Prerequisites¶
Everything on this page is done once, before installing any Valenius component. If your server already runs Docker behind an HTTPS reverse proxy, skip ahead and just check the checklist at the bottom.
What you need¶
- A Linux server — a small VM or VPS is plenty (2 CPU cores, 2 GB RAM, 20 GB disk). This runs the backend; it does not carry VPN traffic.
- A domain name you control, e.g.
vpn.example.com, with a DNS record pointing at the server. - Docker — Docker Engine plus the Docker Compose plugin.
- An HTTPS reverse proxy with a valid certificate (Nginx Proxy Manager, Caddy, Traefik, plain Nginx — any of them works). Valenius requires real HTTPS in front: sign-in cookies and single sign-on do not work over plain HTTP.
- Pro only Pro: one more Linux machine (or the same one) with a public IP or hostname and one open UDP port — that's where the integrated WireGuard® server will run.
Steps¶
1. Install Docker¶
On a fresh Debian/Ubuntu server, the official convenience script installs Docker Engine and the Compose plugin in one go:
For other distributions, follow Docker's install instructions.
2. Set up the DNS record¶
At your DNS provider, create an A record (and/or AAAA) for the hostname
you'll use — for example vpn.example.com → your server's public IP.
3. Set up the reverse proxy¶
If you don't have one yet, Nginx Proxy Manager is the easiest to start with — it runs in Docker too and issues Let's Encrypt certificates from a web UI. Install it now; you'll add the actual forwarding rule during the backend install.
Verify it works¶
docker --versionanddocker compose versionboth print a version.docker run --rm hello-worldprints "Hello from Docker!".ping vpn.example.com(from your own PC) resolves to the server's IP.- Your reverse proxy's admin UI is reachable and can issue certificates.
All four pass? Continue with the backend: Community edition or Pro edition.
Common problems¶
docker commands fail with "permission denied".
Your user isn't in the docker group. Run
sudo usermod -aG docker $USER, then log out and back in — or simply prefix
the commands with sudo.
The reverse proxy can't issue a certificate. Ports 80 and 443 must be reachable from the internet for Let's Encrypt, and the DNS record must already point at this server. Check both, then retry.
The DNS record doesn't resolve yet.
DNS changes can take a while to propagate. Wait a few minutes and test again
with nslookup vpn.example.com.