OpenVPN TAP/bridge or TUN (host-based) server web administration interface in a Docker container. Intended for use with PiVPN (on amd64/arm64/armv7 versions of Debian or Ubuntu, or on ARM64/ARMv7 with Raspberry Pi OS). PiVPN should be installed first and OpenVPN 2.5.x or above required!
Here's a post on setting PiVPN in TAP server mode. It's written for the Raspberry Pi, but the steps are the same on Debian or Ubuntu. One exception is your physical ethernet adapter, which will likely not be eth0 in the openvpn-bridge script:
IMPORTANT: On Debian 11 and its derivations, the bridge-conf, bridge-start and bridge-stop scripts defined here work much better than the classic openvpn-bridge script for TAP installations:
No need to replace your openvpn@.service file, just insert the bridge-start and bridge-stop lines in the same relative locations in your existing file. build-client and server.conf are not needed either.
Goal: create quick to deploy and easy to use solution that makes work with small OpenVPN environments a breeze.
If you have docker and Portainer installed, you can jump directly to installation.
If you have a functioning OpenVPN TAP or TUN Server on the same host as your Docker containers, you should be able to use this fork to monitor OpenVPN connections.
Certificate generation and management is also available, and should be compatible with PiVPN. You can use either this web-ui to create client certificates, or use PiVPN from the commandline. Use PiVPN from the commandline (with elevated privileges) to revoke certificates.
- to create a version of this project that will work with OpenVPN TAP and TUN servers created using PiVPN (amd64, arm64 or ARMv7 )
- status page that shows server statistics and list of connected clients
- easy creation of client certificates
- ability to download client certificates as a zip package with client configuration inside or as a single .ovpn file
- log preview
- modification of OpenVPN configuration file through web interface
- this fork is especially designed to use an external version of OpenVPN configured for TAP (bridge) -- which is probably not possible via Docker
- works with host-based PiVPN TUN servers now too!
After startup web service is visible on port 8080. To login use the following default credentials:
- username: admin
- password: b3secure
Please change password to your own immediately!
Requirements:
- Docker, Portainer, PiVPN, Debian or Ubuntu
- on firewall open ports: 8080/tcp
Setup your Portainer Stacks page as shown on an amd64/arm64/armv7 machine running Debian or its derivations, inserting environment variables for creating certificates. Also, you'll need the unique ID assigned by PiVPN to the server (the name used for the server certificate and key, which is the hostname followed by a series of numbers, letters and dashes). And finally, you'll need to supply the name of the server configuration file you'd like to use (usually server.conf):
Copy and paste this into the Portainer Environment variables section in Advanced Mode, then switch to Simple mode to input your values. Replace the ${variable} with your actual values, and remove the comment portions that begin with #. Leave USERNAME and PASSWORD default values, as you'll change those after you login for the first time by clicking on Admistrator - Profile:
OPENVPN_ADMIN_USERNAME=admin # Leave this default as-is and update on first-run
OPENVPN_ADMIN_PASSWORD=b3secure # Leave this default as-is and update on first-run
COUNTRY=${COUNTRY} # Two character country code. Country, Province, City, Org and OU are used by EasyRSA
PROVINCE=${PROVINCE} # Province or State
CITY=${CITY}
ORG=${ORG} # Organization - Use your company name here or make one up
EMAIL=${EMAIL}
OU=${OU} # Organizational Unit - Use your company department name or make one up
PIVPN_SERVER=${PIVPN_SERVER} # The unique name used for your server's certificate and key. Found in the /etc/openvpn/server.conf file.
PIVPN_CONF=${PIVPN_CONF} # Filename for your OpenVPN server configuration - usually server.conf
TZ=${TZ} # Your OpenVPN server's timezoneThis fork uses a single docker container with the OpenVPNAdmin web application. Through a docker volume it creates following directory structure for the database, but otherwise links to /etc/openvpn in the host. The intention is for PiVPN to be able to operate as usual, with PiVPN commanline options still available:
.
├── docker-compose.yml
└── openvpn-data
└── db
└── data.db
Requirements:
Optional, but highly recommended:
Portainer, Cockpit and pivpn-tap-web-ui can all be added as "vertical" tabs in organizr, for a clean single tab in your browser. All are iFrame compatible when accessed via http:// -- it'll work with https:// too, but not in the iFrame (new tab will open). watchtower can be setup to run once and then stop, updating all of your containers (including Portainer and watchtower itself).
Requirements:
Optional, but recommended:
Execute commands:
go get github.com/bnhf/openvpn-admin-plus
cd $GOPATH/src/github.com/bnhf/openvpn-admin-plus
go mod tidy
bee run -gendoc=true
bee pack -exr='^vendor|^data.db|^build|^README.md|^docs'
cd build
./build.sh
For building on ARM64 or ARMv7:
In the dockerfile inside the build folder, comment out debian:bullseye as a source,
and uncomment balenalib/raspberry-pi-debian:latest (ARMv7 only)
In build.sh, change the docker build to <your-docker-hub-repo-here>/pivpn-tap-web-ui:arm64 (or armv7)
It's highly recommended that you use Visual Studio Code with the "Remote - SSH" extension
(in addition to the "Go" extension of course) from a more powerful machine
- Test with TUN and TAP running concurrently
This project uses MIT license
Numerous things have been updated to bring this project forward from its 2017 roots. It's now based on Debian 11 (in the container build), and is using the latest OpenVPN and EasyRSA, thanks to PiVPN. All of the project dependencies (vendoring) have been updated to current levels in 2022.
Courtsey of @tyzbit, the ability to specify DNS servers, and additional client/server options have been added. Also @mendoza-conicet contributed code for being able to download a single .ovpn file. Many issues have been addressed related to adapting this package for use with a host-based server, and related to all of the latest versions of the dependencies.
And, of course, many thanks to @adamwalach for his excellent original work to create this project!
AdminLTE - dashboard & control panel theme. Built on top of Bootstrap 3.
