SafeVPN is an open-source secure remote access solution licensed under GPLv3. It is designed to provide a secure remote access channel, prevent data leakage and unauthorized access, and strengthen auditing.
Pain point: some important clients need external technicians to remotely handle server-side issues, but their data must not be leaked. How can data leakage be prevented effectively in this scenario?
Solution: allow remote access via VPN while prohibiting data copying, and at the same time strengthen operation recording and auditing.
- Secure Remote Access Channel: Encrypted tunnels based on OpenVPN/WireGuard
- Traffic Control: Restrict traffic and access via iptables/ufw
- Mandatory Audit Logging: Non-erasable audit logs with centralized management support
- Permission Isolation: Principle of least privilege to prevent unauthorized operations
SafeVPN adopts a multi-layered security architecture:
- VPN/Remote Access Channel: Provides encrypted remote connections
- Traffic Control: Limits data transmission and access scope
- Mandatory Logging: Records all operations and prevents log tampering
- Permission Isolation: Principle of least privilege to prevent privilege escalation
| Functional Module | Recommended Open-Source Tools | Core Capabilities |
|---|---|---|
| Remote Access Channel | OpenVPN/WireGuard | Encrypted tunnels, identity authentication, access control |
| Traffic & Copy Restriction | iptables/ufw, SSH Configuration | Port blocking, traffic throttling, file transfer prohibition |
| Mandatory Audit Logging | syslog-ng/rsyslog + Log Server | Centralized logging, read-only storage, tamper prevention |
| Session Management | OpenSSH+PAM, Teleport | Session auditing, command logging, privilege minimization |
- Linux server (Ubuntu 20.04+ recommended)
- Network connectivity
- Sufficient storage space for log retention
- Clone the project

  ```bash
  git clone https://github.com/chinagloud/SafeVPN.git
  cd SafeVPN
  ```

- Execute the installation script

  ```bash
  chmod +x install.sh
  ./install.sh
  ```

- Configure services

  Modify the configuration files according to your actual requirements:

  - `config/openvpn/server.conf` - OpenVPN server configuration
  - `config/iptables/rules.v4` - iptables rules configuration
  - `config/ssh/sshd_config` - SSH service configuration
  - `config/syslog-ng/syslog-ng.conf` - logging configuration

- Start services

  ```bash
  systemctl start openvpn@server
  systemctl start syslog-ng
  systemctl restart ssh
  ```

- Configure the OpenVPN server
  - Enable certificate authentication (CA-signed)
  - Disable password-based login
  - Allow only authorized clients to connect
- Configure iptables rules
  - Restrict clients to the specified service ports only
  - Block access to file sharing ports
- SSH server configuration
  - Disable the SCP and SFTP subsystems
  - Allow only remote command execution
  - Prohibit file transfer operations
- File system permissions
  - Set read-only permissions on critical directories
  - Use AppArmor/SELinux to restrict the read/write scope of processes
- Configure syslog-ng
  - Forward logs to an independent log server in real time
  - Deploy the log server with read-only storage
- Enable OpenSSH logging
  - Record all session operations
  - Include timestamp, IP address, username, commands and other details
- Use PAM modules
  - Log all user input
  - Implement session recording with tools such as Teleport
- Principle of least privilege
  - Assign dedicated accounts to remote users
  - Grant only the permissions necessary to complete the task
  - Prohibit root account login
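As an added example (not code from the SafeVPN project), the following POSIX shell script audits an `sshd_config` file against the SSH items of the checklist above: no SFTP subsystem, no root login, no password login, no TCP forwarding. The OpenSSH directive names are real; the two sample configs, the temp-file usage and the group name `remote-tech` are constructed for the demo.

```shell
# Added example, not part of the SafeVPN repository: audit an sshd_config file
# against the SSH items of the checklist above. Directive names are real
# OpenSSH keywords; the sample configs and the group name "remote-tech" are
# constructed for this demo.

# Print the first top-level value of a keyword, lower-cased (sshd honours the
# first occurrence; values inside Match blocks are conditional, so stop there).
sshd_get() {  # sshd_get FILE KEYWORD
    awk -v k="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k       { print tolower($2); exit }
    ' "$1"
}

# Compare a keyword with the policy value; an absent keyword means sshd's
# built-in default applies, which is what gets reported.
sshd_expect() {  # sshd_expect FILE KEYWORD WANTED DEFAULT
    v=$(sshd_get "$1" "$2")
    [ -n "$v" ] || v="$4"
    [ "$v" = "$3" ] && return 0
    echo "FAIL: $2 is '$v', policy requires '$3'"
    return 1
}

# Returns 0 when FILE satisfies the policy, 1 otherwise (one FAIL line each).
sshd_audit() {
    rc=0
    # "Subsystem sftp ..." must be absent; scp itself runs over the login shell,
    # so a restricted shell or ForceCommand is still needed on top of this.
    if grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp' "$1"; then
        echo "FAIL: sftp subsystem enabled, SFTP file transfer possible"; rc=1
    fi
    sshd_expect "$1" PermitRootLogin        no prohibit-password || rc=1
    sshd_expect "$1" PasswordAuthentication no yes               || rc=1
    sshd_expect "$1" AllowTcpForwarding     no yes               || rc=1
    return $rc
}

# Constructed samples: a stock-looking config and a SafeVPN-style hardened one.
weak_config() {
    printf '%s\n' '#PermitRootLogin prohibit-password' \
        'Subsystem sftp /usr/lib/openssh/sftp-server' 'PasswordAuthentication yes'
}
hardened_config() {
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'AllowTcpForwarding no' '# Subsystem sftp disabled on purpose' \
        'Match Group remote-tech' '    AllowTcpForwarding no'
}
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config`; note that it reads a single file, so drop-ins under `sshd_config.d/` must be checked separately.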
- Log Tamper Protection: Use RAID storage and regular offline backups
- Traffic Anomaly Detection: Deploy IDS systems such as Suricata
- Multi-Factor Authentication: Enable two-factor authentication for OpenVPN and SSH access
| Solution Combination | Advantages | Limitations | Application Scenarios |
|---|---|---|---|
| OpenVPN+iptables+syslog-ng | Easy deployment, low cost | Manual rule configuration required, log analysis relies on third-party tools | Small and medium-sized enterprises, personal servers |
| WireGuard+Teleport+Rsyslog | High performance, robust audit capabilities | Steeper learning curve, Teleport requires paid enterprise edition for advanced features | Scenarios with high performance and audit requirements |
| RustDesk (self-hosted) + Local Permission Control | Graphical remote desktop, high usability | Weak data copy restriction capabilities, requires additional system permission configuration | Remote assistance, non-sensitive data access |
- VPN connection failure
  - Check network connectivity
  - Verify the certificate configuration
  - Review the OpenVPN logs
- Missing log records
  - Check the syslog-ng service status
  - Validate the logging configuration
  - Verify connectivity to the log server
- Ineffective traffic restrictions
  - Check the iptables rules
  - Verify the firewall status
  - Test the connection ports
Contributions in the form of code, documentation, or suggestions are welcome. Please follow these steps:
- Fork the project
- Create a feature branch
- Commit your changes
- Submit a Pull Request
This project is licensed under GPLv3 - see the LICENSE file for details.
- Project URL: https://github.com/chinagloud/SafeVPN
- Issue Reporting: https://github.com/chinagloud/SafeVPN/issues
Security Note: Regularly update the system and components to maintain up-to-date security configurations.