mirror of synced 2025-04-01 09:12:02 -04:00
Simple web UI to manage OpenVPN users.
Dmitry Shurupov a591f3bec3
Merge pull request from palark/fix-easyrsa-prompt-2
Fix easyrsa build-server-full prompt
2025-03-28 21:29:42 +07:00

ovpn-admin

Simple web UI to manage OpenVPN users, their certificates & routes in Linux. The backend is written in Go, and the frontend is based on Vue.js.

DISCLAIMER! This project was created for experienced users (system administrators) and private (e.g., protected by network policies) environments only. Thus, it is not implemented with security in mind (e.g., it doesn't strictly check all parameters passed by users, etc.). It also relies heavily on files and fails if required files aren't available.

Features

  • Adding and deleting OpenVPN users (generating certificates for them);
  • Revoking/restoring/rotating users' certificates;
  • Generating ready-to-use config files;
  • Providing metrics for Prometheus, including certificate expiration dates, number of (connected/total) users, information about connected users;
  • (optionally) Specifying CCD (client-config-dir) for each user;
  • (optionally) Operating in a master/slave mode (syncing certs & CCD with another server);
  • (optionally) Specifying/changing password for additional authorization in OpenVPN;
  • (optionally) Specifying the Kubernetes LoadBalancer if it's used in front of the OpenVPN server (to get an automatically defined remote in the client.conf.tpl template).
  • (optionally) Storing certificates and other files in Kubernetes Secrets (Attention, this feature is experimental!).

Screenshots

Managing users in ovpn-admin: ovpn-admin UI

An example of dashboard made using ovpn-admin metrics: ovpn-admin metrics

Installation

1. Docker

There is a ready-to-use docker-compose.yaml, so you can just change/add values you need and start it with start.sh.

Requirements: You need Docker and docker-compose installed.

Commands to execute:

git clone https://github.com/palark/ovpn-admin.git
cd ovpn-admin
./start.sh

1.1

Ready-made Docker images are available on Docker Hub. Tags are simple: $VERSION or latest for ovpn-admin, and openvpn-$VERSION or openvpn-latest for openvpn-server.

2. Building from source

Requirements. You need Linux with the following components installed:

Commands to execute:

git clone https://github.com/palark/ovpn-admin.git
cd ovpn-admin
./bootstrap.sh
./build.sh
./ovpn-admin 

(Please don't forget to configure all needed params in advance.)

3. Prebuilt binary

You can also download and use prebuilt binaries from the releases page — just choose a relevant tar.gz file.

Notes

  • This tool makes external calls to bash, coreutils and easy-rsa, so only Linux systems are supported at the moment.
  • To enable additional password authentication, provide --auth and --auth.db="/etc/easyrsa/pki/users.db" flags and install openvpn-user. This tool should be available in your $PATH and its binary should be executable (+x).
  • If you use --ccd and --ccd.path="/etc/openvpn/ccd" and plan to use static address setup for users, do not forget to provide --ovpn.network="172.16.100.0/24" with a valid openvpn-server network.
  • If you want to pass all the traffic generated by the user through the VPN, you need to edit ovpn-admin/templates/client.conf.tpl and uncomment redirect-gateway def1.
  • Tested with openvpn-server versions 2.4 and 2.5 and with tls-auth mode only.
  • Not tested with Easy-RSA version > 3.0.8.
  • The status of user connections is updated every 28 seconds.
  • Master-replica synchronization and additional password authentication do not work with --storage.backend=kubernetes.secrets - WIP

Usage

usage: ovpn-admin [<flags>]

Flags:
  --help                       show context-sensitive help (try also --help-long and --help-man)

  --listen.host="0.0.0.0"      host for ovpn-admin
  (or OVPN_LISTEN_HOST)

  --listen.port="8080"         port for ovpn-admin
  (or OVPN_LISTEN_PORT)

  --listen.base-url="/"        base URL for ovpn-admin web files
  (or $OVPN_LISTEN_BASE_URL)

  --role="master"              server role, master or slave
  (or OVPN_ROLE)

  --master.host="http://127.0.0.1"  
  (or OVPN_MASTER_HOST)       URL for the master server

  --master.basic-auth.user=""  user for master server's Basic Auth
  (or OVPN_MASTER_USER)
 
  --master.basic-auth.password=""  
  (or OVPN_MASTER_PASSWORD)   password for master server's Basic Auth

  --master.sync-frequency=600  master host data sync frequency in seconds
  (or OVPN_MASTER_SYNC_FREQUENCY)

  --master.sync-token=TOKEN    master host data sync security token
  (or OVPN_MASTER_TOKEN)

  --ovpn.network="172.16.100.0/24"  
  (or OVPN_NETWORK)           NETWORK/MASK_PREFIX for OpenVPN server

  --ovpn.server=HOST:PORT:PROTOCOL ...  
  (or OVPN_SERVER)            HOST:PORT:PROTOCOL for OpenVPN server
                               can have multiple values

  --ovpn.server.behindLB       enable if your OpenVPN server is behind Kubernetes
  (or OVPN_LB)                Service having the LoadBalancer type

  --ovpn.service="openvpn-external"  
  (or OVPN_LB_SERVICE)        the name of Kubernetes Service having the LoadBalancer
                               type if your OpenVPN server is behind it

  --mgmt=main=127.0.0.1:8989 ...  
  (or OVPN_MGMT)              ALIAS=HOST:PORT for OpenVPN server mgmt interface;
                               can have multiple values

  --metrics.path="/metrics"    URL path for exposing collected metrics
  (or OVPN_METRICS_PATH)

  --easyrsa.path="./easyrsa/"  path to easyrsa dir
  (or EASYRSA_PATH)

  --easyrsa.index-path="./easyrsa/pki/index.txt"  
  (or OVPN_INDEX_PATH)        path to easyrsa index file

  --ccd                        enable client-config-dir
  (or OVPN_CCD)

  --ccd.path="./ccd"           path to client-config-dir
  (or OVPN_CCD_PATH)

  --templates.clientconfig-path=""  
  (or OVPN_TEMPLATES_CC_PATH) path to custom client.conf.tpl

  --templates.ccd-path=""      path to custom ccd.tpl
  (or OVPN_TEMPLATES_CCD_PATH)

  --auth.password              enable additional password authorization
  (or OVPN_AUTH)

  --auth.db="./easyrsa/pki/users.db"
  (or OVPN_AUTH_DB_PATH)      database path for password authorization

  --auth.db-init
  (or OVPN_AUTH_DB_INIT)      enable database init if user db not exists or size is 0
   
  --log.level                  set log level: trace, debug, info, warn, error (default info)
  (or LOG_LEVEL)
  
  --log.format                 set log format: text, json (default text)
  (or LOG_FORMAT)
  
  --storage.backend            storage backend: filesystem, kubernetes.secrets (default filesystem)
  (or STORAGE_BACKEND)
 
  --version                    show application version
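
An added preflight check (not part of ovpn-admin or its README) that reads the environment variables listed above and flags settings that conflict with the disclaimer and the Notes: a wildcard listen address, a master URL that is neither HTTPS nor loopback in slave mode, and features that do not work with kubernetes.secrets. The function name, the finding labels, the way OVPN_AUTH is interpreted and the rule that an unset sync token is worth flagging are assumptions of this example.

```shell
#!/bin/sh
# Added example (not project code): preflight check over the environment
# variables from the usage text. Prints one finding per line and returns
# 0 when nothing is flagged, 1 otherwise.
ovpn_admin_preflight() {
    host="${OVPN_LISTEN_HOST:-0.0.0.0}"             # documented default
    role="${OVPN_ROLE:-master}"                     # documented default
    master="${OVPN_MASTER_HOST:-http://127.0.0.1}"  # documented default
    backend="${STORAGE_BACKEND:-filesystem}"        # documented default
    findings=0

    # Assumption: any value other than empty, 0 or false enables the option.
    case "${OVPN_AUTH:-}" in ''|0|false) auth=0 ;; *) auth=1 ;; esac

    # The UI is intended for private environments, so flag wildcard binds.
    case "$host" in
        0.0.0.0|::)
            echo "LISTEN: UI binds to all interfaces ($host)"
            findings=$((findings + 1)) ;;
    esac

    if [ "$role" = "slave" ]; then
        # Basic Auth credentials for the master are sent to this URL.
        case "$master" in
            https://*|http://127.0.0.1|http://127.0.0.1[:/]*) ;;
            *)  echo "SYNC: master URL is neither HTTPS nor loopback ($master)"
                findings=$((findings + 1)) ;;
        esac
        if [ -z "${OVPN_MASTER_TOKEN:-}" ]; then
            echo "SYNC: no explicit OVPN_MASTER_TOKEN set"
            findings=$((findings + 1))
        fi
    fi

    # Per the Notes section, these combinations do not work yet (WIP).
    if [ "$backend" = "kubernetes.secrets" ]; then
        if [ "$role" = "slave" ]; then
            echo "STORAGE: synchronization unsupported with kubernetes.secrets"
            findings=$((findings + 1))
        fi
        if [ "$auth" -eq 1 ]; then
            echo "STORAGE: password auth unsupported with kubernetes.secrets"
            findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}
```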

Authors

ovpn-admin was originally created in Flant and used internally for years.

In March 2021, it went public and was still developed in Flant. Namely, @vitaliy-sn created its first version in Python, and @pashcovich rewrote it in Go.

In November 2024, this project was moved to Palark, which is currently responsible for its maintenance and development.