
Server Quick Start

Get a server running in under 10 minutes.


Prerequisites

  • A machine with a public IP address (Linux, macOS, or FreeBSD)
  • Port 443 open in your firewall/security group
  • Root or sudo access

1. Install

The universal installer handles everything:

curl -fsSL https://assets.rvpn.org/install.sh | sudo bash -s -- --setup --server

It will auto-detect your platform, download the correct binary, verify the checksum, and walk you through server configuration (keys, TLS, TUN mode, etc.).

Or manually:

# Linux x86_64 (most VPS)
curl -LO https://assets.rvpn.org/1.0.2/rvpn-server-x86_64-linux-gnu
chmod +x rvpn-server-x86_64-linux-gnu
sudo mv rvpn-server-x86_64-linux-gnu /usr/local/bin/rvpn-server

# Linux ARM64
curl -LO https://assets.rvpn.org/1.0.2/rvpn-server-aarch64-linux-gnu
chmod +x rvpn-server-aarch64-linux-gnu
sudo mv rvpn-server-aarch64-linux-gnu /usr/local/bin/rvpn-server

# FreeBSD
fetch https://assets.rvpn.org/1.0.2/rvpn-server-x86_64-freebsd
chmod +x rvpn-server-x86_64-freebsd
sudo mv rvpn-server-x86_64-freebsd /usr/local/bin/rvpn-server

See Server Installation for all available binaries and checksum verification.

Verify it works:

rvpn-server --help


2. Generate Server Keys

sudo rvpn-server keygen
sudo rvpn-server prekey-bundle

This creates three files in /etc/rvpn/:

File                         Purpose
server_identity.key          Server's long-term Ed25519 identity key — keep private
prekey-bundle.json           Public prekey bundle — distribute to clients
prekey-bundle.private.json   Private prekey material — keep private

Important: Keep server_identity.key and prekey-bundle.private.json secure. Back them up. If lost, clients will need a new prekey bundle.


3. Obtain a TLS Certificate

r-vpn requires a valid TLS certificate for the domain clients connect to.

Using Let's Encrypt (certbot):

sudo apt install certbot
sudo certbot certonly --standalone -d your-domain.com

Your certificate files will be at:

  • /etc/letsencrypt/live/your-domain.com/fullchain.pem
  • /etc/letsencrypt/live/your-domain.com/privkey.pem


4. Enable IP Forwarding

r-vpn needs IP forwarding to route traffic on behalf of clients:

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

5. Start the Server

sudo rvpn-server -c /etc/rvpn/server.toml

You should see output like:

INFO  Listening on 0.0.0.0:443
INFO  WebSocket endpoint: /api/v1/ws
INFO  WebSocket endpoint (mobile TUN): /api/v1/ws/tun
INFO  WebSocket endpoint (DNS proxy): /api/v1/ws/dns
INFO  WebSocket endpoint (SOCKS5 mux): /api/v1/ws/mux

Once confirmed working, set it up as a systemd service to run on boot.


6. Distribute the Prekey Bundle

Clients need prekey-bundle.json to connect. Send it to your users securely (Signal, encrypted email, etc.) — this file is public and does not need to be kept secret, but it must be the real file from your server.
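
One way to make "the real file from your server" checkable, as an added example that is not part of r-vpn or its documentation: the operator reads out the bundle's SHA-256 fingerprint over a second channel, and each user compares it against the file they received before importing it. The function names are hypothetical, and only standard hashing tools are assumed.

```shell
#!/bin/sh
# Added example: pin prekey-bundle.json by its SHA-256 fingerprint.
# Nothing here is an rvpn command; bundle_fingerprint and verify_bundle
# are hypothetical helper names.

# Print the lowercase hex SHA-256 of a file, using whichever tool exists
# (sha256sum on most Linux systems, shasum on macOS).
bundle_fingerprint() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no SHA-256 tool found" >&2; return 2
    fi
}

# Compare a received bundle with the fingerprint obtained out of band.
# Spaces, colons and letter case are ignored, so a grouped or upper-case
# fingerprint still matches. Returns 0 on match, 1 on mismatch, 2 on error.
verify_bundle() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d ' :\n' | tr 'A-F' 'a-f')
    # Reject anything that is not exactly 64 hex digits (e.g. a cut-off paste).
    case $expected in
        *[!0-9a-f]*) echo "fingerprint is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "fingerprint must be 64 hex digits" >&2; return 2; }
    actual=$(bundle_fingerprint "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published fingerprint"
        return 0
    fi
    echo "MISMATCH: $file is not the bundle the operator published" >&2
    return 1
}

# Operator, on the server:  bundle_fingerprint /etc/rvpn/prekey-bundle.json
# User, after receiving it: verify_bundle ./prekey-bundle.json "<fingerprint>"
```

The fingerprint should travel over a different channel than the file itself, so that whoever could swap the bundle cannot also swap the value it is checked against.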


Next Steps