The three questions
- What's the leak? Self-hosting reduces leakage of your real IP, your usage patterns, your view-key (if applicable), and your exposure to any operator-side audit cooperation. It does nothing about the content of what you do, or about an adversary who's already on your device.
- What's the downtime cost? A self-hosted Monero node going down means your wallet syncs slowly until you fix it. A self-hosted email server going down means email vanishes for days while you debug. Different categories have different recovery profiles.
- How much ongoing work? Self-hosting is not a one-time install. It's patch cycles, monitoring, backups, capacity planning, and on-call response when something breaks at 3am. Be honest about whether you'll actually do it.
By category — self-host scoring
Each item: privacy gain from self-hosting vs operational cost. The right move is where the gain is high and the cost is low for your situation.
- Monero node. Gain: medium-high (no operator sees your subaddress scans). Cost: low after initial sync. Self-host if you can — see /guides/run-a-monero-node.
- Bitcoin node. Gain: medium (electrum-server bundle helps wallet privacy + verifies inflation). Cost: medium (250GB+ disk, more bandwidth than XMR). Worth it if you hold significant BTC.
- Email server. Gain: low (your provider sees content anyway, and deliverability requires inbound TLS + sender reputation). Cost: very high (spam, IP reputation, multi-protocol stack). Don't. Use Tuta / Proton.
- VPN. Gain: low for most threat models (you become the only user from your VPN IP, the opposite of crowd cover). Cost: medium (WireGuard + IP rotation + monitoring). Self-hosting a VPN often makes privacy worse, not better.
- Tor relay. Gain: indirect (contributes to network health, doesn't directly improve your privacy). Cost: low for a non-exit relay. Run one if you can spare bandwidth; not for your own privacy.
- Web service. Gain: high (no third-party operator at all). Cost: high (TLS, deployment, monitoring, backups). Self-host if it's content you control or if running a Tor hidden service — see /guides/host-a-tor-hidden-service.
- Password manager. Gain: high (vault never leaves you). Cost: medium (Bitwarden self-host + sync). Worth it if your threat model includes service-provider compromise.
- Search engine. Gain: medium (SearXNG self-host hides query patterns from your local SearXNG instance's operator). Cost: low (Docker image). Worth it if you have a server already running; otherwise a vetted public SearXNG is fine.
The middle path — vetted third-party
For most users in most categories, the right answer is neither "self-host" nor "use whatever's marketed." It's: pick a vetted third party with a good track record + privacy-respecting payment + a reasonable jurisdiction. That's the xmr.club rubric in one sentence; the entire directory is the answer to this question repeated 150+ times.
- For wallets: a non-custodial wallet you control + a remote node you've vetted. Not your own node, not someone else's wallet.
- For email: a no-KYC provider with at-rest encryption + cash/crypto payment. Not Gmail, not your own SMTP server.
- For VPN: a no-KYC operator with a published audit + diskless infrastructure. Not Hola, not your own WireGuard endpoint.
When to actually self-host
- You have operational reasons beyond privacy — control, customization, capacity planning, learning, contribution to the network (Tor relay, Monero node).
- Your threat model includes the service provider being compromised or compelled. Then taking them out of the chain matters.
- You can actually maintain it. Backups, patches, monitoring. Not "I'll set it up once and hope for the best."
- The downtime cost is acceptable. If you can't afford this service to be unreachable for a week while you debug, self-hosting is risky.
When NOT to self-host
- You're doing it because someone told you to. Bad reason. The threat model has to be yours.
- You think it'll be cheaper. Almost never. Time + electricity + bandwidth + opportunity cost dwarf a paid privacy-respecting service.
- You want stronger privacy on a service the operator doesn't see anyway. Self-hosting your password vault makes sense; self-hosting your VPN almost never does.
- You're not technical enough yet. Mistakes in a self-hosted privacy stack create worse leaks than the default. Pick the vetted third-party path until you've leveled up.
Hybrid is fine
Most experienced users run a hybrid stack: they self-host a Monero node, a password manager, and a web service, and trust a vetted third party for email, VPN, and swap engine. Use cash for the categories that matter most. Mix per category, not per ideology.