What this stack is
Privacy Stack is the "take your privacy back" product. A one-click deploy installs WireGuard VPN (encrypted tunnel to your VPS), Pi-hole (DNS-level ad + tracker blocking), Vaultwarden (password vault), and SearXNG (private search aggregator). The customer routes their phone/laptop traffic through their own VPS and gets ad-free browsing, blocked trackers, encrypted DNS, and private search, all under one personal domain.
For the hosting provider, this is the lowest-friction entry product in the catalog (4 GB RAM, 4 free-tier apps if license tier allows). It sells to privacy-conscious individuals, security-aware professionals, and small teams wanting baseline data hygiene.
What it's for
- Personal VPN — encrypt all traffic when on public WiFi, hotels, conferences
- Network-wide ad + tracker blocking — Pi-hole blocks ads/trackers at DNS level, works across all devices
- Password vault — Bitwarden-compatible, syncs across phone + laptop + desktop browsers
- Private search — SearXNG aggregates results from Google/Bing/DuckDuckGo without tracking the user
- Encrypted DNS — DNS-over-HTTPS via Pi-hole, no ISP DNS snooping
Who it's for
- Security-aware individuals wanting baseline privacy hygiene
- Remote workers needing a trusted VPN endpoint when traveling
- Small teams sharing a VPN for accessing internal resources securely
- Privacy advocates + journalists with operational security needs
- Tech-savvy families routing kids' devices through Pi-hole for content filtering
Apps in this stack
| App | Role |
| --- | --- |
| WireGuard | Modern VPN — encrypted tunnel, low overhead, easy mobile setup |
| Pi-hole | DNS-level ad + tracker blocking + DNS-over-HTTPS |
| Vaultwarden | Bitwarden-compatible password vault — passwords, 2FA seeds, secure notes |
| SearXNG | Privacy-respecting metasearch — Google/Bing/DDG without their tracking |
Sizing & deployment
- Recommended VPS: 2 GB RAM, 1 vCPU, 20 GB NVMe storage (tiny footprint)
- No GPU needed
- VPS region matters: pick a region closest to where the user actually browses for best WireGuard latency
- Deploy time: ~10-15 min one-click, all SSL automatic via Let's Encrypt
- Backup profile: WireGuard configs + Pi-hole settings + Vaultwarden vault dump
Why hosters sell this
This stack is the entry product for the privacy-conscious segment. Low VPS cost = low retail price = low barrier to first sale. Once the customer trusts you for VPN + ad-blocking, they upgrade to Personal Cloud or Private AI Plus when they need more.
Common resale shapes:
- Solo privacy tier — single VPS, single user, basic VPN + ad-block
- Family tier — single VPS, family-wide VPN, kids' device filtering, shared password vault
- Small team tier — single VPS, 5-10 users, shared VPN endpoint, team password vault
Stack retail pricing is set by the hoster. See the suggested retail hint on this page as a starting anchor; refer to bluix.net/bluixapps.php for the Bluix module license layer.
Compliance profile
- No traffic logs by default — WireGuard doesn't log connections; the hoster's compliance posture is inherited at the VPS level
- DNS queries stay on the VPS — Pi-hole doesn't share data with third parties
- Vaultwarden zero-knowledge — even the server admin can't decrypt vault contents
- GDPR clean — user is data controller, hoster is processor under DPA
- Jurisdiction-aware: deploy to a region matching the customer's privacy threat model