This guide walks you through setting up a Halo server on a Linux VPS, from a fresh Ubuntu 22.04 LTS installation to a fully functional, secure, and remotely manageable server.

We’ll use Wine to run the Windows-based Halo dedicated server executable, TightVNC (or the optional X2Go) for a graphical interface, and BitVise SSH Client for secure remote access. Along the way, we’ll harden the server with a firewall, SSH key authentication, and fail2ban to keep your new server safe.

Estimated time: 35-60 minutes (especially if you’re new to Linux).


Target OS

Ubuntu 22.04 LTS (Jammy Jellyfish) x64
These instructions are written specifically for this version. While the core steps (Wine, VNC, UFW) are similar on other distributions, package names and repository URLs may differ. For the smoothest experience, stick to Ubuntu 22.04 LTS.


Prerequisites

Before we begin, make sure you have the following tools on your local Windows machine:

Tool Purpose
BitVise SSH Client Secure terminal access and file transfers (SFTP).
TightVNC Viewer Remote desktop connection to the VPS GUI (used before we upgrade to X2Go).
SAPP Server Templates or Phasor Server Templates Pre-configured server files that work with Wine: SAPP_PC.zip / SAPP_CE.zip (SAPP) or Phasor_PC / Phasor_CE.

Important notes before you start:

  • Security First - We will create a non-root user, disable password SSH login, use a firewall, and lock down the VNC server. Follow each step carefully.
  • Cost - The recommended VPS plan from Vultr is the Shared CPU vc2-1c-2gb (1 vCPU, 2GB RAM, 55GB SSD, 2TB/month bandwidth) for $10/month. Automatic backups are optional ($2 extra). You can destroy the VPS anytime to stop charges.
  • Static IP - Your VPS will have a static public IP. Your home IP address is irrelevant for server availability.

Step 1: Download and Prepare the Server Template

  1. SAPP server templates or the Phasor server templates.
  2. Download the appropriate archive:
    • From sapp-server-templates: SAPP_PC.zip (for Halo PC) or SAPP_CE.zip (for Halo Custom Edition).
    • From phasor-server-templates: Phasor_PC or Phasor_CE (both are ready-to-run).
  3. Extract the ZIP file on your local computer. You’ll now have a folder named after the archive (e.g., SAPP_PC, SAPP_CE, Phasor_PC, or Phasor_CE). Keep it handy - we’ll upload it to the VPS later.

Step 2: Deploy a New VPS on Vultr

  1. Go to the Vultr Deploy page.
  2. Choose Shared CPU.
  3. Pick a location (e.g., New York (NJ), US).
  4. Select your subscription plan (see the cost recommendation above).
  5. Click Configure Software and select Ubuntu 22.04 LTS x64.
  6. Give your server a hostname (e.g., halo-server).
  7. Click Deploy Now. Wait a few minutes for the instance to be created.
  8. From the instance overview page, note the IP Address, Password, and Username (root).

Step 3: Initial Connection & User Setup via BitVise

We’ll use password login only this one time. Then we’ll switch to SSH key authentication.

  1. Open BitVise SSH Client.
  2. Fill in the Host (your server’s IP) and Username (root).
  3. Set Initial Method to password and check Store encrypted password in profile. Enter the password from the Vultr control panel.
  4. Go to the Client key manager (from the Login tab).
  5. Click Generate New:

    • Algorithm: ed25519 (recommended).
    • Leave passphrase blank unless you want to type it each time you log in.
    • Click Generate.
  6. Highlight your new key and click Export:

    • Export Public Key:
      • Select OpenSSH format.
      • Click Export and save the file somewhere safe, e.g., C:\Users\YourUsername\Desktop\bitvise-ssh-public-key.pub.
    • Export Private Key (for backup or sharing):
      • Select Export Private Key.
      • Choose Bitvise format (text)
      • Click Export and save the private key file, e.g., C:\Users\YourUsername\Desktop\bitvise-ssh-private-key.bkp.
      • Important: This private key is your identity. Keep it secure; only share it with people you trust completely, and never upload it to any public location.
  7. Back on the Login tab, log in as root. If you see a host key warning, verify the fingerprint matches the one shown in your Vultr control panel (Overview tab) and accept it.
  8. Click New Terminal Console to open a terminal window.

Create a dedicated user (non-root)

It’s a security best practice to run services under a regular user account.

# Create a new user named 'haloadmin' (you can change the name)
sudo adduser haloadmin
# Follow the prompts to set a strong password.
# Leave all optional fields (Full Name, Room Number, etc.) blank.
# Type "y" and press ENTER to confirm.

# Add the new user to the 'sudo' group so they can perform administrative tasks
usermod -aG sudo haloadmin

# Verify the user was added correctly
grep sudo /etc/group
# You should see something like: sudo:x:27:ubuntu,haloadmin

Upload your SSH public key

Now we’ll set up key-based authentication for the new user.

# Create the .ssh folder and authorized_keys file for haloadmin
mkdir -p /home/haloadmin/.ssh
nano /home/haloadmin/.ssh/authorized_keys
  • Open the halo-server-key.pub file you exported earlier in a text editor (like Notepad).
  • Copy the entire line (it starts with ssh-ed25519 AAAA...).
  • Paste it into the authorized_keys file in the terminal.
  • Save and exit: press CTRL+S, then CTRL+X.

Now set the correct permissions:

chmod 700 /home/haloadmin/.ssh
chmod 600 /home/haloadmin/.ssh/authorized_keys
chown -R haloadmin:haloadmin /home/haloadmin/.ssh

Close the terminal console.

Test key login

  1. In BitVise, go back to the Login tab.
  2. Log out of the root session.
  3. Log in as haloadmin:

    • Initial Method = publickey
    • Client key = the key you generated (Global 1)
    • Click Log In
  4. Once logged in, open a new terminal console. Your prompt should now show haloadmin@your-server-name.

Only proceed if key login works. If it fails, troubleshoot before moving on.


Step 4: Harden SSH and Configure the Firewall (UFW)

Now we’ll change the SSH port, disable root login, disable password authentication (since we’re using keys), and set up the firewall. Follow the order carefully to avoid locking yourself out.

First, edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find and change these lines:

Important: Remove the # symbol from each line first. Change port to a custom port (e.g., 22992)

Port 22992
PermitRootLogin no
PasswordAuthentication no

Save and exit (CTRL+S, CTRL+X).

Do NOT restart SSH yet. We must first open the new SSH port in the firewall and allow the Halo server port.

Note: If you need to allow a port range, use the start:end/protocol format (for example sudo ufw allow 2010:2315/udp comment 'Halo Server Ports').

# Allow the custom SSH port
sudo ufw allow 22992/tcp comment 'Custom SSH Port'

# Allow the Halo server port (UDP 2302 by default)
sudo ufw allow 2302/udp comment 'Halo Server Port'

# Enable the firewall (it will deny all other incoming connections)
sudo ufw enable
# Type 'y' and press ENTER to confirm.

# Verify the rules
sudo ufw status verbose

Technical note: Since this is a public internet server and we’re not running the Halo client locally, we only need UDP 2302. TCP 2303 is not required.

Now restart SSH:

sudo systemctl restart sshd

Test the new SSH port

  1. Open a new BitVise session.
  2. Enter the server IP and the new port (22992).
  3. Username: haloadmin
  4. Initial Method: publickey, select your key.
  5. Click Log In.

Only after you have successfully logged in on the new port should you close the original terminal window and the old BitVise session.

Now we can remove the default SSH port (22) from the firewall:

# Show rules with numbers
sudo ufw status numbered

# Delete the rules for 22/tcp (replace X and Y with the numbers shown for IPv4 and IPv6)
sudo ufw delete X
sudo ufw delete Y

Step 5: Install Wine and Configure a 32-bit Prefix

With the server secured, it’s time to install Wine. We’ll set up a 32-bit prefix from the start so Halo’s 32-bit server runs without issues.

Run these commands in the SSH terminal:

# Enable 32-bit architecture
sudo dpkg --add-architecture i386

# Download and add the WineHQ key
sudo mkdir -pm755 /etc/apt/keyrings
sudo wget -O /etc/apt/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key

# Add the WineHQ repository for Ubuntu 22.04 LTS (Jammy)
sudo wget -NP /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/jammy/winehq-jammy.sources

# Update the package list
sudo apt update

# Install system upgrades
sudo apt upgrade -y

# Install Wine (stable) and the 32-bit components together
sudo apt install --install-recommends winehq-stable wine32 wine32-preloader -y

# Verify the installation
wine --version

You should see a version number like wine-11.0 or higher.

Now create a 32-bit Wine prefix. The Halo server is 32-bit and will fail with a 64-bit prefix, so we force the architecture from the very first Wine command:

# Set the architecture and prefix location
export WINEARCH=win32
export WINEPREFIX=/home/haloadmin/.wine

# Create and initialise the 32-bit prefix
winecfg

If a configuration window appears, just click OK to let it finish creating the prefix.
If you are in an SSH terminal without a graphical display, winecfg will exit with display-related errors, but the prefix is still created - those errors are safe to ignore.


Step 6: Install and Configure TightVNC & XFCE

To give you a graphical interface for managing the server, we’ll install the XFCE desktop environment and TightVNC.

# Install XFCE and TightVNC
sudo apt install xfce4 xfce4-goodies tightvncserver -y

# Start VNC to create its config files (this is temporary)
vncserver
# Set a VNC password (max 8 characters). Optionally create a view-only password (choose 'n').

# Kill the temporary VNC instance
vncserver -kill :1

Configure VNC to launch XFCE

Back up the original startup script and create a new one:

mv ~/.vnc/xstartup ~/.vnc/xstartup.bak
nano ~/.vnc/xstartup

Paste the following:

#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &

Save and exit. Then make it executable:

chmod +x ~/.vnc/xstartup

Step 7: Create a Systemd Service for VNC (Auto-start on boot)

We’ll use a systemd service to start VNC automatically and keep it running. The -localhost flag ensures VNC only accepts connections from the local machine - we’ll tunnel through SSH for security.

Create the service file:

sudo nano /etc/systemd/system/vncserver@.service

Paste the following, replacing haloadmin with your actual username:

[Unit]
Description=TightVNC Remote Desktop Service
After=syslog.target network.target

[Service]
Type=forking
User=haloadmin
Group=haloadmin
WorkingDirectory=/home/haloadmin
PIDFile=/home/haloadmin/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x720 -localhost :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target

Save and exit. Then reload systemd and enable the service:

sudo systemctl daemon-reload
sudo systemctl enable vncserver@1.service
sudo systemctl start vncserver@1.service

Step 8: Connect to VNC Securely via BitVise (SSH Tunnel)

Because we used -localhost, you cannot connect directly to the VNC port. Instead, we create an SSH tunnel.

  1. In BitVise, go to the C2S (Client-to-Server) tab.
  2. Click Add.
  3. Set:

    • Listen Interface: 127.0.0.1
    • Listen Port: 5901
    • Destination Host: 127.0.0.1
    • Destination Port: 5901
  4. Click OK to save the rule.

Now open TightVNC Viewer on your local machine:

  • VNC Server: 127.0.0.1:5901
  • Enter the VNC password you set in Step 6.
  • Click Connect.

You should now see the XFCE desktop of your VPS.

Important: BitVise must remain connected for the tunnel to work. If you close BitVise, the VNC connection will drop.


Step 9: Install Fail2ban

Fail2ban protects against brute-force attacks by temporarily blocking IPs that fail too many login attempts.

sudo apt install fail2ban -y
sudo systemctl enable fail2ban

No additional configuration is needed for basic protection.


Step 10: Upload Server Files via SFTP

  1. In BitVise, click the New SFTP Window button.
  2. Navigate to /home/haloadmin/Desktop/ on the VPS.
  3. On your local computer, locate the extracted server folder (e.g., SAPP_PC, SAPP_CE, Phasor_PC, or Phasor_CE).
  4. Drag and drop the entire folder into the VPS /home/haloadmin/Desktop/ directory.

This may take a few minutes depending on file size.


Step 11: Set Up the Launch Script and Desktop Shortcut

Your server template (e.g., SAPP_PC.zip, SAPP_CE.zip, Phasor_PC, or Phasor_CE) already includes a ready-to-use
run.sh script. All you need to do is make it executable and create a desktop shortcut to launch it with a single click.

First, make the existing run.sh executable:

chmod +x /home/haloadmin/Desktop/SAPP_CE/run.sh

Replace SAPP_CE with the name of your actual server folder (SAPP_PC, Phasor_CE, etc.).

If the run.sh script is missing, or if you need to change the port, folder structure, or any other setting, you can create or edit it using nano.

To edit (or create) the script, use:

nano /home/haloadmin/Desktop/SAPP_CE/run.sh

After making your changes, save and exit.

The template’s run.sh looks like this (adjustments may be needed if you change the port or folder structure):

#!/bin/bash

# Force 32-bit Wine prefix
export WINEARCH=win32
export WINEPREFIX=/home/haloadmin/.wine

# Set server port
PORT=2302

# Get the script directory
ROOT="$(dirname "$(realpath "$0")")"
cd "$ROOT"

# Set paths
CG_PATH="$ROOT/cg"
INIT_FILE="$CG_PATH/init.txt"

# Launch Server
wine "$ROOT/haloceded.exe" -path "$CG_PATH" -exec "$INIT_FILE" -port $PORT

Now create the desktop shortcut:

nano /home/haloadmin/Desktop/run.desktop

Paste the following:

[Desktop Entry]
Version=1.0
Type=Application
Name=RENAME_THIS
Exec=/home/haloadmin/Desktop/SAPP_CE/run.sh
Path=/home/haloadmin/Desktop/SAPP_CE
Icon=utilities-terminal
Terminal=true
Categories=Game;

Save and Exit. Next, make the desktop file executable:

chmod +x /home/haloadmin/Desktop/run.desktop

Using the shortcut: Double-click the icon on your VPS desktop.
The first time, Wine will prompt you to install Mono - click Install and let it finish. After that, the server console window will open. You’re now ready to host games!


Optional: Changing Passwords

This section covers how to change all passwords you created during the setup, except for the Vultr instance password (the one you used to initially log in as root). If you ever need to update your credentials, follow these steps.

Which passwords are covered?

  • The haloadmin user password (used for sudo and local login).
  • The VNC password (used to connect to the remote desktop).
  • (Optional) The SSH key passphrase, if you chose to set one during key generation.

Change the haloadmin User Password

  1. Open a terminal session in BitVise (as haloadmin).
  2. Run the passwd command:
    passwd
    
  3. You will be prompted for:
    • Your current password.
    • The new password (type it twice to confirm).
  4. After a successful change, the password for haloadmin is updated immediately.

Note: This password is used when you run sudo commands and if you ever need to log in locally on the VPS console.


Change the VNC Password

The VNC password is stored in the user’s home directory and is managed with the vncpasswd tool.

  1. In your SSH terminal, stop the VNC service first (otherwise the password file is locked):
    sudo systemctl stop vncserver@1.service
    
  2. Run the VNC password utility:
    vncpasswd
    
  3. Enter your new password when prompted (maximum 8 characters). You may also set a view‑only password, but you can skip it by typing n.
  4. After the password is saved, restart the VNC service:
    sudo systemctl start vncserver@1.service
    
  5. The new password will be required the next time you connect through your SSH tunnel.

(Optional) Change Your SSH Key Passphrase

If you followed the guide and left the passphrase blank, you can ignore this section. If you did set a passphrase and want to change it, use the ssh-keygen command on your local Windows machine (where your private key is stored).

  1. Open a Command Prompt or PowerShell window.
  2. Navigate to the folder containing your private key (e.g., C:\Users\YourUsername\.ssh\).
  3. Run:
    ssh-keygen -p -f your-private-key-file
    

    Replace your-private-key-file with the actual filename (e.g., id_ed25519 or the key you exported).

  4. You will be asked for:
    • The old passphrase (if any).
    • The new passphrase (type it twice to confirm).
  5. The key is updated in place. You do not need to upload a new public key to the server because the key pair itself remains unchanged; only the encryption of the private key changes.