OpenVPN Control Panel for Restricted Network.
Project description
OpenVPN Control Panel for Restricted Network
Installation
In order to run along with OpenVPN server, the ROOT privilege is required.
sudo pipx install ovpncp
OpenVPN Server Setup
Make sure the client-to-client directive is disabled:
;client-to-client
Enable CCD & make it exclusive:
client-config-dir /etc/openvpn/ccd
ccd_exclusive
Enable the scripts of client connection:
client-connect /opt/ovpncp/scripts/client-connect.sh
client-disconnect /opt/ovpncp/scripts/client-disconnect.sh
Start the application:
sudo -i ovpncp
Restart the server:
sudo systemctl restart openvpn
Running as a systemd Service (Recommended)
To ensure the application starts automatically on boot and restarts if it crashes:
- Create a service file at
/etc/systemd/system/ovpncp.service:
[Unit]
Description=OpenVPN Control Panel
After=network.target openvpn.service
[Service]
Type=simple
User=root
Group=root
# Use 'which ovpncp' to find the absolute path if different
ExecStart=/root/.local/bin/ovpncp
# Path to your environment variables file
EnvironmentFile=/opt/ovpncp/.env
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
- Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable ovpncp
sudo systemctl start ovpncp
API - Basic Usage
Init server by calling API with cURL:
curl -X POST http://127.0.0.1:8000/server
Check the health of OpenVPN server:
curl -X GET http://127.0.0.1:8000/server/health
Client Setup
Create a client:
curl -X POST http://127.0.0.1:8000/clients \
--data-binary @- << EOF
{
"name": "client_1"
}
EOF
Import existing clients from Easy-RSA:
curl -X POST http://127.0.0.1:8000/clients/import
Create a gateway client with the private network behind it:
curl -X POST http://127.0.0.1:8000/clients \
--data-binary @- << EOF
{
"name": "gateway_1",
"cidr": "192.168.1.0/24"
}
EOF
Package the client certificate:
curl -X PUT http://127.0.0.1:8000/clients/client_1/package-cert
Download the archive:
curl -X GET http://127.0.0.1:8000/clients/client_1/download-cert
Assign IP to the client:
curl -X PUT http://127.0.0.1:8000/clients/client_1/assign-ip \
--data-binary @- << EOF
{
"ip": "10.8.0.2"
}
EOF
Unassign IP from the client:
curl -X DELETE http://127.0.0.1:8000/clients/client_1/unassign-ip
Restricted Network Setup
IMPORTANT:
make sure drop all forwarding on tun0 by default:
sudo iptables -A FORWARD -i tun0 -j DROP
Create a restricted network between two clients:
curl -X POST http://127.0.0.1:8000/networks \
--data-binary @- << EOF
{
"source_name": "client_1",
"destination_name": "edge_device_1",
}
EOF
Create a restricted network between a client and a gateway:
curl -X POST http://127.0.0.1:8000/networks \
--data-binary @- << EOF
{
"source_name": "client_1",
"destination_name": "edge_gateway_1",
"private_network_addresses": "192.168.1.1,192.168.1.2,192.168.1.3"
}
EOF
Add an IP route for allowing traffic on the OpenVPN server:
curl -X POST http://127.0.0.1:8000/server/routes \
--data-binary @- << EOF
{
"network": 192.168.1.0/24"
}
EOF
Drop the network:
curl -X DELETE http://127.0.0.1:8000/networks/1
[Optional] Enable Security with Azure Entra ID
Register this app on Azure Entra ID first, then sets three ENVs to enable the security middleware:
-
AZURE_ENTRAID_TENANT_ID- the tenant ID of Azure Entra ID directory. -
AZURE_ENTRAID_APP_CLIENT_ID- the application (client) ID of this app that registered. -
AZURE_ENTRAID_APP_ROLE- the app role assigned by this app.
Notice: for the consumer client app, two things must be configured on the client app registration:
- copy
Application ID URIof the previous registered App. - add permission of the previous registered App on the
API permissions, and grant admin consent.
Example of calling API with an access token:
# Request an access token
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=$AZURE_ENTRAID_CONSUMER_CLIENT_ID" \
-d "scope=api://$EXPOSED_API_ID/.default" \
-d "client_secret=$AZURE_ENTRAID_CONSUMER_CLIENT_SECRET" \
-d "grant_type=client_credentials" \
"https://login.microsoftonline.com/$AZURE_ENTRAID_TENANT_ID/oauth2/v2.0/token"
# Call an API
curl -X POST http://REMOTE_HOST/clients -H "Authorization: Bearer $ACCESS_TOKEN"
[Optional] Enable Cert Management with Azure Blob Storage
-
Create a storage account on Azure Portal.
-
Create a container named
ovpncpon the storage account. -
Obtain the access key and set it to the
AZURE_STORAGE_CONNECTION_STRING
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ovpncp-0.1.6.tar.gz.
File metadata
- Download URL: ovpncp-0.1.6.tar.gz
- Upload date:
- Size: 31.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
97bfa17d90bb5450b6beb2f8e48ac04a56b6542b03b3bc931f99f228b24d3434
|
|
| MD5 |
9b8d6564caf6bac7c9db28776748cef7
|
|
| BLAKE2b-256 |
6ef00a83b3bf81f2a2f0e4f2a5ba91db8fd73f0f3b6a5cb51f8d287a5403a721
|
Provenance
The following attestation bundles were made for ovpncp-0.1.6.tar.gz:
Publisher:
package.yml on scia-iot/ovpncp
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ovpncp-0.1.6.tar.gz -
Subject digest:
97bfa17d90bb5450b6beb2f8e48ac04a56b6542b03b3bc931f99f228b24d3434 - Sigstore transparency entry: 1688585029
- Sigstore integration time:
-
Permalink:
scia-iot/ovpncp@3c9228292139c4fa6637740df1cb319f8693e449 -
Branch / Tag:
refs/tags/v0.1.6 - Owner: https://github.com/scia-iot
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
package.yml@3c9228292139c4fa6637740df1cb319f8693e449 -
Trigger Event:
release
-
Statement type:
File details
Details for the file ovpncp-0.1.6-py3-none-any.whl.
File metadata
- Download URL: ovpncp-0.1.6-py3-none-any.whl
- Upload date:
- Size: 28.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0fd35eb9e0947fc008aada4af781a1c8af1f1be5c8d7d94021c003a7a1ade397
|
|
| MD5 |
1bb5cfddb9bc854a900e3b8bc9eb20dd
|
|
| BLAKE2b-256 |
37e51fa45e75d7bb283136328c501a378a5752e984194d7122a5e9363d6a20d9
|
Provenance
The following attestation bundles were made for ovpncp-0.1.6-py3-none-any.whl:
Publisher:
package.yml on scia-iot/ovpncp
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
ovpncp-0.1.6-py3-none-any.whl -
Subject digest:
0fd35eb9e0947fc008aada4af781a1c8af1f1be5c8d7d94021c003a7a1ade397 - Sigstore transparency entry: 1688585077
- Sigstore integration time:
-
Permalink:
scia-iot/ovpncp@3c9228292139c4fa6637740df1cb319f8693e449 -
Branch / Tag:
refs/tags/v0.1.6 - Owner: https://github.com/scia-iot
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
package.yml@3c9228292139c4fa6637740df1cb319f8693e449 -
Trigger Event:
release
-
Statement type: