How to install a virtual private server hosted by hetzner.de (get 20€ credit for your first server)

My servers are hosted at hetzner.de (20€ referral link 🙂).

When you use the link above you gain a Hetzner Cloud credit worth € 20.00.

They have a really good service and a lot of configuration options.

Short guide

  • Register your account using the referral link and create your first server
  • Add your SSH-keys to the default configuration
    • create SSH keys, if you have not created them yet, using
      ssh-keygen -t ed25519 -a 256
  • Add a Firewall configuration before creating the server
  • Create a new rule ICMP
    • Any IPv4, Any IPv6 > Protocol ICMP
    • this enables ping for your server – you will need it for debugging in the future
  • Create a new rule trusted
    • add your current IP-address and select TCP and Port any
    • add your current IP-address and select UDP and Port any
    • this enables administrative access to your server for setup and before going live
  • Select a location close to your customers
  • Select your OS Image
  • Select a shared vCPU and AMD server – they have better SSL performance for your webserver
  • Add your IPv4 and IPv6 addresses
  • Select the SSH keys you stored previously for direct access after installation
  • Select the firewall rules: ICMP and trusted
  • Enable Backups
  • Use this URL for cloud-config: https://tinyurl.com/mrx9uz6n
  • Use the FQDN of your server for deployment – the FQDN will also be set inside the server
  • After installation: set the reverse DNS name for your server
  • After installation: add a Volume for your data

Step by step instructions

Here is a small checklist on how to configure the right VPS for your project

Preparations

Add SSH-keys for instant access

Add your own SSH-keys to the server deployment so you get instant access as root using SSH.

Add firewall configurations before deployment

  • Create a new rule ICMP
    • Any IPv4, Any IPv6 > Protocol ICMP
    • this enables ping for your server – you will need it for debugging in the future
  • Create a new rule trusted
    • add your current IP-address and select TCP and Port any
    • add your current IP-address and select UDP and Port any
    • this enables administrative access to your server for setup and before going live
  • Create a new rule SSH
    • Any IPv4, Any IPv6 > Protocol TCP and Port 22
    • this enables SSH administrative access to your server. Enable it after configuring fail2ban on your server.
  • Create a new rule HTTP
    • Any IPv4, Any IPv6 > Protocol TCP and Port 80
    • Any IPv4, Any IPv6 > Protocol TCP and Port 443
    • Any IPv4, Any IPv6 > Protocol UDP and Port 80
    • Any IPv4, Any IPv6 > Protocol UDP and Port 443
    • Wondering why I enable UDP for HTTP traffic? Read this Wikipedia article on HTTP/3 for background information. Your server should use QUIC for better performance, and QUIC uses UDP.
    • enable this rule after you finished setting up your webserver
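
The staged exposure described in this list can be checked mechanically. The following Python sketch is an added example, not part of the original guide or of Hetzner's tooling: it builds the four rule sets with the field names of Hetzner Cloud API firewall rules and reports what is reachable from any address at each stage. The admin address is a constructed sample, "1-65535" standing in for "Port any" is an assumption, and the stage list is one reading of the guide's order.

```python
import ipaddress

ANY = ["0.0.0.0/0", "::/0"]  # "Any IPv4, Any IPv6"

def rule(protocol, sources, port=None):
    """One inbound rule; ICMP rules carry no port."""
    r = {"direction": "in", "protocol": protocol, "source_ips": list(sources)}
    if port is not None:
        r["port"] = port
    return r

def build_rule_sets(admin_ip):
    """The four rule sets from the guide; admin_ip is your current address."""
    host = ipaddress.ip_network(admin_ip)  # a bare address becomes /32 or /128
    if host.num_addresses != 1:
        raise ValueError(f"trusted must be a single host, got {host}")
    me = [str(host)]
    return {
        "ICMP": [rule("icmp", ANY)],
        # "Port any" written as the full port range (assumption)
        "trusted": [rule("tcp", me, "1-65535"), rule("udp", me, "1-65535")],
        "SSH": [rule("tcp", ANY, "22")],
        "HTTP": [rule(p, ANY, port) for p in ("tcp", "udp") for port in ("80", "443")],
    }

def world_open(rule_sets, attached):
    """(protocol, port) pairs reachable from every address with these sets attached."""
    exposed = set()
    for name in attached:
        for r in rule_sets[name]:
            if any(ipaddress.ip_network(s).prefixlen == 0 for s in r["source_ips"]):
                exposed.add((r["protocol"], r.get("port", "-")))
    return sorted(exposed)

# One reading of the guide's order (assumption): what is attached at each stage.
STAGES = [
    ("deploy", ["ICMP", "trusted"]),
    ("after fail2ban is configured", ["ICMP", "trusted", "SSH"]),
    ("go live", ["ICMP", "trusted", "SSH", "HTTP"]),
]

if __name__ == "__main__":
    sets = build_rule_sets("198.51.100.7")  # constructed sample address (RFC 5737)
    for stage, attached in STAGES:
        print(f"{stage}: {world_open(sets, attached)}")
```

During deployment only ICMP is reachable from everywhere; a network such as a /24 passed as the trusted address is rejected instead of silently widening administrative access.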

Create a new server

Select location of your server

Select a location near your customers so the latency will be low.

Select your OS Image

Select your preferred OS image. These are the available images as of June 2025:

  • Ubuntu
  • Fedora
  • Debian
  • CentOS
  • Rocky Linux
  • AlmaLinux
  • openSUSE

Select Type of server

You can choose between a shared vCPU server or a Dedicated CPU.

For your test-deployment you can choose the shared vCPU.

As we will also use a WAF for our webserver you should select at least

  • cpx21 – 3 AMD CPUs – 4GB RAM – 80GB system-drive

The dedicated CPUs have a 15-20% performance gain compared to the vCPUs. Only use them if you need dedicated performance.

Compare SSL performance on AMD, ARM and Intel CPUs for webservers

Run openssl speed -mr > ssltest-myserver.txt on the servers and compare the results.

My own tests showed better performance on AMD compared to Intel vCPUs.
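
To compare two servers, the saved files can be parsed instead of read by eye. This Python sketch is an added example, not from the original post: it reads the `+H` block-size header and the `+F:` throughput rows (bytes per second) of the machine-readable output and returns the ratio per algorithm at the largest common block size. Lines with any other prefix are ignored, and the two sample captures are constructed.

```python
def parse_speed_mr(text):
    """Return {algorithm: {block_size: bytes_per_second}} from `openssl speed -mr` stdout."""
    sizes, table = [], {}
    for line in text.splitlines():
        f = line.strip().split(":")
        if f[0] == "+H":                      # header: block sizes in bytes
            sizes = [int(x) for x in f[1:]]
        elif f[0] == "+F" and sizes and len(f) == 3 + len(sizes):
            # +F:<index>:<name>:<one value per block size>
            table[f[2]] = dict(zip(sizes, (float(x) for x in f[3:])))
    return table

def compare(text_a, text_b):
    """Throughput ratio a/b per algorithm found in both captures."""
    a, b = parse_speed_mr(text_a), parse_speed_mr(text_b)
    ratios = {}
    for alg in sorted(a.keys() & b.keys()):
        common = a[alg].keys() & b[alg].keys()
        if not common:
            continue
        size = max(common)                    # largest block size both ran
        if b[alg][size] > 0:
            ratios[alg] = round(a[alg][size] / b[alg][size], 2)
    return ratios

# Constructed sample captures (values are illustrative, not measurements).
SERVER_A = """+H:16:64:256:1024:8192:16384
+F:5:sha256:100000.00:300000.00:600000.00:800000.00:900000.00:2000000.00
+F:16:aes-128-cbc:500000.00:700000.00:900000.00:1200000.00:1400000.00:1500000.00
+F2:0:2048:0.000500:0.000015
"""
SERVER_B = """+H:16:64:256:1024:8192:16384
+F:5:sha256:90000.00:250000.00:500000.00:700000.00:800000.00:1600000.00
+F:16:aes-128-cbc:500000.00:700000.00:900000.00:1200000.00:1400000.00:1500000.00
+F:6:sha512:80000.00:200000.00:400000.00:600000.00:700000.00:750000.00
"""

if __name__ == "__main__":
    for alg, ratio in compare(SERVER_A, SERVER_B).items():
        print(f"{alg}: server A is {ratio}x server B")
```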

Add the IPv4 and IPv6 addresses to your server

IPv6 addresses are free – for IPv4 addresses you have to pay a small fee.

Select your SSH-keys for access

Now you select your SSH keys for public-key auth. These keys are copied to /root/.ssh/authorized_keys so you can easily access your server after installation.

If you don’t have SSH keys you should create them now using:
ssh-keygen -t ed25519 -a 256

After creation upload the id_ed25519.pub file

Use a Volume for your data after installation

Do not add a volume during installation. After installation you can add a Volume for your file data (e.g. Nextcloud data or mail server data). This allows you to move the volume to another virtual server when you choose to get a higher performance server.

Select the firewall-rules for access

For the deployment select the firewall rules ICMP and trusted we created earlier. We do not want to open more ports until we finish installation of our server.

Enable Backups

YES – you really want backups. But this is an opt-in so you have to select it manually.

Cloud config

Add the following URL to your cloud config. With this script you will

  • update the installed packages
  • install rsyslog, fail2ban and logrotate
  • set a default /etc/fail2ban/jail.local with incremental blocking times
  • edit bash history settings
  • create a swapfile

shortened: https://tinyurl.com/mrx9uz6n
or
direct: https://raw.githubusercontent.com/Michal-Koeckeis-Fresel/server-deployment/refs/heads/main/linux/cloudinit/cloudinit-debian.yaml

Check out the scripts on my github.com-repo (Link)
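
Because the user-data is fetched from a URL and runs as root on first boot, it helps to know whether that URL can change after you reviewed it and to compare the downloaded file against the reviewed copy. This Python sketch is an added example, not code from the author's repository: `ref_status`, `digest` and `verify_cloud_config` are hypothetical helper names, and the sample file content is constructed.

```python
import hashlib
import re
from urllib.parse import urlparse

SHORTENERS = {"tinyurl.com"}  # redirectors: the target is not visible in the URL

def ref_status(url):
    """Classify how stable the content behind a cloud-config URL is."""
    u = urlparse(url)
    if u.hostname in SHORTENERS:
        return "redirect"        # resolve it and review the target first
    if u.hostname == "raw.githubusercontent.com":
        ref = u.path.strip("/").split("/")[2:]  # owner/repo/<ref>/path...
        if ref and re.fullmatch(r"[0-9a-f]{40}", ref[0]):
            return "pinned-commit"
        return "mutable-ref"     # branch or tag name: content can change
    return "unknown"

def digest(data):
    """SHA-256 of the copy you reviewed; record this value."""
    return hashlib.sha256(data).hexdigest()

def verify_cloud_config(data, reviewed_sha256):
    """True only for a cloud-config file identical to the reviewed copy."""
    first_line = data.split(b"\n", 1)[0].strip()
    return first_line == b"#cloud-config" and digest(data) == reviewed_sha256

# Constructed stand-in for a downloaded file, not the repository's content.
SAMPLE = b"#cloud-config\npackage_update: true\npackages:\n  - fail2ban\n"

if __name__ == "__main__":
    for url in (
        "https://tinyurl.com/mrx9uz6n",
        "https://raw.githubusercontent.com/Michal-Koeckeis-Fresel/"
        "server-deployment/refs/heads/main/linux/cloudinit/cloudinit-debian.yaml",
    ):
        print(ref_status(url), url)
    reviewed = digest(SAMPLE)
    print(verify_cloud_config(SAMPLE, reviewed))                   # unchanged copy
    print(verify_cloud_config(SAMPLE + b"runcmd: []\n", reviewed))  # modified copy
```

The direct URL above names a branch (`refs/heads/main`), so it classifies as a mutable reference; a raw URL containing a full 40-character commit hash in place of the branch classifies as pinned.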

Set the hostname

You can choose any name for the server. I recommend setting it to the future FQDN. During installation the FQDN will be set in the guest-OS so you should use it for the servername.

After pressing the “buy” button 🙂

After you deploy the server you have to wait a few minutes until the server is ready. The server will boot to default configuration, then execute the cloud-init script and reboot. This takes approximately 2 minutes.

Set the reverse DNS name after installation

Go to the network interfaces and set the reverse DNS name. This should be the same name as your hostname.

Add a Volume for your data

Store your data in a separate volume – in case of a server crash you can mount that volume easily on another server

Deploy your applications and enable firewall rules

Install your applications and test them. When you are done with the deployment you can go live and enable the HTTP firewall rules.

mf
