VPS Network Optimization Guide: Step-by-Step Network Tuning After Purchase
Time : 2026-06-15 15:29:38
Edit : Jtti

A VPS can be used to build websites, run applications, support cross-border business operations and more. After novice users purchase a new VPS, how do they get the server connected to the internet properly, and what are the step-by-step procedures for configuring stable network connectivity? Below we walk through the complete VPS launch workflow: purchasing recommendations, initial remote connection, network configuration, security hardening and performance tuning. Whether you intend to host websites, deploy proxy services or build a remote development environment, this guide will help you get up and running quickly.

Before diving into internet connectivity setup, let's briefly review core VPS purchasing criteria, as different hardware and network configurations directly determine subsequent network performance.

If your primary audience accesses the VPS from mainland China, transit line quality matters far more than CPU core count or RAM capacity. Recommended premium lines include CN2 GIA (China Telecom optimized dedicated line), CMI (China Mobile International) and CU 9929 / AS9929 (China Unicom). These links maintain low packet loss and stable latency during evening peak hours. General BGP multi-line networks often suffer severe packet loss at peak times, frequently dropping SSH sessions. Preferred datacenter locations: US West Coast (Los Angeles, San Jose), Tokyo (Japan), Singapore, and Hong Kong (note that Hong Kong plans usually come with limited bandwidth).

Shared bandwidth generally suffices for light workloads, but dedicated or high-bandwidth VPS plans are recommended if you need to transfer massive volumes of data. Estimate monthly traffic based on your use case: a few hundred gigabytes per month is enough for website hosting, while video relay or large-scale data migration may require a monthly transfer allowance of 1 TB or more.

Recommended operating systems: Ubuntu 22.04 / 24.04 LTS. These distributions feature extensive documentation, an active developer community, and native compatibility with most network optimization scripts. CentOS / Rocky Linux deliver outstanding stability yet require the EPEL repository for many modern software packages. Debian is another lightweight, reliable alternative. Absolute beginners are advised to choose Ubuntu 22.04 for minimal maintenance overhead.

Nearly all VPS instances are managed remotely via SSH (Secure Shell Protocol). You only need a terminal client: Windows users may use PowerShell, Windows Terminal or PuTTY; macOS and Linux users can utilize the built-in native terminal.

After purchasing a VPS, providers will send credentials via email or display them within the client control panel, including:

- Public IPv4 address

- SSH port (default: 22)

- Login username (typically `root`, or distribution-specific accounts such as `ubuntu`)

- Login password or private key file

Password-Based SSH Login

```bash
ssh root@YOUR_VPS_IP -p 22
```

Enter your password to establish the connection. For security, change the root password immediately after the first login.

Key-Based SSH Login (Strongly Recommended)

Generate an SSH key pair locally if you do not already have one:

```bash
ssh-keygen -t ed25519 -C "your-email@example.com"
```

Upload your public key to the VPS:

```bash
ssh-copy-id root@YOUR_VPS_IP
```

Alternatively, manually append the public key content to `~/.ssh/authorized_keys`. Subsequent logins will not require password entry and offer superior security.

By default, newly provisioned VPS instances are preconfigured with a public IP and default routing table, granting immediate internet access. Nevertheless, you should inspect and optimize the following network components.

Verify Basic Network Connectivity

After logging into the VPS, execute the following commands to test connectivity:

```bash
ping -c 4 8.8.8.8
ping -c 4 google.com
```

If the IP address responds to pings but domain names do not resolve, your DNS configuration is faulty. Successful pings to both IPs and domains confirm functional base networking.

Many VPS providers ship with slow or censored default DNS resolvers. Switch to public DNS servers for improved stability.

Edit `/etc/resolv.conf` (netplan or systemd-resolved configuration is required on newer distributions):

```
nameserver 1.1.1.1
nameserver 8.8.8.8
```

For Ubuntu 18.04+ systems utilizing netplan:

```bash
sudo nano /etc/netplan/01-netcfg.yaml
```

Add the DNS block under your target network interface:

```yaml
nameservers:
  addresses: [1.1.1.1, 8.8.8.8]
```

Apply the new configuration:

```bash
sudo netplan apply
```

Configure Hostname and Hosts File

Set a descriptive hostname for easier server administration:

```bash
sudo hostnamectl set-hostname my-vps
```

A VPS exposed directly to the public internet is subject to constant port scanning and brute-force attacks. Always deploy a firewall and open only the ports your workloads require.

Firewall Configuration with UFW (Recommended for Ubuntu)

Install UFW:

```bash
sudo apt update && sudo apt install ufw -y
```

Set default policies: block all inbound traffic, allow all outbound traffic:

```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
```

Permit SSH access (execute this step first to avoid locking yourself out):

```bash
sudo ufw allow 22/tcp
```

Open HTTP and HTTPS ports if you plan to host websites later:

```bash
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```

Activate the firewall and review rules:

```bash
sudo ufw enable
sudo ufw status verbose
```

iptables (Low-Level Alternative for Advanced Users)

Direct iptables manipulation enables granular traffic control, though UFW meets most routine operational requirements.

Security Note: If you modify the default SSH port (e.g., to 2222), remember to whitelist the new port in the firewall. Keep port 22 open temporarily until you confirm successful login via the custom port.

Even with premium transit lines, stock Linux kernel parameters rarely deliver optimal TCP throughput. The following adjustments drastically boost transmission speed and connection stability.

Enable BBR (Bottleneck Bandwidth and RTT)

BBR is a TCP congestion control algorithm developed by Google, designed to maximize throughput over high-latency, packet-loss-prone international networks. Enabling BBR is highly recommended.

```bash
# Verify kernel BBR module support
modprobe tcp_bbr
echo "tcp_bbr" | sudo tee -a /etc/modules-load.d/modules.conf

# Inject BBR kernel parameters
cat >> /etc/sysctl.conf << EOF
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
EOF

# Load updated sysctl values
sysctl -p

# Confirm BBR activation
sysctl net.ipv4.tcp_congestion_control
# Expected output: net.ipv4.tcp_congestion_control = bbr
```

Optimize Core TCP Kernel Parameters

Append the following settings to `/etc/sysctl.conf` or `/etc/sysctl.d/99-custom.conf`:

```ini
# Expand network buffer memory limits
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 4096 87380 134217728
net.ipv4.tcp_wmem = 4096 65536 134217728

# Enable TCP timestamps and selective ACK
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1

# Reduce lingering TIME_WAIT connections
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30

# Expand connection tracking table capacity to prevent packet loss
net.netfilter.nf_conntrack_max = 655360
```

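Run `sysctl -p` to apply all modified kernel settings. Plain `sysctl -p` reads only `/etc/sysctl.conf`; if you placed the settings in `/etc/sysctl.d/99-custom.conf`, run `sysctl --system` instead.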
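A setting written to the file is not necessarily live: `net.netfilter.nf_conntrack_max` does not exist until the `nf_conntrack` module is loaded, so applying it can fail while the other lines succeed. The following check is an added example, not part of the original guide; the function names are hypothetical and `fake_live` is a constructed stand-in for a real host.

```sh
# Added example, not from the guide: check that the tuned values are live.
# Prints the running value; fails when the key does not exist, which is the case
# for net.netfilter.* until the nf_conntrack module is loaded.
live_value() { sysctl -n "$1" 2>/dev/null; }

# Collapse tabs and repeated spaces (tcp_rmem is printed tab-separated).
norm() { printf '%s\n' "$1" | awk '{ $1 = $1; print }'; }

# sysctl_drift [GETTER]   (desired "key = value" lines on stdin)
# Prints one line per key that is missing or differs; returns 1 if any did.
sysctl_drift() {
    getter=${1:-live_value}; drift=0
    while IFS= read -r line; do
        case $line in ''|'#'*|';'*) continue ;; esac
        key=$(norm "${line%%=*}")
        want=$(norm "${line#*=}")
        if have=$("$getter" "$key"); then
            have=$(norm "$have")
            [ "$have" = "$want" ] && continue
            echo "DIFF    $key live=[$have] wanted=[$want]"
        else
            echo "MISSING $key"
        fi
        drift=1
    done
    return "$drift"
}

# Constructed stand-in for a host where BBR took effect, the buffer sizes did
# not, and nf_conntrack is not loaded. Values are illustrative.
fake_live() {
    case $1 in
        net.core.default_qdisc)          echo fq ;;
        net.ipv4.tcp_congestion_control) echo bbr ;;
        net.ipv4.tcp_rmem)               printf '4096\t131072\t6291456\n' ;;
        *)                               return 1 ;;
    esac
}

desired_sample() {
    cat <<'EOF'
# subset of the settings from this guide (constructed input)
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_rmem = 4096 87380 134217728
net.netfilter.nf_conntrack_max = 655360
EOF
}
```

On the VPS, run `grep -v '^#' /etc/sysctl.d/99-custom.conf | sysctl_drift` to compare the file against the running kernel.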

Tune MTU and MSS Clamping

Excessively large MTU values trigger fragmentation and packet loss on certain international transit networks. Test for the optimal MTU size with this command:

```bash
ping -M do -s 1472 8.8.8.8
```

If ping reports that fragmentation is needed, gradually decrease the `-s` value until pings succeed. The ideal MTU equals the largest successful payload size plus 28 bytes (20-byte IP header + 8-byte ICMP header).
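The manual procedure above can be automated with a binary search over the payload size. This is an added example, not part of the original guide; the function names are hypothetical, the 548-byte lower bound (MTU 576) is an assumed conservative floor, and `fake_probe_1420` is a constructed stand-in for a path limited to MTU 1420.

```sh
#!/bin/sh
# Added example: binary-search the largest ICMP payload that passes with the
# Don't Fragment flag set, then report payload + 28 as the path MTU.

# Real probe: a single DF-flagged ping (Linux iputils syntax, as in the guide).
probe_df() {    # $1 = payload size, $2 = target
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu TARGET [PROBE_FN]   prints the MTU, or returns 1 if unreachable
find_path_mtu() {
    target=$1
    probe=${2:-probe_df}
    lo=548      # payload for MTU 576 (assumed floor)
    hi=1472     # payload for MTU 1500 (standard Ethernet)
    # If even the smallest probe fails, the target is down or filters ICMP,
    # and no MTU conclusion can be drawn.
    "$probe" "$lo" "$target" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid" "$target"; then
            lo=$mid                 # mid fits: search upward
        else
            hi=$(( mid - 1 ))       # mid is too large: search downward
        fi
    done
    echo $(( lo + 28 ))
}

# Constructed probes for offline testing.
fake_probe_1420() { [ "$1" -le 1392 ]; }   # path MTU 1420
fake_probe_dead() { return 1; }            # no replies at all
```

On the VPS, `find_path_mtu 8.8.8.8` runs the search with real pings and needs about ten probes.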

Advanced SSH Security Hardening

Disable Root Password Login, Enforce Key Authentication Only

Create a standard unprivileged administrative user (example username: `deploy`):

```bash
adduser deploy
usermod -aG sudo deploy
```

Switch to the new user and configure SSH key authentication:

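```bash
# Start a login shell so the working directory is deploy's home, not /root
su - deploy
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Paste your public key into this file, one key per line
nano ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
```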

Edit the SSH daemon config file `/etc/ssh/sshd_config`:

```ini
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
```

Restart the SSH service to apply changes:

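```bash
# The unit is named ssh on Ubuntu/Debian and sshd on CentOS/Rocky Linux
systemctl restart ssh
```

Critical Reminder: Keep your current root SSH session open and test the new login from a second terminal before closing it, to avoid permanent lockout from the server.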
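The three `sshd_config` lines above only take effect if no earlier line sets the same keyword, because sshd uses the first value it reads for each keyword. The following check is an added example, not part of the original guide; the helper names are hypothetical and the drop-in file name and contents in `sample_config` are constructed.

```sh
#!/bin/sh
# Added example, not from the guide: report the value sshd will actually use.
# sshd keeps the FIRST value it reads for a keyword, so a file pulled in by an
# Include line near the top of sshd_config overrides lines appended further down.

# sshd_first_value KEYWORD   (config on stdin, in the order sshd reads it)
sshd_first_value() {
    awk -v want="$1" '
        NF == 0 || $1 ~ /^#/    { next }   # blank lines and comments
        tolower($1) == "match"  { exit }   # stop at the first conditional block
        tolower($1) == want     { print tolower($2); exit }
    '
}

# audit_sshd   (config on stdin); prints one line per setting, returns 1 if any
# is weak. Each spec is keyword:wanted:OpenSSH default when the keyword is unset.
audit_sshd() {
    cfg=$(cat)
    weak=0
    for spec in permitrootlogin:no:prohibit-password \
                passwordauthentication:no:yes \
                pubkeyauthentication:yes:yes; do
        key=${spec%%:*}; rest=${spec#*:}
        want=${rest%%:*}; dflt=${rest#*:}
        got=$(printf '%s\n' "$cfg" | sshd_first_value "$key")
        [ -n "$got" ] || got=$dflt
        if [ "$got" = "$want" ]; then
            echo "ok   $key=$got"
        else
            echo "WEAK $key=$got (want $want)"
            weak=1
        fi
    done
    return "$weak"
}

# Constructed sample: a hypothetical drop-in that is read first, followed by the
# main file with this guide's three lines appended at the end.
sample_config() {
    cat <<'EOF'
# /etc/ssh/sshd_config.d/50-example.conf (constructed)
PasswordAuthentication yes
# /etc/ssh/sshd_config (constructed)
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}
```

On a live server, `sudo sshd -T` prints the effective configuration after all includes are resolved, and `sudo sshd -t` validates the file before you restart the service.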

Custom SSH Port (Optional but Recommended)

Modify the listening port within `/etc/ssh/sshd_config`:

```ini
Port 2222
```

Restart SSH and whitelist the new port number in your firewall rules.

Install and Configure Fail2ban

Fail2ban automatically blocks IP addresses that trigger repeated failed login attempts to mitigate brute-force attacks:

```bash
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```

Create and edit the jail configuration file `/etc/fail2ban/jail.local`:

```ini
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
port = 2222
```

Restart the Fail2ban service to activate policies.

Maintain System Security with Regular Updates

```bash
sudo apt update && sudo apt upgrade -y

# Enable unattended automatic security patches
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades
```

Common Use Cases for VPS Internet Proxy Services

Once all base configurations are complete, your VPS operates as a secure, high-performance cloud host. You may deploy additional services to route internet traffic for your personal devices based on your requirements:

1. Personal websites / blogs: Deploy Nginx/Apache + PHP + MySQL and bind a domain name for public access.

2. Proxy deployments (for compliant legal use): Open, WireGuard, Shadowsocks (abide by local internet regulations; only use for legitimate study and commercial work).

3. Remote development environments: Install Docker, Node.js, Python and other toolchains for SSH-based remote coding.

4. File synchronization & download servers: Nextcloud, Aria2 with WebUI frontends, etc.

This tutorial focuses exclusively on foundational VPS internet connectivity setup. Step-by-step deployment guides for individual applications will be covered in our dedicated follow-up articles.

Transforming a bare VPS into a fully stable, secure internet-connected server involves five core phases: supplier selection → initial SSH connection → base network configuration → firewall deployment → TCP kernel acceleration → comprehensive security hardening. The workflow outlined above has been validated across dozens of VPS instances from various hosting providers, applicable to low-cost entry-level virtual machines as well as high-performance dedicated bandwidth servers. Memorize three critical pillars for optimal VPS network performance: premium transit lines, BBR congestion control, and strict firewall rules. Master these three components, and your VPS networking experience will outperform 80% of other users.
