[$ xmrhost] _

$ man 7 evaluate-offshore-vps

[$ ] How to choose the best offshore VPS in 2026 — 9 evaluation criteria

// NAME

best-offshore-vps-2026 — methodology, not a listicle. Nine evaluation criteria for offshore VPS providers, the trade-offs per criterion, and how xmrhost.io scores on each. No competitor-bashing; the framework applies to every honest provider in the niche.

// SYNOPSIS 

$ evaluate --jurisdiction --payment --hardening --aup \\
           --network --anonymity --abuse-posture --uptime \\
           --refund

// METHODOLOGY

$ man 7 method

Most "best offshore VPS" content online is one of three patterns: (1) marketing thinly disguised as a comparison, (2) affiliate-link listicles that rank providers by referral kickback, (3) outdated 2019 posts re-published every year. This guide is none of those. It is the evaluation rubric an operationally-aware buyer would actually apply, written by an offshore-hosting operator from the operator side.

Apply the rubric to any provider you're considering. The scoring at the end is xmrhost.io's own scoring; replace it mentally with another provider's name and run the same nine questions on their public surface. If the answers are not publishable to a single page, that itself is a signal.

// THE NINE CRITERIA

$ ls /etc/evaluate/criteria.d

1. Jurisdiction

The jurisdiction the provider's infrastructure physically sits in determines what legal process applies to it. The relevant properties: (a) does the country have a private-notice DMCA- §512-equivalent? (b) does removal require court process? (c) what's the civil-court timeline? Iceland and Romania both score well on (a) and (b); see /vs/iceland-vs-romania for the long-form. Red flag: providers that claim "offshore" but operate infrastructure in jurisdictions with first-party DMCA-style takedown obligations.

2. Payment rail

Crypto-only providers materially reduce the chain-of-custody surface. KYC at signup undoes the offshore posture — the provider knows who you are regardless of where the box runs. Acceptable rails: Monero (best privacy), Bitcoin / Lightning (transparent ledger), Litecoin / Ethereum / USDT (convenience). Red flag: any provider that requires credit card or PayPal at signup.

3. Hardening posture

Does the provider ship hardened defaults (KSPP kernel, sshd baseline, auditd, restrictive nftables) or do they ship a bare Debian/Ubuntu and let the customer figure it out? Hardened- by-default is a real operational property; see /hardening for the baseline xmrhost.io applies. Red flag: providers whose "hardening" page is empty or copies a CIS Benchmark verbatim.

4. AUP — Acceptable Use Policy

Read the AUP before buying. The brand promises in marketing copy are aspirational; the AUP is contractual. Look for: (a) narrow exclusions (CSAM, malware C2, fraud) vs. broad ("anything we find objectionable"), (b) due-process clauses, (c) advance- notice requirements for suspensions. See xmrhost.io's /legal/aup for the enumerated exclusions. Red flag: AUP that gives the provider unilateral termination on "any complaint".

5. Network upstream + redundancy

Single-cable jurisdictions (smaller islands, isolated countries) have worse availability stories regardless of operator effort. Iceland has three submarine cables (FARICE-1, DANICE, IRIS); Romania has dense mainland-EU peering. The provider's upstream AS diversity matters more than RAID configurations on disk. Red flag: vague "premium network" claims without concrete carrier names.

6. Anonymity primitives in operator-facing infrastructure

Does the provider's management surface (account dashboard, billing, support) operate without identity data? Does the support ticket system require email? Is the password manager OK with pseudonyms? xmrhost.io accepts pseudonyms, does not require email, and routes support via a form-to- Telegram channel rather than email surfaces. Red flag: provider that forces a real email for password reset.

7. Abuse-handling posture

How does the operator respond to abuse complaints? Honest operators publish a complaint-handling procedure (intake channel, response window, due-process steps before suspension). See xmrhost.io's /legal/aup for the intake routing. Red flag: "abuse@" mailbox with no published procedure — complaint volume becomes a denial-of-service against the customer.

8. Uptime + SLA

Synthetic 99.99% badges are noise; look for: (a) an SLA-target page that says what windows are measured and what the credit ladder is, (b) post-incident write-up history, (c) the provider's monitoring posture (do they monitor themselves or wait for customers to call?). See /uptime for xmrhost.io's posture. Red flag: 100% uptime claims (impossible; provider is lying or marketing-laundering).

9. Refund mechanics

Crypto rails are settlement-final. The provider's refund mechanism is the only reversal path. Acceptable: refund in the same currency as payment, to a customer-supplied address, within a documented window. See xmrhost.io's /legal/refund. Red flag: refunds only as account credit, or refunds in fiat (which requires re-introducing a fiat off-ramp the operator should not run).

// HOW XMRHOST.IO SCORES

$ evaluate xmrhost.io

// criterion // xmrhost.io // reference
1. Jurisdiction Iceland (Höfundalög nr. 73/1972) + Romania (Legea nr. 8/1996) /location
2. Payment rail Monero (recommended) + BTC / Lightning / LTC / ETH / USDT via OxaPay no-KYC /payments
3. Hardening KSPP kernel + sshd baseline + auditd + nftables; hardened-by-default on every plan /hardening
4. AUP Narrow exclusions (CSAM, malware C2, fraud, terrorism, NCSI), enumerated /legal/aup
5. Network Iceland: 3 submarine cables; Romania: dense mainland-EU peering /location/*
6. Anonymity primitives Pseudonym signup, no email required, /contact form-routed /contact
7. Abuse posture Topic-routed intake, response windows published, court-process required for removal /legal/aup
8. Uptime + SLA 99.9% node / 99.95% network targets, service-credit ladder, post-incident write-ups /uptime
9. Refund Same-currency refund to customer-supplied address, 7-day no-questions on first invoice /legal/refund

// PLAN MATCH BY USE CASE

$ recommend --by-use-case

// use case // recommended plan // monthly
small static site, no traffic spikes vps-1 $15
small CMS / forum / blog vps-2 $25
Tor hidden service (small) tor-1 $20
Tor hidden service (active) / Matrix homeserver tor-2 $42
Tor non-exit relay vps-2 + tor-relay-config addon $30
I2P floodfill i2p-1 $16
Lokinet exit lokinet-1 $27
Bitcoin / Monero full node vps-4 ~$45
AI inference (LLM hosting) gpu-lite / gpu-pro / gpu-beast $60-450

// FAQ

$ faq best-offshore-vps

Q. Who is the best offshore VPS provider in 2026?

A. There is no single "best" provider — the right answer depends on the threat model, the payment rail tolerance, the jurisdiction preference, and the workload. This guide walks the nine evaluation criteria so a buyer can map their requirements to the right provider, including xmrhost.io. We do not name competitors editorially; the evaluation framework applies to every honest provider.

Q. What jurisdiction is best for offshore hosting?

A. For most workloads, Iceland (Höfundalög nr. 73/1972, EEA-not-EU) or Romania (Legea nr. 8/1996, EU member, lowest mainland-EU latency) are the operationally-practical choices. Both have no DMCA-§512-equivalent. Iceland has slight edge for transatlantic latency + EEA-not-EU posture; Romania has slight edge for cost + EU-internal latency. See /vs/iceland-vs-romania-offshore-jurisdiction.

Q. Is offshore hosting actually legal?

A. Yes — operating, paying for, and hosting on offshore infrastructure is legal in every jurisdiction where the customer holds funds legally. What is hosted is the customer's responsibility under the law of the hosting jurisdiction (and any applicable extraterritorial law, depending on customer location). xmrhost.io's /legal/aup enumerates the workloads the operator declines to host (CSAM, terrorism, malware C2, etc.) regardless of jurisdiction.

Q. Why does Cloudflare matter when evaluating an offshore VPS?

A. Cloudflare is US-incorporated. Any site put behind Cloudflare has its TLS terminated in the US and its keys held by a US entity, which is subpoena-able under US legal process. A provider that fronts your VPS with Cloudflare has converted your offshore deployment into a US-subpoenable surface. Always verify the provider serves direct via Caddy / nginx without a CDN layer — xmrhost.io serves direct.

Q. What's the difference between offshore VPS and Tor hidden service hosting?

A. An offshore VPS is reachable via clearnet (public IP + DNS) — the offshore jurisdiction is the layer of protection. A Tor hidden service is reachable only via the Tor network at a .onion address — no clearnet exposure. xmrhost.io offers both: vps-* plans for clearnet sites; tor-* plans pre-configured as v3 hidden services with hardened tor.conf. See /tor for the pillar guide.

Q. Should I pay in Bitcoin or Monero for an offshore VPS?

A. Monero is the recommended rail for chain-analytics-aware threat models. BTC / Lightning are accepted by xmrhost.io but the customer's funding wallet becomes the chain-of-custody anchor. For casual / low-stakes use either works; for source-protection or high-stakes deployment, default to XMR. See /why-monero for the threat-model trade-off.

Q. How much should I expect to pay for a quality offshore VPS?

A. $15-50/month for a single-tenant VPS depending on resources. Below $10/month the provider is either: (a) reselling someone else's infrastructure with a markup that doesn't cover real costs, (b) under-resourced and likely to fail, or (c) cutting corners on hardening / network upstream. xmrhost.io's entry-level plan (vps-1) is $15/mo; mid-tier vps-2 is around $25/mo.

// SEE ALSO

$ ls /usr/share/doc/xmrhost/guide