How to Deploy a Trojan VPN Server on Ubuntu 22.04 — A Fast, Secure Step-by-Step Guide

Deploying a modern Trojan-based VPN server on Ubuntu 22.04 can deliver fast, TLS-based tunneling that blends well with existing HTTPS ecosystems. This guide walks through a production-ready deployment with detailed commands, configuration snippets, and operational recommendations suitable for administrators, developers, and businesses seeking a secure, high-performance VPN endpoint.

Why Trojan and why Ubuntu 22.04

Trojan (and its actively maintained fork trojan-go) implements a VPN/proxy protocol that mimics HTTPS traffic by using genuine TLS handshakes and certificates. This makes it both resilient to simple DPI and easy to integrate with standard web infrastructure. Ubuntu 22.04 LTS provides a stable base, current OpenSSL, systemd management, and good package availability—ideal for long-term server deployments.

Prerequisites

• An Ubuntu 22.04 server with root or sudo access.
• A registered domain name pointing to the server’s public IP (A record).
• Ports 80 and 443 open for certificate issuance (or alternate HTTP validation method).
• Basic familiarity with shell, systemd, and JSON editing.

Step 1 — System preparation and user hardening

Start by updating the system and creating a dedicated non-root user for running services.

Run: sudo apt update && sudo apt upgrade -y

Create a user: sudo adduser trojan && sudo usermod -aG sudo trojan

Install essential tools: sudo apt install -y curl wget git ufw gnupg ca-certificates

Enable basic firewall rules with UFW to allow SSH and necessary ports (80 and 443). Example:

sudo ufw allow OpenSSH && sudo ufw allow 80/tcp && sudo ufw allow 443/tcp && sudo ufw enable

Step 2 — Obtain a TLS certificate (recommended: certbot or acme.sh)

Trojan’s security model depends on valid TLS certificates. You can use certbot or acme.sh. acme.sh is lightweight and script-friendly.

Install acme.sh and issue a certificate using the webroot or standalone method. For webroot (if you run a web server):

curl https://get.acme.sh | sh

~/.acme.sh/acme.sh –issue -d example.com -w /var/www/html

For standalone (no web server): ~/.acme.sh/acme.sh –issue -d example.com –standalone

After issuance, install the cert to standard folders used by trojan: ~/.acme.sh/acme.sh –install-cert -d example.com –key-file /etc/trojan/example.com.key –fullchain-file /etc/trojan/example.com.crt

Ensure proper permissions: sudo mkdir -p /etc/trojan && sudo chown trojan:trojan /etc/trojan && sudo chmod 600 /etc/trojan/example.com.key

Step 3 — Install trojan-go binary

For performance and active feature support, this guide uses trojan-go. Fetch the latest release from the project’s GitHub and extract the binary.

Example:

cd /tmp && wget https://github.com/p4gefau1t/trojan-go/releases/download/vX.Y.Z/trojan-go-linux-amd64.zip && unzip trojan-go-linux-amd64.zip && sudo mv trojan-go /usr/local/bin/ && sudo chmod +x /usr/local/bin/trojan-go

Replace vX.Y.Z with the latest version tag. Verify: trojan-go -version

Step 4 — Create a robust configuration

Trojan-go uses JSON configuration. Create /etc/trojan/config.json owned by the trojan user. The following configuration is a solid starting point with TLS, WebSocket support, and XTLS fallback disabled by default. Adjust cipher and transport settings to your environment.

{
“run_type”: “server”,
“local_addr”: “0.0.0.0”,
“local_port”: 443,
“remote_addr”: “127.0.0.1”,
“remote_port”: 80,
“password”: [“YourVeryStrongPasswordHere”],
“ssl”: {
“cert”: “/etc/trojan/example.com.crt”,
“key”: “/etc/trojan/example.com.key”,
“sni”: “example.com”,
“alpn”: [“h2″,”http/1.1”] },
“websocket”: {
“enabled”: true,
“path”: “/ws”,
“host”: “example.com”
},
“router”: {
“enabled”: true,
“block”: [“geoip:CN”],
“bypass”: [“geoip:US”] },
“log_level”: 1,
“transport_plugin”: {
“enabled”: false
}
}

Key notes:

• password: Use a strong shared secret or multiple passwords for different clients.
• ssl.cert/key: Point to the certificate and private key installed earlier.
• alpn: Advertises HTTP/2 and HTTP/1.1; adjust if you’re integrating with a web server.
• websocket: Enables WSS transport, useful for traversing strict proxies—set path and host accordingly.

Step 5 — Run trojan-go as a systemd service

Create a systemd unit at /etc/systemd/system/trojan-go.service to manage process lifecycle reliably.

Example service file contents:

[Unit] Description=trojan-go service
After=network.target

[Service] User=trojan
Group=trojan
Type=simple
ExecStart=/usr/local/bin/trojan-go -config /etc/trojan/config.json
Restart=on-failure
LimitNOFILE=65535
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install] WantedBy=multi-user.target

Then enable and start the service:

sudo systemctl daemon-reload && sudo systemctl enable –now trojan-go

Check logs: sudo journalctl -u trojan-go -f

Step 6 — Integrate with an existing web server (optional reverse proxy)

If you already run Nginx/Apache on port 443 for your site, use a reverse proxy or bind trojan-go to a different port and proxy TLS traffic. Another clean approach is to let the web server handle TLS and proxy WSS to trojan-go’s local port over localhost. Example Nginx snippet for WSS proxy:

location /ws {
proxy_redirect off;
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “Upgrade”;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}

In this model, trojan-go listens on 127.0.0.1:8080 and Nginx terminates TLS—certificate management stays centralized.

Step 7 — Client configuration and testing

Clients can be trojan-compatible tools (desktop/mobile). Provide the following essentials to clients: server domain, port (443), password(s), TLS settings (SNI), and WebSocket path/host if used. Example client JSON (outline):

{
“remote”: “example.com:443”,
“password”: “YourVeryStrongPasswordHere”,
“ssl”: {“sni”: “example.com”},
“transport”: {“type”: “ws”,”path”:”/ws”,”host”:”example.com”}
}

Test connectivity from a remote machine: use curl to test a TLS handshake (curl -v –http2 https://example.com/) and trojan client logs to verify connection establishment. Look for successful TLS and WSS handshake messages in server logs.

Step 8 — Security hardening and performance tuning

• Least privilege: Run trojan-go as a non-root user and set appropriate file permissions for keys.
• SELinux/AppArmor: Consider enabling AppArmor profiles to constrain trojan-go if your environment requires it.
• Rate limiting and fail2ban: Integrate fail2ban rules to block repeated failed attempts and reduce brute-force risk.
• TLS settings: Use modern TLS options; prefer ECDSA or RSA 2048/4096 certificates per your organizational policy. Avoid deprecated TLS 1.0/1.1. You can force TLS 1.2+ by OpenSSL build defaults on Ubuntu 22.04, but always verify cipher suites with openssl s_client.
• System tuning: Increase file descriptor limits (LimitNOFILE) and set net.core.somaxconn and other TCP tuning options for high-concurrency workloads.
• Monitoring: Export trojan-go logs to a centralized ELK/Prometheus stack or use local log rotation. Monitor connection counts and unusual patterns.
• Cert renewals: Automate renewal with acme.sh or certbot and restart trojan-go gracefully on certificate changes. Example: ~/.acme.sh/acme.sh –renew -d example.com –reloadcmd “systemctl restart trojan-go”

Troubleshooting checklist

• Check systemd logs: sudo journalctl -u trojan-go -b
• Confirm certificate paths and permissions (trojan user must read the key).
• Validate DNS A record resolves to server IP (dig example.com).
• Verify UFW/IPTables rules and cloud provider security groups allow inbound 443 and 80.
• If using WebSocket, confirm Nginx proxy headers and Upgrade/Connection are correctly set.

Scaling and operational considerations

For enterprise deployments consider load balancing, session persistence, and multi-region certificate management. You can deploy multiple trojan-go instances behind a TCP or TLS-aware load balancer (HAProxy, AWS ALB) with sticky sessions based on source IP or cookie. Centralized logging and configuration management (Ansible, Puppet) help keep credentials and certs synchronized across instances. For higher throughput, place trojan-go on servers with high network I/O capacity and tune OS network buffers.

Finally, maintain a secure lifecycle: rotate passwords/keys periodically, monitor for abnormal traffic, and track upstream trojan-go releases for security patches. When using this setup in production, document client onboarding steps and maintain a private repository of client configurations to expedite deployments.

For more guides, in-depth tutorials, and business-focused VPN deployment advice visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.