Deploying on Debian#
For simple one server deployments and tests, we have a deploy script available you can run on a fresh Debian 10 or 11 installation. It will configure all components and will be ready for use after running!
Additional scripts are available after deployment:
- Use Let’s Encrypt for automatic web server certificate management;
- Clean Debian 10 or 11 installation with all updates installed;
- Have a STATIC IPv4 and IPv6 address configured on your external interface;
- Network equipment/VM platform allows access to the very least
tcp/1194for basic functionality, the deploy script will take care of the host firewall;
- Working DNS entry for your VPN server, e.g.
We test only with the official Debian netinst and the official Cloud images.
If you have a more complicated setup, we recommend to manually walk through the deploy script and follow the steps.
NOTE if you expect to do a production deploy, please read the section below about modifying the PHP configuration.
Perform these steps on the host where you want to deploy:
$ sudo apt -y install ca-certificates wget $ wget https://codeberg.org/eduVPN/deploy/archive/v2.tar.gz $ tar -xzf v2.tar.gz $ cd deploy
We assume you have
sudo installed and configured for your user first, after
$ sudo -s # ./deploy_debian.sh
Specify the hostname you want to use for your VPN server. The recommended hostname SHOULD already be the one you want to use… If not, set the hostname correctly first.
NOTE: you can NOT use
localhost as a hostname, nor an IP address!
NOTE: by default there is NO firewall for the traffic between VPN client and VPN server. So if you have SSH running on your server, the clients will be able to connect to it when you don’t take additional steps! Look here.
NOTE: if you want to use the development repository, use:
# VPN_DEV_REPO=1 ./deploy_debian.sh
See PROFILE_CONFIG on how to update the VPN server settings.
Username & Password#
By default there is a user
admin with a generated password for
portal access. Those are printed at the end of the deploy script.
If you want to update/add users you can use the
Provide an existing account to update the password:
$ sudo -u www-data vpn-user-portal-add-user User ID: foo Setting password for user "foo" Password: Password (repeat):
You can configure which user(s) is/are an administrator by setting the
adminUserIdList option in
'adminUserIdList' => ['admin'],
It is easy to enable LDAP authentication. This is documented separately. See LDAP.
It is easy to enable RADIUS authentication. This is documented separately. See RADIUS.
It is easy to enable SAML authentication for identity federations, this is documented separately. See SAML.
It is possible to enable 2FA with TOTP.
If you want to restrict the use of the VPN a bit more than on whether someone has an account or not, e.g. to limit certain profiles to certain (groups of) users, see ACL.
Debian’s PHP package has some unfortunate defaults that only work for very light usage and in no way for deploys where you expect more than a few users to use the service.
/etc/php/7.3/fpm/pool.d/www.conf (Debian 10),
/etc/php/7.4/fpm/pool.d/www.conf (Debian 11), or
/etc/php/8.2/fpm/pool.d/www.conf (Debian 12) and change the following
settings. We’ll use the CentOS/Fedora defaults here as well:
pm = dynamic pm.max_children = 50 pm.start_servers = 5 pm.min_spare_servers = 5 pm.max_spare_servers = 35
You can tweak those further if needed, but they’ll do for some time! Restart the PHP service to activate the changes:
$ sudo systemctl restart php$(/usr/sbin/phpquery -V)-fpm
Web Server Certificates#
By default a self-signed certificate is used for the web server. You can
install your own certificates, and tweak
/etc/apache2/sites-available/vpn.example.org.conf to point to them, or use
Let’s Encrypt using the script mentioned below.
Run the script (as root) from the documentation folder:
$ sudo -s # ./lets_encrypt_debian.sh
Make sure you use the exact same DNS name you used when running
After completing the script, the certificate will be installed. It is set to automatically renew when necessary and gracefully reload Apache after the certificate has been replaced.
If you also want to allow clients to connect with the VPN over