOT_USER=admin" \
  -e "MINIO_ROOT_PASSWORD=strong-password" \
  -v minio-data:/data \
  quay.io/minio/minio server /data --console-address ":9001"
```
Point your local restic or rclone backup job to this MinIO endpoint.
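Docker publishes ports through its own iptables rules, so a mapping such as `-p 9000:9000` is reachable from the internet even with the UFW default-deny policy from Step 1. The audit below is an added example, not part of the original guide: it reads `docker ps` output and lists ports published on all interfaces that are not in the set you meant to make public. The sample output, the `backup-ui` container and the function name are constructed for illustration.

```python
import re

# Constructed sample of: docker ps --format '{{.Names}}\t{{.Ports}}'
PS_OUTPUT = (
    "traefik\t0.0.0.0:80->80/tcp, [::]:80->80/tcp, 0.0.0.0:443->443/tcp, [::]:443->443/tcp\n"
    "minio\t0.0.0.0:9000-9001->9000-9001/tcp, :::9000-9001->9000-9001/tcp\n"
    "whoami\t80/tcp\n"
    "backup-ui\t10.200.200.1:8080->8080/tcp\n"
)

# Host addresses that mean "every interface" (both IPv6 spellings docker ps uses)
WILDCARDS = {"0.0.0.0", "::", "[::]"}
BINDING = re.compile(r"^(?P<ip>.+):(?P<ports>\d+(?:-\d+)?)->\S+/(?P<proto>\w+)$")

def public_ports(ps_output, intended=frozenset({80, 443})):
    """Return sorted (container, port, proto) tuples published on all
    interfaces but absent from the set of ports meant to be public."""
    found = set()
    for line in ps_output.splitlines():
        name, _, ports = line.partition("\t")
        for entry in filter(None, (e.strip() for e in ports.split(","))):
            m = BINDING.match(entry)
            if not m or m["ip"] not in WILDCARDS:
                continue  # exposed-only port, or bound to a specific address
            lo, _, hi = m["ports"].partition("-")
            for port in range(int(lo), int(hi or lo) + 1):
                if port not in intended:
                    found.add((name, port, m["proto"]))
    return sorted(found)
```

On the sample, only MinIO's 9000 and 9001 are reported. Publishing as `-p 10.200.200.1:9000:9000` binds the port to the WireGuard address only, which takes it out of this report.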
Alternatives to Consider
Hetzner Cloud vs DigitalOcean vs Linode
| Provider | Strength | Best For | Price (2 vCPU, 4 GB) |
|---|---|---|---|
| Hetzner Cloud | Low cost, high performance | Budget homelabbers | ~€4.51/mo |
| DigitalOcean | Simple UI, excellent docs | Beginners | ~$24/mo |
| Linode (Akamai) | Good support, broad regions | Multi-region hosting | ~$24/mo |
| Vultr | Custom ISOs, bare metal | OS tinkerers | ~$20/mo |
| AWS Lightsail | AWS ecosystem integration | Enterprise users | ~$24/mo |
Dedicated Server vs VPS
If you need more CPU or RAM than a VPS provides, consider a dedicated server (Hetzner AX42, OVH Advance). You get the full machine, no noisy neighbors. The tradeoff is higher cost and responsibility for hardware issues.
Frequently Asked Questions
Is it safe to expose Docker API on a VPS?
Never expose the Docker TCP socket (2375 or 2376) without TLS client authentication. Prefer using SSH or a local socket mounted into a management container (Portainer, Traefik). If you must expose the API, use dockerd with TLS verification.
How do I keep containers updated on the VPS?
Use Watchtower (included in the Compose example) or Renovate Bot to monitor image updates. For critical services, pin image digests (image:tag@sha256:...) and test updates in a staging container before deploying to production.
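The two answers above (Docker API access and digest pinning) can be checked mechanically against a Compose project. This is an added example, not part of the original guide: it assumes the normalized JSON that `docker compose config --format json` prints, with volumes in long form, and the sample is a constructed, trimmed version of that output for services like the ones in the Compose file above.

```python
import json

# Constructed sample: trimmed `docker compose config --format json` output.
CONFIG = json.loads("""
{"services": {
  "traefik": {"image": "traefik:v3.0", "volumes": [
    {"type": "bind", "source": "/var/run/docker.sock",
     "target": "/var/run/docker.sock", "read_only": true}]},
  "whoami": {"image": "traefik/whoami"},
  "watchtower": {"image": "containrrr/watchtower", "volumes": [
    {"type": "bind", "source": "/var/run/docker.sock",
     "target": "/var/run/docker.sock"}]}
}}
""")

def audit(config):
    """Return (service, finding, detail) tuples for images without a digest
    and for services that mount the Docker socket."""
    findings = []
    for name, svc in sorted(config.get("services", {}).items()):
        image = svc.get("image", "")
        if "@sha256:" not in image:
            # A missing tag means Docker pulls "latest"
            tag = image.rsplit("/", 1)[-1].partition(":")[2] or "latest"
            findings.append((name, "unpinned-image", f"{image} (tag {tag}, no digest)"))
        for vol in svc.get("volumes", []):
            if vol.get("source", "").endswith("docker.sock"):
                # "ro" protects the socket file only; API calls still go through
                mode = "ro" if vol.get("read_only") else "rw"
                findings.append((name, "docker-socket", mode))
    return findings
```

Every service with a `docker-socket` finding can control the Docker daemon, so those are the images most worth pinning by digest and updating deliberately.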
Can I run a VPS completely for free?
Oracle Cloud Free Tier and some student programs offer limited free VPS instances. However, they come with bandwidth caps, weaker support, and the risk of policy changes. For a reliable homelab, budget $5–$20/month.
What about IPv6?
Most VPS providers now offer IPv6. Configure your Docker daemon to support IPv6 by adding "ipv6": true and "fixed-cidr-v6": "2001:db8:1::/64" to daemon.json, replacing the example prefix (2001:db8::/32 is reserved for documentation) with one routed to your VPS. Ensure your firewall rules cover both IPv4 and IPv6.
Conclusion
Summary
A VPS extends your homelab into the cloud, solving public IP, port blocking, and offsite backup challenges. Docker makes the workload portable: the same Compose file runs at home and in the cloud. With WireGuard, the two environments merge into a single secure network. For less than the cost of a streaming subscription, you gain a global, always-on infrastructure presence.
Next Steps
- Deploy a VPS with Docker and Traefik
- Set up WireGuard between your home and the VPS
- Migrate a public-facing service from your home to the VPS
- Configure automated backups from home to the VPS MinIO instance