ovpm

package module
v0.0.0-...-ef898ae
Published: Nov 6, 2025 License: AGPL-3.0 Imports: 30 Imported by: 0

README

OVPM - OpenVPN Management Server


OVPM lets you administer an OpenVPN server on Linux easily via a command line and a web interface.

With OVPM you can create and run an OpenVPN server, add/remove VPN users, generate client .ovpn files for your users, etc.

This software is not stable yet. We recommend against using it for anything serious until version 1.0 is released.

NOTICE: Version 0.2.8 comes with comp-lzo option disabled by default as it is deprecated by OpenVPN.

Roadmap

  • OpenVPN management functionality
  • User management functionality
  • Network management functionality
  • Command Line Interface (CLI)
  • API (REST and gRPC)
  • Web User Interface (WebUI)
  • Import/Export/Backup OVPM config
  • Effortless client profile (.ovpn file) delivery over Web
  • Monitoring and Quota functionality

Demo

Here is a little demo of what it looks like on the terminal to init the server, create a VPN user and generate the .ovpn file for the created user.


Installation

from RPM (CentOS/Fedora):

# Add YUM Repo
$ sudo yum install yum-utils -y
$ sudo yum install epel-release -y
$ sudo yum-config-manager --add-repo https://cad.github.io/ovpm/rpm/ovpm.repo

# Install OVPM
$ sudo yum install ovpm

# Enable and start ovpmd service
$ systemctl start ovpmd
$ systemctl enable ovpmd

from DEB (Ubuntu/Debian):

This has been tested only on Ubuntu >=16.04.3 LTS. Note that [trusted=yes] in the repository line below tells APT to skip signature verification for that repository.

# Add APT Repo
$ sudo sh -c 'echo "deb [trusted=yes] https://cad.github.io/ovpm/deb/ ovpm main" >> /etc/apt/sources.list'
$ sudo apt update

# Install OVPM
$ sudo apt install ovpm

# Enable and start ovpmd service
$ systemctl start ovpmd
$ systemctl enable ovpmd

from Source (go get):

The only dependency of ovpm is OpenVPN>=2.3.3.

$ go get -u github.com/GoldenRUS/ovpm/...

# Make sure the user nobody and the group nogroup are available
# on the system
$ sudo useradd nobody
$ sudo groupadd nogroup

# Start ovpmd in a separate terminal
$ sudo ovpmd

Now ovpmd should be running.

Quickstart

Create a VPN user and export the VPN profile for the created user.

# Initialize the server after a fresh install
$ ovpm vpn init --hostname <vpn.example.com>
INFO[0004] ovpm server initialized

# Now, let's create a new vpn user
$ ovpm user create -u joe -p verySecretPassword
INFO[0000] user created: joe

# Finally, export the vpn profile for the created user, joe
$ ovpm user genconfig -u joe
INFO[0000] exported to joe.ovpn

The OpenVPN profile for user joe is exported to the file joe.ovpn. You can use this file with OpenVPN to connect to the VPN server from another computer.

Web Interface Binding

Since v0.2.20: use the --web-ip parameter to specify the address the REST API binds to, so that the web interface is not exposed on every interface and can be placed behind a reverse proxy.

./ovpmd --web-ip 192.168.0.100  # Bind to specific IP
./ovpmd --web-ip 127.0.0.1      # Localhost only

Default: 0.0.0.0 (all interfaces)

Next Steps

Troubleshooting

Q: My clients cannot connect to VPN after updating OVPM to v0.2.8

Since comp-lzo is disabled by default in OVPM v0.2.8, existing clients' .ovpn profiles became invalid.

In order to solve this you have the options below:

  • Generate new .ovpn profiles for the existing clients.
  • Or manually remove the comp-lzo line from the clients' .ovpn profiles yourself.
  • Or upgrade to v0.2.9 and re-enable the lzo option by invoking the following command.
$ ovpm vpn update --enable-use-lzo

But please note that this is not recommended, as the lzo option is deprecated in OpenVPN.
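As an added example (not part of the OVPM project or this README), the following Go program implements the second option above: it strips deprecated LZO compression directives from a client .ovpn profile while leaving inline certificate and key blocks untouched. The sample profile is constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of a client profile as generated before comp-lzo was
// disabled. The inline <ca> block holds placeholder text, not a real certificate.
const sampleProfile = `client
dev tun
proto udp
remote vpn.example.com 1197
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
verb 3
`

// isCompressionDirective reports whether an OpenVPN config line enables the
// deprecated LZO compression ("comp-lzo" or the newer "compress lzo" form).
// Comment lines (# or ;) are never treated as directives.
func isCompressionDirective(line string) bool {
	fields := strings.Fields(line)
	if len(fields) == 0 || strings.HasPrefix(fields[0], "#") || strings.HasPrefix(fields[0], ";") {
		return false
	}
	switch fields[0] {
	case "comp-lzo":
		return true
	case "compress":
		return len(fields) > 1 && fields[1] == "lzo"
	}
	return false
}

// StripCompLZO removes LZO compression directives from an .ovpn profile.
// Lines inside inline blocks (<ca>, <cert>, <key>, <tls-auth>, ...) are copied
// verbatim so embedded PEM material is never modified. It returns the cleaned
// profile and the number of directives removed.
func StripCompLZO(profile string) (string, int) {
	var out []string
	removed := 0
	inBlock := false
	for _, line := range strings.Split(profile, "\n") {
		trimmed := strings.TrimSpace(line)
		switch {
		case inBlock:
			if strings.HasPrefix(trimmed, "</") {
				inBlock = false
			}
		case strings.HasPrefix(trimmed, "<") && !strings.HasPrefix(trimmed, "</"):
			inBlock = true
		case isCompressionDirective(trimmed):
			removed++
			continue
		}
		out = append(out, line)
	}
	return strings.Join(out, "\n"), removed
}

func main() {
	cleaned, n := StripCompLZO(sampleProfile)
	fmt.Printf("removed %d compression directive(s)\n", n)
	fmt.Print(cleaned)
}
```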

Documentation

Overview

Package ovpm provides the implementation of core OVPM API.

ovpm can create and destroy OpenVPN servers, manage VPN users, handle certificates, etc.

Index

Constants

const (
	// DefaultVPNPort is the default OpenVPN port to listen.
	DefaultVPNPort = "1197"

	// DefaultVPNProto is the default OpenVPN protocol to use.
	DefaultVPNProto = UDPProto

	// DefaultVPNNetwork is the default OpenVPN network to use.
	DefaultVPNNetwork = "10.9.0.0/24"

	// DefaultVPNDNS is the default DNS to push to clients.
	DefaultVPNDNS = "8.8.8.8"

	// DefaultDaemonPort is the port OVPMD will listen by default if something else is not specified.
	DefaultDaemonPort = 9090

	// DefaultKeepalivePeriod is the default ping period to check if the remote peer is alive.
	DefaultKeepalivePeriod = "2"

	// DefaultKeepaliveTimeout is the default ping timeout to assume that remote peer is down.
	DefaultKeepaliveTimeout = "4"
)
const (
	// User permissions
	CreateUserPerm permset.Perm = iota
	GetAnyUserPerm
	GetSelfPerm
	UpdateAnyUserPerm
	UpdateSelfPerm
	DeleteAnyUserPerm
	RenewAnyUserPerm
	GenConfigAnyUserPerm
	GenConfigSelfPerm

	// VPN permissions
	GetVPNStatusPerm
	InitVPNPerm
	UpdateVPNPerm
	RestartVPNPerm

	// Network permissions
	ListNetworksPerm
	CreateNetworkPerm
	DeleteNetworkPerm
	GetNetworkTypesPerm
	GetNetworkAssociatedUsersPerm
	AssociateNetworkUserPerm
	DissociateNetworkUserPerm

	// Statistic permissions
	ListStatisticPerm
)

OVPM available permissions.

const (
	TCPProto string = "tcp"
	UDPProto string = "udp"
)

Possible VPN protocols.

Variables

var Testing = false

Testing is used to determine whether we are testing or running normally. Set it to true when testing.

var Version = "development"

Version defines the version of ovpm.

Functions

func AdminPerms

func AdminPerms() []permset.Perm

AdminPerms returns the list of permissions that admin type user has.

func ConnectionList

func ConnectionList() (list []clEntry, lastUpdate time.Time)

ConnectionList returns information about user's connections to the VPN server.

func GetAvailableInterfaces

func GetAvailableInterfaces() ([]string, error)

GetAvailableInterfaces returns the list of available interfaces from /proc/net/dev.

func GetDetailedStatistics

func GetDetailedStatistics(filters StatisticFilters) ([]dbStatisticModel, error)

GetDetailedStatistics returns detailed statistic records matching the given filters.

func HostID2IP

func HostID2IP(hostid uint32) net.IP

HostID2IP converts a host id (32-bit unsigned integer) to an IP address.

func IP2HostID

func IP2HostID(ip net.IP) uint32

IP2HostID converts an IP address to a host id (32-bit unsigned integer).

func IncrementIP

func IncrementIP(ip, mask string) (string, error)

IncrementIP returns the next IP address within the network.
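Added example, not the ovpm package's own code: a stand-alone Go implementation of the semantics documented for HostID2IP, IP2HostID and IncrementIP, where IncrementIP refuses to step onto the broadcast address or out of the network. The mask is a dotted-quad string as in the signature above, and the 10.9.0.0/24 values match DefaultVPNNetwork.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// HostID2IP converts a 32-bit host id to an IPv4 address (big-endian order).
// Own implementation of the documented behaviour, not ovpm's code.
func HostID2IP(hostid uint32) net.IP {
	ip := make(net.IP, net.IPv4len)
	binary.BigEndian.PutUint32(ip, hostid)
	return ip
}

// IP2HostID converts an IPv4 address to its 32-bit host id.
// Anything that is not an IPv4 address maps to 0.
func IP2HostID(ip net.IP) uint32 {
	v4 := ip.To4()
	if v4 == nil {
		return 0
	}
	return binary.BigEndian.Uint32(v4)
}

// IncrementIP returns the address after ip inside the network defined by ip
// and the dotted-quad mask. It returns an error instead of the broadcast
// address or an address outside the network, so an allocator built on it
// cannot silently hand out an unusable client IP.
func IncrementIP(ip, mask string) (string, error) {
	parsed := net.ParseIP(ip)
	if parsed == nil || parsed.To4() == nil {
		return "", fmt.Errorf("invalid IPv4 address %q", ip)
	}
	m := net.ParseIP(mask)
	if m == nil || m.To4() == nil {
		return "", fmt.Errorf("invalid mask %q", mask)
	}
	netmask := net.IPMask(m.To4())
	network := &net.IPNet{IP: parsed.Mask(netmask), Mask: netmask}

	next := HostID2IP(IP2HostID(parsed) + 1)
	// Broadcast address = network address OR inverted mask.
	broadcast := HostID2IP(IP2HostID(network.IP) | ^IP2HostID(net.IP(netmask)))
	if !network.Contains(next) || next.Equal(broadcast) {
		return "", fmt.Errorf("no address after %s in %s", ip, network)
	}
	return next.String(), nil
}

func main() {
	// Walk the first few client addresses of the default 10.9.0.0/24 VPN network.
	addr := "10.9.0.1"
	for i := 0; i < 3; i++ {
		next, err := IncrementIP(addr, "255.255.255.0")
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("%s -> %s (host id %d)\n", addr, next, IP2HostID(net.ParseIP(next)))
		addr = next
	}
}
```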

func InitializeFileWatcher

func InitializeFileWatcher() error

InitializeFileWatcher initializes the global FileWatcher.

func IsNetworkType

func IsNetworkType(s string) bool

IsNetworkType reports whether s is a valid network type.

func UserPerms

func UserPerms() []permset.Perm

UserPerms returns the collection of permissions that the regular users have.

Types

type DB

type DB struct {
	*gorm.DB
}

DB represents a persistent storage.

func CreateDB

func CreateDB(dialect string, args ...interface{}) *DB

CreateDB prepares and returns new storage.

It should be run at the start of the program.

func (*DB) Cease

func (db *DB) Cease()

Cease closes the database.

It should be run at the exit of the program.

type DiskUsage

type DiskUsage struct {
	Mount          string
	Total          uint64
	Used           uint64
	UsedPercentage float64
}

DiskUsage represents the usage of a disk.

type FileWatcher

type FileWatcher struct {
	// contains filtered or unexported fields
}

func GetFileWatcher

func GetFileWatcher() *FileWatcher

GetFileWatcher returns the global FileWatcher instance.

func NewFileWatcher

func NewFileWatcher(filename string) (*FileWatcher, error)

func NewStatisticFileWatcher

func NewStatisticFileWatcher() (*FileWatcher, error)

func (*FileWatcher) Close

func (fw *FileWatcher) Close()

func (*FileWatcher) GetStatistics

func (fw *FileWatcher) GetStatistics() []SpeedStat

func (*FileWatcher) Watch

func (fw *FileWatcher) Watch()

type InterfaceStats

type InterfaceStats struct {
	InterfaceName string    `json:"interface_name"`
	TXBytes       uint64    `json:"tx_bytes"`
	RXBytes       uint64    `json:"rx_bytes"`
	TXBytesPerSec uint64    `json:"tx_bytes_per_sec"`
	RXBytesPerSec uint64    `json:"rx_bytes_per_sec"`
	TXPackets     uint64    `json:"tx_packets"`
	RXPackets     uint64    `json:"rx_packets"`
	Timestamp     time.Time `json:"timestamp"`
}

InterfaceStats represents the statistics of a network interface.

type InterfaceStatsResponse

type InterfaceStatsResponse struct {
	Stats InterfaceStats `json:"stats"`
}

InterfaceStatsResponse represents a response carrying interface statistics.

func GetInterfaceStats

func GetInterfaceStats(interfaceName string) (*InterfaceStatsResponse, error)

GetInterfaceStats returns the statistics for the specified interface.

type Network

type Network struct {
	// contains filtered or unexported fields
}

Network represents a VPN related network.

func CreateNewNetwork

func CreateNewNetwork(name, cidr string, nettype NetworkType, via string) (*Network, error)

CreateNewNetwork creates a new network definition in the system.

func GetAllNetworks

func GetAllNetworks() []*Network

GetAllNetworks returns all networks defined in the system.

func GetNetwork

func GetNetwork(name string) (*Network, error)

GetNetwork returns a network specified by its name.

func (*Network) Associate

func (n *Network) Associate(username string) error

Associate allows the given user access to this network.

func (*Network) Delete

func (n *Network) Delete() error

Delete deletes a network definition in the system.

func (*Network) Dissociate

func (n *Network) Dissociate(username string) error

Dissociate breaks up the given user's association with this network.

func (*Network) GetAssociatedUsernames

func (n *Network) GetAssociatedUsernames() []string

GetAssociatedUsernames returns network's associated user names.

func (*Network) GetAssociatedUsers

func (n *Network) GetAssociatedUsers() []*User

GetAssociatedUsers returns network's associated users.

func (*Network) GetCIDR

func (n *Network) GetCIDR() string

GetCIDR returns network's CIDR.

func (*Network) GetCreatedAt

func (n *Network) GetCreatedAt() string

GetCreatedAt returns network's creation time.

func (*Network) GetName

func (n *Network) GetName() string

GetName returns network's name.

func (*Network) GetType

func (n *Network) GetType() NetworkType

GetType returns network's network type.

func (*Network) GetVia

func (n *Network) GetVia() string

GetVia returns network's via.

type NetworkInterface

type NetworkInterface struct {
	Name string
	IP   string
	MAC  string
	IsUp bool
}

NetworkInterface represents information about a network interface.

type NetworkInterfacesResponse

type NetworkInterfacesResponse struct {
	Interfaces []NetworkInterface
}

NetworkInterfacesResponse represents a response carrying the list of interfaces.

func GetNetworkInterfaces

func GetNetworkInterfaces() (*NetworkInterfacesResponse, error)

GetNetworkInterfaces returns the list of network interfaces.

type NetworkType

type NetworkType uint

NetworkType distinguishes the different types of networks that are defined in the networks table.

const (
	UNDEFINEDNET NetworkType = iota
	SERVERNET
	ROUTE
)

NetworkTypes

func GetAllNetworkTypes

func GetAllNetworkTypes() []NetworkType

GetAllNetworkTypes returns all network types defined in the system.

func NetworkTypeFromString

func NetworkTypeFromString(typ string) NetworkType

NetworkTypeFromString returns the NetworkType that corresponds to the given string.

func (NetworkType) Description

func (nt NetworkType) Description() string

Description gives description about the network type.

func (NetworkType) String

func (nt NetworkType) String() string

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server represents VPN server.

func TheServer

func TheServer() *Server

TheServer returns a pointer to the server instance.

The Server instance is a singleton that is initialized on the first call to TheServer().

func (*Server) CAExpiresAt

func (svr *Server) CAExpiresAt() time.Time

CAExpiresAt returns the expiry date time of the CA.

func (*Server) CheckSerial

func (svr *Server) CheckSerial(serial string) bool

CheckSerial takes a serial number and checks it against the current server's serial number.

func (*Server) Deinit

func (svr *Server) Deinit() error

Deinit deletes the VPN server from the database and frees the allocated resources.

func (*Server) DumpClientConfig

func (svr *Server) DumpClientConfig(username, path string) error

DumpClientConfig generates the .ovpn file for the given vpn user and writes it to path.

func (*Server) DumpsClientConfig

func (svr *Server) DumpsClientConfig(username string) (string, error)

DumpsClientConfig generates .ovpn file for the given vpn user and returns it as a string.

func (*Server) Emit

func (svr *Server) Emit() error

Emit generates all needed files for the OpenVPN server and dumps them to their corresponding paths defined in the config.

func (*Server) EmitWithRestart

func (svr *Server) EmitWithRestart() error

EmitWithRestart restarts vpnProc after calling Emit().

func (*Server) ExpiresAt

func (svr *Server) ExpiresAt() time.Time

ExpiresAt returns the expiry date time of the server cert.

func (*Server) GetCACert

func (svr *Server) GetCACert() string

GetCACert returns vpn server's cacert.

func (*Server) GetCAKey

func (svr *Server) GetCAKey() string

GetCAKey returns vpn server's cakey.

func (*Server) GetCRL

func (svr *Server) GetCRL() string

GetCRL returns vpn server's crl.

func (*Server) GetConnectedUsers

func (svr *Server) GetConnectedUsers() ([]User, error)

GetConnectedUsers will return a list of users who are currently connected to the VPN service.

func (*Server) GetCreatedAt

func (svr *Server) GetCreatedAt() string

GetCreatedAt returns the server's creation time.

func (*Server) GetDNS

func (svr *Server) GetDNS() string

GetDNS returns vpn server's dns.

func (*Server) GetHostname

func (svr *Server) GetHostname() string

GetHostname returns vpn server's hostname.

func (*Server) GetKeepalivePeriod

func (svr *Server) GetKeepalivePeriod() string

func (*Server) GetKeepaliveTimeout

func (svr *Server) GetKeepaliveTimeout() string

func (*Server) GetKey

func (svr *Server) GetKey() string

GetKey returns vpn server's key.

func (*Server) GetMask

func (svr *Server) GetMask() string

GetMask returns vpn server's mask.

func (*Server) GetNet

func (svr *Server) GetNet() string

GetNet returns vpn server's net.

func (*Server) GetPort

func (svr *Server) GetPort() string

GetPort returns vpn server's port.

func (*Server) GetProto

func (svr *Server) GetProto() string

GetProto returns vpn server's proto.

func (*Server) GetSerialNumber

func (svr *Server) GetSerialNumber() string

GetSerialNumber returns server's serial number.

func (*Server) GetServerName

func (svr *Server) GetServerName() string

GetServerName returns server's name.

func (*Server) GetSystemCA

func (svr *Server) GetSystemCA() (*pki.CA, error)

GetSystemCA returns the system CA from the database if available.

func (*Server) Init

func (svr *Server) Init(hostname string, port string, proto string, ipblock string, dns string, keepalivePeriod string, keepaliveTimeout string, useLZO bool) error

Init regenerates keys and certs for a Root CA, gets initial settings for the VPN server and saves them in the database.

'proto' can be either "udp" or "tcp"; if it is "", it defaults to "udp".

'ipblock' is an IP network in CIDR form. VPN clients get their IP addresses from this network. It defaults to the const 'DefaultVPNNetwork'.

'keepalivePeriod' is the ping period to check if the remote peer is alive. It defaults to the const 'DefaultKeepalivePeriod'.

'keepaliveTimeout' is the ping timeout after which the remote peer is assumed to be down. It defaults to the const 'DefaultKeepaliveTimeout'.

'useLZO' determines whether to use the lzo compression algorithm to support older clients. It defaults to false because of security issues and deprecation.

Please note that Init is a potentially destructive procedure: it invalidates the existing .ovpn profiles of the current users, so it should be used carefully.

func (*Server) IsInitialized

func (svr *Server) IsInitialized() bool

IsInitialized checks if there is a default VPN server configured in the database or not.

func (*Server) IsUseLZO

func (svr *Server) IsUseLZO() bool

func (*Server) Refresh

func (svr *Server) Refresh() error

Refresh synchronizes the server instance from db.

func (*Server) RestartVPNProc

func (svr *Server) RestartVPNProc()

RestartVPNProc restarts the OpenVPN process.

func (*Server) StartVPNProc

func (svr *Server) StartVPNProc()

StartVPNProc starts the OpenVPN process.

func (*Server) StopVPNProc

func (svr *Server) StopVPNProc()

StopVPNProc stops the OpenVPN process.

func (*Server) Update

func (svr *Server) Update(ipblock string, dns string, useLzo *bool) error

Update updates VPN server attributes.

type SpeedStat

type SpeedStat struct {
	// contains filtered or unexported fields
}

type StatisticFilters

type StatisticFilters struct {
	StartDate   time.Time `form:"start_date"`
	EndDate     time.Time `form:"end_date"`
	CommonName  string    `form:"common_name"`
	RealAddress string    `form:"real_address"`
	UserID      uint      `form:"user_id"`
	SortBy      string    `form:"sort_by"`
	SortOrder   string    `form:"sort_order"`
	Limit       int       `form:"limit"`
	Offset      int       `form:"offset"`
}

StatisticFilters holds the filters applied to statistic queries.

type StatisticSummary

type StatisticSummary struct {
	CommonName                string  `json:"common_name"`
	ConnectionCount           int64   `json:"connection_count"`
	TotalBytesReceived        int64   `json:"total_bytes_received"`
	TotalBytesSent            int64   `json:"total_bytes_sent"`
	TotalBytes                int64   `json:"total_bytes"`
	AvgConnectionDurationSecs float64 `json:"avg_connection_duration_seconds"`
}

StatisticSummary holds the grouped results of a statistic query.

func GetStatisticList

func GetStatisticList() ([]StatisticSummary, error)

func GetStatisticsByDateRange

func GetStatisticsByDateRange(startDate, endDate *time.Time, commonNameFilter string) ([]StatisticSummary, error)

GetStatisticsByDateRange returns the statistics for the specified period, grouped by CommonName.

type SystemStatus

type SystemStatus struct {
	CPUUsage    float64
	MemoryTotal uint64
	MemoryUsed  uint64
	SwapTotal   uint64
	SwapUsed    uint64
	LoadAverage []float64
	DiskUsage   []DiskUsage
	Timestamp   time.Time
}

SystemStatus represents data about the state of the system.

func GetSystemStatus

func GetSystemStatus() (*SystemStatus, error)

GetSystemStatus returns the full system statistics.

type User

type User struct {
	// contains filtered or unexported fields
}

User represents a vpn user.

func CreateNewUser

func CreateNewUser(username, password string, nogw bool, hostid uint32, admin bool, description string) (*User, error)

CreateNewUser creates a new user with the given username and password in the database. If nogw is true, then ovpm doesn't push vpn server as the default gw for the user.

It also generates the necessary client keys and signs certificates with the current server's CA.

func GetAllUsers

func GetAllUsers() ([]*User, error)

GetAllUsers returns all recorded users in the database.

func GetUser

func GetUser(username string) (*User, error)

GetUser finds and returns the user with the given username from database.

func GetUserByToken

func GetUserByToken(token string) (*User, error)

GetUserByToken finds and returns the user with the given token from database.

func (*User) CheckPassword

func (u *User) CheckPassword(password string) bool

CheckPassword returns whether the given password is correct for the user.

func (*User) ConnectionStatus

func (u *User) ConnectionStatus() (isConnected bool, connectedSince time.Time, bytesSent uint64, bytesReceived uint64, tx float32, rx float32)

ConnectionStatus returns information about user's connection to the VPN server.

func (*User) Delete

func (u *User) Delete() error

Delete deletes a user by the given username from the database.

func (*User) ExpiresAt

func (u *User) ExpiresAt() time.Time

ExpiresAt returns user's certificate expiration date time.

func (*User) GetCert

func (u *User) GetCert() string

GetCert returns user's public certificate.

func (*User) GetCreatedAt

func (u *User) GetCreatedAt() string

GetCreatedAt returns user's creation time.

func (*User) GetDescription

func (u *User) GetDescription() string

func (*User) GetHostID

func (u *User) GetHostID() uint32

GetHostID returns user's Host ID.

func (*User) GetIPNet

func (u *User) GetIPNet() string

GetIPNet returns user's vpn ip network. (e.g. 192.168.0.1/24)

func (*User) GetServerSerialNumber

func (u *User) GetServerSerialNumber() string

GetServerSerialNumber returns user's server serial number.

func (*User) GetUsername

func (u *User) GetUsername() string

GetUsername returns user's username.

func (*User) IsAdmin

func (u *User) IsAdmin() bool

IsAdmin returns whether user is admin or not.

func (*User) IsNoGW

func (u *User) IsNoGW() bool

IsNoGW returns whether the user is set not to receive the vpn server as their default gateway.

func (*User) Renew

func (u *User) Renew() error

Renew creates a key and a certificate signed by the current server's CA.

This is often used to re-sign users when the current CA is changed while there are still existing users in the database.

It can also be used when a user's certificate has expired or the user's private key has been stolen or lost.

func (*User) RenewToken

func (u *User) RenewToken() (string, error)

RenewToken generates a new AuthToken and sets it to the db.

func (*User) ResetPassword

func (u *User) ResetPassword(password string) error

ResetPassword resets the user's password to the provided password.

func (*User) Update

func (u *User) Update(password string, nogw bool, hostid uint32, admin bool, description string) error

Update updates the user's attributes and writes them to the database.

This method works similarly to the PUT semantics of REST: it sets the user record fields to the provided function arguments.

func (*User) ValidateToken

func (u *User) ValidateToken(token string) bool

ValidateToken returns whether the given token is valid or not.

type UserStatistics

type UserStatistics struct {
	Username                  string    `json:"username"`
	UserID                    uint      `json:"user_id"`
	TotalConnections          int64     `json:"total_connections"`
	TotalBytesReceived        int64     `json:"total_bytes_received"`
	TotalBytesSent            int64     `json:"total_bytes_sent"`
	TotalBytes                int64     `json:"total_bytes"`
	AvgConnectionDurationSecs float64   `json:"avg_connection_duration_seconds"`
	LastConnection            time.Time `json:"last_connection"`
}

UserStatistics holds the statistics of a single user.

func GetUserStatistics

func GetUserStatistics(commonName string, startDate, endDate time.Time) (*UserStatistics, error)

GetUserStatistics returns the statistics for a specific user.

Directories

Path         Synopsis
api
  pb         Package pb is a reverse proxy.
cmd
  ovpm       command
  ovpmd      command
permset      Package permset provides primitives for permission management.
pki          Package pki contains bits and pieces to work with OpenVPN PKI related operations.
supervisor   Package supervisor provides a generic API to watch and manage Unix processes.