initial commit

Author: Adam Wałach

.gitignore

@@ -0,0 +1,3 @@
+/data.db
+/openvpn-web-ui*
+/lastupdate.tmp

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Adam Wałach
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,114 @@
+# OpenVPN-web-ui
+
+## Summary
+OpenVPN server web administration interface.
+
+Goal: create quick to deploy and easy to use solution that makes work with small OpenVPN environments a breeze.
+
+![Status page](docs/images/preview_status.png?raw=true)
+
+Please note this project is in alpha stage. It still needs some work to make it secure and feature complete.
+
+## Motivation
+
+
+
+## Features
+
+* status page that shows server statistics and list of connected clients
+* easy creation of client certificates
+* ability to download client certificates as a zip package with client configuration inside
+* log preview
+* modification of OpenVPN configuration file through web interface
+
+## Screenshots
+
+[Screenshots](docs/screenshots.md)
+
+## Usage
+
+After startup web service is visible on port 8080. To login use the following default credentials:
+
+username: admin
+
+password: b3secure (this will be soon replaced with random password)
+
+Please change password to your own immediately!
+
+### Prod
+
+Requirements:
+* docker and docker-compose
+* on firewall open ports: 1194/udp and 8080/tcp
+
+Execute commands
+
+    curl -O https://raw.githubusercontent.com/adamwalach/openvpn-web-ui/master/docs/docker-compose.yml
+    docker-compose up -d
+
+It starts two docker containers. One with OpenVPN server and second with OpenVPNAdmin web application. Through a docker volume it creates following directory structure:
+
+
+    .
+    ├── docker-compose.yml
+    └── openvpn-data
+        ├── conf
+        │   ├── dh2048.pem
+        │   ├── ipp.txt
+        │   ├── keys
+        │   │   ├── 01.pem
+        │   │   ├── ca.crt
+        │   │   ├── ca.key
+        │   │   ├── index.txt
+        │   │   ├── index.txt.attr
+        │   │   ├── index.txt.old
+        │   │   ├── serial
+        │   │   ├── serial.old
+        │   │   ├── server.crt
+        │   │   ├── server.csr
+        │   │   ├── server.key
+        │   │   └── vars
+        │   ├── openvpn.log
+        │   └── server.conf
+        └── db
+            └── data.db
+
+
+
+### Dev
+
+Requirements:
+* golang environments
+* [beego](https://beego.me/docs/install/)
+
+Execute commands:
+
+    go get github.com/adamwalach/openvpn-web-ui
+    cd $GOPATH/src/github.com/adamwalach/openvpn-web-ui
+    bee run -gendoc=true
+
+## Todo
+
+* add option to modify certificate properties
+* generate random admin password at initialization phase
+* add versioning
+
+
+## License
+
+This project uses [MIT license](LICENSE)
+
+## Remarks
+
+### Vendoring
+https://github.com/kardianos/govendor is used for vendoring.
+
+To update dependencies from GOPATH:
+
+`govendor update +v`
+
+### Template
+AdminLTE - dashboard & control panel theme. Built on top of Bootstrap 3.
+
+Preview: https://almsaeedstudio.com/themes/AdminLTE/index2.html
+

build/Dockerfile

@@ -0,0 +1,15 @@
+FROM debian:jessie
+WORKDIR /opt
+EXPOSE 8080
+
+RUN apt-get update && apt-get install -y easy-rsa
+RUN chmod 755 /usr/share/easy-rsa/*
+ADD assets/start.sh /opt/start.sh
+ADD assets/generate_ca_and_server_certs.sh /opt/scripts/generate_ca_and_server_certs.sh
+ADD assets/vars.template /opt/scripts/
+
+ADD openvpn-web-ui.tar.gz /opt/openvpn-gui/
+RUN rm -f /opt/openvpn-gui/data.db
+ADD assets/app.conf /opt/openvpn-gui/conf/app.conf
+
+CMD /opt/start.sh

build/assets/app.conf

@@ -0,0 +1,9 @@
+appname = openvpn-web-ui
+httpport = 8080
+runmode = prod
+EnableGzip = true
+EnableAdmin = false
+sessionon = true
+CopyRequestBody = true
+
+DbPath = "/opt/openvpn-gui/db/data.db"

build/assets/generate_ca_and_server_certs.sh

@@ -0,0 +1,25 @@
+#!/bin/bash -e
+
+CA_NAME=LocalCA
+SERVER_NAME=server
+EASY_RSA=/usr/share/easy-rsa
+
+mkdir -p /etc/openvpn/keys
+touch /etc/openvpn/keys/index.txt
+echo 01 > /etc/openvpn/keys/serial
+cp -f /opt/scripts/vars.template /etc/openvpn/keys/vars
+
+$EASY_RSA/clean-all
+source /etc/openvpn/keys/vars
+export KEY_NAME=$CA_NAME
+echo "Generating CA cert"
+#$EASY_RSA/build-ca
+export EASY_RSA="${EASY_RSA:-.}"
+
+$EASY_RSA/pkitool --initca $*
+
+export KEY_NAME=$SERVER_NAME
+
+echo "Generating server cert"
+#$EASY_RSA/build-key-server $SERVER_NAME
+$EASY_RSA/pkitool --server $SERVER_NAME

build/assets/start.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+OVDIR=/etc/openvpn
+
+cd /opt/
+
+if [ ! -f $OVDIR/.provisioned ]; then
+  echo "Preparing certificates"
+  mkdir -p $OVDIR
+  ./scripts/generate_ca_and_server_certs.sh
+  openssl dhparam -dsaparam -out $OVDIR/dh2048.pem 2048
+  touch $OVDIR/.provisioned
+fi
+cd /opt/openvpn-gui
+mkdir -p db
+./openvpn-web-ui
+echo "Starting!"
+

build/assets/vars.template

@@ -0,0 +1,80 @@
+# easy-rsa parameter settings
+
+# NOTE: If you installed from an RPM,
+# don't edit this file in place in
+# /usr/share/openvpn/easy-rsa --
+# instead, you should copy the whole
+# easy-rsa directory to another location
+# (such as /etc/openvpn) so that your
+# edits will not be wiped out by a future
+# OpenVPN package upgrade.
+
+# This variable should point to
+# the top level of the easy-rsa
+# tree.
+export EASY_RSA="/usr/share/easy-rsa"
+
+#
+# This variable should point to
+# the requested executables
+#
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="/etc/openvpn/keys"
+
+# Issue rm -rf warning
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="NY"
+export KEY_CITY="New York"
+export KEY_ORG="dummy"
+export KEY_EMAIL="[email protected]"
+export KEY_OU="IT"
+
+# X509 Subject Field
+export KEY_NAME="iXa-CA"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# export KEY_CN="CommonName"

build/build.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -e
+
+PKGFILE=openvpn-web-ui.tar.gz
+
+cp -f ../$PKGFILE ./
+
+docker build -t awalach/openvpn-web-ui .
+
+rm -f $PKGFILE

build/pack.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -e
+
+time docker run \
+    -v "$PWD/../":/go/src/github.com/adamwalach/openvpn-web-ui \
+    --rm \
+    -w /usr/src/myapp \
+    awalach/beego:1.8.1 \
+    sh -c "cd /go/src/github.com/adamwalach/openvpn-web-ui/ && bee version && bee pack -exr='^vendor|^data.db|^build|^README.md|^docs'"

conf/app.conf

@@ -0,0 +1,9 @@
+appname = openvpn-web-ui
+httpport = 8080
+runmode = dev
+EnableGzip = true
+EnableAdmin = true
+sessionon = true
+CopyRequestBody = true
+
+DbPath = "./data.db"

conf/openvpn-client-config.tpl

@@ -0,0 +1,18 @@
+dev tun
+persist-tun
+persist-key
+client
+resolv-retry infinite
+remote {{ .ServerAddress }} {{ .Port }} {{ .Proto }}
+lport 0
+
+cipher {{ .Cipher }}
+keysize {{ .Keysize }}
+auth {{ .Auth }}
+tls-client
+
+ca {{ .Ca }}
+cert {{ .Cert }}
+key {{ .Key }}
+
+comp-lzo

conf/openvpn-server-config.tpl

@@ -0,0 +1,34 @@
+management {{ .Management }}
+
+port {{ .Port }}
+proto {{ .Proto }}
+
+dev tun
+
+ca {{ .Ca }}
+cert {{ .Cert }}
+key {{ .Key }}
+
+cipher {{ .Cipher }}
+keysize {{ .Keysize }}
+auth {{ .Auth }}
+dh {{ .Dh }}
+
+server 10.8.0.0 255.255.255.0
+ifconfig-pool-persist {{ .IfconfigPoolPersist }}
+push "route 10.8.0.0 255.255.255.0"
+push "dhcp-option DNS 8.8.8.8"
+push "dhcp-option DNS 8.8.4.4"
+
+keepalive {{ .Keepalive }}
+
+comp-lzo
+max-clients {{ .MaxClients }}
+
+persist-key
+persist-tun
+
+log         openvpn.log
+verb 3
+
+mute 10