Is self-hosting a private proxy not recommended under a high-risk threat model?

I’m planning to spend an extended period in a country where VPN and Tor connections are often blocked or disrupted, and I’d like a more resilient backup solution. Specifically, I’m considering self-hosting tools like V2Ray or Hysteria2 on my own VPS so that if my commercial VPN or Tor circuits fail, I can still reach the open internet.

However, I’ve noticed that most privacy communities strongly recommend using reputable, third-party VPN providers or the official Tor network—and generally advise against self-hosting your own proxy or tunnel endpoint. While I run several websites and have a solid grasp of server management and basic security practices, I’ve never operated under a censorship-intense, high-risk threat model like this before.

Under a high-risk, connectivity-constrained threat model, is self-hosting a proxy/tunnel (e.g. V2Ray, Hysteria2) a bad idea because of extra risks, or is it a viable, resilient fallback if I harden and carefully set up my VPS?

I’m planning to spend an extended period in a country where VPN and Tor connections are often blocked or disrupted

Tor is blocked pretty aggressively here too, but obfs4 bridges still tend to work. In an extreme case, obfs4 with iat-mode set to 2 is more likely to work, or you can self-host your bridge so it doesn’t get enumerated. I say this because bridges are easier to use. You might want to look into a tool similar to GoodbyeDPI (Windows) or zapret (multi-platform).

Is bypassing the internet restrictions illegal, or just difficult? (Probably no need to answer this publicly, just consider.)

Under a high-risk, connectivity-constrained threat model, is self-hosting a proxy/tunnel (e.g. V2Ray, Hysteria2) a bad idea because of extra risks, or is it a viable, resilient fallback if I harden and carefully set up my VPS?

Are you also worried about surveillance from this hostile country, or from a global adversary? Or are you just worried about censorship evasion being detected?

If you’re worried about surveillance: if the VPS company or the physical location of the VPS is in a country that is “hostile” to your intentions, then it could monitor your traffic flows just like it would a VPN to de-anonymize your activity, or even covertly send disk/RAM images to the police. They don’t need to “hack” it, just force the VPS provider to monitor traffic or provide disk images.

If you’re using VPS to Tor, or if you use a VPS that’s outside of your adversary’s jurisdiction, then this is less of an issue.

Outside of government-level threats, self-hosting a well-updated VPS or dedicated server and using that as a VPN is rather low-risk, and in many cases better than using a commercial VPN.

3 Likes

Thanks for all the great pointers so far.

Tor is blocked pretty aggressively here too, but obfs4 bridges still tend to work. In an extreme case, obfs4 with iat-mode set to 2 is more likely to work, or you can self-host your bridge so it doesn’t get enumerated. I say this because bridges are easier to use. Also, you might want to look into a tool similar to GoodbyeDPI (Windows) or zapret (multi-platform).

I didn’t even know there was an iat-mode=2 until now; everything I’d ever pulled from the official Tor Project website downloads only provided modes 0 and 1. I guess self-hosting my own mode=2 obfs4 bridge is the way to go.

Another thing I’ve noticed here is that most public Tor exits and even many commercial VPN exit IPs are on the blacklist of the services I use for work and personal use. To address that, I’m looking into leasing a static IP from a trusted ISP in my country and pointing it at my self-hosted VPS. That way, I can white-list the outgoing IP once and not worry about service disruptions.

Is bypassing the internet restrictions illegal, or just difficult?

I’m not familiar with the law, but from what I’ve read, bypassing network restrictions isn’t illegal and it’s just difficult in most cases.

Though I did find a handful of news reports of arrests where authorities applied some vague cybercrime statutes. In short, it seems more of a gray area than an outright ban, but definitely something to keep an eye on.

Are you also worried about surveillance from this hostile country, or from a global adversary? Or are you just worried about censorship evasion being detected?

I’m worried that if that country detects my evasion tools, they’ll block my connections and cut me off from my country’s services. I’ve heard that around major national events they shut down popular VPN and proxy services and keep them blocked until the end of those events.
That is why I need a solution that lets me stay reliably connected to my country even in those situations.

The problem with a private VPN server, proxy or Tor bridge is that traffic correlation becomes trivial as you are the only user connected to the node.
If your goal is just to bypass censorship then it is not a problem at all. If your goal is to hide your internet activity, you’d better connect to Tor or a popular VPN service after your private proxy.

1 Like
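
The correlation point in the reply above can be made concrete with a toy model. This is an added example, not part of the thread: the `Flow` record, the one-second window, the 10% size tolerance and all sample flows are constructed assumptions. It computes, for each flow leaving a proxy, the set of clients whose inbound flow fits it in time and volume; with a single-user proxy that set always has size one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    endpoint: str   # client on the ingress side, destination on the egress side
    start: float    # flow start time in seconds
    nbytes: int     # bytes carried by the flow

def candidates(egress, ingress, window=1.0, size_tol=0.10):
    """Clients whose inbound flow started shortly before the outbound flow
    and carried a similar volume (the timing/volume fit an observer of both
    sides of the proxy would look for)."""
    return {
        f.endpoint for f in ingress
        if 0 <= egress.start - f.start <= window
        and abs(f.nbytes - egress.nbytes) <= size_tol * egress.nbytes
    }

def anonymity_sets(ingress, egress, **kw):
    """Map each outbound destination to the set of plausible source clients."""
    return {e.endpoint: candidates(e, ingress, **kw) for e in egress}

# Constructed sample data: what leaves the proxy toward two destinations.
EGRESS = [
    Flow("site-1.example", 10.35, 51_000),
    Flow("site-2.example", 42.80, 10_000),
]

# Private proxy: one client is the only source of inbound traffic.
PRIVATE_INGRESS = [
    Flow("client-A", 10.00, 52_000),
    Flow("client-A", 42.50, 9_800),
]

# Shared service: other users' flows overlap in time and size.
SHARED_INGRESS = PRIVATE_INGRESS + [
    Flow("client-B", 10.20, 50_500),
    Flow("client-C", 9.90, 54_000),
    Flow("client-D", 42.10, 10_100),
]

if __name__ == "__main__":
    for label, ingress in (("private", PRIVATE_INGRESS), ("shared", SHARED_INGRESS)):
        for dest, who in anonymity_sets(ingress, EGRESS).items():
            print(f"{label:8} {dest:16} candidates={sorted(who)}")
```

On a private node the ambiguity never rises above one client regardless of thresholds, which is why the reply suggests chaining to Tor or a popular VPN after the private proxy when hiding activity, not just reaching the network, is the goal.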

I used to do this with my VPS, but I found that some sites (including, e.g., Craigslist) blocked me because my (that is, the proxy’s) IPv4 address was “in a bad neighborhood”. This is one aspect of the “safety in numbers” property of mass consumer VPNs. Most of the problem went away when I forced the proxy to connect with IPv6, but then not all websites are reachable over IPv6.