Skip to main content

OpenVPN Control Panel for Restricted Network.

Project description

OpenVPN Control Panel for Restricted Network

Tests CodeQL Advanced Package

Installation

In order to run along with OpenVPN server, the ROOT privilege is required.

sudo pipx install ovpncp

OpenVPN Server Setup

Make sure the client-to-client directive is disabled:

;client-to-client

Enable CCD & make it exclusive:

client-config-dir /etc/openvpn/ccd
ccd_exclusive

Enable the scripts of client connection:

client-connect /opt/ovpncp/scripts/client-connect.sh
client-disconnect /opt/ovpncp/scripts/client-disconnect.sh

Start the application:

sudo -i ovpncp

Restart the server:

sudo systemctl restart openvpn

Running as a systemd Service (Recommended)

To ensure the application starts automatically on boot and restarts if it crashes:

  1. Create a service file at /etc/systemd/system/ovpncp.service:
[Unit]
Description=OpenVPN Control Panel
After=network.target openvpn.service

[Service]
Type=simple
User=root
Group=root
# Use 'which ovpncp' to find the absolute path if different
ExecStart=/root/.local/bin/ovpncp
# Path to your environment variables file
EnvironmentFile=/opt/ovpncp/.env
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
  1. Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable ovpncp
sudo systemctl start ovpncp

API - Basic Usage

Init server by calling API with cURL:

curl -X POST http://127.0.0.1:8000/server

Check the health of OpenVPN server:

curl -X GET http://127.0.0.1:8000/server/health

Client Setup

Create a client:

curl -X POST http://127.0.0.1:8000/clients \ 
    --data-binary @- << EOF
    {
        "name": "client_1"
    }
    EOF

Import existing clients from Easy-RSA:

curl -X POST http://127.0.0.1:8000/clients/import

Create a gateway client with the private network behind it:

curl -X POST http://127.0.0.1:8000/clients \ 
    --data-binary @- << EOF 
    {
        "name": "gateway_1", 
        "cidr": "192.168.1.0/24"
    }
    EOF

Package the client certificate:

curl -X PUT http://127.0.0.1:8000/clients/client_1/package-cert

Download the archive:

curl -X GET http://127.0.0.1:8000/clients/client_1/download-cert

Assign IP to the client:

curl -X PUT http://127.0.0.1:8000/clients/client_1/assign-ip \ 
    --data-binary @- << EOF  
    {
        "ip": "10.8.0.2"
    }
    EOF

Unassign IP from the client:

curl -X DELETE http://127.0.0.1:8000/clients/client_1/unassign-ip

Restricted Network Setup

IMPORTANT: make sure drop all forwarding on tun0 by default:

sudo iptables -A FORWARD -i tun0 -j DROP

Create a restricted network between two clients:

curl -X POST http://127.0.0.1:8000/networks \ 
    --data-binary @- << EOF 
    {
        "source_name": "client_1", 
        "destination_name": "edge_device_1",
    }
    EOF

Create a restricted network between a client and a gateway:

curl -X POST http://127.0.0.1:8000/networks \ 
    --data-binary @- << EOF 
    {
        "source_name": "client_1", 
        "destination_name": "edge_gateway_1", 
        "private_network_addresses": "192.168.1.1,192.168.1.2,192.168.1.3"
    }
    EOF

Add an IP route for allowing traffic on the OpenVPN server:

curl -X POST http://127.0.0.1:8000/server/routes \
    --data-binary @- << EOF 
    {
        "network": 192.168.1.0/24"
    }
    EOF

Drop the network:

curl -X DELETE http://127.0.0.1:8000/networks/1

[Optional] Enable Security with Azure Entra ID

Register this app on Azure Entra ID first, then sets three ENVs to enable the security middleware:

  1. AZURE_ENTRAID_TENANT_ID - the tenant ID of Azure Entra ID directory.

  2. AZURE_ENTRAID_APP_CLIENT_ID - the application (client) ID of this app that registered.

  3. AZURE_ENTRAID_APP_ROLE - the app role assigned by this app.

Notice: for the consumer client app, two things must be configured on the client app registration:

  1. copy Application ID URI of the previous registered App.
  2. add permission of the previous registered App on the API permissions, and grant admin consent.

Example of calling API with an access token:

# Request an access token 
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
    -d "client_id=$AZURE_ENTRAID_CONSUMER_CLIENT_ID" \
    -d "scope=api://$EXPOSED_API_ID/.default" \
    -d "client_secret=$AZURE_ENTRAID_CONSUMER_CLIENT_SECRET" \
    -d "grant_type=client_credentials" \
    "https://login.microsoftonline.com/$AZURE_ENTRAID_TENANT_ID/oauth2/v2.0/token"

# Call an API
curl -X POST http://REMOTE_HOST/clients -H "Authorization: Bearer $ACCESS_TOKEN"

[Optional] Enable Cert Management with Azure Blob Storage

  1. Create a storage account on Azure Portal.

  2. Create a container named ovpncp on the storage account.

  3. Obtain the access key and set it to the AZURE_STORAGE_CONNECTION_STRING

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ovpncp-0.1.6.tar.gz (31.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ovpncp-0.1.6-py3-none-any.whl (28.7 kB view details)

Uploaded Python 3

File details

Details for the file ovpncp-0.1.6.tar.gz.

File metadata

  • Download URL: ovpncp-0.1.6.tar.gz
  • Upload date:
  • Size: 31.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ovpncp-0.1.6.tar.gz
Algorithm Hash digest
SHA256 97bfa17d90bb5450b6beb2f8e48ac04a56b6542b03b3bc931f99f228b24d3434
MD5 9b8d6564caf6bac7c9db28776748cef7
BLAKE2b-256 6ef00a83b3bf81f2a2f0e4f2a5ba91db8fd73f0f3b6a5cb51f8d287a5403a721

See more details on using hashes here.

Provenance

The following attestation bundles were made for ovpncp-0.1.6.tar.gz:

Publisher: package.yml on scia-iot/ovpncp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ovpncp-0.1.6-py3-none-any.whl.

File metadata

  • Download URL: ovpncp-0.1.6-py3-none-any.whl
  • Upload date:
  • Size: 28.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ovpncp-0.1.6-py3-none-any.whl
Algorithm Hash digest
SHA256 0fd35eb9e0947fc008aada4af781a1c8af1f1be5c8d7d94021c003a7a1ade397
MD5 1bb5cfddb9bc854a900e3b8bc9eb20dd
BLAKE2b-256 37e51fa45e75d7bb283136328c501a378a5752e984194d7122a5e9363d6a20d9

See more details on using hashes here.

Provenance

The following attestation bundles were made for ovpncp-0.1.6-py3-none-any.whl:

Publisher: package.yml on scia-iot/ovpncp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page