README
¶
OVPM - OpenVPN Management Server
OVPM allows you to administrate an OpenVPN server on linux easily via command line and web interface.
With OVPM you can create and run an OpenVPN server, add/remove VPN users, generate client .ovpn files for your users etc.
This software is not stable yet. We recommend against using it for anything serious until, version 1.0 is released.
NOTICE: Version 0.2.8 comes with comp-lzo option disabled by default as it is deprecated by OpenVPN.
Roadmap
- OpenVPN management functionality
- User management functionality
- Network management functionality
- Command Line Interface (CLI)
- API (REST and gRPC)
- Web User Interface (WebUI)
- Import/Export/Backup OVPM config
- Effortless client profile (.ovpn file) delivery over Web
- Monitoring and Quota functionality
Demo Here is a little demo of what it looks on terminal to init the server, create a vpn user and generate .ovpn file for the created user.
Installation
from RPM (CentOS/Fedora):
# Add YUM Repo
$ sudo yum install yum-utils -y
$ sudo yum install epel-release -y
$ sudo yum-config-manager --add-repo https://cad.github.io/ovpm/rpm/ovpm.repo
# Install OVPM
$ sudo yum install ovpm
# Enable and start ovpmd service
$ systemctl start ovpmd
$ systemctl enable ovpmd
from DEB (Ubuntu/Debian):
This is tested only on Ubuntu >=16.04.3 LTS
# Add APT Repo
$ sudo sh -c 'echo "deb [trusted=yes] https://cad.github.io/ovpm/deb/ ovpm main" >> /etc/apt/sources.list'
$ sudo apt update
# Install OVPM
$ sudo apt install ovpm
# Enable and start ovpmd service
$ systemctl start ovpmd
$ systemctl enable ovpmd
from Source (go get):
Only dependency for ovpm is OpenVPN>=2.3.3.
$ go get -u github.com/cad/ovpm/...
# Make sure user nobody and group nogroup is available
# on the system
$ sudo useradd nobody
$ sudo groupadd nogroup
# Start ovpmd on a seperate terminal
$ sudo ovpmd
Now ovpmd should be running.
Quickstart
Create a vpn user and export vpn profile for the created user.
# We should init the server after fresh install
$ ovpm vpn init --hostname <vpn.example.com>
INFO[0004] ovpm server initialized
# Now, lets create a new vpn user
$ ovpm user create -u joe -p verySecretPassword
INFO[0000] user created: joe
# Finally export the vpn profile for, the created user, joe
$ ovpm user genconfig -u joe
INFO[0000] exported to joe.ovpn
OpenVPN profile for user joe is exported to joe.ovpn file. You can simply use this file with OpenVPN to connect to the vpn server from another computer.
Next Steps
Troubleshooting
Q: My clients cannot connect to VPN after updating OVPM to v0.2.8
Since comp-lzo is disabled by default in OVPM v0.2.8, existing clients' .ovpn profiles became invalid.
In order to solve this you have the options below:
- Generate new .ovpn profile for existing clients
- Or manually remove
comp-lzoline from clients .ovpn profiles yourself. - Or you can upgrade to v0.2.9 and enable lzo option back by invoking the following command.
$ ovpm vpn update --enable-use-lzo
But please note that this is not recommended as lzo option is deprecated in OpenVPN.
Documentation
¶
Overview ¶
Package ovpm provides the implementation of core OVPM API.
ovpm can create and destroy OpenVPN servers, manage vpn users, handle certificates etc...
Index ¶
- Constants
- Variables
- func AdminPerms() []permset.Perm
- func HostID2IP(hostid uint32) net.IP
- func IP2HostID(ip net.IP) uint32
- func IncrementIP(ip, mask string) (string, error)
- func IsNetworkType(s string) bool
- func UserPerms() []permset.Perm
- type DB
- type Network
- func (n *Network) Associate(username string) error
- func (n *Network) Delete() error
- func (n *Network) Dissociate(username string) error
- func (n *Network) GetAssociatedUsernames() []string
- func (n *Network) GetAssociatedUsers() []*User
- func (n *Network) GetCIDR() string
- func (n *Network) GetCreatedAt() string
- func (n *Network) GetName() string
- func (n *Network) GetType() NetworkType
- func (n *Network) GetVia() string
- type NetworkType
- type Server
- func (svr *Server) CAExpiresAt() time.Time
- func (svr *Server) CheckSerial(serial string) bool
- func (svr *Server) Deinit() error
- func (svr *Server) DumpClientConfig(username, path string) error
- func (svr *Server) DumpsClientConfig(username string) (string, error)
- func (svr *Server) Emit() error
- func (svr *Server) EmitWithRestart() error
- func (svr *Server) ExpiresAt() time.Time
- func (svr *Server) GetCACert() string
- func (svr *Server) GetCAKey() string
- func (svr *Server) GetCRL() string
- func (svr *Server) GetConnectedUsers() ([]User, error)
- func (svr *Server) GetCreatedAt() string
- func (svr *Server) GetDNS() string
- func (svr *Server) GetHostname() string
- func (svr *Server) GetKeepalivePeriod() string
- func (svr *Server) GetKeepaliveTimeout() string
- func (svr *Server) GetKey() string
- func (svr *Server) GetMask() string
- func (svr *Server) GetNet() string
- func (svr *Server) GetPort() string
- func (svr *Server) GetProto() string
- func (svr *Server) GetSerialNumber() string
- func (svr *Server) GetServerName() string
- func (svr *Server) GetSystemCA() (*pki.CA, error)
- func (svr *Server) Init(hostname string, port string, proto string, ipblock string, dns string, ...) error
- func (svr *Server) IsInitialized() bool
- func (svr *Server) IsUseLZO() bool
- func (svr *Server) Refresh() error
- func (svr *Server) RestartVPNProc()
- func (svr *Server) StartVPNProc()
- func (svr *Server) StopVPNProc()
- func (svr *Server) Update(ipblock string, dns string, useLzo *bool) error
- type User
- func (u *User) CheckPassword(password string) bool
- func (u *User) ConnectionStatus() (isConnected bool, connectedSince time.Time, bytesSent uint64, ...)
- func (u *User) Delete() error
- func (u *User) ExpiresAt() time.Time
- func (u *User) GetCert() string
- func (u *User) GetCreatedAt() string
- func (u *User) GetDescription() string
- func (u *User) GetHostID() uint32
- func (u *User) GetIPNet() string
- func (u *User) GetServerSerialNumber() string
- func (u *User) GetUsername() string
- func (u *User) IsAdmin() bool
- func (u *User) IsNoGW() bool
- func (u *User) Renew() error
- func (u *User) RenewToken() (string, error)
- func (u *User) ResetPassword(password string) error
- func (u *User) Update(password string, nogw bool, hostid uint32, admin bool, description string) error
- func (u *User) ValidateToken(token string) bool
Constants ¶
const ( // DefaultVPNPort is the default OpenVPN port to listen. DefaultVPNPort = "1197" // DefaultVPNProto is the default OpenVPN protocol to use. DefaultVPNProto = UDPProto // DefaultVPNNetwork is the default OpenVPN network to use. DefaultVPNNetwork = "10.9.0.0/24" // DefaultVPNDNS is the default DNS to push to clients. DefaultVPNDNS = "8.8.8.8" // DefaultDaemonPort is the port OVPMD will listen by default if something else is not specified. DefaultDaemonPort = 9090 // DefaultKeepalivePeriod is the default ping period to check if the remote peer is alive. DefaultKeepalivePeriod = "2" // DefaultKeepaliveTimeout is the default ping timeout to assume that remote peer is down. DefaultKeepaliveTimeout = "4" )
const ( // User permissions CreateUserPerm permset.Perm = iota GetAnyUserPerm GetSelfPerm UpdateAnyUserPerm UpdateSelfPerm DeleteAnyUserPerm RenewAnyUserPerm GenConfigAnyUserPerm GenConfigSelfPerm // VPN permissions GetVPNStatusPerm InitVPNPerm UpdateVPNPerm RestartVPNPerm // Network permissions ListNetworksPerm CreateNetworkPerm DeleteNetworkPerm GetNetworkTypesPerm GetNetworkAssociatedUsersPerm AssociateNetworkUserPerm DissociateNetworkUserPerm )
OVPM available permissions.
const ( TCPProto string = "tcp" UDPProto string = "udp" )
Possible VPN protocols.
Variables ¶
var Testing = false
Testing is used to determine whether we are testing or running normally. Set it to true when testing.
var Version = "development"
Version defines the version of ovpm.
Functions ¶
func AdminPerms ¶ added in v0.2.0
AdminPerms returns the list of permissions that admin type user has.
func IncrementIP ¶
IncrementIP will return next ip address within the network.
func IsNetworkType ¶ added in v0.2.7
IsNetworkType returns if the s is a valid network type or not.
Types ¶
type DB ¶
DB represents a persistent storage.
type Network ¶
type Network struct {
// contains filtered or unexported fields
}
Network represents a VPN related network.
func CreateNewNetwork ¶
func CreateNewNetwork(name, cidr string, nettype NetworkType, via string) (*Network, error)
CreateNewNetwork creates a new network definition in the system.
func GetAllNetworks ¶
func GetAllNetworks() []*Network
GetAllNetworks returns all networks defined in the system.
func GetNetwork ¶
GetNetwork returns a network specified by its name.
func (*Network) Dissociate ¶
Dissociate breaks up the given users association to the said network.
func (*Network) GetAssociatedUsernames ¶
GetAssociatedUsernames returns network's associated user names.
func (*Network) GetAssociatedUsers ¶
GetAssociatedUsers returns network's associated users.
func (*Network) GetCreatedAt ¶
GetCreatedAt returns network's name.
func (*Network) GetType ¶
func (n *Network) GetType() NetworkType
GetType returns network's network type.
type NetworkType ¶
type NetworkType uint
NetworkType distinguishes different types of networks that is defined in the networks table.
const ( UNDEFINEDNET NetworkType = iota SERVERNET ROUTE )
NetworkTypes
func GetAllNetworkTypes ¶
func GetAllNetworkTypes() []NetworkType
GetAllNetworkTypes returns all network types defined in the system.
func NetworkTypeFromString ¶
func NetworkTypeFromString(typ string) NetworkType
NetworkTypeFromString returns string representation of the network type.
func (NetworkType) Description ¶
func (nt NetworkType) Description() string
Description gives description about the network type.
func (NetworkType) String ¶
func (nt NetworkType) String() string
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
Server represents VPN server.
func TheServer ¶ added in v0.2.7
func TheServer() *Server
TheServer returns a pointer to the server instance.
Server instance is a singleton instance that is initialized on the first call made to the TheServer().
func (*Server) CAExpiresAt ¶ added in v0.2.7
CAExpiresAt returns the expiry date time of the CA.
func (*Server) CheckSerial ¶
CheckSerial takes a serial number and checks it against the current server's serial number.
func (*Server) Deinit ¶ added in v0.2.7
Deinit deletes the VPN server from the database and frees the allocated resources.
func (*Server) DumpClientConfig ¶ added in v0.2.7
DumpClientConfig generates .ovpn file for the given vpn user and dumps it to outPath.
func (*Server) DumpsClientConfig ¶ added in v0.2.7
DumpsClientConfig generates .ovpn file for the given vpn user and returns it as a string.
func (*Server) Emit ¶ added in v0.2.7
Emit generates all needed files for the OpenVPN server and dumps them to their corresponding paths defined in the config.
func (*Server) EmitWithRestart ¶ added in v0.2.7
EmitWithRestart restarts vpnProc after calling EmitWithRestart().
func (*Server) ExpiresAt ¶ added in v0.2.7
ExpiresAt returns the expiry date time of the server cert.
func (*Server) GetConnectedUsers ¶ added in v0.2.7
GetConnectedUsers will return a list of users who are currently connected to the VPN service.
func (*Server) GetCreatedAt ¶
GetCreatedAt returns server's created at.
func (*Server) GetHostname ¶
GetHostname returns vpn server's hostname.
func (*Server) GetKeepalivePeriod ¶ added in v0.2.8
func (*Server) GetKeepaliveTimeout ¶ added in v0.2.8
func (*Server) GetSerialNumber ¶
GetSerialNumber returns server's serial number.
func (*Server) GetServerName ¶
GetServerName returns server's name.
func (*Server) GetSystemCA ¶ added in v0.2.7
GetSystemCA returns the system CA from the database if available.
func (*Server) Init ¶ added in v0.2.7
func (svr *Server) Init(hostname string, port string, proto string, ipblock string, dns string, keepalivePeriod string, keepaliveTimeout string, useLZO bool) error
Init regenerates keys and certs for a Root CA, gets initial settings for the VPN server and saves them in the database.
'proto' can be either "udp" or "tcp" and if it's "" it defaults to "udp".
'ipblock' is a IP network in the CIDR form. VPN clients get their IP addresses from this network. It defaults to const 'DefaultVPNNetwork'.
'keepalivePeriod' is the ping period to check if the remote peer is alive. It defaults to const 'DefaultKeepalivePeriod'
'keeapliveTimeout' is the ping timeout to assume that remote peer is down. It defaults to const 'DefaultKeepaliveTimeout'
'useLZO' is used to determine whether to use the lzo compression algorithm to support older clients. It defaults to false due to security issues and deprecation
Please note that, Init is potentially destructive procedure, it will cause invalidation of existing .ovpn profiles of the current users. So it should be used carefully.
func (*Server) IsInitialized ¶ added in v0.2.7
IsInitialized checks if there is a default VPN server configured in the database or not.
func (*Server) RestartVPNProc ¶ added in v0.2.7
func (svr *Server) RestartVPNProc()
RestartVPNProc restarts the OpenVPN process.
func (*Server) StartVPNProc ¶ added in v0.2.7
func (svr *Server) StartVPNProc()
StartVPNProc starts the OpenVPN process.
func (*Server) StopVPNProc ¶ added in v0.2.7
func (svr *Server) StopVPNProc()
StopVPNProc stops the OpenVPN process.
type User ¶
type User struct {
// contains filtered or unexported fields
}
User represents a vpn user.
func CreateNewUser ¶
func CreateNewUser(username, password string, nogw bool, hostid uint32, admin bool, description string) (*User, error)
CreateNewUser creates a new user with the given username and password in the database. If nogw is true, then ovpm doesn't push vpn server as the default gw for the user.
It also generates the necessary client keys and signs certificates with the current server's CA.
func GetAllUsers ¶
GetAllUsers returns all recorded users in the database.
func GetUserByToken ¶ added in v0.1.15
GetUserByToken finds and returns the user with the given token from database.
func (*User) CheckPassword ¶
CheckPassword returns whether the given password is correct for the user.
func (*User) ConnectionStatus ¶ added in v0.2.7
func (u *User) ConnectionStatus() (isConnected bool, connectedSince time.Time, bytesSent uint64, bytesReceived uint64)
ConnectionStatus returns information about user's connection to the VPN server.
func (*User) GetCreatedAt ¶
GetCreatedAt returns user's creation time.
func (*User) GetDescription ¶ added in v0.2.8
func (*User) GetServerSerialNumber ¶
GetServerSerialNumber returns user's server serial number.
func (*User) IsNoGW ¶
IsNoGW returns whether user is set to get the vpn server as their default gateway.
func (*User) Renew ¶
Renew creates a key and a ceritificate signed by the current server's CA.
This is often used to sign users when the current CA is changed while there are still existing users in the database.
Also it can be used when a user cert is expired or user's private key stolen, missing etc.
func (*User) RenewToken ¶ added in v0.1.15
RenewToken generates a new AuthToken and sets it to the db.
func (*User) ResetPassword ¶
ResetPassword resets the users password into the provided password.
func (*User) Update ¶
func (u *User) Update(password string, nogw bool, hostid uint32, admin bool, description string) error
Update updates the user's attributes and writes them to the database.
How this method works is similiar to PUT semantics of REST. It sets the user record fields to the provided function arguments.
func (*User) ValidateToken ¶ added in v0.1.15
ValidateToken returns whether the given token is valid or not.
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
pb
Package pb is a reverse proxy.
|
Package pb is a reverse proxy. |
|
cmd
|
|
|
Package permset provides primitives for permission management.
|
Package permset provides primitives for permission management. |
|
Package pki contains bits and pieces to work with OpenVPN PKI related operations.
|
Package pki contains bits and pieces to work with OpenVPN PKI related operations. |
|
Package supervisor provides a generic API to watch and manage Unix processes.
|
Package supervisor provides a generic API to watch and manage Unix processes. |