Documentation

Server 3.x

Deploying on Enterprise Linux#

For simple one server deployments and tests, we have a deploy script available you can run on a fresh EL installation. It will configure all components and will be ready for use after running!

Requirements#

If you have a more complicated setup, we recommend to manually walk through the deploy script and follow the steps.

NOTE: we only test with relatively clean and unmodified installations of Enterprise Linux. If you, or your organization (heavily) modified the OS installation the VPN deployment MAY not work…

Base Deploy#

NOTE: make sure you have tar installed, the EL “minimal” image does not have tar:

$ sudo dnf -y install tar

Perform these steps on the host where you want to deploy:

$ curl -L -O https://codeberg.org/eduVPN/deploy/archive/v3.tar.gz
$ tar -xzf v3.tar.gz
$ cd deploy

Run the script (as root):

$ sudo -s
# ./deploy_el.sh

NOTE: if the script does NOT suggest the actual hostname you want to use on your system, make sure you configure your hostname first, see above.

NOTE: you can NOT use localhost as a hostname, nor an IP address!

NOTE: by default there is NO firewall for the traffic between VPN client and VPN server. So if you have SSH running on your server, the clients will be able to connect to it when you don’t take additional steps! Look here.

TLS Certificate#

See TLS on how to configure a TLS certificate for your server.

Update#

During the deployment you are asked whether to enable automatic updates. If you choose y, the default, a cronjob is installed in /etc/cron.weekly/vpn-maint-update-system.

See Install Updates for manual installation of updates.

Configuration#

VPN#

See Profile Config on how to update the VPN server settings.

Authentication#

Username & Password#

By default there is a user demo and admin with a generated password for portal access. Those are printed at the end of the deploy script.

If you want to update/add users you can use vpn-user-portal-account. Provide an existing account to update the password:

$ sudo vpn-user-portal-account --add foo
Setting password for user "foo"
Password: 
Password (repeat): 

You can configure which user(s) is/are an administrator by setting the adminUserIdList option in /etc/vpn-user-portal/config.php, e.g.:

'adminUserIdList' => ['foo'],

LDAP#

It is easy to enable LDAP authentication. This is documented separately. See LDAP.

RADIUS#

It is easy to enable RADIUS authentication. This is documented separately. See RADIUS.

SAML#

It is easy to enable SAML authentication for identity federations, this is documented separately. See SAML.

Permissions#

If you want to restrict the use of the VPN a bit more than on whether someone has an account or not, e.g. to limit certain profiles to certain (groups of) users, see Permissions.

Theme#

You can activate Portal Branding if you want.