VPS Providers

Minimum Requirements

Your shield VPS does not need to be powerful. The Lumos Agent is a lightweight binary (~10MB) and HAProxy is extremely efficient with resources. The bottleneck is almost always network bandwidth, not CPU or RAM.

For the full list of supported operating systems and architectures, see Supported OS.

DDoS Protection: The Key Feature

The single most important requirement for a shield VPS is included DDoS protection. The provider's network-level filtering absorbs volumetric attacks (SYN floods, UDP amplification, etc.) before they reach your server, while the Lumos WAF and rate limiting handle application-layer (L7) attacks.

When evaluating a provider, look for:

• "Anti-DDoS" or "DDoS mitigation" listed as an included feature, not a paid add-on
• Multi-Tbps mitigation capacity for serious protection against large-scale attacks
• Automatic detection and filtering that activates without manual intervention

Note: Some budget providers advertise "DDoS protection" that only covers basic L3/L4 attacks with limited capacity. This is still useful -- the Lumos WAF covers L7 regardless -- but understand what level of network-layer protection you are getting.

Recommended Providers

Budget Tier ($3.50-7/month)

Best for personal projects, small sites, and initial testing. These providers offer excellent value with solid DDoS protection.

OVH VPS (VPS-1)

• From $4.20/month
• 4 vCores, 8 GB RAM, 75 GB SSD
• Anti-DDoS protection included (VAC infrastructure)
• Unlimited traffic, 400 Mbps bandwidth
• Daily automatic backup included
• Locations: France, Germany, UK, Canada, Singapore, Australia, and more
• OVH's VAC system automatically detects and mitigates attacks up to multiple Tbps

Hetzner Cloud CX23

• From €3.49/month (~$3.80)
• 2 vCPU (shared), 4 GB RAM, 40 GB SSD
• DDoS protection included
• 20 TB traffic included
• Locations: Germany (Falkenstein, Nuremberg), Finland (Helsinki), USA (Ashburn, Hillsboro), Singapore
• Excellent network performance and very competitive pricing

Vultr Cloud Compute

• From $3.50/month
• 1 vCPU, 1 GB RAM, 25 GB NVMe SSD
• 1 TB bandwidth
• DDoS protection available (may vary by location)
• 32+ locations worldwide
• Check that DDoS mitigation is available at your chosen location before purchasing

Note: Pricing and specifications change frequently. Always verify current offerings on the provider's website before purchasing.

Mid-Range Tier ($5.50-15/month)

Best for production sites with higher traffic, businesses requiring guaranteed resources, or when you need multiple geographic locations.

OVH VPS (VPS-2)

• From $6.75/month
• 6 vCores, 12 GB RAM, 100 GB SSD NVMe
• Anti-DDoS protection included
• Unlimited traffic, 1 Gbps bandwidth
• Daily automatic backup included

Hetzner Cloud CX33

• From €5.49/month (~$6)
• 4 vCPU (shared), 8 GB RAM, 80 GB SSD
• DDoS protection included
• 20 TB traffic included
• Excellent for handling high traffic volumes

BuyVM (FranTech)

• Starting at ~$15/month (with DDoS protection add-on)
• Dedicated resources, unmetered bandwidth
• DDoS protection via Path.net
• Locations: Las Vegas, New York, Luxembourg, Miami
• Known for generous bandwidth allocations

Using Any Provider

Lumos Gate works with any VPS provider that meets the minimum requirements. If your preferred provider is not listed above, that is perfectly fine. The key factors are:

• The provider includes some form of DDoS protection
• The VPS runs a supported operating system (Debian 12+ or Ubuntu 24.04+)
• You have root SSH access
• Ports 80 and 443 are open for incoming traffic (required for SSL certificate provisioning and proxying)

Tip: You can also use dedicated servers, bare metal servers, or cloud instances (AWS EC2, GCP, Azure) as shield servers. The only difference is cost. A $5 VPS with DDoS protection provides the same Lumos Gate functionality as a $100 dedicated server.

Network Requirements

Your shield VPS must meet these network requirements for Lumos Gate to function correctly:

• Public IPv4 address -- At least one public IPv4 is required. This is the IP your DNS records will point to.
• Port 80 open -- Required for HTTP traffic and SSL certificate provisioning via ACME HTTP-01 challenge.
• Port 443 open -- Required for HTTPS traffic proxying.
• Port 8080 open -- Used by the Lumos Agent for internal communication.
• Outbound internet access -- The agent needs to reach the Lumos dashboard API and Let's Encrypt servers.

Warning: Many providers have a separate network firewall (security group, cloud firewall) in their control panel that blocks ports by default. Make sure to allow inbound traffic on ports 80, 443, and 8080 in addition to any OS-level firewall rules.

Virtualization Type

KVM-based VPS is recommended. KVM provides full kernel access, which allows the Lumos agent installer to apply performance tuning (TCP BBR, connection tracking, huge pages) during setup. These optimizations allow even a small VPS to handle very high request volumes.

OpenVZ / LXC containers work but with limitations:

• Kernel parameter tuning is restricted or unavailable
• Use the LUMOS_NO_TUNE=1 flag during installation to skip kernel tuning
• Performance will be lower compared to KVM at the same specs

# Install on OpenVZ/LXC without kernel tuning
curl -fsSL https://get.lumosgate.com/install | LUMOS_TOKEN=YOUR_TOKEN LUMOS_NO_TUNE=1 bash

What Makes a Good Shield VPS

A good shield server combines three qualities:

1. DDoS protection -- Network-level filtering that absorbs volumetric attacks before they hit your server.
2. Low latency -- Place the shield close to your users for fast response times. A shield in the same region as your audience will deliver noticeably better performance.
3. Affordability -- Shield servers do not need much compute power. A basic tier VPS with DDoS protection is all you need.

You do not need dedicated servers, high-end cloud instances, or expensive hosting. A basic VPS with DDoS protection provides the same Lumos Gate functionality as a high-cost server.

Multi-Server Deployment Tips

For production deployments, consider running multiple shield servers:

• Use different geographic regions. Place shields close to where your users are. A shield in Europe and another in North America covers most use cases. Lumos Gate supports assigning a single domain to multiple shield servers.

• Use different providers for redundancy. If one provider experiences an outage or network issue, shields on other providers remain unaffected. Mixing providers (e.g., OVH in Europe + Vultr in the US) is one of the best ways to improve resilience.

• Configure DNS failover. The DNS failover feature automatically switches traffic to a healthy shield when another goes down.

Tip: You do not need all three from the start. Begin with one shield server and add more as your traffic grows or as you need geographic coverage.

Pre-Installation Checklist

After purchasing your VPS, verify the following before installing the Lumos Agent:

1. SSH access works:

ssh root@YOUR_VPS_IP

2. OS is supported:

cat /etc/os-release
# Debian 12+ or Ubuntu 24.04+

3. Architecture is amd64 or arm64:

uname -m
# Expected: x86_64 (amd64) or aarch64 (arm64)

4. Ports are reachable:

# From another machine, check that ports are not blocked
curl -I http://YOUR_VPS_IP
# Any response (even connection refused) means the port is reachable
# A timeout means the port is blocked by a firewall

5. At least 1 GB RAM:

free -h

If ports 80 or 443 are blocked, check your provider's control panel for a network firewall or security group that needs to be configured.

Next Steps

• Quick Start -- Set up your first shield server and protect a domain in 5 minutes
• Supported OS -- Confirm your VPS operating system is compatible
• Agent Installation -- Detailed installation guide with all flags and options
• Multiple Servers -- Learn how to assign domains to multiple shields
• DNS Failover -- Configure automatic failover between shield servers