new awesome build

Антон
2026-01-28 22:37:47 +03:00
parent 848646003c
commit fcb8f6bac7
119 changed files with 7291 additions and 5575 deletions


@@ -204,4 +204,33 @@ SSL Certificate expiration tracking.
Simple list of clients (Common Name + Status) for UI dropdowns.
### `GET /health`
Database connectivity check. Returns `{"status": "healthy"}`.
Database connectivity check. Returns `{"status": "healthy"}`.
---
## 7. Active Sessions
Real-time list of currently connected clients.
### `GET /sessions`
#### Example Response
```json
{
"success": true,
"count": 1,
"data": [
{
"client_id": 5,
"common_name": "user-bob",
"real_address": "192.168.1.50",
"connected_since": "2026-01-09 10:00:00",
"last_seen": "2026-01-09 12:00:00",
"bytes_received": 1048576,
"bytes_sent": 524288,
"received_mb": 1.0,
"sent_mb": 0.5
}
]
}
```
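Review bot: the two identical `Database connectivity check` lines under `GET /health` read as an unchanged line plus its duplicate in this rendering; confirm the file ends up with one. The `/sessions` response also lists each client's `real_address` and traffic counters, so this endpoint belongs behind the same `@token_required` decorator that the Implementation Plan applies to the rest of `/api/v1`.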


@@ -0,0 +1,114 @@
# Процесс аутентификации в OpenVPN Monitor
Аутентификация в приложении реализована с использованием **Flask** и **JWT (JSON Web Tokens)**. Ниже приведено подробное описание механизмов и примеры использования API из консоли.
---
## 1. Логика работы
Механизм аутентификации поддерживает два режима: стандартный вход и вход с двухфакторной аутентификацией (2FA).
### Основные этапы:
1. **Запрос на вход (`POST /api/auth/login`)**:
* Клиент отправляет `username` и `password`.
* Сервер проверяет хеш пароля с использованием **BCrypt**.
* **Защита (Rate Limiting)**: После 5 неудачных попыток IP-адрес блокируется на 15 минут.
2. **Выдача токена**:
* **Если 2FA отключена**: Сервер возвращает финальный JWT-токен (валиден 8 часов).
* **Если 2FA включена**: Сервер возвращает `temp_token` (валиден 5 минут) и флаг `requires_2fa: true`.
3. **Верификация 2FA (`POST /api/auth/verify-2fa`)**:
* Клиент отправляет `temp_token` и 6-значный код (OTP).
* Сервер проверяет код с помощью библиотеки `pyotp`.
* При успешной проверке выдается финальный JWT-токен.
---
## 2. Использование API через консоль
Для выполнения прямых вызовов API необходимо получить JWT-токен и передавать его в заголовке `Authorization`.
### Шаг 1: Аутентификация
#### Вариант А: 2FA отключена
Выполните запрос для получения токена:
```bash
curl -X POST http://<SERVER_IP>:5001/api/auth/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": "ваш_пароль"}'
```
В ответе придет JSON с полем `"token"`.
#### Вариант Б: 2FA включена (двухэтапный вход)
1. Получите временный токен:
```bash
curl -X POST http://<SERVER_IP>:5001/api/auth/login \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": "ваш_пароль"}'
```
Скопируйте `temp_token` из ответа.
2. Подтвердите вход кодом OTP:
```bash
curl -X POST http://<SERVER_IP>:5001/api/auth/verify-2fa \
-H "Content-Type: application/json" \
-d '{"temp_token": "ВАШ_TEMP_TOKEN", "otp": "123456"}'
```
Скопируйте финальный `token` из ответа.
### Шаг 2: Вызов защищенных методов
Используйте полученный токен в заголовке `Bearer`:
**Пример: Получение списка клиентов**
```bash
curl -H "Authorization: Bearer ВАШ_ТОКЕН" \
http://<SERVER_IP>:5001/api/v1/stats
```
**Пример: Просмотр сертификатов**
```bash
curl -H "Authorization: Bearer ВАШ_ТОКЕН" \
http://<SERVER_IP>:5001/api/v1/certificates
```
---
## 3. Быстрое получение токена из браузера
Если вы уже вошли в веб-интерфейс, токен можно быстро скопировать без лишних запросов:
1. Откройте панель разработчика (**F12**).
2. Перейдите на вкладку **Application** (или **Storage**).
4. Найдите ключ `ovpmon_token` — это и есть ваш текущий JWT-токен.
---
## 4. Account Management & 2FA Configuration
Endpoints for managing the current user's security settings.
### User Profile
`GET /api/v1/user/me`
Returns current user info and 2FA status.
```json
{ "success": true, "username": "admin", "is_2fa_enabled": false }
```
### Password Change
`POST /api/auth/change-password`
**Payload**: `{"current_password": "old", "new_password": "new"}`
### 2FA Setup Flow
1. **Initiate Setup**
`POST /api/auth/setup-2fa`
Returns a secret and a `otpauth://` URI for QR code generation.
2. **Enable 2FA**
`POST /api/auth/enable-2fa`
**Payload**: `{"secret": "GENERATED_SECRET", "otp": "123456"}`
Verifies the code and enables 2FA for the user.
3. **Disable 2FA**
`POST /api/auth/disable-2fa`
Disables 2FA (No payload required).
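Review bot: `POST /api/auth/disable-2fa` is documented as taking no payload, so anyone holding a valid bearer token (for example one copied from the `ovpmon_token` localStorage key described in section 3) can switch 2FA off silently; require the current OTP or the password in the body, mirroring `enable-2fa`. The per-IP lockout in step 1 only works behind the Nginx proxy if the Flask app takes the client address from `X-Real-IP`/`X-Forwarded-For`; otherwise every request arrives from 127.0.0.1 and five failed attempts lock out all users at once. Minor: sections 1 to 3 are in Russian and section 4 in English, the list in section 3 jumps from step 2 to step 4, and the curl examples use port 5001 while Deployment.md in this commit binds Gunicorn to 5000.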


@@ -39,7 +39,7 @@ To support long-term statistics without storing billions of rows, the `TimeSerie
A cleanup job runs once every 24 hours (on day change).
- It executes `DELETE FROM table WHERE timestamp < cutoff_date`.
- Thresholds are configurable in `config.ini` under `[retention]`.
- Thresholds are configurable in `APP_CORE/config.ini` under `[retention]`.
## Summary
The system employs a "Write-Optimized" approach. Instead of calculating heavy aggregates on-read (which would be slow), it pre-calculates them on-write. This ensures instant dashboard loading times even with years of historical data.
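Review bot: the retention path moves to `APP_CORE/config.ini`, but the OpenRC scripts and the Service Setup Guide added in the same commit still run the API from `/opt/ovpmon/APP`; the docs should agree on one layout so operators edit the file the running service actually reads.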

DOCS/General/Deployment.md Normal file

@@ -0,0 +1,110 @@
# Deployment Guide: OpenVPN Monitor & Profiler
This guide describes how to deploy the full suite on a fresh Linux server (Ubuntu/Debian).
## Architecture Overview
- **Frontend**: Vue.js (Built and served by Nginx) - `APP_UI`
- **Monitoring API (APP_CORE)**: Flask (Port 5000) - Real-time statistics.
- **Profiler API (APP_PROFILER)**: FastAPI (Port 8000) - Profile & Server management.
---
## 1. Prerequisites
- Python 3.10+
- Nginx
- OpenVPN & Easy-RSA (for the Profiler)
- Node.js & NPM (only for building the UI)
---
## 2. Shared Security Setup (Critical)
Both API services must share the same `SECRET_KEY` to recognize the same JWT tokens.
### A. Environment Variable (Recommended)
Add this to your shell profile (`~/.bashrc`) or your Systemd service files:
```bash
export OVPMON_SECRET_KEY='your-very-long-random-secret-key'
```
### B. Configuration File
Alternatively, set it in `APP_CORE/config.ini`:
```ini
[api]
secret_key = your-very-long-random-secret-key
```
---
## 3. Backend Deployment
### Monitoring API (Flask)
1. Navigate to `APP_CORE/`.
2. Create virtual environment: `python3 -m venv venv`.
3. Install dependencies: `venv/bin/pip install -r requirements.txt`.
4. Run with Gunicorn (production):
```bash
venv/bin/gunicorn -w 4 -b 127.0.0.1:5000 openvpn_api_v3:app
```
### Profiler API (FastAPI)
1. Navigate to `APP_PROFILER/`.
2. Create virtual environment: `python3 -m venv venv`.
3. **Important**: Uninstall potential conflicts and install PyJWT:
```bash
venv/bin/pip uninstall jwt PyJWT
venv/bin/pip install -r requirements.txt PyJWT
```
4. Run with Uvicorn:
```bash
venv/bin/uvicorn main:app --host 127.0.0.1 --port 8000
```
---
## 4. Frontend Deployment (Nginx)
### Build the UI
1. Navigate to `UI/client`.
2. Install: `npm install`.
3. Build: `npm run build`.
4. Copy `dist/` contents to `/var/www/ovpmon/`.
### Nginx Configuration
Create `/etc/nginx/sites-available/ovpmon`:
```nginx
server {
listen 80;
server_name your_domain_or_ip;
root /var/www/ovpmon;
index index.html;
# Frontend Routing
location / {
try_files $uri $uri/ /index.html;
}
# Monitoring API (Flask)
location /api/v1/ {
proxy_pass http://127.0.0.1:5000/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
# Profiler API (FastAPI)
location /profiles-api/ {
proxy_pass http://127.0.0.1:8000/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
```
---
## 5. First Run & Initialization
1. Access the UI via browser.
2. Login with default credentials: `admin` / `password`.
3. **Immediately** change the password and set up 2FA in the Settings/Profile section.
4. If using the Profiler, ensure the `easy-rsa` directory is present and initialized via the UI.
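Review bot: the Nginx server block only proxies `/api/v1/` to Flask, so the `/api/auth/login` and `/api/auth/verify-2fa` calls documented in Authentication.md fall through to `location /` and get `index.html` back; add a `location /api/auth/` block like the one in the Nginx Configuration Guide. The `proxy_pass http://127.0.0.1:5000/api/;` target also strips the `v1` segment, and the port (5000 here, 5001 in the Nginx guide and the curl examples) disagrees across the docs. The `export OVPMON_SECRET_KEY` in `~/.bashrc` is not inherited by the systemd units added in this commit; put it in an `EnvironmentFile=` readable only by the service user, and if it lives in `config.ini` keep that file mode 600, since whoever reads the key can mint admin JWTs for both APIs. Step 5 ships `admin` / `password`; forcing a password change on first login is safer than relying on the bold "Immediately".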

DOCS/General/Index.md Normal file

@@ -0,0 +1,22 @@
# OpenVPN Monitor & Profiler Documentation
Welcome to the documentation for the OpenVPN Monitor suite.
## 📚 General
- [Deployment Guide](Deployment.md): How to install and configure the application on a Linux server.
- [Service Management](Service_Management.md): Setting up systemd/OpenRC services.
- [Security Architecture](Security_Architecture.md): Details on Authentication, 2FA, and Security features.
## 🔍 Core Monitoring (`APP_CORE`)
The core module responsible for log parsing, real-time statistics, and the primary API.
- [API Reference](../Core_Monitoring/API_Reference.md): Endpoints for monitoring data.
- [Authentication](../Core_Monitoring/Authentication.md): How the Login and 2FA flows work.
- [Data Architecture](../Core_Monitoring/Data_Architecture.md): Internals of the Data Gatherer and TSDB.
## ⚙️ Profiler Management (`APP_PROFILER`)
The management module for PKI, Certificates, and User Profiles.
- [Overview](../Profiler_Management/Overview.md): Features and usage of the Profiler API.
## 💻 User Interface (`APP_UI`)
The Vue.js frontend application.
- [Architecture](../UI/Architecture.md): UI Tech stack and project structure.
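Review bot: the index omits two documents added in this same commit, the Nginx Configuration Guide and the Profiler API Reference (only the Profiler Overview is linked); add entries under General and Profiler Management so they are discoverable.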


@@ -0,0 +1,124 @@
# Nginx Configuration Guide
This guide details how to configure Nginx as a reverse proxy for the OpenVPN Monitor & Profiler application. Nginx is **required** in production to serve the frontend and route API requests to the appropriate backend services.
## Architecture Recap
- **Frontend (`APP_UI`)**: Static files (HTML, JS, CSS) served from `/var/www/ovpmon` (or similar).
- **Core API (`APP_CORE`)**: Python/Flask service running on **127.0.0.1:5001**.
- **Profiler API (`APP_PROFILER`)**: Python/FastAPI service running on **127.0.0.1:8000**.
## 1. Alpine Linux Setup
### Installation
```bash
apk add nginx
rc-update add nginx default
```
### Configuration
Create a new configuration file (e.g., `/etc/nginx/http.d/ovpmon.conf`).
```nginx
server {
listen 80;
server_name your-server-domain.com; # Replace with your IP or Domain
root /var/www/ovpmon;
index index.html;
# Gzip Compression
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
# 1. Frontend (SPA Routing)
location / {
try_files $uri $uri/ /index.html;
}
# 2. Core Monitoring API (Flask :5001)
# Routes: /api/v1/stats, /api/auth, etc.
location /api/v1/ {
proxy_pass http://127.0.0.1:5001/api/v1/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api/auth/ {
proxy_pass http://127.0.0.1:5001/api/auth/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# 3. Profiler Management API (FastAPI :8000)
# Routes: /api/profiles, /api/config, etc.
# Note: We capture /api/ but exclude /api/v1 (handled above)
location /api/ {
# Ensure this doesn't conflict with /api/v1. Nginx matching order:
# Longest prefix matches first. So /api/v1/ wins over /api/.
proxy_pass http://127.0.0.1:8000/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
```
### Apply Changes
```bash
rc-service nginx restart
```
---
## 2. Debian / Ubuntu Setup
### Installation
```bash
sudo apt update
sudo apt install nginx
```
### Configuration
1. Create a configuration file in `/etc/nginx/sites-available/ovpmon`:
*(Use the same Nginx configuration block provided in the Alpine section above)*
2. Enable the site:
```bash
sudo ln -s /etc/nginx/sites-available/ovpmon /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-enabled/default # Optional: Remove default site
```
3. Test and Restart:
```bash
sudo nginx -t
sudo systemctl restart nginx
```
---
## 3. Deployment Checklist
1. **Frontend Build**:
Ensure you have built the UI and copied the files to your web root:
```bash
cd APP_UI
npm run build
sudo mkdir -p /var/www/ovpmon
sudo cp -r dist/* /var/www/ovpmon/
```
2. **Permissions**:
Ensure Nginx can read the web files:
```bash
sudo chown -R nginx:nginx /var/www/ovpmon # Alpine
# OR
sudo chown -R www-data:www-data /var/www/ovpmon # Debian/Ubuntu
```
3. **SELinux (RedHat/CentOS only)**:
If using SELinux, allow Nginx to make network connections:
```bash
setsebool -P httpd_can_network_connect 1
```
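Review bot: the server block listens on port 80 only, so passwords, OTPs and bearer tokens from the login flow cross the network in cleartext; a guide that calls Nginx "required in production" should add a `listen 443 ssl` server with a redirect from 80 and set `proxy_set_header X-Forwarded-Proto $scheme`. The longest-prefix comment on `location /api/` is correct, but because it forwards everything not under `/api/v1/` or `/api/auth/` to the profiler, any mistyped Core path silently lands on the FastAPI service. The Deployment Checklist also carries a RedHat/SELinux step although the guide covers only Alpine and Debian.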


@@ -0,0 +1,85 @@
# Implementation Plan - Authentication & Security
## Goal Description
Add secure authentication to the OpenVPN Monitor application.
This includes:
- **Database Storage**: Store users and credentials in the existing SQLite database.
- **2FA**: Support Google Authenticator (TOTP) for two-factor authentication.
- **Brute-force Protection**: Rate limiting on login attempts.
- **Universal Access Control**: Secure all UI routes and API endpoints.
## User Review Required
> [!IMPORTANT]
> **Default Credentials**: We will create a default admin user (e.g., `admin` / `password`) on first run if no users exist. The user MUST change this immediately.
> [!WARNING]
> **Breaking Change**: Access to the current dashboard will be blocked until the user logs in.
## Proposed Changes
### Backend (Python/Flask)
#### [MODIFY] [requirements.txt](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_CORE/requirements.txt)
- Add `pyjwt`, `pyotp`, `qrcode`, `bcrypt`, `flask-bcrypt` (or `werkzeug.security`).
#### [MODIFY] [db.py](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_CORE/db.py)
- Update `init_database` to create:
- `users` table: `id`, `username`, `password_hash`, `totp_secret`, `is_2fa_enabled`.
- `login_attempts` table (for brute-force protection): `ip_address`, `attempts`, `last_attempt`.
#### [MODIFY] [openvpn_api_v3.py](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_CORE/openvpn_api_v3.py)
- **New Imports**: `jwt`, `pyotp`, `functools.wraps`.
- **Helper Functions**:
- `check_rate_limit(ip)`: Verify login attempts.
- `token_required(f)`: Decorator to check `Authorization` header.
- **New Routes**:
- `POST /api/auth/login`: Validate user/pass. Returns JWT (or 2FA required status).
- `POST /api/auth/verify-2fa`: Validate TOTP. Returns access JWT.
- `POST /api/auth/setup-2fa`: Generate secret & QR code.
- `POST /api/auth/enable-2fa`: Confirm and save secret.
- **Protect Routes**: Apply `@token_required` to all existing API routes (except auth).
### Frontend (Vue.js)
#### [NEW] [Login.vue](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_UI/src/views/Login.vue)
- Login form (Username/Password).
- 2FA Input (conditional, appears if server responses "2FA required").
#### [NEW] [Setup2FA.vue](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_UI/src/views/Setup2FA.vue)
- Screen to show QR code and verify OTP to enable 2FA for the first time.
#### [MODIFY] [router/index.js](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_UI/src/router/index.js)
- Add `/login` route.
- Add global `beforeEach` guard:
- Check if route `requiresAuth`.
- Check if token exists in `localStorage`.
- Redirect to `/login` if unauthorized.
#### [MODIFY] [App.vue](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_UI/src/App.vue)
- Add `Logout` button to the sidebar.
- Conditionally render Sidebar only if logged in (optional, or just redirect).
#### [MODIFY] [main.js](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_UI/src/main.js)
- Setup `axios` interceptors:
- **Request**: Add `Authorization: Bearer <token>`.
- **Response**: On `401 Unauthorized`, clear token and redirect to `/login`.
## Verification Plan
### Automated Tests
Since this project does not have a comprehensive test suite, we will verify manually and with targeted scripts.
### Manual Verification
1. **Initial Setup**:
- Start backend and frontend.
- Visit root URL -> Should redirect to `/login`.
2. **Login Flow**:
- Attempt login with wrong password -> Should show error.
- Attempt brute force (5x wrong) -> Should block for X minutes.
- Login with `admin` / `password` -> Should succeed.
3. **2FA Setup**:
- Go to 2FA Setup page (or trigger via API).
- Scan QR code with Google Auth.
- enter code -> Success.
- Logout and Login again -> Should ask for 2FA code.
4. **API Security**:
- Try `curl http://localhost:5000/api/v1/stats` without header -> Should return 401.
- Try with header -> Should return 200.
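Review bot: the `[MODIFY]`/`[NEW]` links use `file:///Users/tstark/...` paths, which expose a developer's home directory and resolve for nobody else; use repo-relative paths. Keeping the JWT in `localStorage` (router guard and axios interceptor) makes it readable by any injected script, so keep the 8-hour lifetime as short as usability allows and consider an HttpOnly cookie instead. `login_attempts` keyed on `ip_address` needs the proxy-aware client IP (`X-Real-IP`), or the lockout is applied to 127.0.0.1 for everyone behind Nginx. Typos: "server responses" should be "server responds", and "enter code" is lower-case in the 2FA checklist.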


@@ -0,0 +1,93 @@
# Service Setup Guide
This guide describes how to set up the OpenVPN Monitor components as system services.
## Components
1. **ovpmon-api**: The main Flask API (`APP/openvpn_api_v3.py`).
2. **ovpmon-gatherer**: The background data gatherer (`APP/openvpn_gatherer_v3.py`).
3. **ovpmon-profiler**: The new FastAPI profiler module (`NEW_MODULES/main.py`).
## Common Prerequisites
- **Install Directory**: `/opt/ovpmon` (Recommended)
- **Virtual Environment**: `/opt/ovpmon/venv`
---
## 1. Alpine Linux (OpenRC)
### Installation
1. **Copy Service Scripts**:
Copy the scripts from `Deployment/APP/openrc/` to `/etc/init.d/`.
```sh
cp DOCS/General/openrc/ovpmon-api /etc/init.d/
cp DOCS/General/openrc/ovpmon-gatherer /etc/init.d/
cp DOCS/General/openrc/ovpmon-profiler /etc/init.d/
```
2. **Set Permissions**:
```sh
chmod +x /etc/init.d/ovpmon-*
```
3. **Enable Services**:
```sh
rc-update add ovpmon-api default
rc-update add ovpmon-gatherer default
rc-update add ovpmon-profiler default
```
4. **Start Services**:
```sh
rc-service ovpmon-api start
rc-service ovpmon-gatherer start
rc-service ovpmon-profiler start
```
### Configuration
To override defaults (e.g., if you installed to a different directory), create files in `/etc/conf.d/`:
**File:** `/etc/conf.d/ovpmon-api` (example)
```sh
directory="/var/www/my-monitoring"
command_args="/var/www/my-monitoring/APP_CORE/openvpn_api_v3.py"
```
---
## 2. Debian / Ubuntu (Systemd)
### Installation Steps
1. **Copy Service Files**:
Copy the provided service files from `DOCS/General/systemd/` to `/etc/systemd/system/`.
```bash
cp DOCS/General/systemd/ovpmon-api.service /etc/systemd/system/
cp DOCS/General/systemd/ovpmon-gatherer.service /etc/systemd/system/
cp DOCS/General/systemd/ovpmon-profiler.service /etc/systemd/system/
```
2. **Reload Daemon**:
```bash
systemctl daemon-reload
```
3. **Enable Services** (Start on boot):
```bash
systemctl enable ovpmon-api ovpmon-gatherer ovpmon-profiler
```
4. **Start Services**:
```bash
systemctl start ovpmon-api ovpmon-gatherer ovpmon-profiler
```
5. **Check Status**:
```bash
systemctl status ovpmon-api
```
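Review bot: the component paths (`APP/openvpn_api_v3.py`, `NEW_MODULES/main.py`) and the `Deployment/APP/openrc/` source directory do not match the `cp DOCS/General/openrc/...` commands below them or the `APP_CORE`/`APP_PROFILER` paths in the systemd units; reconcile before publishing. The `/etc/conf.d/ovpmon-api` example sets `command_args`, but the OpenRC scripts in this commit assign `command_args=` unconditionally, so that override is silently ignored. All three services run as root in both the OpenRC and systemd variants.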


@@ -0,0 +1,49 @@
# OpenRC Service Installation Guide
This guide explains how to install and enable the `ovpmon-api` and `ovpmon-gatherer` services on an Alpine Linux (or other OpenRC-based) system.
## Prerequisites
- **Paths**: The scripts assume the application is installed at `/opt/ovpmon`.
- **Virtualenv**: A python virtual environment should exist at `/opt/ovpmon/venv`.
If your paths differ, you can edit the scripts directly or create configuration files in `/etc/conf.d/`.
## Installation Steps
1. **Copy the scripts to `/etc/init.d/`**:
```sh
cp ovpmon-api /etc/init.d/
cp ovpmon-gatherer /etc/init.d/
```
2. **Make them executable**:
```sh
chmod 755 /etc/init.d/ovpmon-api
chmod 755 /etc/init.d/ovpmon-gatherer
```
3. **Add to default runlevel** (to start on boot):
```sh
rc-update add ovpmon-api default
rc-update add ovpmon-gatherer default
```
4. **Start the services**:
```sh
rc-service ovpmon-api start
rc-service ovpmon-gatherer start
```
## Configuration (Optional)
You can override default variables without editing the script by creating files in `/etc/conf.d/`.
**Example `/etc/conf.d/ovpmon-api`**:
```sh
# Override installation directory
directory="/var/www/ovpmon/APP"
# Override command arguments
command_args="/var/www/ovpmon/APP/openvpn_api_v3.py --debug"
```
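Review bot: the `/etc/conf.d/ovpmon-api` example passes `--debug`; if the API maps that to Flask debug mode, the Werkzeug interactive debugger becomes reachable on the listening port, so a service-file example should not suggest it. The `command_args` override also will not work as described: OpenRC sources `/etc/conf.d/<name>` before the script, and the scripts assign `command_args="..."` unconditionally, so the script value wins; use `: ${command_args:=...}` as they already do for `directory`. The guide covers only `ovpmon-api` and `ovpmon-gatherer`, while the Service Setup Guide in the same commit also installs `ovpmon-profiler`.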


@@ -0,0 +1,16 @@
#!/sbin/openrc-run
name="ovpmon-api"
description="OpenVPN Monitor API Service"
supervisor="supervise-daemon"
: ${directory:="/opt/ovpmon/APP"}
: ${command_user:="root"}
command="/opt/ovpmon/venv/bin/python"
command_args="/opt/ovpmon/APP/openvpn_api_v3.py"
depend() {
need net
after firewall
}
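Review bot: `command=` and `command_args=` are plain assignments, so values from `/etc/conf.d/ovpmon-api` are overwritten (OpenRC sources conf.d first); change them to `: ${command:=...}` and `: ${command_args:="$directory/openvpn_api_v3.py"}` like the `directory` and `command_user` lines, so a relocated install does not still execute `/opt/ovpmon/APP/openvpn_api_v3.py`. `command_user` defaults to root for a network-facing Flask service; a dedicated `ovpmon` user with read access to the OpenVPN status log is enough. The `/opt/ovpmon/APP` path also differs from the `APP_CORE` directory the systemd unit uses.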


@@ -0,0 +1,16 @@
#!/sbin/openrc-run
name="ovpmon-gatherer"
description="OpenVPN Monitor Gatherer Service"
supervisor="supervise-daemon"
: ${directory:="/opt/ovpmon/APP"}
: ${command_user:="root"}
command="/opt/ovpmon/venv/bin/python"
command_args="/opt/ovpmon/APP/openvpn_gatherer_v3.py"
depend() {
need net
after firewall
}
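Review bot: same conf.d clobbering as `ovpmon-api`: `command=` and `command_args=` are unconditional, so `/etc/conf.d/ovpmon-gatherer` cannot override them; use `: ${command_args:="$directory/openvpn_gatherer_v3.py"}`. Running the gatherer as root is unnecessary if the OpenVPN status/log files it parses are readable by a service user.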


@@ -0,0 +1,16 @@
#!/sbin/openrc-run
name="ovpmon-profiler"
description="OpenVPN Monitor Profiler Service (FastAPI)"
supervisor="supervise-daemon"
: ${directory:="/opt/ovpmon/NEW_MODULES"}
: ${command_user:="root"}
command="/opt/ovpmon/venv/bin/python"
command_args="/opt/ovpmon/NEW_MODULES/main.py"
depend() {
need net
after firewall
}
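Review bot: `directory` and `command_args` point at `NEW_MODULES/`, whereas the systemd unit and Deployment.md in this commit use `APP_PROFILER/`; one of them is wrong. The same unconditional `command_args=` assignment defeats `/etc/conf.d/ovpmon-profiler` overrides. This service does need privileges (it drives Easy-RSA and starts/stops OpenVPN), which argues for a dedicated user plus narrowly scoped sudo rules rather than `command_user=root`.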


@@ -0,0 +1,14 @@
[Unit]
Description=OpenVPN Monitor API
After=network.target
[Service]
Type=simple
User=root
WorkingDirectory=/opt/ovpmon/APP_CORE
ExecStart=/opt/ovpmon/venv/bin/python /opt/ovpmon/APP_CORE/openvpn_api_v3.py
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
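Review bot: `ExecStart` runs `openvpn_api_v3.py` under the bare interpreter, i.e. the Flask development server, while Deployment.md tells operators to use Gunicorn; the unit should match (`ExecStart=/opt/ovpmon/venv/bin/gunicorn -w 4 -b 127.0.0.1:5000 openvpn_api_v3:app`). There is no `Environment=`/`EnvironmentFile=` for `OVPMON_SECRET_KEY`, so the shell-profile method from the deployment guide never reaches this service. `User=root` with no hardening: add a service user and `NoNewPrivileges=true`, `ProtectSystem=strict`, `ProtectHome=true`, `PrivateTmp=true` as a baseline.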


@@ -0,0 +1,14 @@
[Unit]
Description=OpenVPN Monitor Gatherer
After=network.target
[Service]
Type=simple
User=root
WorkingDirectory=/opt/ovpmon/APP_CORE
ExecStart=/opt/ovpmon/venv/bin/python /opt/ovpmon/APP_CORE/openvpn_gatherer_v3.py
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
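Review bot: the gatherer runs as root with no sandboxing although it only needs to read OpenVPN output and write the SQLite database; set `User=`/`Group=` to a service account, `ProtectSystem=strict` with `ReadWritePaths=` for the database directory, and order it after the OpenVPN unit it reads from (`After=network.target` alone does not guarantee the log exists at start).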


@@ -0,0 +1,15 @@
[Unit]
Description=OpenVPN Profiler API
After=network.target
[Service]
Type=simple
User=root
WorkingDirectory=/opt/ovpmon/APP_PROFILER
# Running directly via python as main.py has uvicorn.run
ExecStart=/opt/ovpmon/venv/bin/python /opt/ovpmon/APP_PROFILER/main.py
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
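Review bot: the comment justifies the bare-python `ExecStart` (main.py calls `uvicorn.run`), but the unit still needs `Environment=OVPMON_SECRET_KEY=...` or an `EnvironmentFile=`, otherwise the profiler cannot verify the JWTs issued by the Core API. As with the other units, `User=root` is the default; because this service can wipe the PKI (`DELETE /system/pki`) and controls the OpenVPN process, it deserves the tightest sandboxing of the three, not the loosest.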


@@ -0,0 +1,77 @@
# OpenVPN Profiler API Reference
This module (`APP_PROFILER`) is built with **FastAPI** and provides management capabilities.
**Base URL**: `http://<your-server>:8000/api`
## Authentication
All endpoints (except initial setup) require a Bearer Token.
**Header**: `Authorization: Bearer <JWT_TOKEN>`
*Note: The token is shared with the Core Monitoring API.*
---
## 1. User Profiles
Manage OpenVPN Client profiles (`.ovpn` configs and certificates).
### `GET /profiles`
List all user profiles.
- **Response**: Array of profile objects (id, username, status, expiration_date, etc.).
### `POST /profiles`
Create a new user profile.
- **Body**: `{"username": "jdoe"}`
- **Action**: Generates keys, requests certificate, builds `.ovpn` file.
### `DELETE /profiles/{id}`
Revoke a user profile.
- **Action**: Revokes certificate in CRL and marks profile as revoked in DB.
### `GET /profiles/{id}/download`
Download the `.ovpn` configuration file for a user.
- **Response**: File stream (application/x-openvpn-profile).
---
## 2. System Configuration
Manage global settings for the server and PKI.
### `GET /config`
Get current configuration.
- **Query Params**: `section` (optional: 'server' or 'pki')
- **Response**: `{ "server": {...}, "pki": {...} }`
### `PUT /config/server`
Update OpenVPN Server settings (e.g., protocol, port, DNS).
- **Body**: JSON object matching `SystemSettings` schema.
### `PUT /config/pki`
Update PKI settings (e.g., Key Size, Certificate Expiry).
- **Body**: JSON object matching `PKISetting` schema.
### `POST /system/init`
Initialize the PKI infrastructure (InitCA, GenDH, BuildServerCert).
- **Note**: Only runs if PKI is empty.
### `DELETE /system/pki`
**DANGER**: Completely wipes the PKI directory.
---
## 3. Server Management
### `POST /server/configure`
Generate the `server.conf` file based on current database settings.
- **Response**: `{"message": "Server configuration generated", "path": "/etc/openvpn/server.conf"}`
### `POST /server/process/{action}`
Control the OpenVPN system service.
- **Path Param**: `action` (start, stop, restart)
- **Response**: Status of the command execution.
### `GET /server/process/stats`
Get telemetry for the OpenVPN process.
- **Response**: `{ "status": "running", "cpu_percent": 1.2, "memory_mb": 45.0 }`
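Review bot: "All endpoints (except initial setup) require a Bearer Token" leaves unclear whether `POST /system/init` and `DELETE /system/pki` are that exception; `DELETE /system/pki` is irreversible and should require authentication plus an explicit confirmation parameter, not just the verb. `POST /server/process/{action}` must validate `action` against the literal allowlist (`start`, `stop`, `restart`) before anything reaches a shell or `systemctl`. `GET /profiles/{id}/download` hands out a `.ovpn` that embeds the client's private key, so this call should be audit-logged with the requesting user. The Base URL is `.../api` but the headings drop the prefix, and the README's curl examples then use `/profiles` without it; state the full path once.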


@@ -0,0 +1,49 @@
# OpenVPN Profiler API
A modern, Python-based REST API for managing OpenVPN servers, Public Key Infrastructure (PKI), and user profiles. This component is located in `APP_PROFILER/`.
## Features
* **REST API**: Built with FastAPI for robust performance and automatic documentation.
* **Database Storage**: Configurations and user profiles are stored in SQLite (extensible to other DBs via SQLAlchemy).
* **PKI Management**: Integrated management of EasyRSA for CA, Server, and Client certificate generation.
* **Dynamic Configuration**: Templated generation of `server.conf` and client `.ovpn` files using Jinja2.
## Quick Start
### Prerequisites
* Python 3.10 or higher
* OpenVPN (installed and available in PATH)
* Easy-RSA 3 (must be present in the `easy-rsa` directory in the project root)
### Usage
Once the server is running (see [Deployment Guide](../General/Deployment.md)), the full interactive API documentation is available at:
* **Swagger UI**: `http://<your-server>:8000/docs`
* **ReDoc**: `http://<your-server>:8000/redoc`
### Common Operations
**Create a new User Profile:**
```bash
curl -X POST "http://localhost:8000/profiles" \
-H "Content-Type: application/json" \
-d '{"username": "jdoe"}'
```
**Download User Config:**
```bash
# Get the ID from the profile creation response or list
curl -O -J http://localhost:8000/profiles/1/download
```
**Revoke User:**
```bash
curl -X DELETE http://localhost:8000/profiles/1
```
**Get System Configuration:**
```bash
curl http://localhost:8000/config
```
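Review bot: the four curl examples send no `Authorization: Bearer` header and hit `/profiles` rather than `/api/profiles`, so as written they contradict the API Reference (Base URL `.../api`, bearer token required) and will fail; add the header and the prefix.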

DOCS/UI/Architecture.md Normal file

@@ -0,0 +1,35 @@
# UI Architecture
The frontend is a Single Page Application (SPA) built with **Vue 3** and **Vite**. It is located in `APP_UI/`.
## Technology Stack
- **Framework**: Vue 3 (Composition API, Script Setup)
- **Build Tool**: Vite
- **Styling**: Bootstrap 5 + Custom CSS (`src/assets/main.css`)
- **Routing**: Vue Router
- **HTTP Client**: Axios
## Key Features
- **Responsive Design**: Mobile-friendly sidebar and layouts.
- **Theme Support**: Built-in Light/Dark mode toggling.
- **Real-Time Data**: Polls the Monitoring API (`APP_CORE`) for live statistics.
- **Authentication**: JWT-based auth flow with support for 2FA.
## Configuration
Run-time configuration is loaded from `/public/config.json`. This allows the Vue app to be built once and deployed to any environment.
**File Structure (`config.json`):**
```json
{
"api_base_url": "/api/v1", // Proxy path to Core Monitoring API
"profiles_api_base_url": "/api", // Proxy path to Profiler API
"refresh_interval": 30000 // Poll interval in ms
}
```
## Integration
The UI is served by Nginx in production and proxies API requests to:
- `/api/v1/` -> **APP_CORE** (Flask, Port 5000)
- `/profiles-api/` -> **APP_PROFILER** (FastAPI, Port 8000)
See [Deployment Guide](../General/Deployment.md) for Nginx configuration details.
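Review bot: the `config.json` sample contains `//` comments, which are not valid JSON and will make the runtime loader fail; move the explanations into the prose. `profiles_api_base_url` is `/api` while the Integration section says `/profiles-api/` and Deployment.md proxies that path, and the Core port is given as 5000 here versus 5001 in the Nginx guide.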