openvpn-tap-external-web-ui

README

OpenVPN-TAP-external-web-ui

Summary

OpenVPN TAP (bridge) external server (non-Docker) web administration interface. Intended for use with PiVPN (on amd64 versions of Debian or Ubuntu, or on ARM64/ARMv7 with Raspberry Pi OS). PiVPN should be installed first! Recently adapted to work with host-installed TUN servers too.

Here's a post on setting PiVPN in TAP server mode. It's written for the Raspberry Pi, but the steps are the same on Debian or Ubuntu. One exception is your physical ethernet adapter, which will likely not be eth0 in the openvpn-bridge script:

https://technologydragonslayer.com/2022/01/16/installing-an-openvpn-tap-server-on-a-raspberry-pi-using-pivpn/

Goal: create quick to deploy and easy to use solution that makes work with small OpenVPN environments a breeze.

If you have docker and Portainer installed, you can jump directly to installation.

If you have a functioning OpenVPN TAP or TUN Server on the same host as your Docker containers, you should be able to use this fork to monitor OpenVPN connections.

Certificate generation and management is also available, and should be compatible with PiVPN. You can use either this web-ui to create client certificates, or use PiVPN from the commandline. Use PiVPN from the commandline (with elevated priveleges) to revoke certificates.

Motivation

• to create a version of this project that will work with OpenVPN TAP and TUN servers created using PiVPN (amd64, arm64 or ARMv7 )

Features

• status page that shows server statistics and list of connected clients
• easy creation of client certificates
• ability to download client certificates as a zip package with client configuration inside or as a single .ovpn file
• log preview
• modification of OpenVPN configuration file through web interface
• this fork is especially designed to use an external version of OpenVPN configured for TAP (bridge) -- which is probably not possible via Docker
• works with host-base PiVPN TUN servers now too!

Screenshots

Screenshots

Usage

After startup web service is visible on port 8080. To login use the following default credentials:

• username: admin
• password: b3secure

Please change password to your own immediately!

Prod

Requirements:

• Docker, Portainer, PiVPN, Debian or Ubuntu
• on firewall open ports: 8080/tcp

Setup your Portainer Stacks page as shown on an amd64 machine running Debian or Ubuntu, inserting environment variables for creating certificates. Also, you'll need the unique ID assigned by PiVPN to the server (the name used for the server certificate and key, which is the hostname followed by a series of numbers, letters and dashes):

Setup your Portainer Stacks page as shown on an ARMv7 running the Raspberry Pi OS, inserting environment variables for creating certificates (grab the contents of the docker-compose.yml in the docs folder, and add a :armv7 as a tag after the container name):

Setup your Portainer Stacks page as shown on an ARM64 running the Raspberry Pi OS, inserting environment variables for creating certificates. Also, you'll need the unique ID assigned by PiVPN to the server (grab the contents of the docker-compose.yml in the docs folder, and add a :arm64 as a tag after the container name):

This fork uses a single docker container with the OpenVPNAdmin web application. Through a docker volume it creates following directory structure for the database, but otherwise links to /etc/openvpn in the host. The intention is for PiVPN to be able to operate as usual, with PiVPN commanline options still available:

.
├── docker-compose.yml
└── openvpn-data
     └── db
        └── data.db

Dev

Requirements:

• golang environments
• beego
• bee
• docker

Optional, but recommended:

• Portainer
• GitHub Desktop for Linux
• Visual Studio Code

Execute commands:

go get github.com/bnhf/openvpn-tap-external-web-ui
cd $GOPATH/src/github.com/bnhf/openvpn-tap-external-web-ui
go mod tidy
bee run -gendoc=true
bee pack -exr='^vendor|^data.db|^build|^README.md|^docs'
cd build
./build.sh

For building on ARMv7:

In the dockerfile inside the build folder, comment out debian:bullseye as a source, and uncomment balenalib/raspberry-pi-debian:latest
In build.sh, change the docker build to <your-docker-hub-repo-here>/openvpn-tap-external-web-ui:armv7
It's highly recommended that you use Visual Studio Code with the "Remote - SSH" extension (in addition to the "Go" extension of course) from a more powerful machine

Todo

• ARMv7 version for the Raspberry Pi -- Done!
• Update "Memory usage" on the status page to display more accurate data
• Add certificate revocation from the GUI -- currently can be done only from the commandline via PiVPN -r username

License

This project uses MIT license

Remarks

Numerous things have been updated to bring this project forward from its 2017 roots. It's now based on Debian 11 (in the container build), and is using the latest OpenVPN and EasyRSA, thanks to PiVPN. All of the project dependencies (vendoring) have been updated to current levels in 2022.

Courtsey of @tyzbit, the ability to specify DNS servers, and additional client/server options have been added. Also @mendoza-conicet contributed code for being able to download a single .ovpn file. Many issues have been addressed related to adapting this package for use with a host-based server, and related to all of the latest versions of the dependencies.

And, of course, many thanks to @adamwalach for his excellent original work to create this project!

Template

AdminLTE - dashboard & control panel theme. Built on top of Bootstrap 3.