  • Stars: 1,344
  • Rank: 34,950 (top 0.7 %)
  • Language: Go
  • License: Apache License 2.0
  • Created: about 4 years ago
  • Updated: 3 months ago

Repository Details

Simple web UI to manage OpenVPN users.

ovpn-admin

Simple web UI to manage OpenVPN users, their certificates & routes in Linux. While backend is written in Go, frontend is based on Vue.js.

Originally created at Flant for internal needs and used there for years, then modernized and publicly released in March 2021. Your contributions are welcome!

DISCLAIMER! This project was created for experienced users (system administrators) and for private environments only (e.g., networks protected by network policies). It is therefore not implemented with security in mind: for example, it does not strictly validate the parameters supplied by users. Do not expose the UI directly to untrusted networks. It also relies heavily on files and fails if required files are not available.

Features

  • Adding and deleting OpenVPN users (generating certificates for them);
  • Revoking, restoring and rotating user certificates;
  • Generating ready-to-use client config files;
  • Providing metrics for Prometheus, including certificate expiration dates, the number of (connected/total) users and information about connected users;
  • (optionally) Specifying a CCD (client-config-dir) entry for each user;
  • (optionally) Operating in master/slave mode (syncing certificates and CCD with another server);
  • (optionally) Setting or changing a password for additional authorization in OpenVPN;
  • (optionally) Specifying the Kubernetes LoadBalancer Service in front of the OpenVPN server (so the remote in the client.conf.tpl template is filled in automatically);
  • (optionally) Storing certificates and other files in Kubernetes Secrets (attention: this feature is experimental!).

Screenshots

[Screenshot: managing users in the ovpn-admin UI]

[Screenshot: an example dashboard built from ovpn-admin metrics]

Installation

1. Docker

There is a ready-to-use docker-compose.yaml, so you can change or add the values you need and start everything with start.sh.

Requirements: You need Docker and docker-compose installed.

Commands to execute:

git clone https://github.com/flant/ovpn-admin.git
cd ovpn-admin
./start.sh

1.1. Docker images

Ready-made Docker images are available on Docker Hub. Tags are simple: $VERSION or latest for ovpn-admin, and openvpn-$VERSION or openvpn-latest for openvpn-server.

2. Building from source

Requirements. You need Linux with the following components installed:

Commands to execute:

git clone https://github.com/flant/ovpn-admin.git
cd ovpn-admin
./bootstrap.sh
./build.sh
./ovpn-admin 

(Please don't forget to configure all needed params in advance.)

3. Prebuilt binary

You can also download and use prebuilt binaries from the releases page — just choose a relevant tar.gz file.

Notes

  • This tool uses external calls to bash, coreutils and easy-rsa, so only Linux systems are supported at the moment.
  • To enable additional password authentication, pass the --auth.password and --auth.db="/etc/easyrsa/pki/users.db" flags and install openvpn-user. The openvpn-user binary must be in your $PATH and executable (+x).
  • Master/replica synchronization does not work with --storage.backend=kubernetes.secrets (WIP).
  • Additional password authentication does not work with --storage.backend=kubernetes.secrets (WIP).
  • If you use --ccd with --ccd.path="/etc/openvpn/ccd" and plan to assign static addresses to users, do not forget to set --ovpn.network="172.16.100.0/24" to the actual OpenVPN server network.
  • In master/slave mode the slave authenticates to the master with Basic Auth credentials and the sync token on every sync request; use an https:// --master.host whenever the master is not on the same host, otherwise both travel in clear text.
  • Tested only with OpenVPN server versions 2.4 and 2.5, and only in tls-auth mode.
  • Not tested with EasyRSA versions newer than 3.0.8.
  • The status of user connections is updated every 28 seconds (no need to ask why =)).

Usage

usage: ovpn-admin [<flags>]

Flags:
  --help                            show context-sensitive help (try also --help-long and --help-man)

  --listen.host="0.0.0.0"           host for ovpn-admin
  (or OVPN_LISTEN_HOST)

  --listen.port="8080"              port for ovpn-admin
  (or OVPN_LISTEN_PORT)

  --role="master"                   server role, master or slave
  (or OVPN_ROLE)

  --master.host="http://127.0.0.1"  URL for the master server
  (or OVPN_MASTER_HOST)

  --master.basic-auth.user=""       user for master server's Basic Auth
  (or OVPN_MASTER_USER)

  --master.basic-auth.password=""   password for master server's Basic Auth
  (or OVPN_MASTER_PASSWORD)

  --master.sync-frequency=600       master host data sync frequency in seconds
  (or OVPN_MASTER_SYNC_FREQUENCY)

  --master.sync-token=TOKEN         master host data sync security token
  (or OVPN_MASTER_TOKEN)

  --ovpn.network="172.16.100.0/24"  NETWORK/MASK_PREFIX for OpenVPN server
  (or OVPN_NETWORK)

  --ovpn.server=HOST:PORT:PROTOCOL ...
  (or OVPN_SERVER)                  HOST:PORT:PROTOCOL for OpenVPN server; can have multiple values

  --ovpn.server.behindLB            enable if your OpenVPN server is behind a Kubernetes
  (or OVPN_LB)                      Service of type LoadBalancer

  --ovpn.service="openvpn-external" the name of the Kubernetes Service of type LoadBalancer
  (or OVPN_LB_SERVICE)              if your OpenVPN server is behind it

  --mgmt=main=127.0.0.1:8989 ...    ALIAS=HOST:PORT for OpenVPN server mgmt interface;
  (or OVPN_MGMT)                    can have multiple values

  --metrics.path="/metrics"         URL path for exposing collected metrics
  (or OVPN_METRICS_PATH)

  --easyrsa.path="./easyrsa/"       path to easyrsa dir
  (or EASYRSA_PATH)

  --easyrsa.index-path="./easyrsa/pki/index.txt"
  (or OVPN_INDEX_PATH)              path to easyrsa index file

  --ccd                             enable client-config-dir
  (or OVPN_CCD)

  --ccd.path="./ccd"                path to client-config-dir
  (or OVPN_CCD_PATH)

  --templates.clientconfig-path=""  path to custom client.conf.tpl
  (or OVPN_TEMPLATES_CC_PATH)

  --templates.ccd-path=""           path to custom ccd.tpl
  (or OVPN_TEMPLATES_CCD_PATH)

  --auth.password                   enable additional password authorization
  (or OVPN_AUTH)

  --auth.db="./easyrsa/pki/users.db"
  (or OVPN_AUTH_DB_PATH)            database path for password authorization

  --log.level                       set log level: trace, debug, info, warn, error (default info)
  (or LOG_LEVEL)

  --log.format                      set log format: text, json (default text)
  (or LOG_FORMAT)

  --storage.backend                 storage backend: filesystem, kubernetes.secrets (default filesystem)
  (or STORAGE_BACKEND)

  --version                         show application version
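The notes above and the flag list together describe a set of preconditions that ovpn-admin does not check for itself: it binds to 0.0.0.0 by default while offering no authentication of its own, it fails when the easyrsa index is missing, password auth needs an executable openvpn-user in $PATH, neither password auth nor master/slave sync works with the kubernetes.secrets backend, and CCD static addresses must fall inside --ovpn.network. The POSIX shell preflight below is an added example, not part of ovpn-admin: it reads the same environment variables the usage block lists and refuses to start when one of those conditions is violated. The file name preflight.sh, the --check argument and the assumption that the CCD directory holds one file per user containing OpenVPN ifconfig-push lines are mine, not the project's.

```shell
#!/bin/sh
# preflight.sh (added example, not part of ovpn-admin): sanity checks derived from
# the README notes, run before starting the binary. Reads OVPN_LISTEN_HOST,
# OVPN_ROLE, OVPN_MASTER_HOST, OVPN_MASTER_TOKEN, OVPN_NETWORK, OVPN_INDEX_PATH,
# OVPN_CCD, OVPN_CCD_PATH, OVPN_AUTH and STORAGE_BACKEND, i.e. the env forms of
# the flags. CCD layout (one file per user, OpenVPN "ifconfig-push" lines) is an
# assumption made here.

ip_to_int() {
  # Dotted-quad IPv4 -> 32-bit integer on stdout; exit 1 on malformed input.
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    case $o in 0|[1-9]*) ;; *) return 1 ;; esac   # no leading zeros (octal trap)
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ip_in_cidr() {
  # ip_in_cidr ADDR NET/PREFIX: 0 if ADDR is inside the network, 1 if outside,
  # 2 if either argument is malformed.
  addr_int=$(ip_to_int "$1") || return 2
  net_addr=${2%/*}; prefix=${2#*/}
  [ "$net_addr" != "$2" ] || return 2          # no "/" at all
  net_int=$(ip_to_int "$net_addr") || return 2
  case $prefix in ''|*[!0-9]*) return 2 ;; esac
  [ "$prefix" -le 32 ] || return 2
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  [ $(( addr_int & mask )) -eq $(( net_int & mask )) ]
}

check_ccd_addresses() {
  # check_ccd_addresses CCD_DIR NET/PREFIX: every "ifconfig-push ADDR MASK" line
  # in every per-user file must push an address inside the server network.
  bad=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    while read -r kw a _; do
      [ "$kw" = "ifconfig-push" ] || continue
      ip_in_cidr "$a" "$2" || { echo "ERR: $f pushes $a outside $2" >&2; bad=1; }
    done < "$f"
  done
  return $bad
}

flag() { echo "$1" >&2; rc=1; }

preflight() {
  # Exit 0 only when nothing is flagged; every finding goes to stderr.
  rc=0
  # No input validation and no auth of its own: bind to loopback and put an
  # authenticating reverse proxy in front instead of listening on 0.0.0.0.
  [ "${OVPN_LISTEN_HOST:-0.0.0.0}" != "0.0.0.0" ] \
    || flag "listen.host is 0.0.0.0: bind to 127.0.0.1 behind an authenticating reverse proxy"
  # The tool fails hard when its files are missing; check before it does.
  [ -r "${OVPN_INDEX_PATH:-./easyrsa/pki/index.txt}" ] \
    || flag "easyrsa index not readable: ${OVPN_INDEX_PATH:-./easyrsa/pki/index.txt}"
  backend=${STORAGE_BACKEND:-filesystem}
  if [ "${OVPN_AUTH:-false}" = "true" ]; then
    bin=$(command -v openvpn-user 2>/dev/null) && [ -x "$bin" ] \
      || flag "auth.password set but openvpn-user is not an executable in PATH"
    [ "$backend" = "filesystem" ] || flag "auth.password does not work with storage.backend=$backend"
  fi
  if [ "${OVPN_ROLE:-master}" = "slave" ]; then
    [ "$backend" = "filesystem" ] || flag "master/slave sync does not work with storage.backend=$backend"
    [ -n "${OVPN_MASTER_TOKEN:-}" ] || flag "slave role needs master.sync-token"
    # Basic Auth credentials and the sync token ride on every sync request.
    case ${OVPN_MASTER_HOST:-http://127.0.0.1} in
      https://*) ;;
      *) flag "master.host is not https: sync token and Basic Auth password would be sent in clear" ;;
    esac
  fi
  if [ "${OVPN_CCD:-false}" = "true" ]; then
    srv_net=${OVPN_NETWORK:-172.16.100.0/24}
    if ip_in_cidr "${srv_net%/*}" "$srv_net"; then      # also validates the CIDR itself
      check_ccd_addresses "${OVPN_CCD_PATH:-./ccd}" "$srv_net" \
        || flag "CCD static addresses outside ovpn.network=$srv_net"
    else
      flag "ovpn.network is not a valid NETWORK/PREFIX: $srv_net"
    fi
  fi
  return $rc
}

# Usage (assumed wrapper): ./preflight.sh --check && exec ./ovpn-admin
if [ "${1:-}" = "--check" ]; then preflight; fi
```

Run it from the directory you start ovpn-admin in, with the same environment, so the relative defaults (./easyrsa/pki/index.txt, ./ccd) resolve to the files the binary will actually open. The CIDR arithmetic is plain POSIX shell so the script works in the openvpn-server container as well as on a host; it is a gate on misconfiguration, not a substitute for the reverse proxy and network policy the disclaimer calls for.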

Further information

Please feel free to use issues and discussions to get help from the maintainers and the community.

More Repositories

  • shell-operator (Go, 2,381 stars): Shell-operator is a tool for running event-driven scripts in a Kubernetes cluster
  • loghouse (Ruby, 925 stars): Ready to use log management solution for Kubernetes storing data in ClickHouse and providing web UI.
  • grafana-statusmap (TypeScript, 829 stars): Grafana panel plugin to visualize status of multiple objects over time
  • addon-operator (Go, 482 stars): A system to manage additional components for Kubernetes cluster in a simple, consistent and automated way.
  • nginx-http-rdns (C, 144 stars): Nginx HTTP rDNS module
  • examples (JavaScript, 105 stars): Configurations, scripts & samples used in guides and other articles from Flant engineers.
  • curator-opensearch (Python, 75 stars): Curator for OpenSearch.
  • glaball (Go, 71 stars): A CLI tool to manage self-hosted GitLab instances in bulk.
  • pam_docker (C, 61 stars)
  • elasticsearch-extractor (Go, 46 stars): Simple web UI to extract any index from Elasticsearch snapshot into repository.
  • netgwm (Python, 38 stars): NetGWM (Network Gateway Manager)
  • helm-charts (Smarty, 36 stars): Public Helm charts from Flant.
  • cert-manager-webhook-regru (Go, 33 stars): The webhook and the ClusterIssuer resource for automatic provisioning of reg.ru SSL certificates in Kubernetes
  • helm-apps (Smarty, 24 stars)
  • gitlab-ci-examples (22 stars)
  • negentropy (Go, 21 stars): S - security
  • libjq-go (Go, 15 stars): CGO bindings for jq with cache for compiled programs
  • flunch (14 stars): open source non-alcohol drink
  • jekyll_include_plugin (Ruby, 13 stars): Plugin for including contents of local/remote plain text files (or parts of them) into your pages. Allows for multilang comments in the included files.
  • uuidable (Ruby, 9 stars): With this gem you can use UUID instead of id in routes. But id is still primary key.
  • artery (Ruby, 9 stars): Main messaging system between Rails [micro]services implementing message bus pattern on NATS (for now).
  • clickhouse_exporter (Dockerfile, 7 stars): Image for Percona-Lab/clickhouse_exporter
  • php_fpm_docker (7 stars): Run php_fpm pools in docker containers
  • ipm (Python, 7 stars): ipm (IP Manager)
  • nginx_saml_authenticator (Ruby, 6 stars)
  • kubernetes-efk (Shell, 5 stars): ElasticSearch + Fluentd + Kibana in Kubernetes
  • docker_penetration_experiment (C, 5 stars)
  • external_services (Ruby, 5 stars): Gem helps syncronize objects to different external services like Gitlab, Redmine and any other.
  • superhosting (Ruby, 4 stars)
  • kube-ca-auth-proxy (Shell, 4 stars)
  • kube-client (Go, 4 stars): Kubernetes client wrapper
  • charts (Smarty, 4 stars)
  • htop (C, 3 stars): This repository contains htop package for buildizer as native package: package build rules and upstream source.
  • elasticsearch-oneday-exporter (Go, 3 stars)
  • runtex (Python, 3 stars)
  • LMPD (C, 3 stars): Lightweight Modular Policy Daemon
  • dapp_bot (Go, 3 stars): Telegram dapp bot
  • elasticsearch-snapshot-exporter (Go, 3 stars)
  • simple_saml (Ruby, 3 stars)
  • kube-resource-unit-converter (Go, 3 stars): Convert Kubernetes Resource Quantity representation to bytes
  • machine-controller-manager-provider-yandex (Go, 3 stars)
  • redmine_issue_priorities_per_tracker (Ruby, 2 stars)
  • gogost (Go, 2 stars)
  • kube-controller-manager (Dockerfile, 2 stars)
  • flant.github.io (HTML, 2 stars)
  • buildizer (Ruby, 2 stars)
  • redmine_attachments_database_storage (Ruby, 2 stars): This is a plugin for Redmine which allows to store attachments in database.
  • kube-rabbitmq (Go, 1 star)
  • jekyll_remote_plantuml_plugin (Ruby, 1 star): Plugin for including local/remote PlantUML diagrams into your pages
  • dumpdb (Shell, 1 star)
  • buildizer-env-ubuntu (1 star)
  • shellfold (Ruby, 1 star)
  • path_mapper (Ruby, 1 star)
  • buildizer-env-centos (1 star)
  • gogomonia-utils (Shell, 1 star)
  • promicher (Go, 1 star): Prometheus alerts enricher
  • rpmchange (Ruby, 1 star): Rpm spec change tool.
  • cert-manager-webhook-nicru (Go, 1 star)
  • website-core (Ruby, 1 star)