
This article provides a guide for how to run a self-hosted RMM, when you deploy Tactical RMM on Debian VPS server.
Tactical RMM (TRMM) is a powerful open-source Remote Monitoring and Management (RMM) platform designed for Managed Service Providers (MSPs), IT departments, and system administrators. It combines remote monitoring, scripting, software inventory, Windows patch management, alerting, and remote desktop access through an integrated MeshCentral server.
Unlike many commercial RMM platforms that charge per endpoint, Tactical RMM can be self-hosted, giving organizations complete control over their infrastructure and data.
What You’ll Build
At the end of this guide you’ll have:
- Tactical RMM Web Dashboard
- REST API
- MeshCentral Remote Access
- Nginx Reverse Proxy
- Automatic Let’s Encrypt SSL
- PostgreSQL
- Redis
- RabbitMQ
- Fully secured Debian 12 VPS
The official Tactical installer configures Nginx as a production reverse proxy and installs all required backend services automatically on a clean supported Debian system.
Recommended VPS Specifications
Before we deploy Tactical RMM on Debian VPS, ensure your environment meets the following minimal system requirements:
- 2 vCPU
- 4 GB RAM
- 60 GB SSD
- Debian 12
- Static Public IP
Recommended
- 4 vCPU
- 8 GB RAM
- 100 GB NVMe
- Daily backups
Debian 12 is the preferred operating system because of its significantly lower baseline memory usage compared to Ubuntu.
Required DNS Records
Before beginning, point three DNS names at your VPS.
Example:
rmm.example.com api.example.com mesh.example.com
Each should have an A record pointing to your server’s public IP.
The Tactical installer requires three subdomains on the same DNS level for the frontend, API, and MeshCentral services.
Compare Debian VPS Plans
How to Deploy Tactical RMM on Debian VPS
To deploy Tactical RMM on Debian VPS, follow the steps provided below:
-
Deploy Debian
Create a fresh Debian 12 VPS.
Login:
ssh root@SERVER_IP
Verify:
cat /etc/os-release
Expected:
Debian GNU/Linux 12
-
Update the Server
apt update apt upgrade -y apt install -y curl wget sudo ufw git
If the kernel updates:
reboot
Reconnect afterward.
-
Set the Hostname
Example:
hostnamectl set-hostname rmm
Edit hosts:
nano /etc/hosts
Example:
127.0.0.1 localhost 127.0.1.1 rmm
-
Create a Non-Root User
adduser tactical
Add sudo privileges:
usermod -aG sudo tactical
Test:
su - tactical sudo whoami
Expected:
root
-
Configure Firewall
Allow HTTPS
sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw allow 443/tcp sudo ufw allow 22/tcp
Enable:
sudo ufw enable
Verify:
sudo ufw status
The official documentation recommends exposing only HTTPS (443) and SSH (22) on publicly accessible servers.
-
Verify DNS
Run:
dig rmm.example.com +short dig api.example.com +short dig mesh.example.com +short
All should return your VPS IP.
-
Download the Official Installer
Switch to the Tactical user.
su - tactical
Download:
wget https://raw.githubusercontent.com/amidaware/tacticalrmm/master/install.sh chmod +x install.sh
Alternatively:
curl -O https://raw.githubusercontent.com/amidaware/tacticalrmm/master/install.sh chmod +x install.sh
-
Run the Installer
Execute (do not use
sudo):./install.sh
The installer will prompt for:
- Email address
- Domain names
- Let’s Encrypt configuration
- Administrator credentials
It automatically installs:
- PostgreSQL
- Redis
- RabbitMQ
- Nginx
- Tactical API
- Tactical Frontend
- MeshCentral
- SSL certificates
- System services
The installer is designed for a fresh Debian VM and should not be run on servers already hosting unrelated applications.
-
Wait for Installation
Installation typically takes 10–30 minutes depending on VPS speed.
Eventually you’ll see something similar to:
Installation Complete
-
Verify Services
Check:
systemctl status nginx
systemctl status tacticalrmm
systemctl status meshcentral
systemctl status redis
systemctl status postgresql
Every service should show:
Active: active (running)
-
Verify SSL
Open:
https://rmm.example.com
Your browser should show:
🔒 Secure Connection
Certificates are automatically issued via Let’s Encrypt by the installer.
-
Login
Tactical rmm – admin login Navigate to
https://rmm.example.com
Login using the administrator credentials you created.
Tactical rmm – dashboard -
Configure SMTP
Navigate:
Settings → SMTP
Example:
Server
smtp.example.com
Port
587
Encryption
STARTTLS
Test:
Send Test Email
Email alerts are critical for receiving notifications about failed checks and monitoring events.
-
Enable Two-Factor Authentication
Navigate:
Profile
Enable:
Two Factor Authentication
Scan the QR code with:
- Microsoft Authenticator
- Google Authenticator
- Authy
-
Install the First Agent
Navigate:
Agents
Choose:
Windows
Generate installer.
Run the installer on the client machine.
Within a minute the device should appear online.
-
Verify MeshCentral
Click:
Take Control
A remote desktop session should launch.
Tactical RMM uses MeshCentral for:
- Remote desktop
- Remote shell
- File browser
The bundled MeshCentral instance is the recommended configuration because it is pre-integrated and supported by the Tactical installation process.
-
Create Monitoring Policies
Example checks:
CPU
>90%
Memory
>90%
Disk
<10%
Windows Service
Stopped
Ping
Unavailable
Event Logs
Critical Errors
-
Schedule Scripts
Navigate:
Automation
Example PowerShell:
Get-Service
Example Bash:
uptime
Example Python:
print("Hello")Assign schedules such as:
Daily
Weekly
Monthly
-
Configure Backups
Backup:
/rmm
Database
PostgreSQL
MeshCentral data
/meshcentral-data
Certificates
/etc/letsencrypt
Store backups offsite.
-
Keep Tactical Updated
Run:
sudo apt update sudo apt upgrade -y
Update Tactical:
sudo ./install.sh --update
Always consult the release notes before upgrading production environments.
Useful Service Commands
Restart everything
sudo systemctl restart tacticalrmm sudo systemctl restart meshcentral sudo systemctl restart nginx
Check logs
journalctl -u tacticalrmm -f
journalctl -u meshcentral -f
journalctl -u nginx -f
Restart Nginx
sudo systemctl restart nginx
Restart MeshCentral
sudo systemctl restart meshcentral
Security Best Practices
- Disable root SSH login.
- Use SSH keys instead of passwords.
- Keep Debian updated with security patches.
- Restrict SSH access to trusted IP addresses where possible.
- Enable two-factor authentication for all technician accounts.
- Use strong unique passwords.
- Back up PostgreSQL and the
/rmmdirectory regularly. - Monitor disk usage and certificate expiration.
- Enable VPS snapshots or automated backups before performing upgrades.
Troubleshooting
-
SSL certificate failed
Verify DNS:
dig rmm.example.com
Ensure TCP port 80 and 443 are reachable during certificate issuance.
-
Agent won’t connect
Verify:
systemctl status tacticalrmm
Confirm firewall allows HTTPS.
-
Mesh won’t open
Check:
systemctl status meshcentral
Restart:
sudo systemctl restart meshcentral
-
Nginx won’t start
Test configuration:
sudo nginx -t
Restart:
sudo systemctl restart nginx
-
View listening ports
ss -tulpn
Final Thoughts
Tactical RMM provides a feature-rich, self-hosted alternative to commercial RMM platforms while giving you full ownership of your infrastructure. With its integrated MeshCentral remote access, automated monitoring, script execution, software inventory, and alerting capabilities, it is well-suited for MSPs, enterprise IT teams, and homelab administrators alike.
By deploying it on a clean Debian 12 VPS and following security best practices, you can build a reliable and scalable remote management platform that is easy to maintain and expand as your managed environment grows.
Conclusion
You now know how to deploy Tactical RMM on Debian VPS.











