This is the full developer documentation for PhoenixVPS Docs

# PhoenixVPS Documentation

> Run your own VPN in your own cloud account. Pick your provider and follow the setup + key-handoff guide.

## Choose your cloud provider

* **AWS:** Launch via CloudFormation, then hand the scoped credential to the app. [AWS guide →](/aws/setup/)
* **Hetzner:** Create a scoped API token and connect it. [Hetzner guide →](/hetzner/setup/)
* **Infomaniak:** Create a scoped token and connect it. [Infomaniak guide →](/infomaniak/setup/)
* **DigitalOcean:** Generate a Read & Write token and connect it. [DigitalOcean guide →](/digitalocean/setup/)

## Using an AI assistant?

Every page on this site is available as raw Markdown, and the whole site is summarised for language models at [`/llms.txt`](/llms.txt) and [`/llms-full.txt`](/llms-full.txt). Paste a page into your assistant, or point it at a URL, and it can walk you through the steps and answer cost questions.

# AWS — Key handoff

> Copy the single Credential value from the CloudFormation Outputs tab and paste it into PhoenixVPS to connect your AWS account.

## What you need

* The **PhoenixVps-Access** stack created in [AWS — Setup](/aws/setup/), with its three resources showing **Complete**. If you have not done that yet, complete the setup guide first.
* The **PhoenixVPS** app, open at the **Amazon Web Services** panel.

***

## Step 1 — Open the Outputs tab

On the **PhoenixVps-Access** stack page, find the row of tabs near the top. From left to right they read:

> **Stack info** · **Events** · **Resources** · **Outputs** · **Parameters** · Template · Changesets · Git sync

Click the **Outputs** tab (the fourth one).

**What you see:** A table titled **Outputs (1)** with one row.
Its columns are **Key**, **Value**, **Description**, and **Export name**:

* **Key:** `Credential`
* **Description:** *“Copy this single value into the PhoenixVps app once, then close this page. To revoke access, delete this stack.”*
* **Value:** one long string of letters, numbers, and `==` on the end. This is your scoped credential.

***

## Step 2 — Copy the credential

In the **Credential** row, copy the entire **Value**. Select the whole string (it ends in `==`) and copy it — or use the copy icon that appears when you hover over the value.

> **This value is a live secret**
> The Credential is a real access key for your AWS account (encoded). Do **not** paste it into chat, email, a screenshot, or any document. The only place it should go is the PhoenixVPS field in the next step. Once pasted, close the browser tab.

***

## Step 3 — Paste it into PhoenixVPS

Switch to the PhoenixVPS **Amazon Web Services** panel. Under **Step 2 — Paste the stack Output**, click the box labelled **“Paste Base64 credential here…”** and paste the value you just copied.

Then click **Validate & Connect**.

**What you see:** PhoenixVPS checks the credential with a harmless read-only call (usually under five seconds). The **Status** line near the bottom of the panel updates to confirm the account is connected. You can now close the AWS browser tab.

If you see an error instead, see [Troubleshooting](#troubleshooting).

***

## What happens next

PhoenixVPS can now create and tear down a VPN server in your AWS account using the scoped credential — your root and admin keys are never involved. To start a session, return to the main screen and click **Connect**.

Remember: a running server bills until you tear it down.
Use **Tear Down VPN Server** when you are finished (see the [FAQ](/faq/#is-my-vpn-server-deleted-when-i-disconnect)).

***

## Troubleshooting

### “Invalid credential”

The value was probably truncated when copied. Go back to the **Outputs** tab, copy the full **Value** again (it must end in `==`), and paste it fresh. Do not type it by hand.

### “Permission denied” or the server fails to start after connecting

The credential is valid but could not create the server. Check that the **PhoenixVps-Access** stack finished with all three resources **Complete**, and that your account has capacity in the chosen region (an instance quota limit is the usual cause).

***

## Revoking access

To remove PhoenixVPS’s access to your AWS account:

1. In PhoenixVPS, click **Disconnect / Revoke** to delete the locally stored credential.
2. To fully revoke it in AWS, click **Open Delete-Stack Page** in the app (or go to the CloudFormation console yourself), then delete the **PhoenixVps-Access** stack. Deleting the stack removes the `phoenixvps-provisioner` user and its access key.

After the stack is deleted, the credential is dead — PhoenixVPS can no longer create or manage anything in your account.

# AWS — Setup

> Create a scoped PhoenixVPS provisioner credential in your AWS account with a one-click CloudFormation stack — no root keys involved.

## Overview

In this guide you will:

1. Open the PhoenixVPS **CloudFormation launch stack** from the app.
2. Review the scoped IAM user the stack will create.
3. Acknowledge the IAM capability and create the stack.
4. End with a single **Base64 credential** that you hand to the app in [AWS — Key handoff](/aws/key-handoff/).

This guide creates only the **scoped credential** — PhoenixVPS never asks for your AWS root or admin keys, and the credential it creates has programmatic access only (no console login).

***

## Prerequisites

Before you start, make sure you have:

* [ ] An **AWS account**, and you are **signed in** to the AWS console in your browser.
* [ ] The **PhoenixVPS** app installed on your device.

***

## Step 1 — Open the launch stack from PhoenixVPS

In PhoenixVPS, open the **Amazon Web Services** panel. Choose your **AWS Region** from the dropdown at the top, then click **Connect AWS Account**.

The app opens your browser at the AWS CloudFormation **Quick create stack** screen, with the template and stack name already filled in for you.

**What you see:** A page titled **Quick create stack** with a **Template** panel near the top. If your browser opens to the AWS sign-in page instead, sign in first — AWS returns you to this screen afterwards.

***

## Step 2 — Confirm you are on the right stack

Check the **Quick create stack** page shows these values before continuing:

* **Stack description:** *“PhoenixVps scoped access. Creates a least-privilege IAM user for VPN provisioning. No root credentials are required or used.”*
* **Stack name:** `PhoenixVps-Access` (already filled in — leave it unchanged).
* **Parameters:** *“There are no parameters defined in your template”* — there is nothing for you to fill in here.

**What you see:** The description and the pre-filled stack name confirm this is the PhoenixVPS template. You do not need to touch Tags, Permissions, or any of the *optional* sections.
***

## Step 3 — Review the scoped permissions

This stack creates one IAM user named `phoenixvps-provisioner`. It is deliberately limited:

| The credential can | The credential cannot |
| --- | --- |
| Create and delete the EC2 instance, security group, and key pair that PhoenixVPS tags with `ManagedBy=PhoenixVps` | Touch any resource it did not create (untagged or tagged otherwise) |
| Manage only those tagged resources (start, stop, terminate) | Read your billing data, list other services, or create further IAM users |
| Be used programmatically only | Log in to the AWS console |

To revoke everything later, you delete this stack — see [AWS — Key handoff](/aws/key-handoff/#revoking-access).

***

## Step 4 — Acknowledge the IAM capability

Scroll to the **Capabilities** panel at the bottom. It states that the template creates IAM resources (`AWS::IAM::AccessKey` and `AWS::IAM::User`).

Tick the checkbox labelled **“I acknowledge that AWS CloudFormation might create IAM resources with customised names.”**

**What you see:** The checkbox becomes ticked. The **Create stack** button to its right is now enabled.

***

## Step 5 — Create the stack and wait for the three resources

Click the **Create stack** button in the bottom-right corner.

**What you see:** The page switches to the stack page for **PhoenixVps-Access**. Near the top is a row of tabs.
From left to right they read:

> **Stack info** · **Events** · **Resources** · **Outputs** · **Parameters** · Template · Changesets · Git sync

You start on the **Events** tab, which shows the deployment progress. **Stay on this tab** and wait while AWS creates the three things the template defines:

* **AppUser** — the `phoenixvps-provisioner` user
* **AppPolicy** — its scoped permissions
* **AppAccessKey** — the access key the app will use

Each one moves from **In progress** to **Complete** (shown in green). This usually takes under a minute. When all three read **Complete**, the credential is ready — move on to the key handoff.

***

## Next step

Go to [AWS — Key handoff](/aws/key-handoff/) to copy the credential from the stack’s **Outputs** tab and paste it into PhoenixVPS.

# DigitalOcean — Key handoff

> Paste your DigitalOcean personal access token into PhoenixVPS to connect your account.

## What you need

* The **DigitalOcean personal access token** (begins `dop_v1_`) you copied at the end of [DigitalOcean — Setup](/digitalocean/setup/). If you don’t have it, generate a new one — it is shown only once.
* The **PhoenixVPS** app, open at the **DigitalOcean** panel.

***

## Step 1 — Paste the token into PhoenixVPS

In PhoenixVPS’s **DigitalOcean** panel, find **Step 3 — Paste the API token**. Click the box labelled **“Paste DigitalOcean API token here…”** and paste the token.

```text
(paste your DigitalOcean token — a long string beginning dop_v1_)
```

> **This value is a live secret**
> The token acts like a combined username and password for your DigitalOcean account. Do **not** paste it into chat, email, a screenshot, or any document — only into this field.

***

## Step 2 — Connect

Click **Validate & Connect**.
**What you see:** PhoenixVPS checks the token against the DigitalOcean API (usually under five seconds). The **Status** line near the bottom of the panel updates to confirm the account is connected.

If you see an error instead, see [Troubleshooting](#troubleshooting).

***

## What happens next

PhoenixVPS can now create and tear down a VPN server (a “droplet”) in your DigitalOcean account using the token. To start a session, return to the main screen and click **Connect**.

Remember: a running droplet bills until you tear it down. Use **Tear Down VPN Server** when you are finished (see the [FAQ](/faq/#is-my-vpn-server-deleted-when-i-disconnect)), and see the [Pricing](/pricing/) page for cost details.

***

## Troubleshooting

### “Invalid token”

The token was probably truncated when copied. DigitalOcean shows the token only once, so if you’re unsure you copied all of it, generate a fresh one: in the DigitalOcean Console go to **API → Tokens**, delete the old token, and create a new **Full Access** token (see [DigitalOcean — Setup](/digitalocean/setup/)).

### The token connects but the server fails to start

The most common cause is a **Read Only** token. PhoenixVPS needs **Full Access** (or a Custom Scope token with write access) to create a droplet. Generate a new token with the right scope and connect again. A regional capacity limit can also cause this — try a different region.

***

## Revoking access

To remove PhoenixVPS’s access to your DigitalOcean account:

1. In PhoenixVPS, click **Disconnect / Revoke**. This deletes the locally stored token and tears down any droplet the app is managing.
2. To fully revoke it, open the DigitalOcean Console → **API → Tokens**, find the PhoenixVPS token, open its **⋯** menu, and choose **Delete**.

After the token is deleted, PhoenixVPS can no longer create or manage anything in your DigitalOcean account.

# DigitalOcean — Setup

> Create a DigitalOcean account and a Read & Write personal access token for PhoenixVPS.

## Overview

In this guide you will:

1. Create (or sign in to) a **DigitalOcean** account.
2. Generate a **personal access token** with **Read & Write** access.
3. End with that token, which you hand to the app in [DigitalOcean — Key handoff](/digitalocean/key-handoff/).

The token is a single secret (no separate ID) — the same shape as a password for the DigitalOcean API.

***

## Prerequisites

* [ ] A **DigitalOcean** account (see Step 1 if you don’t have one).
* [ ] The **PhoenixVPS** app installed on your device.

> **Payment method required — but no EU-style ID check**
> DigitalOcean requires a **payment method** (card or PayPal) to activate an account, and new accounts can occasionally hit a short verification/fraud hold. Unlike Hetzner or Infomaniak, there is **no photo-ID + selfie** check. New accounts often include free signup credit.

***

## Step 1 — Create or sign in to your account

If you don’t have an account, go to `https://www.digitalocean.com/` and sign up (email, Google, or GitHub), confirm your email, and add a payment method to activate it. If you already have an account, sign in.

**What you see:** The DigitalOcean control panel (cloud.digitalocean.com).

***

## Step 2 — Open the API tokens page

In PhoenixVPS’s **DigitalOcean** panel, click **Open DigitalOcean Console** (opens the API tokens page).
Or go directly to `https://cloud.digitalocean.com/account/api/tokens`.

**What you see:** A page titled **Applications & API** with three tabs — **Tokens**, **OAuth Applications**, **Authorized Applications**. You’re on **Tokens**. Click the blue **Generate New Token** button.

***

## Step 3 — Configure the token

The **Create A New Personal Access Token** form opens. Fill it in:

1. **Token Name:** type something you’ll recognise, such as `PhoenixVPS`.
2. **Expiration:** choose how long the token stays valid (the default is **90 days**; you can pick up to 1 year, or no expiry). Note that when it expires you’ll repeat this setup.
3. **Scopes:** select **Full Access**.

   **Why Full Access:** PhoenixVPS needs to *create and delete* droplets, SSH keys, firewalls, and tags. A **Read Only** token will be accepted but the app will fail when it tries to create a server.

> **For the security-conscious: Custom Scopes**
> Instead of Full Access you can pick **Custom Scopes** and grant only what PhoenixVPS uses: **create/read/delete** on `droplet`, `ssh_key`, `firewall`, and `tag`, plus **read** on `regions` and `sizes` and `account`. Token scopes **cannot be edited after creation**, so if in doubt, Full Access is simplest.

***

## Step 4 — Generate and copy the token

Click **Generate Token**.

**What you see:** The new token is displayed **once**, as a long string beginning `dop_v1_`. Copy it now.

> **Shown only once**
> DigitalOcean shows the token **only at this moment**. If you leave the page without copying it, you cannot retrieve it — you’d have to generate a new one. Do not paste it into chat, email, or any document; the only place it should go is the PhoenixVPS field in the next step.
***

## Next step

Take the token to [DigitalOcean — Key handoff](/digitalocean/key-handoff/) to connect PhoenixVPS.

# FAQ & Troubleshooting

> Common questions about PhoenixVPS setup, costs, credentials, and troubleshooting — each answer is self-contained so an AI assistant can answer from a single section.

Each question below is a short, self-contained section. An AI assistant given any one section can answer the question without reading the rest of the page.

***

## What will it cost?

PhoenixVPS runs a VPN server in **your own cloud account**, so you pay your cloud provider directly — PhoenixVPS itself has no subscription fee. Your cost is mainly the hourly price of the small cloud server while it exists, plus data transfer (egress).

You are billed for as long as the server **exists**, not just while the VPN tunnel is connected. When you finish, use the app’s **Tear Down VPN Server** action to terminate the server and stop the charges — see [Is my VPN server deleted when I disconnect?](#is-my-vpn-server-deleted-when-i-disconnect).

Detailed per-hour and per-day figures — including AWS’s per-hour public IPv4 charge and egress, which are easy to overlook — are on the [Pricing](/pricing/) page. Note that all figures are currently unverified placeholder rates; see each provider’s official pricing page for confirmed numbers.

***

## Does PhoenixVPS ever see my admin or root cloud keys?

No. You create a **scoped credential** — an IAM user via CloudFormation on AWS, or a scoped API token on Hetzner and Infomaniak — that can only manage the resources PhoenixVPS creates. That scoped credential is the only thing you hand to the app.

Your admin or root keys stay in your cloud console.
PhoenixVPS never asks for them, never receives them, and has no way to act on them.

***

## How do I revoke access?

The method depends on your provider:

* **AWS:** Delete the CloudFormation stack named `PhoenixVPS` (or whatever you named it) in your AWS console. This deletes the `phoenixvps-provisioner` IAM user and its access key. Then open PhoenixVPS → **Settings → Cloud accounts** and remove the AWS profile.
* **Hetzner:** Go to your Hetzner Cloud project → **Security → API Tokens**, find the token you created for PhoenixVPS, and delete it. Then remove the Hetzner account in PhoenixVPS settings.
* **Infomaniak:** Log in to your Infomaniak Manager, navigate to **API keys**, and delete the PhoenixVPS key. Then remove the Infomaniak account in PhoenixVPS settings.

After revocation, PhoenixVPS cannot create or manage any resources in your account. Any server that was running at the time of revocation will continue to run until you delete it manually in your cloud console.

***

## Can my AI assistant help me set this up?

Yes. The guides on this site are written specifically for AI-assisted setup. You can:

* **Paste a page** into your assistant (Claude.ai, ChatGPT, Gemini, etc.) and ask it to walk you through the steps.
* **Point your assistant at a URL** — the guides are plain Markdown, and the assistant can fetch and read them directly.
* **Use the llms.txt index** — the whole site is summarised for language models at [`/llms.txt`](/llms.txt) (short index) and [`/llms-full.txt`](/llms-full.txt) (full content). Your AI can fetch the index and then fetch individual pages on demand.

Every step in every guide is complete from text alone — the AI does not need to see any screenshots to coach you through the process.

***

## Is my VPN server deleted when I disconnect?
No — disconnecting and tearing down are two separate actions. **Disconnecting** stops the WireGuard tunnel, but the cloud server keeps running (and keeps billing). To delete the server, use the app’s **Tear Down VPN Server** action, which terminates the instance in your cloud account. Always tear down the server when you are finished so you are not paying for an idle machine.

The scoped credential and any key pairs stored on your device persist across sessions, so you do not need to repeat the setup when you create a new server later.

***

## What does “scoped credential” mean?

A scoped credential is an access key or API token that can only do a limited set of things. For example, the `phoenixvps-provisioner` IAM user on AWS can create and delete EC2 instances, security groups, and key pairs that PhoenixVPS tagged — it cannot list your S3 buckets, read your billing data, or touch anything outside those tagged resources.

This limits the damage if the credential is ever compromised: an attacker can spin up a VM (which you pay for) but cannot access your other cloud resources.

***

## Why does the setup use CloudFormation (AWS)?

CloudFormation lets PhoenixVPS create the scoped IAM user without ever seeing your admin keys. You open a “Launch Stack” URL in your browser, review what the stack will create, and click **Create stack** — all inside your own AWS session. The app receives only the scoped credential the stack emits as its Output.

Hetzner and Infomaniak do not have an equivalent “launch stack” flow, so their guides walk you through creating a scoped API token manually in their web consoles.
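
The review described in the two answers above (what the scoped credential may do, and checking what the stack will create before clicking **Create stack**) can be partly automated. The following is an added example, not PhoenixVPS code and not the project's template: it audits a CloudFormation template, assumed to be available in JSON form, against the limits this page states. The embedded template is constructed for illustration, and the function names, IAM actions and condition keys in it are assumptions.

```python
import copy
import json

# Constructed, simplified sample (NOT the real PhoenixVPS template). Logical IDs
# follow the setup guide; the actions and condition keys are assumptions.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "AppUser": {"Type": "AWS::IAM::User",
              "Properties": {"UserName": "phoenixvps-provisioner"}},
  "AppPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyName": "scoped", "Users": [{"Ref": "AppUser"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Resource": "*",
       "Action": ["ec2:RunInstances", "ec2:CreateSecurityGroup", "ec2:CreateKeyPair"],
       "Condition": {"StringEquals": {"aws:RequestTag/ManagedBy": "PhoenixVps"}}},
      {"Effect": "Allow", "Resource": "*",
       "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
       "Condition": {"StringEquals": {"aws:ResourceTag/ManagedBy": "PhoenixVps"}}},
      {"Effect": "Allow", "Resource": "*", "Action": "ec2:DescribeInstances"}
    ]}}},
  "AppAccessKey": {"Type": "AWS::IAM::AccessKey",
                   "Properties": {"UserName": {"Ref": "AppUser"}}}
}}
""")

POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::IAM::UserPolicy"}
ALLOWED_TYPES = POLICY_TYPES | {"AWS::IAM::User", "AWS::IAM::AccessKey"}
TAG_VALUE = "PhoenixVps"  # value of the ManagedBy tag named in the setup guide


def _as_list(value):
    """IAM JSON allows a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_tag_scoped(statement):
    """True if a plain StringEquals condition pins a ManagedBy tag to PhoenixVps."""
    equals = statement.get("Condition", {}).get("StringEquals", {})
    return any(key.lower().endswith("tag/managedby") and _as_list(val) == [TAG_VALUE]
               for key, val in equals.items())


def _audit_statement(where, statement):
    findings = []
    if statement.get("Effect") != "Allow":
        return findings  # Deny statements only narrow access
    if "NotAction" in statement:
        findings.append(f"{where}: NotAction allows everything except the listed actions")
    for action in _as_list(statement.get("Action")):
        service, _, name = action.lower().partition(":")
        if service != "ec2":
            findings.append(f"{where}: non-EC2 action {action}")
        elif name == "*":
            findings.append(f"{where}: wildcard action {action}")
        # EC2 Describe* calls cannot be restricted by tag, so they are exempt.
        elif not name.startswith("describe") and not _is_tag_scoped(statement):
            findings.append(f"{where}: {action} is not limited to ManagedBy={TAG_VALUE}")
    return findings


def audit_template(template):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties", {})
        if rtype not in ALLOWED_TYPES:
            findings.append(f"{logical_id}: unexpected resource type {rtype}")
            continue
        documents = []
        if rtype == "AWS::IAM::User":
            if "LoginProfile" in props:
                findings.append(f"{logical_id}: LoginProfile enables console login")
            for arn in _as_list(props.get("ManagedPolicyArns")):
                findings.append(f"{logical_id}: attaches managed policy {arn}")
            documents = [p.get("PolicyDocument", {}) for p in _as_list(props.get("Policies"))]
        elif rtype in POLICY_TYPES:
            documents = [props.get("PolicyDocument", {})]
        for doc in documents:
            for index, stmt in enumerate(_as_list(doc.get("Statement"))):
                findings += _audit_statement(f"{logical_id}[{index}]", stmt)
    return findings


def tampered_copy(template):
    """Constructed negative case: the sample with three over-broad changes."""
    bad = copy.deepcopy(template)
    bad["Resources"]["AppUser"]["Properties"]["LoginProfile"] = {"Password": "placeholder"}
    statements = bad["Resources"]["AppPolicy"]["Properties"]["PolicyDocument"]["Statement"]
    statements[0]["Action"].append("iam:CreateUser")  # could mint further IAM users
    del statements[1]["Condition"]                    # could stop or terminate any instance
    return bad


if __name__ == "__main__":
    for name, tpl in (("sample", SAMPLE_TEMPLATE), ("tampered", tampered_copy(SAMPLE_TEMPLATE))):
        result = audit_template(tpl)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

An empty result only means the template matches the limits listed on this page; it does not replace reading the policy yourself in the stack's **Template** tab.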
***

## I pasted the credential but the app says “Invalid credential”

The most common causes:

1. **Truncation.** Copy the full value again from the source (the CloudFormation Outputs tab, the token creation screen, etc.). Do not type it manually; even one wrong character invalidates it.
2. **Expiry.** Some providers let you set token expiry at creation time. If the token has expired, go back to your cloud console and create a new one.

***

## Where is my data stored?

* **Scoped credentials** are encrypted in your local credential store (Data Protection API on Windows, Keychain on macOS, Secret Service on Linux).
* **SSH keys** are encrypted in your local credential store and handed to ssh-agent if you open a shell.
* **Tunnel configuration** (WireGuard config, key pairs) is stored encrypted on disk under `%ProgramData%\PhoenixVPS\` (Windows) and is ACL-locked to the SYSTEM account and local Administrators. You can save an unencrypted copy via the Devices screen.
* **No telemetry** is collected. PhoenixVPS does not send usage data, crash reports, or analytics to any servers.

# Hetzner — Key handoff

> Paste your Read & Write Hetzner API token into PhoenixVPS to connect your Hetzner Cloud project.

## What you need

* The **Hetzner API token** you copied at the end of [Hetzner — Setup](/hetzner/setup/). If you don’t have it, go back and complete the setup guide first (the token is shown only once).
* The **PhoenixVPS** app, open at the **Hetzner Cloud** panel.

***

## Step 1 — Paste the token into PhoenixVPS

In PhoenixVPS’s **Hetzner Cloud** panel, find **Step 3 — Paste the API token**.
Click the box labelled **“Paste Hetzner API token here…”** and paste the token you copied.

```text
(paste your Hetzner API token — a long string of letters and numbers, ~64 characters)
```

> **This value is a live secret**
> The token acts like a combined username and password for your Hetzner project. Do **not** paste it into chat, email, a screenshot, or any document — only into this field.

***

## Step 2 — Connect

Click **Validate & Connect**.

**What you see:** PhoenixVPS checks the token against the Hetzner API (usually under five seconds). The **Status** line near the bottom of the panel updates to confirm the account is connected.

If you see an error instead, see [Troubleshooting](#troubleshooting).

***

## What happens next

PhoenixVPS can now create and tear down a VPN server in your dedicated Hetzner project using the token. To start a session, return to the main screen and click **Connect**.

Remember: a running server bills until you tear it down. Use **Tear Down VPN Server** when you are finished (see the [FAQ](/faq/#is-my-vpn-server-deleted-when-i-disconnect)), and see the [Pricing](/pricing/) page for cost details.

***

## Troubleshooting

### “Invalid token”

The token was probably truncated when copied. Hetzner shows the token only once, so if you are unsure you copied all of it, generate a fresh one: in the Hetzner Console go to your project → **Security → API tokens**, delete the old token, and create a new **Read & Write** token (see [Hetzner — Setup](/hetzner/setup/)).

### The token connects but the server fails to start

The most common cause is a **Read-only** token. PhoenixVPS needs **Read & Write** to create a server.
Generate a new token with **Read & Write** permission and connect again. A regional capacity limit can also cause this — check the Hetzner Console for any warnings.

***

## Revoking access

To remove PhoenixVPS’s access to your Hetzner account:

1. In PhoenixVPS, click **Disconnect / Revoke**. This deletes the locally stored token and tears down any server the app is managing.
2. To fully revoke it in Hetzner, open the Hetzner Console → your project → **Security → API tokens**, click the **⋯** menu next to the PhoenixVPS token, and choose **Delete**. (Deleting the whole dedicated project also removes the token.)

After the token is deleted, PhoenixVPS can no longer create or manage anything in your Hetzner account.

# Hetzner — Setup

> Create a dedicated Hetzner Cloud project and a Read & Write API token for PhoenixVPS — scoped so the app can only touch its own project.

## Overview

In this guide you will:

1. Create a **new, dedicated** Hetzner Cloud project for your VPN.
2. Generate a **Read & Write API token** inside that project.
3. End with the token, which you hand to the app in [Hetzner — Key handoff](/hetzner/key-handoff/).

The token is **project-scoped**: because you put it in a dedicated project, PhoenixVPS can only see and manage resources in that one project — never your other Hetzner servers.

***

## Prerequisites

Before you start, make sure you have:

* [ ] A **Hetzner Cloud** account, and you are signed in to the Hetzner Cloud Console.
* [ ] The **PhoenixVPS** app installed on your device.

> **Identity verification required at signup**
> Hetzner is an EU provider with **strict identity checks (KYC)**. Creating an account typically requires verifying your identity — often a **photo ID plus a selfie**. Allow extra time: a new account may not be able to create servers until that verification clears.
***

## Step 1 — Create a dedicated project

In PhoenixVPS’s **Hetzner Cloud** panel, click **Open Hetzner Console** (this opens the Hetzner Cloud Console at the Projects page). Or go directly to `https://console.hetzner.cloud/projects`.

On the **Projects** page, click the **+ New project** card. Give it a name such as `PhoenixVPS` and confirm.

**What you see:** The new project appears as a card alongside any existing projects.

> **Use a new project — do not reuse an existing one**
> The API token can only be scoped to a whole project, so a dedicated project is what keeps PhoenixVPS away from your other servers. Don’t generate the token inside a project that holds resources you care about.

***

## Step 2 — Open the project’s API tokens page

Click your new project’s card to open it. The project **Dashboard** opens, with a menu down the left-hand side.

At the bottom of that left menu, click **Security**. The Security page opens with a row of tabs across the top:

> **SSH keys** · **S3 credentials** · **API tokens** · **Certificates** · **Members**

Click the **API tokens** tab.

**What you see:** The **API tokens** list (empty in a new project) and a red **Generate API token** button in the top-right corner.

***

## Step 3 — Generate a Read & Write token

Click **Generate API token**. A dialog titled **Generate API token** opens.

1. In the **Description** field, type a name you’ll recognise, such as `PhoenixVPS`.
2. Under **Permissions**, select **Read & Write**.

   **Why Read & Write:** PhoenixVPS needs to *create and delete* the VPN server, not just read. A **Read**-only token will be accepted by Hetzner but the app will fail when it tries to start a server.
Click the **Generate API token** button in the dialog.

***

## Step 4 — Copy the token

**What you see:** The dialog shows the full token once. It is a long string of letters and numbers. Copy it now.

> **Shown only once**
> Hetzner displays the full token **only at this moment**. If you close the dialog without copying it, you cannot retrieve it — you would have to delete it and generate a new one. Do not paste it into chat, email, or any document; the only place it should go is the PhoenixVPS field in the next step.

***

## Next step

Take the token to [Hetzner — Key handoff](/hetzner/key-handoff/) to paste it into PhoenixVPS.

# Infomaniak — Key handoff

> Enter your Application Credential ID, secret, and region into PhoenixVPS to connect your Infomaniak Public Cloud project.

## What you need

* The **Application Credential ID** and **Secret** you copied at the end of [Infomaniak — Setup](/infomaniak/setup/), plus your **region** (e.g. `dc3-a`). If you don’t have the secret, go back and create a new credential — it is shown only once.
* The **PhoenixVPS** app, open at the **Infomaniak Public Cloud** panel.

***

## Step 1 — Enter the credential ID

In PhoenixVPS’s **Infomaniak Public Cloud** panel, find **Step 3 — Enter credentials and region**. Click the **Application Credential ID** box and paste the ID.

```text
(paste your Application Credential ID — a long string of letters and numbers)
```

***

## Step 2 — Enter the secret

Click the **Application Credential Secret** box and paste the secret. The field hides the value as you paste it (shown as dots).

> **These values are live secrets**
> The ID and secret together act like a username and password for your project.
Do **not** paste them into chat, email, a screenshot, or any document — only into these fields.

***

## Step 3 — Choose your region and connect

From the **Region** dropdown, select your region (the app pre-selects **`dc3-a`** — use the region your project is in). Then click **Validate & Connect**.

**What you see:** PhoenixVPS checks the credential against the Infomaniak OpenStack API (usually under five seconds). The **Status** line near the bottom of the panel updates to confirm the account is connected.

If you see an error instead, see [Troubleshooting](#troubleshooting).

***

## What happens next

PhoenixVPS can now create and tear down a VPN server in your Infomaniak project using the Application Credential. To start a session, return to the main screen and click **Connect**.

Remember: a running server bills until you tear it down. Use **Tear Down VPN Server** when you are finished (see the [FAQ](/faq/#is-my-vpn-server-deleted-when-i-disconnect)), and see the [Pricing](/pricing/) page for cost details.

***

## Troubleshooting

### “Invalid credential” or authentication fails

* The **ID** or **secret** may have been truncated when copied. Since the secret is shown only once, the simplest fix is to create a fresh Application Credential in Horizon (**Identity → Application Credentials → Create Application Credential**, role **member**) and enter the new ID and secret. See [Infomaniak — Setup](/infomaniak/setup/).
* Make sure the **Region** matches the region your project is in.
### The credential connects but the server fails to start

The credential is valid but the server could not be created — usually a quota or capacity limit in the selected region. Check your project’s quotas in Horizon (**Compute → Overview**), or try again later.

***

## Revoking access

To remove PhoenixVPS’s access to your Infomaniak account:

1. In PhoenixVPS, click **Disconnect / Revoke**. This deletes the locally stored credential and tears down any server the app is managing.
2. To fully revoke it, open Horizon → **Identity → Application Credentials**, find the PhoenixVPS credential, and delete it. (Deleting the whole dedicated project also removes the credential.)

After the credential is deleted, PhoenixVPS can no longer create or manage anything in your Infomaniak project.

# Infomaniak — Setup

> Create an Infomaniak Public Cloud project and a scoped OpenStack Application Credential for PhoenixVPS — no admin login shared.

## Overview

In this guide you will:

1. Open your **Public Cloud** project in the Infomaniak Manager.
2. Open the **Horizon** dashboard for that project.
3. Create a scoped **Application Credential** (an ID + secret pair).
4. End with that **ID + secret + region**, which you hand to the app in [Infomaniak — Key handoff](/infomaniak/key-handoff/).

The Application Credential is **project-scoped**, so PhoenixVPS can only act inside the one project — never your other Infomaniak resources. Your account password is never shared.

***

## Prerequisites

Before you start, make sure you have:

* [ ] An **Infomaniak** account, signed in.
* [ ] A **Public Cloud project** in that account.
The project itself costs **nothing up front** (you’re billed monthly only for what your servers use), but ordering one requires a **phone identity check** and a **payment card on file**. If you don’t have a project yet, order one first — see the note in [Step 1](#step-1--open-your-public-cloud-project).
* [ ] The **PhoenixVPS** app installed on your device.

**Identity verification required at signup**

Infomaniak is an EU provider with **strict identity checks (KYC)**. Creating an account and ordering Public Cloud requires verifying your identity — typically a **photo ID plus a selfie**. Allow extra time: a new account may not be usable until that verification clears.

***

## A note on Infomaniak’s two portals

Infomaniak has two separate web portals, and it’s easy to land on the wrong one:

* **Manager** (`manager.infomaniak.com`) — the administration console, where Public Cloud lives.
* **kSuite** — the mail/productivity portal. The login page at `login.infomaniak.com` sends you here by default.

If you end up in kSuite, switch over: click **My Applications** (the grid icon, top-right of the screen), then choose **Access Manager**. (The same menu has **Access kSuite** to switch back.)

***

## Step 1 — Open your Public Cloud project

Go to `https://manager.infomaniak.com/` and sign in. In the left sidebar, click **Cloud Computing**, then **Public Cloud**.

**What you see:** Your Public Cloud projects, each named `PCP-xxxxxx`. (If the page says *“You have no Public Cloud”*, order a project first — see Prerequisites.)

Open your project (use a dedicated project for the VPN so the credential stays isolated).

**First time? Ordering a project**

If you have no project yet, click **Order a Public Cloud**.
The order flow is short: **name your cloud → confirm your identity by phone → decline the Swiss Backup add-on → review and confirm**. Throughout, the **Amount payable shows 0,00 €** — Public Cloud has no up-front cost; you’re billed at the **end of each month** for what your servers actually use. A **payment card must be on file** and you accept the Special Terms to finish, but **no charge occurs until you run a server**.

***

## Step 2 — Open the Horizon dashboard

From the project, open the **Horizon** dashboard (OpenStack’s web console). In PhoenixVPS’s **Infomaniak Public Cloud** panel you can click **Open Horizon Dashboard** to go straight there.

**What you see:** The Horizon dashboard for your project, with a navigation menu down the left side (Project, Compute, Network, **Identity**, …).

***

## Step 3 — Open Application Credentials

In the Horizon left menu, open **Identity → Application Credentials**.

**What you see:** The Application Credentials list (empty if you haven’t made one) and a **Create Application Credential** button.

***

## Step 4 — Create a member Application Credential

Click **Create Application Credential** and fill in the dialog:

1. **Name:** type something you’ll recognise, such as `PhoenixVPS`.
2. **Roles:** select **member**.
3. Leave **Unrestricted** **unchecked**. (Unrestricted would widen the credential’s powers — PhoenixVPS does not need it.)

Leave the other fields (Secret, Expiration, Project) at their defaults, then click **Create Application Credential**.
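
The scope chosen in this step (role **member**, **Unrestricted** left unchecked, one project) can be confirmed from the Keystone token the credential yields. The sketch below is an added example, not PhoenixVPS code: it builds the standard Keystone v3 application-credential login body and audits a constructed sample response. Accepting `reader` assumes the default OpenStack role hierarchy, where `member` implies `reader`.

```python
import json

# Constructed sample of the body Keystone returns from POST /v3/auth/tokens
# after an application-credential login. Every value here is made up.
SAMPLE_TOKEN = json.loads("""
{"token": {
  "methods": ["application_credential"],
  "expires_at": "2030-01-01T00:00:00.000000Z",
  "project": {"id": "0123abcd", "name": "PCP-EXAMPLE"},
  "roles": [{"id": "r1", "name": "member"}, {"id": "r2", "name": "reader"}],
  "application_credential": {"id": "ac-example", "name": "PhoenixVPS", "restricted": true}
}}
""")


def build_auth_request(cred_id, secret):
    """Keystone v3 login body for an Application Credential (ID + secret)."""
    return {"auth": {"identity": {
        "methods": ["application_credential"],
        "application_credential": {"id": cred_id, "secret": secret},
    }}}


def audit_token(response, allowed_roles=("member", "reader")):
    """Return a list of findings; an empty list means the scope matches Step 4."""
    token = response.get("token", {})
    findings = []
    if token.get("methods") != ["application_credential"]:
        findings.append("token was not issued from an application credential")
    if "project" not in token:
        findings.append("token is not project-scoped")
    roles = {r.get("name") for r in token.get("roles", [])}
    if not roles:
        findings.append("no roles granted")
    extra = roles - set(allowed_roles)
    if extra:
        findings.append("unexpected roles: " + ", ".join(sorted(extra)))
    # Assumption: the token carries application_credential.restricted, as current
    # Keystone does. False means "Unrestricted" was ticked, which lets the
    # credential create further application credentials and trusts.
    if token.get("application_credential", {}).get("restricted") is not True:
        findings.append("credential is unrestricted")
    return findings


if __name__ == "__main__":
    print(audit_token(SAMPLE_TOKEN) or "scope matches: member role, restricted, project-scoped")
```
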
***

## Step 5 — Copy the ID and secret

**What you see:** A confirmation showing the new credential’s **ID** and **Secret** (there is usually a **Download openrc file** / **Download clouds.yaml** option too).

Copy **both** the **ID** and the **Secret**.

**The secret is shown only once**

Horizon displays the **Secret** only at this moment. If you close the dialog without copying it, you cannot retrieve it — you’d have to delete the credential and create a new one. Do not paste either value into chat, email, or any document; they go only into PhoenixVPS.

Also note your **region** (the app pre-selects `dc3-a`); you’ll choose it during handoff.

***

## Next step

Take the **ID**, **secret**, and **region** to [Infomaniak — Key handoff](/infomaniak/key-handoff/) to connect PhoenixVPS.

# Pricing

> Estimated running costs for PhoenixVPS across AWS, Hetzner, and Infomaniak — broken out by component so you can see every billable item, including easy-to-miss charges like AWS's per-hour public IPv4 address fee.

PhoenixVPS has no subscription fee — you pay your cloud provider directly for the server while it exists. This page shows every billable component for each supported provider.

> **Important:** the server bills for as long as it **exists**, not just while the VPN tunnel is connected. When you finish, use the app’s **Tear Down VPN Server** action to terminate the server and stop the charges. See [Is my VPN server deleted when I disconnect?](/faq/#is-my-vpn-server-deleted-when-i-disconnect)

***

## All providers

All figures below are **unverified placeholder rates** until a maintainer confirms them from each provider’s official pricing page and marks them verified. See the ⚠️ indicator on each row.
Do not rely on these numbers for budget planning — click through to the official pricing page for each provider before committing.

### AWS — t4g.nano

Beyond the EC2 instance hourly rate, the server also incurs a small per-hour charge for its public IPv4 address, plus per-GB egress cost (data out to the internet). The components below call each one out explicitly. Note that data transfer costs are high and billed per GB rather than per TB as with the other providers.

| Component | Unit | Per hour (USD) | Per day (USD) | Status |
| --- | --- | --- | --- | --- |
| EC2 instance (t4g.nano, on-demand) | per hour | 0.0048 | 0.1152 | ✓ verified 2026-06-19 |
| Public IPv4 address (in-use) ([pricing](https://aws.amazon.com/vpc/pricing/)) | per hour | 0.0050 | 0.1200 | ✓ verified 2026-06-19 |
| Data transfer out (100GB Free per month) ([pricing](https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer)) | per GB | 0.0900 | — | ✓ verified 2026-06-19 |

### Hetzner — CX23

Hetzner typically includes generous traffic allowances per server; egress beyond the allowance is billed per TB.
(1TB = 1000GB)

| Component | Unit | Per hour (EUR) | Per day (EUR) | Status |
| --- | --- | --- | --- | --- |
| Cloud server (CX23) | per hour | 0.0088 | 0.2112 | ✓ verified 2026-06-19 |
| Public IPv4 address (in-use) | per hour | 0.0008 | 0.0192 | ✓ verified 2026-06-19 |
| Data transfer out (20TB free per month) | per TB | 1.0000 | — | ✓ verified 2026-06-19 |

### Infomaniak — a1\_ram2\_disk20\_perf1

RAM-only servers are also available.

| Component | Unit | Per hour (CHF) | Per day (CHF) | Status |
| --- | --- | --- | --- | --- |
| Cloud server \| 2GB RAM \| 1vCPU \| 20GB Storage \| (a1\_ram2\_disk20\_perf1) | per hour | 0.0058 | 0.1385 | ✓ verified 2026-06-19 |
| Data transfer out - FREE | per TB | 0.0000 | — | ✓ verified 2026-06-19 |

### DigitalOcean — s-1vcpu-1gb

DigitalOcean includes a public IPv4 address at no extra charge. Free data transfer allowances increase with Droplet size, up to 11,000 GB.

| Component | Unit | Per hour (USD) | Per day (USD) | Status |
| --- | --- | --- | --- | --- |
| Basic Droplet \| 1GB RAM \| 1 vCPU \| 25GB Storage \| (s-1vcpu-1gb) | per hour | 0.0089 | 0.2143 | ✓ verified 2026-06-19 |
| Data transfer out (1000GB free per month) ([pricing](https://docs.digitalocean.com/products/billing/bandwidth/)) | per GB | 0.0100 | — | ✓ verified 2026-06-19 |

***

## Notes on AWS costs

AWS has two charges beyond the EC2 instance hourly rate that are easy to overlook:

* **Public IPv4 address.** Since February 2024 AWS bills a small per-hour charge for every in-use public IPv4 address.
The VPN server has one (so it can be reached), so this charge applies the whole time the server exists.
* **Data transfer out (egress).** AWS charges per GB transferred from EC2 to the internet. The first 100 GB per month is tiered; a free-tier allowance may apply in some accounts.

Both are called out as separate rows in the table above so the total cost is visible before you launch a server.

***

## Are these figures current?

Not until a maintainer verifies them. Prices are marked ⚠️ unverified until a maintainer confirms them and sets `verified: true` in `src/data/pricing.json` (see the **Updating prices** section of `AUTHORING.md` in the repository root).

Consult each provider’s official pricing page directly:

* **AWS EC2:** [aws.amazon.com/ec2/pricing/on-demand/](https://aws.amazon.com/ec2/pricing/on-demand/)
* **AWS public IPv4:** [aws.amazon.com/vpc/pricing/](https://aws.amazon.com/vpc/pricing/)
* **Hetzner Cloud:** [hetzner.com/cloud/](https://www.hetzner.com/cloud/)
* **Infomaniak Public Cloud:** [infomaniak.com/en/hosting/public-cloud](https://www.infomaniak.com/en/hosting/public-cloud)