For simple one server deployments and tests, we have a deploy script available you can run on a fresh Debian 9 installation. It will configure all components and will be ready for use after running!
Additional scripts are available after deployment:
- Use Let's Encrypt for automatic web server certificate management;
- Clean Debian 9 installation with all updates installed;
- Network equipment/VM platform allows access to the very least
tcp/80,tcp/443,udp/1194andtcp/1194for basic functionality, the deploy script will take care of the host firewall; - Working DNS entry for your VPN server, e.g.
vpn.example.org.
We test only with the official Debian netinst and the official Cloud images.
If you have a more complicated setup, we recommend to manually walk through the deploy script and follow the steps.
NOTE if you expect to do a production deploy, please read the section below about modifying the PHP configuration.
Perform these steps on the host where you want to deploy:
$ wget https://github.com/eduvpn/documentation/archive/master.tar.gz
$ tar -xzf master.tar.gz
$ cd documentation-master
We assume you have sudo installed and configured for your user first, after
this:
$ sudo -s
# ./deploy_debian.sh
Specify the hostname you want to use for your VPN server. Both the "Web" and "OpenVPN" DNS names can be identical for simple 1 machine setups.
NOTE: you can NOT use localhost as a hostname, nor an IP address!
Periodically install updates!
See PROFILE_CONFIG on how to update the VPN server settings.
By default there is a user me with a generated password for the User Portal
and a user admin with a generated password for the Admin Portal. Those are
printed at the end of the deploy script.
If you want to update/add users you can use the vpn-user-portal-add-user and
vpn-admin-portal-add-user scripts. Provide an existing account to update
the password:
$ sudo vpn-user-portal-add-user
User ID: foo
Setting password for user "foo"
Password:
Password (repeat):
It is easy to enable LDAP authentication. This is documented separately. See LDAP.
It is easy to enable RADIUS authentication. This is documented separately. See RADIUS.
It is easy to enable SAML authentication for identity federations, this is documented separately. See SAML.
For connecting to the VPN service by default only certificates are used, no additional user name/password authentication. It is possible to enable 2FA to require an additional TOTP or YubiKey.
If you want to restrict the use of the VPN a bit more than on whether someone has an account or not, e.g. to limit certain profiles to certain (groups of) users, see ACL.
Debian's php7.0-fpm package has some unfortunate defaults that only work for
very light usage and in no way for deploys where you expect more than a few
users to use the service.
Modify /etc/php/7.0/fpm/pool.d/www.conf and change the following settings.
We'll use the CentOS/Fedora defaults here as well:
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
You can tweak those further if needed, but they'll do for some time! Restart
the php7.0-fpm service to activate the changes:
$ sudo systemctl restart php7.0-fpm
Run the script (as root):
$ sudo -s
# ./lets_encrypt_debian.sh
Make sure you use the exact same DNS name you used when running
deploy_debian.sh!
After completing the script, the certificate will be installed. After that, it is advisable to set up automatic certificate renewal.
If you also want to allow clients to connect with the VPN over tcp/443, see
Port Sharing.