Sell VPN access on your own terms.

What you'll need

• A Linux host with a public IPv4. A $5/mo VPS works fine — Hetzner, OVH, BuyVM, FranTech, anywhere that doesn't prohibit VPN services in their TOS.
• Root access. The node needs network-admin capabilities to set up WireGuard peers on the fly.
• Docker + Docker Compose (the Quick Start uses Compose). Native systemd works too if you prefer.
• For Lightning: a self-hosted Lightning backend (phoenixd is the easiest; LND or CLN via LNbits also work). For ecash: a Cashu mint URL plus the operator keypair the bootstrap script generates for you.
• About ten minutes for first-time setup, plus however long your Lightning channels take to balance.

Quick start

From a fresh Linux box:

# 1. Install host deps.
sudo apt install wireguard-tools docker.io docker-compose-plugin

# 2. Clone the reference workspace.
git clone https://github.com/WesternBTC/westernbtc-monorepo
cd westernbtc-monorepo/services/europa-node

# 3. Bootstrap — generates the operator keypair, WireGuard keys,
#    ecash signing key, and seeds ./config/config.toml from prompts.
./scripts/bootstrap.sh

# 4. Configure the host's WireGuard interface (one-time, ~30 sec).
sudo install -m 600 ./secrets/wg-server.key /etc/wireguard/server.key
sudo tee /etc/wireguard/wg0.conf <<'WGCONF'
[Interface]
PrivateKey = $(cat /etc/wireguard/server.key)
Address = 10.42.0.1/24
ListenPort = 51820
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
WGCONF
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-wg.conf
sudo sysctl -p /etc/sysctl.d/99-wg.conf
sudo systemctl enable --now wg-quick@wg0

# 5. Bring up the node + Caddy (auto-renewing TLS).
docker compose up -d

# 6. Watch the logs.
docker compose logs -f europa-node

About thirty seconds after step 5 you should see event=listing-published in the logs and your node appear in the directory.

Don't forget the DNS A record for the hostname you used in step 3, and open UDP 51820 + TCP 80/443 in your firewall.

Configure your service

Everything you tune lives in one TOML file — the bootstrap script wrote it to ./config/config.toml. The fields you'll touch most:

• Prices. [[listing.prices]] blocks — one per tier. Units: hour, day, week, month, GiB, TiB. Currency usually sat.
• Lightning backend. [lightning] — flip enabled = true, set backend = "phoenixd", then base_url + api_token. Until this is enabled the listing advertises Lightning but refuses invoices — leave it off until your backend is actually wired up.
• Ecash issuer. [cashu] — same shape: a mint URL and the signing key the bootstrap script generated (./secrets/cashu-p2pk.key). Derive the matching public key once (the script prints the one-liner) and add a [[listing.payment_methods]] entry of type cashu.
• Location. [listing.region] — ISO country, sub-region, and an approximate-location string. The directory plots that string on the world map. Choose precision deliberately: coarser hides the datacenter, finer reassures buyers you're actually in the city you say you are.
• Policies. Short tags like no-logs, no-torrents, dmca-respond — plus an optional URL pointing to a longer prose policy. Buyers filter on these.

After editing the config: docker compose restart europa-node. The node republishes its listing within a few seconds.

Pricing strategy

There's no central pricing authority — you set yours, the market decides whether to buy. A few notes:

• Look at what live operators charge in the directory and price accordingly. The cheapest sort is a race to the bottom; the most recommended sort rewards reputation. Pick which lane you're playing in.
• Price the legal risk of your jurisdiction into your number. Permissive countries (DMCA-respond, no compelled-decrypt laws) let you run wide-open at a competitive rate. Strict jurisdictions: charge more for the risk you're absorbing, and declare your policies up front.
• Time-bundled tiers (hour, day, week) reward stickiness. Data-bundled (GiB, TiB) reward casual buyers. Most operators publish at least one of each.
• Lightning fees on the operator side matter at micro-payment scale. Phoenixd's liquidity-management fee is typically sub-1% on the size of payment you'll see; LND and CLN have their own routing-fee curves.

Legal & reputation

Running an exit VPN means traffic from anyone you serve appears to come from your IP. That's real exposure: DMCA notices, abuse reports from ISPs, possible law-enforcement requests in your jurisdiction. The marketplace doesn't insulate you. Handle it through:

• Jurisdiction choice. Iceland, Switzerland, Romania, Panama have stronger protections for VPN operators. Mainland US, UK, EU have weaker ones. Pick deliberately — the cost shows up in your pricing.
• Logging policy. “No logs” is a marketing claim until you make it real. The reference daemon defaults to operational-only logs (start, stop, errors) with no per-connection traces.
• Pseudonymity. Use a fresh operator account for the node — don't mix it with personal accounts you use elsewhere. The bootstrap script gives you one; don't bind it to any identifying information you don't want associated with the service.
• Reputation. Longevity matters. Buyers who had a good experience can recommend you, and those recommendations follow your operator account around. The longer you deliver reliably under one account, the more your listing accrues recommendations. Rotating the account resets all of it.

Going deeper

Everything above is the smooth path. For the complete server-side spec — every endpoint, every config field, what the daemon promises about logging, how OpenVPN integration works — see the operator spec in the repo:

• services/europa-node/docs/spec.md — server-side reference (CC0).
• docs/architecture/vpn-marketplace/spec.md — cross-workspace protocol spec (CC0).
• services/europa-node/README.md — module-by-module breakdown of the reference daemon.
• config.example.toml — every operator-tunable field, with comments.