OpenVPN Manager is a comprehensive system for automated certificate management and OpenVPN profile generation. It provides a complete solution for organizations that need to manage OpenVPN access at scale while maintaining security controls and audit trails.
Traditional OpenVPN deployments often suffer from several critical issues:
- Manual certificate management leading to security vulnerabilities and operational overhead
- Lack of audit trails for issued certificates and access grants
- Poor user experience with complex manual configuration processes
- Security risks from shared certificates or weak key management
- Operational complexity in managing certificates across multiple users and devices
OpenVPN Manager addresses these challenges by providing:
- Automated certificate lifecycle management with secure key isolation
- Complete audit trail through Certificate Transparency logging
- Self-service user portal with OIDC authentication
- API-driven automation for server and client deployments
- Microservice architecture with clear separation of concerns
The system consists of three core microservices that work together to provide secure, auditable OpenVPN certificate management:
- Frontend Service - Web UI and REST API for users and administrators
- Signing Service - Isolated certificate signing service
- Certificate Transparency Service - Immutable audit log of all issued certificates
- PKI Tool - Offline root and intermediate CA generation
- OpenVPN Config Tool - Client CLI for profile retrieval and management
- Architecture Overview - Detailed system design and component interactions
- Deployment Guide - Production deployment with Docker Compose and Kubernetes
- Using the Service - End-user guide for generating OpenVPN profiles
- Administrator Guide - Admin workflows for PSK management and certificate review
- API Documentation - Complete REST API specification
- Function Call Mapping - Complete function dependency mapping across all services
- Route Execution Chains - Detailed execution traces from routes to leaf functions
- Docker Deployment - Production Docker Compose setup
- Kubernetes Deployment - Production Kubernetes Helm charts
- Microservice architecture with service isolation and defined interfaces
- Service separation patterns for user/admin service isolation and scaling
- Certificate Transparency logging for complete audit trail
- OIDC integration with enterprise identity providers
- Modern cryptography with Ed25519 and RSA key support
- Network segmentation between frontend, signing, and database tiers
- API authentication with secure token-based access control
- Comprehensive security testing defending against OWASP Top 10 vulnerabilities
- Attack resistance including SQL injection, XSS, timing attacks, and DoS protection
- Input validation and sanitization with constant-time comparison algorithms
- Generate PKI materials: Use the PKI tool to create root and intermediate CAs
- Deploy services: Follow the Docker deployment guide for a quick start
- Configure OIDC: Set up authentication with your identity provider
- Create server certificates: Use the admin interface to generate server configurations
- Issue user certificates: Users can self-service through the web portal
- Python 3.9+
- Docker and Docker Compose
- PostgreSQL (for production) or SQLite (for development)
- OIDC-compatible identity provider
make testAll services maintain 100% test coverage with comprehensive unit, integration, and end-to-end testing, including:
- 44 comprehensive security tests covering red team, blue team, and bug bounty attack scenarios
- OWASP Top 10 vulnerability testing with real vulnerability discovery and remediation
- Constant-time comparison algorithms preventing timing attacks
- Complete input validation coverage with edge case and Unicode handling
# Clone the repository
git clone https://github.com/openvpn-manager/end-to-end-tests openvpn-manager --recurse-submodules
cd openvpn-manager
# Start development environment
cd tests
docker-compose up -d
# Run integration tests
make testContributions are welcome! Since this is Free Software:
- No copyright assignment needed, but will be gratefully received
- Feature requests and improvements are gratefully received, however they may not be implemented due to time constraints or if they don't align with the developer's vision for the project
- Please ensure all tests pass and maintain 100% code coverage
- Follow the existing code style and architectural patterns
- All code must pass linting and security checks
- 100% test coverage requirement for all new code
- Security-first design principles
- Comprehensive function documentation with examples, security considerations, and parameter documentation
- Complete route traceability from API endpoints to leaf functions for debugging
- Security-focused documentation including timing attack prevention and cryptographic rationale
This software is released under the GNU Affero General Public License version 3.
The AGPL v3 license ensures that any modifications to this software, including those used to provide network services, must be made available under the same license terms. This promotes collaborative development while preventing proprietary capture of the codebase.
This code was developed with assistance from AI tools. While released under a permissive license that allows unrestricted reuse, we acknowledge that portions of the implementation may have been influenced by AI training data. Should any copyright assertions or claims arise regarding uncredited imported code, the affected portions will be rewritten to remove or properly credit any unlicensed or uncredited work.
- Documentation: Start with this README and explore the linked guides
- Issues: Report bugs and feature requests through the project issue tracker
- Security: Report security vulnerabilities to jon+openvpnmanagersecurity@sprig.gs
Built with security, scalability, and user experience in mind. Deploy with confidence.