ovpm

package module
v0.2.12 Latest Latest
Published: Apr 27, 2021 License: AGPL-3.0 Imports: 27 Imported by: 3

README

OVPM - OpenVPN Management Server


OVPM allows you to administer an OpenVPN server on Linux easily via the command line and a web interface.

With OVPM you can create and run an OpenVPN server, add/remove VPN users, generate client .ovpn files for your users etc.

This software is not stable yet. We recommend against using it for anything serious until version 1.0 is released.

NOTICE: Version 0.2.8 comes with comp-lzo option disabled by default as it is deprecated by OpenVPN.

Roadmap

  • OpenVPN management functionality
  • User management functionality
  • Network management functionality
  • Command Line Interface (CLI)
  • API (REST and gRPC)
  • Web User Interface (WebUI)
  • Import/Export/Backup OVPM config
  • Effortless client profile (.ovpn file) delivery over Web
  • Monitoring and Quota functionality

Demo

Here is a little demo of what it looks like on the terminal to init the server, create a VPN user and generate the .ovpn file for the created user.


Installation

from RPM (CentOS/Fedora):

# Add YUM Repo
$ sudo yum install yum-utils -y
$ sudo yum install epel-release -y
$ sudo yum-config-manager --add-repo https://cad.github.io/ovpm/rpm/ovpm.repo

# Install OVPM
$ sudo yum install ovpm

# Enable and start ovpmd service
$ systemctl start ovpmd
$ systemctl enable ovpmd

from DEB (Ubuntu/Debian):

This is tested only on Ubuntu >=16.04.3 LTS.

# Add APT Repo
$ sudo sh -c 'echo "deb [trusted=yes] https://cad.github.io/ovpm/deb/ ovpm main" >> /etc/apt/sources.list'
$ sudo apt update

# Install OVPM
$ sudo apt install ovpm

# Enable and start ovpmd service
$ systemctl start ovpmd
$ systemctl enable ovpmd

from Source (go get):

The only dependency of ovpm is OpenVPN>=2.3.3.

$ go get -u github.com/cad/ovpm/...

# Make sure the user nobody and the group nogroup are available
# on the system
$ sudo useradd nobody
$ sudo groupadd nogroup

# Start ovpmd in a separate terminal
$ sudo ovpmd

Now ovpmd should be running.

Quickstart

Create a VPN user and export the VPN profile for the created user.

# We should init the server after a fresh install
$ ovpm vpn init --hostname <vpn.example.com>
INFO[0004] ovpm server initialized

# Now, let's create a new vpn user
$ ovpm user create -u joe -p verySecretPassword
INFO[0000] user created: joe

# Finally, export the vpn profile for the created user, joe
$ ovpm user genconfig -u joe
INFO[0000] exported to joe.ovpn

The OpenVPN profile for user joe is exported to the joe.ovpn file. You can use this file with OpenVPN to connect to the VPN server from another computer.

Next Steps

Troubleshooting

Q: My clients cannot connect to VPN after updating OVPM to v0.2.8

Since comp-lzo is disabled by default in OVPM v0.2.8, existing clients' .ovpn profiles became invalid.

To solve this, you have the following options:

  • Generate a new .ovpn profile for existing clients
  • Or manually remove the comp-lzo line from the clients' .ovpn profiles yourself.
  • Or upgrade to v0.2.9 and enable the lzo option again by invoking the following command.
$ ovpm vpn update --enable-use-lzo

But please note that this is not recommended, as the lzo option is deprecated in OpenVPN.
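The second option above (removing the comp-lzo directive from existing client profiles) as a small added example; this is not OVPM's own code. It treats a profile as one directive per line and assumes inline key material sits between tags such as <ca> ... </ca>, which must be copied through untouched, so a "comp-lzo" line inside such a block is never touched.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// stripCompLZO returns profile without any top-level "comp-lzo" directive
// (with or without an argument) and the number of lines removed. Inline key
// material between tags such as <ca> ... </ca> is copied through untouched.
func stripCompLZO(profile string) (string, int) {
	var out []string
	removed, inBlock := 0, false
	sc := bufio.NewScanner(strings.NewReader(profile))
	for sc.Scan() {
		line := sc.Text()
		trimmed := strings.TrimSpace(line)
		switch {
		case inBlock:
			// inside <tag> ... </tag>: only watch for the closing tag
			inBlock = !strings.HasPrefix(trimmed, "</")
		case strings.HasPrefix(trimmed, "<") && !strings.HasPrefix(trimmed, "</"):
			inBlock = true
		default:
			if f := strings.Fields(trimmed); len(f) > 0 && f[0] == "comp-lzo" {
				removed++
				continue // drop the directive
			}
		}
		out = append(out, line)
	}
	return strings.Join(out, "\n") + "\n", removed
}

// sampleProfile is a constructed client profile; the certificate body is a placeholder.
const sampleProfile = `client
dev tun
proto udp
remote vpn.example.com 1197
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
verb 3
`

func main() {
	cleaned, n := stripCompLZO(sampleProfile)
	fmt.Printf("removed %d comp-lzo line(s):\n%s", n, cleaned)
}
```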

Documentation

Overview

Package ovpm provides the implementation of the core OVPM API.

ovpm can create and destroy OpenVPN servers, manage VPN users, handle certificates, etc.

Index

Constants

const (
	// DefaultVPNPort is the default OpenVPN port to listen.
	DefaultVPNPort = "1197"

	// DefaultVPNProto is the default OpenVPN protocol to use.
	DefaultVPNProto = UDPProto

	// DefaultVPNNetwork is the default OpenVPN network to use.
	DefaultVPNNetwork = "10.9.0.0/24"

	// DefaultVPNDNS is the default DNS to push to clients.
	DefaultVPNDNS = "8.8.8.8"

	// DefaultDaemonPort is the port OVPMD will listen by default if something else is not specified.
	DefaultDaemonPort = 9090

	// DefaultKeepalivePeriod is the default ping period to check if the remote peer is alive.
	DefaultKeepalivePeriod = "2"

	// DefaultKeepaliveTimeout is the default ping timeout to assume that remote peer is down.
	DefaultKeepaliveTimeout = "4"
)
const (
	// User permissions
	CreateUserPerm permset.Perm = iota
	GetAnyUserPerm
	GetSelfPerm
	UpdateAnyUserPerm
	UpdateSelfPerm
	DeleteAnyUserPerm
	RenewAnyUserPerm
	GenConfigAnyUserPerm
	GenConfigSelfPerm

	// VPN permissions
	GetVPNStatusPerm
	InitVPNPerm
	UpdateVPNPerm
	RestartVPNPerm

	// Network permissions
	ListNetworksPerm
	CreateNetworkPerm
	DeleteNetworkPerm
	GetNetworkTypesPerm
	GetNetworkAssociatedUsersPerm
	AssociateNetworkUserPerm
	DissociateNetworkUserPerm
)

OVPM available permissions.

const (
	TCPProto string = "tcp"
	UDPProto string = "udp"
)

Possible VPN protocols.

Variables

var Testing = false

Testing is used to determine whether we are testing or running normally. Set it to true when testing.

var Version = "development"

Version defines the version of ovpm.

Functions

func AdminPerms added in v0.2.0

func AdminPerms() []permset.Perm

AdminPerms returns the list of permissions that an admin type user has.

func HostID2IP

func HostID2IP(hostid uint32) net.IP

HostID2IP converts a host id (32-bit unsigned integer) to an IP address.

func IP2HostID

func IP2HostID(ip net.IP) uint32

IP2HostID converts an IP address to a host id (32-bit unsigned integer).

func IncrementIP

func IncrementIP(ip, mask string) (string, error)

IncrementIP returns the next IP address within the network.
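The three helpers above are documented only by their signatures, so here is a standalone reimplementation of the same host-id/IP mapping and next-address computation, written for this page and not taken from the ovpm package. It assumes a big-endian uint32 host id, a dotted-quad mask string for IncrementIP, and adds the check a practitioner wants before passing a fixed hostid to CreateNewUser: that it lands on a usable client address inside the VPN network (DefaultVPNNetwork in the tests).

```go
package main

import (
	"fmt"
	"net"
)

// hostID2IP converts a 32-bit host id to an IPv4 address (big-endian byte order).
func hostID2IP(hostid uint32) net.IP {
	return net.IPv4(byte(hostid>>24), byte(hostid>>16), byte(hostid>>8), byte(hostid)).To4()
}

// ip2HostID converts an IPv4 address to its 32-bit host id.
func ip2HostID(ip net.IP) (uint32, error) {
	v4 := ip.To4()
	if v4 == nil {
		return 0, fmt.Errorf("%v is not an IPv4 address", ip)
	}
	return uint32(v4[0])<<24 | uint32(v4[1])<<16 | uint32(v4[2])<<8 | uint32(v4[3]), nil
}

// incrementIP returns the address after ip inside the network described by mask
// (dotted quad, e.g. "255.255.255.0"; an assumption about the mask format).
// It refuses to step onto the broadcast address, the pool-exhaustion case.
func incrementIP(ip, mask string) (string, error) {
	id, err := ip2HostID(net.ParseIP(ip))
	if err != nil {
		return "", fmt.Errorf("ip %q: %w", ip, err)
	}
	maskID, err := ip2HostID(net.ParseIP(mask))
	if err != nil {
		return "", fmt.Errorf("mask %q: %w", mask, err)
	}
	broadcast := (id & maskID) | ^maskID
	if id+1 >= broadcast {
		return "", fmt.Errorf("address pool exhausted after %s", ip)
	}
	return hostID2IP(id + 1).String(), nil
}

// hostIDInNetwork reports whether a fixed hostid maps to a usable client
// address in cidr: inside the block and neither the network nor broadcast address.
func hostIDInNetwork(hostid uint32, cidr string) (bool, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return false, err
	}
	if !ipnet.Contains(hostID2IP(hostid)) {
		return false, nil
	}
	netID, _ := ip2HostID(ipnet.IP)
	maskID, _ := ip2HostID(net.IP(ipnet.Mask))
	return hostid != netID && hostid != netID|^maskID, nil
}
```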

func IsNetworkType added in v0.2.7

func IsNetworkType(s string) bool

IsNetworkType returns whether s is a valid network type.

func UserPerms added in v0.2.0

func UserPerms() []permset.Perm

UserPerms returns the collection of permissions that the regular users have.

Types

type DB

type DB struct {
	*gorm.DB
}

DB represents a persistent storage.

func CreateDB

func CreateDB(dialect string, args ...interface{}) *DB

CreateDB prepares and returns new storage.

It should be run at the start of the program.

func (*DB) Cease

func (db *DB) Cease()

Cease closes the database.

It should be run at the exit of the program.

type Network

type Network struct {
	// contains filtered or unexported fields
}

Network represents a VPN related network.

func CreateNewNetwork

func CreateNewNetwork(name, cidr string, nettype NetworkType, via string) (*Network, error)

CreateNewNetwork creates a new network definition in the system.

func GetAllNetworks

func GetAllNetworks() []*Network

GetAllNetworks returns all networks defined in the system.

func GetNetwork

func GetNetwork(name string) (*Network, error)

GetNetwork returns a network specified by its name.

func (*Network) Associate

func (n *Network) Associate(username string) error

Associate allows the given user access to this network.

func (*Network) Delete

func (n *Network) Delete() error

Delete deletes a network definition in the system.

func (*Network) Dissociate

func (n *Network) Dissociate(username string) error

Dissociate breaks up the given user's association with the said network.

func (*Network) GetAssociatedUsernames

func (n *Network) GetAssociatedUsernames() []string

GetAssociatedUsernames returns network's associated user names.

func (*Network) GetAssociatedUsers

func (n *Network) GetAssociatedUsers() []*User

GetAssociatedUsers returns network's associated users.

func (*Network) GetCIDR

func (n *Network) GetCIDR() string

GetCIDR returns network's CIDR.

func (*Network) GetCreatedAt

func (n *Network) GetCreatedAt() string

GetCreatedAt returns network's creation time.

func (*Network) GetName

func (n *Network) GetName() string

GetName returns network's name.

func (*Network) GetType

func (n *Network) GetType() NetworkType

GetType returns network's network type.

func (*Network) GetVia

func (n *Network) GetVia() string

GetVia returns network's via.

type NetworkType

type NetworkType uint

NetworkType distinguishes the different types of networks that are defined in the networks table.

const (
	UNDEFINEDNET NetworkType = iota
	SERVERNET
	ROUTE
)

NetworkTypes

func GetAllNetworkTypes

func GetAllNetworkTypes() []NetworkType

GetAllNetworkTypes returns all network types defined in the system.

func NetworkTypeFromString

func NetworkTypeFromString(typ string) NetworkType

NetworkTypeFromString returns the network type whose string representation is typ.

func (NetworkType) Description

func (nt NetworkType) Description() string

Description gives a description of the network type.

func (NetworkType) String

func (nt NetworkType) String() string

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server represents VPN server.

func TheServer added in v0.2.7

func TheServer() *Server

TheServer returns a pointer to the server instance.

The Server instance is a singleton that is initialized on the first call to TheServer().

func (*Server) CAExpiresAt added in v0.2.7

func (svr *Server) CAExpiresAt() time.Time

CAExpiresAt returns the expiry date time of the CA.

func (*Server) CheckSerial

func (svr *Server) CheckSerial(serial string) bool

CheckSerial takes a serial number and checks it against the current server's serial number.

func (*Server) Deinit added in v0.2.7

func (svr *Server) Deinit() error

Deinit deletes the VPN server from the database and frees the allocated resources.

func (*Server) DumpClientConfig added in v0.2.7

func (svr *Server) DumpClientConfig(username, path string) error

DumpClientConfig generates the .ovpn file for the given vpn user and dumps it to path.

func (*Server) DumpsClientConfig added in v0.2.7

func (svr *Server) DumpsClientConfig(username string) (string, error)

DumpsClientConfig generates .ovpn file for the given vpn user and returns it as a string.

func (*Server) Emit added in v0.2.7

func (svr *Server) Emit() error

Emit generates all needed files for the OpenVPN server and dumps them to their corresponding paths defined in the config.

func (*Server) EmitWithRestart added in v0.2.7

func (svr *Server) EmitWithRestart() error

EmitWithRestart restarts vpnProc after calling Emit().

func (*Server) ExpiresAt added in v0.2.7

func (svr *Server) ExpiresAt() time.Time

ExpiresAt returns the expiry date time of the server cert.

func (*Server) GetCACert

func (svr *Server) GetCACert() string

GetCACert returns vpn server's cacert.

func (*Server) GetCAKey

func (svr *Server) GetCAKey() string

GetCAKey returns vpn server's cakey.

func (*Server) GetCRL

func (svr *Server) GetCRL() string

GetCRL returns vpn server's crl.

func (*Server) GetConnectedUsers added in v0.2.7

func (svr *Server) GetConnectedUsers() ([]User, error)

GetConnectedUsers will return a list of users who are currently connected to the VPN service.

func (*Server) GetCreatedAt

func (svr *Server) GetCreatedAt() string

GetCreatedAt returns server's creation time.

func (*Server) GetDNS

func (svr *Server) GetDNS() string

GetDNS returns vpn server's dns.

func (*Server) GetHostname

func (svr *Server) GetHostname() string

GetHostname returns vpn server's hostname.

func (*Server) GetKeepalivePeriod added in v0.2.8

func (svr *Server) GetKeepalivePeriod() string

func (*Server) GetKeepaliveTimeout added in v0.2.8

func (svr *Server) GetKeepaliveTimeout() string

func (*Server) GetKey

func (svr *Server) GetKey() string

GetKey returns vpn server's key.

func (*Server) GetMask

func (svr *Server) GetMask() string

GetMask returns vpn server's mask.

func (*Server) GetNet

func (svr *Server) GetNet() string

GetNet returns vpn server's net.

func (*Server) GetPort

func (svr *Server) GetPort() string

GetPort returns vpn server's port.

func (*Server) GetProto

func (svr *Server) GetProto() string

GetProto returns vpn server's proto.

func (*Server) GetSerialNumber

func (svr *Server) GetSerialNumber() string

GetSerialNumber returns server's serial number.

func (*Server) GetServerName

func (svr *Server) GetServerName() string

GetServerName returns server's name.

func (*Server) GetSystemCA added in v0.2.7

func (svr *Server) GetSystemCA() (*pki.CA, error)

GetSystemCA returns the system CA from the database if available.

func (*Server) Init added in v0.2.7

func (svr *Server) Init(hostname string, port string, proto string, ipblock string, dns string, keepalivePeriod string, keepaliveTimeout string, useLZO bool) error

Init regenerates keys and certs for a Root CA, gets initial settings for the VPN server and saves them in the database.

'proto' can be either "udp" or "tcp"; if it is "" it defaults to "udp".

'ipblock' is an IP network in CIDR form. VPN clients get their IP addresses from this network. It defaults to the const 'DefaultVPNNetwork'.

'keepalivePeriod' is the ping period to check whether the remote peer is alive. It defaults to the const 'DefaultKeepalivePeriod'.

'keepaliveTimeout' is the ping timeout after which the remote peer is assumed to be down. It defaults to the const 'DefaultKeepaliveTimeout'.

'useLZO' determines whether to use the lzo compression algorithm to support older clients. It defaults to false due to security issues and deprecation.

Please note that Init is a potentially destructive procedure: it invalidates the existing .ovpn profiles of the current users, so it should be used carefully.

func (*Server) IsInitialized added in v0.2.7

func (svr *Server) IsInitialized() bool

IsInitialized checks if there is a default VPN server configured in the database or not.

func (*Server) IsUseLZO added in v0.2.8

func (svr *Server) IsUseLZO() bool

func (*Server) Refresh added in v0.2.7

func (svr *Server) Refresh() error

Refresh synchronizes the server instance from db.

func (*Server) RestartVPNProc added in v0.2.7

func (svr *Server) RestartVPNProc()

RestartVPNProc restarts the OpenVPN process.

func (*Server) StartVPNProc added in v0.2.7

func (svr *Server) StartVPNProc()

StartVPNProc starts the OpenVPN process.

func (*Server) StopVPNProc added in v0.2.7

func (svr *Server) StopVPNProc()

StopVPNProc stops the OpenVPN process.

func (*Server) Update added in v0.2.7

func (svr *Server) Update(ipblock string, dns string, useLzo *bool) error

Update updates VPN server attributes.

type User

type User struct {
	// contains filtered or unexported fields
}

User represents a vpn user.

func CreateNewUser

func CreateNewUser(username, password string, nogw bool, hostid uint32, admin bool, description string) (*User, error)

CreateNewUser creates a new user with the given username and password in the database. If nogw is true, then ovpm doesn't push the vpn server as the default gateway for the user.

It also generates the necessary client keys and signs certificates with the current server's CA.

func GetAllUsers

func GetAllUsers() ([]*User, error)

GetAllUsers returns all recorded users in the database.

func GetUser

func GetUser(username string) (*User, error)

GetUser finds and returns the user with the given username from database.

func GetUserByToken added in v0.1.15

func GetUserByToken(token string) (*User, error)

GetUserByToken finds and returns the user with the given token from database.

func (*User) CheckPassword

func (u *User) CheckPassword(password string) bool

CheckPassword returns whether the given password is correct for the user.

func (*User) ConnectionStatus added in v0.2.7

func (u *User) ConnectionStatus() (isConnected bool, connectedSince time.Time, bytesSent uint64, bytesReceived uint64)

ConnectionStatus returns information about user's connection to the VPN server.

func (*User) Delete

func (u *User) Delete() error

Delete deletes a user by the given username from the database.

func (*User) ExpiresAt added in v0.2.7

func (u *User) ExpiresAt() time.Time

ExpiresAt returns user's certificate expiration date time.

func (*User) GetCert

func (u *User) GetCert() string

GetCert returns user's public certificate.

func (*User) GetCreatedAt

func (u *User) GetCreatedAt() string

GetCreatedAt returns user's creation time.

func (*User) GetDescription added in v0.2.8

func (u *User) GetDescription() string

func (*User) GetHostID

func (u *User) GetHostID() uint32

GetHostID returns user's Host ID.

func (*User) GetIPNet

func (u *User) GetIPNet() string

GetIPNet returns user's vpn ip network. (e.g. 192.168.0.1/24)

func (*User) GetServerSerialNumber

func (u *User) GetServerSerialNumber() string

GetServerSerialNumber returns user's server serial number.

func (*User) GetUsername

func (u *User) GetUsername() string

GetUsername returns user's username.

func (*User) IsAdmin

func (u *User) IsAdmin() bool

IsAdmin returns whether user is admin or not.

func (*User) IsNoGW

func (u *User) IsNoGW() bool

IsNoGW returns whether user is set to get the vpn server as their default gateway.

func (*User) Renew

func (u *User) Renew() error

Renew creates a key and a certificate signed by the current server's CA.

This is often used to re-sign users when the current CA has changed while there are still existing users in the database.

It can also be used when a user's cert has expired, or the user's private key is stolen, missing, etc.

func (*User) RenewToken added in v0.1.15

func (u *User) RenewToken() (string, error)

RenewToken generates a new AuthToken and sets it to the db.

func (*User) ResetPassword

func (u *User) ResetPassword(password string) error

ResetPassword resets the user's password to the provided password.

func (*User) Update

func (u *User) Update(password string, nogw bool, hostid uint32, admin bool, description string) error

Update updates the user's attributes and writes them to the database.

This method works similarly to the PUT semantics of REST: it sets the user record fields to the provided function arguments.

func (*User) ValidateToken added in v0.1.15

func (u *User) ValidateToken(token string) bool

ValidateToken returns whether the given token is valid or not.

Directories

Path Synopsis
api
pb Package pb is a reverse proxy.
cmd
permset Package permset provides primitives for permission management.
pki Package pki contains bits and pieces to work with OpenVPN PKI related operations.
supervisor Package supervisor provides a generic API to watch and manage Unix processes.
