Running as a Service

Set up the r-vpn server to start automatically on boot and restart on failure.


systemd (Linux)

Create the service file:

sudo nano /etc/systemd/system/rvpn-server.service

Add the following contents:

[Unit]
Description=r-vpn Server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/rvpn-server -c /etc/rvpn/server.toml
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

# Redirect logs to journal
StandardOutput=journal
StandardError=journal
SyslogIdentifier=rvpn-server

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl daemon-reload
sudo systemctl enable rvpn-server
sudo systemctl start rvpn-server

Check status:

sudo systemctl status rvpn-server

View logs:

sudo journalctl -u rvpn-server -f

Managing the Service

Action             Command
Start              sudo systemctl start rvpn-server
Stop               sudo systemctl stop rvpn-server
Restart            sudo systemctl restart rvpn-server
Reload config      sudo systemctl reload rvpn-server
View logs          sudo journalctl -u rvpn-server -f
Disable autostart  sudo systemctl disable rvpn-server

TLS Certificate Auto-Renewal

If you use Let's Encrypt, add a deploy hook that reloads r-vpn when the certificate renews:

sudo nano /etc/letsencrypt/renewal-hooks/deploy/rvpn-reload.sh

Add the following contents:

#!/bin/bash
# Reload r-vpn so it picks up the renewed certificate; restart it if the reload fails
systemctl reload rvpn-server 2>/dev/null || systemctl restart rvpn-server

Make the hook executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/rvpn-reload.sh

Test the renewal process (a dry run does not execute deploy hooks, so run the hook script by hand once to confirm it works):

sudo certbot renew --dry-run

FreeBSD rc(8)

Create /usr/local/etc/rc.d/rvpn_server:

#!/bin/sh
# PROVIDE: rvpn_server
# REQUIRE: NETWORKING
# KEYWORD: shutdown

. /etc/rc.subr

name="rvpn_server"
rcvar="rvpn_server_enable"
command="/usr/local/bin/rvpn-server"
command_args="-c /usr/local/etc/rvpn/server.toml"
pidfile="/var/run/rvpn-server.pid"

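load_rc_config $name
# Default to disabled unless rc.conf enables the service
: ${rvpn_server_enable:="NO"}
run_rc_command "$1"

Make the script executable, enable the service, and start it:

chmod +x /usr/local/etc/rc.d/rvpn_server
echo 'rvpn_server_enable="YES"' >> /etc/rc.conf
service rvpn_server start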

NAT Prerequisites for TUN Mode

If running in TUN mode (full-tunnel VPN), the server must be configured as a NAT gateway before starting the service.

Linux

# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1

# Configure NAT (replace eth0 with your public interface)
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

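The sysctl -w setting is lost on reboot; to keep forwarding enabled, set net.ipv4.ip_forward=1 in /etc/sysctl.conf or in a file under /etc/sysctl.d/. Make the iptables rules persistent across reboots: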

# Debian/Ubuntu
sudo apt install iptables-persistent
sudo netfilter-persistent save

# RHEL/CentOS
sudo service iptables save
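
The Linux prerequisites above can be checked before the service is started. The script below is an added example, not part of r-vpn or its documentation: it parses iptables-save output for the three rules shown on this page and reads the forwarding flag. The function names, the --live switch and the embedded sample ruleset are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not part of r-vpn): preflight check for the Linux TUN-mode
# NAT prerequisites. eth0 and tun0 are the interface names used on this page.

# nat_missing WAN TUN: reads `iptables-save` output on stdin and prints one
# line per rule from this page that is absent; prints nothing if all exist.
nat_missing() {
    wan=$1; tun=$2; rules=$(cat)
    has() { printf '%s\n' "$rules" | grep -Eq -- "$1"; }
    has "^-A POSTROUTING( .*)? -o $wan( .*)? -j MASQUERADE" ||
        echo "missing: MASQUERADE on $wan"
    has "^-A FORWARD( .*)? -i $tun( .*)? -o $wan( .*)? -j ACCEPT" ||
        echo "missing: FORWARD $tun -> $wan"
    has "^-A FORWARD( .*)? -i $wan( .*)? -o $tun .*RELATED,ESTABLISHED.* -j ACCEPT" ||
        echo "missing: FORWARD $wan -> $tun (RELATED,ESTABLISHED only)"
    return 0
}

# forwarding_on [FILE]: true if the kernel IPv4 forwarding flag reads 1.
forwarding_on() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Constructed sample: the return-traffic rule is absent, as happens when a
# rule is added after the ruleset was last saved.
sample_rules() {
    cat <<'EOF'
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i tun0 -o eth0 -j ACCEPT
COMMIT
EOF
}

# Live mode (needs root): exit non-zero if any prerequisite is missing.
if [ "${1:-}" = "--live" ]; then
    problems=$(iptables-save | nat_missing "${2:-eth0}" "${3:-tun0}"
               forwarding_on || echo "missing: net.ipv4.ip_forward=1")
    [ -z "$problems" ] || { echo "$problems" >&2; exit 1; }
fi
```

Run it as root with --live followed by the public and tunnel interface names; a non-zero exit means a prerequisite from this section is missing.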

FreeBSD

Add to /etc/rc.conf:

gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"  # ipfw ruleset that allows all traffic
natd_enable="YES"
natd_interface="vtnet0"  # your public interface

macOS

macOS does not support server-side TUN NAT. Use SOCKS5 mode or a Linux VM for TUN mode servers.


TUN Mode vs SOCKS5 Mode

Aspect           TUN Mode                   SOCKS5 Mode
NAT required     Yes (server-side)          No (client-side relay)
Traffic routing  All apps, full tunnel      Per-application
Server setup     IP forwarding + NAT rules  Standard VPN server

See TUN Mode for complete TUN mode setup documentation.