Server Configuration
Complete reference for R-VPN server configuration options.
Configuration File
Default location: `/etc/rvpn/server.toml`, or a path given with the `-c` flag.
Main Section
```toml
[server]
# Network binding
bind_address = "0.0.0.0:443"

# TLS configuration
tls_cert_file = "certs/cert.pem"
tls_key_file = "certs/key.pem"

# Identity
identity_key_file = "server_identity.key"

# X3DH prekey rotation (hours)
prekey_rotation_hours = 168  # Weekly

# One-time prekeys
one_time_prekey_count = 100

# WebSocket path
websocket_path = "/connect"

# HTTP port for ACME challenges (Let's Encrypt)
http_port = 80

# Redirect HTTP to HTTPS
redirect_http_to_https = true

# Decoy website (optional)
decoy_root = "/var/www/html"

# Prekey bundle file (optional)
prekey_bundle_file = "prekey-bundle.json"
```
HTTP Server
The server includes a built-in HTTP server for ACME challenges and for serving the decoy website:
```toml
[server]
# Port for HTTP server (for ACME and decoy site)
# Set to null to disable HTTP server (TOML has no null literal:
# leave the key out, since the default is null)
http_port = 80

# Redirect HTTP to HTTPS
redirect_http_to_https = true

# Decoy website root (served on port 80)
decoy_root = "/var/www/html"
```
The HTTP server provides:
- ACME Challenge - Automatic Let's Encrypt certificate verification
- HTTP→HTTPS Redirect - Redirects all HTTP traffic to HTTPS
- Decoy Website - Serves static content to unauthenticated visitors
Decoy Websites
R-VPN includes several decoy website templates that can be used to make your server appear as a legitimate website:
| Template | Description | Location |
|---|---|---|
| Blog | Travel/lifestyle blog | decoy-sites/blog/ |
| News | News publication | decoy-sites/news/ |
| Ecommerce | Home goods store | decoy-sites/ecommerce/ |
| Portfolio | Creative agency | decoy-sites/portfolio/ |
| Docs | API documentation | decoy-sites/docs/ |
To use a decoy site:
1. Copy the desired template to your web root
2. Configure decoy_root in your server config
3. The site will be served to unauthenticated visitors on port 80
Rate Limiting
```toml
[server.rate_limit]
# Maximum connections per IP
max_connections_per_ip = 5

# Maximum handshakes per minute per IP
max_handshakes_per_minute = 10
```
Network Configuration
```toml
[server.network]
# Enable NAT
nat_enabled = true

# DHCP range for clients
dhcp_range = "10.200.0.0/24"

# DNS servers for clients
dns_servers = ["1.1.1.1"]
```
Logging
```toml
[server.logging]
# Log level: error, warn, info, debug, trace
level = "info"

# Log file (optional)
file = "/var/log/rvpn/server.log"
```
Complete Example
```toml
[server]
bind_address = "0.0.0.0:443"
tls_cert_file = "/etc/rvpn/cert.pem"
tls_key_file = "/etc/rvpn/key.pem"
identity_key_file = "/etc/rvpn/server_identity.key"
prekey_rotation_hours = 168
one_time_prekey_count = 100
websocket_path = "/connect"
decoy_root = "/var/www/html"
http_port = 80
redirect_http_to_https = true

[server.rate_limit]
max_connections_per_ip = 5
max_handshakes_per_minute = 10

[server.network]
nat_enabled = true
dhcp_range = "10.200.0.0/24"
dns_servers = ["1.1.1.1"]

[server.logging]
level = "info"
file = "/var/log/rvpn/server.log"
```
Command Line Options
```bash
# Start with custom config
rvpn-server -c /etc/rvpn/server.toml

# Custom bind address
rvpn-server -b 0.0.0.0:8443

# Verbose logging
rvpn-server -v
rvpn-server -vv

# Generate keys
rvpn-server keygen
```
Environment Variables
| Variable | Description |
|---|---|
| `RVPN_CONFIG` | Path to config file |
| `RVPN_BIND` | Bind address override |
| `RVPN_LOG_LEVEL` | Log level |
Configuration Options Reference
| Option | Type | Default | Description |
|---|---|---|---|
| `bind_address` | String | `0.0.0.0:443` | Address to bind to |
| `tls_cert_file` | Path | `certs/cert.pem` | TLS certificate file |
| `tls_key_file` | Path | `certs/key.pem` | TLS private key file |
| `identity_key_file` | Path | `server_identity.key` | Server identity key file |
| `prekey_bundle_file` | Path | `null` | Prekey bundle file (optional) |
| `prekey_rotation_hours` | u32 | `168` | Prekey rotation interval in hours |
| `one_time_prekey_count` | u32 | `100` | One-time prekey pool size |
| `websocket_path` | String | `/connect` | WebSocket endpoint path |
| `decoy_root` | Path | `null` | Decoy website root directory (optional) |
| `http_port` | u16 | `null` | HTTP port for ACME and redirects (optional) |
| `redirect_http_to_https` | bool | `true` | Redirect HTTP to HTTPS |
Rate Limit Options
| Option | Type | Default | Description |
|---|---|---|---|
| `rate_limit.max_connections_per_ip` | u32 | `5` | Maximum connections per IP address |
| `rate_limit.max_handshakes_per_minute` | u32 | `10` | Maximum handshakes per minute per IP |
Network Options
| Option | Type | Default | Description |
|---|---|---|---|
| `network.nat_enabled` | bool | `true` | Enable NAT for client traffic |
| `network.dhcp_range` | String | `10.200.0.0/24` | DHCP IP range for VPN clients |
| `network.dns_servers` | Array | `["1.1.1.1"]` | DNS servers for VPN clients |
Logging Options
| Option | Type | Default | Description |
|---|---|---|---|
| `logging.level` | String | `info` | Log level (error, warn, info, debug, trace) |
| `logging.file` | Path | `null` | Log file path (optional) |
Next Steps
- Setup - Initial server setup
- Deployment - Production deployment