new awesome build

This commit is contained in:
Антон
2026-01-28 22:37:47 +03:00
parent 848646003c
commit fcb8f6bac7
119 changed files with 7291 additions and 5575 deletions

DOCS/General/Deployment.md Normal file

@@ -0,0 +1,110 @@
# Deployment Guide: OpenVPN Monitor & Profiler
This guide describes how to deploy the full suite on a fresh Linux server (Ubuntu/Debian).
## Architecture Overview
- **Frontend**: Vue.js (Built and served by Nginx) - `APP_UI`
- **Monitoring API (APP_CORE)**: Flask (Port 5000) - Real-time statistics.
- **Profiler API (APP_PROFILER)**: FastAPI (Port 8000) - Profile & Server management.
---
## 1. Prerequisites
- Python 3.10+
- Nginx
- OpenVPN & Easy-RSA (for the Profiler)
- Node.js & NPM (only for building the UI)
---
## 2. Shared Security Setup (Critical)
Both API services must share the same `SECRET_KEY` to recognize the same JWT tokens.
### A. Environment Variable (Recommended)
Add this to your shell profile (`~/.bashrc`) or your Systemd service files:
```bash
export OVPMON_SECRET_KEY='your-very-long-random-secret-key'
```
### B. Configuration File
Alternatively, set it in `APP_CORE/config.ini`:
```ini
[api]
secret_key = your-very-long-random-secret-key
```
---
## 3. Backend Deployment
### Monitoring API (Flask)
1. Navigate to `APP_CORE/`.
2. Create virtual environment: `python3 -m venv venv`.
3. Install dependencies: `venv/bin/pip install -r requirements.txt`.
4. Run with Gunicorn (production):
```bash
venv/bin/gunicorn -w 4 -b 127.0.0.1:5000 openvpn_api_v3:app
```
### Profiler API (FastAPI)
1. Navigate to `APP_PROFILER/`.
2. Create virtual environment: `python3 -m venv venv`.
3. **Important**: Uninstall potential conflicts and install PyJWT:
```bash
venv/bin/pip uninstall jwt PyJWT
venv/bin/pip install -r requirements.txt PyJWT
```
4. Run with Uvicorn:
```bash
venv/bin/uvicorn main:app --host 127.0.0.1 --port 8000
```
---
## 4. Frontend Deployment (Nginx)
### Build the UI
1. Navigate to `UI/client`.
2. Install: `npm install`.
3. Build: `npm run build`.
4. Copy `dist/` contents to `/var/www/ovpmon/`.
### Nginx Configuration
Create `/etc/nginx/sites-available/ovpmon`:
```nginx
server {
listen 80;
server_name your_domain_or_ip;
root /var/www/ovpmon;
index index.html;
# Frontend Routing
location / {
try_files $uri $uri/ /index.html;
}
# Monitoring API (Flask)
location /api/v1/ {
proxy_pass http://127.0.0.1:5000/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
# Profiler API (FastAPI)
location /profiles-api/ {
proxy_pass http://127.0.0.1:8000/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
```
---
## 5. First Run & Initialization
1. Access the UI via browser.
2. Login with default credentials: `admin` / `password`.
3. **Immediately** change the password and set up 2FA in the Settings/Profile section.
4. If using the Profiler, ensure the `easy-rsa` directory is present and initialized via the UI.
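Review bot: the Nginx block in section 4 never proxies `/api/auth/`, so the `POST /api/auth/login`, `verify-2fa` and `setup-2fa` routes defined in the implementation plan in this same commit fall through to the SPA `location /` and never reach Flask, and `location /api/v1/` rewrites to `http://127.0.0.1:5000/api/`, dropping the `/v1` segment that the plan's `curl http://localhost:5000/api/v1/stats` check expects. Add a `location /api/auth/ { proxy_pass http://127.0.0.1:5000/api/auth/; }` block and proxy `/api/v1/` to `/api/v1/`, as the separate Nginx guide in this commit already does. Two security points in the same guide: `listen 80;` with no TLS means the JWT bearer tokens and the `admin` / `password` first login from section 5 cross the network in plaintext, so document an HTTPS server block (or at least state that TLS termination is required); and an `OVPMON_SECRET_KEY` exported from `~/.bashrc` (section 2A) is not read by systemd or OpenRC services, so the recommended place should be a root-owned, mode 0600 environment file referenced from the unit, not a shell profile.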

DOCS/General/Index.md Normal file

@@ -0,0 +1,22 @@
# OpenVPN Monitor & Profiler Documentation
Welcome to the documentation for the OpenVPN Monitor suite.
## 📚 General
- [Deployment Guide](Deployment.md): How to install and configure the application on a Linux server.
- [Service Management](Service_Management.md): Setting up systemd/OpenRC services.
- [Security Architecture](Security_Architecture.md): Details on Authentication, 2FA, and Security features.
## 🔍 Core Monitoring (`APP_CORE`)
The core module responsible for log parsing, real-time statistics, and the primary API.
- [API Reference](../Core_Monitoring/API_Reference.md): Endpoints for monitoring data.
- [Authentication](../Core_Monitoring/Authentication.md): How the Login and 2FA flows work.
- [Data Architecture](../Core_Monitoring/Data_Architecture.md): Internals of the Data Gatherer and TSDB.
## ⚙️ Profiler Management (`APP_PROFILER`)
The management module for PKI, Certificates, and User Profiles.
- [Overview](../Profiler_Management/Overview.md): Features and usage of the Profiler API.
## 💻 User Interface (`APP_UI`)
The Vue.js frontend application.
- [Architecture](../UI/Architecture.md): UI Tech stack and project structure.


@@ -0,0 +1,124 @@
# Nginx Configuration Guide
This guide details how to configure Nginx as a reverse proxy for the OpenVPN Monitor & Profiler application. Nginx is **required** in production to serve the frontend and route API requests to the appropriate backend services.
## Architecture Recap
- **Frontend (`APP_UI`)**: Static files (HTML, JS, CSS) served from `/var/www/ovpmon` (or similar).
- **Core API (`APP_CORE`)**: Python/Flask service running on **127.0.0.1:5001**.
- **Profiler API (`APP_PROFILER`)**: Python/FastAPI service running on **127.0.0.1:8000**.
## 1. Alpine Linux Setup
### Installation
```bash
apk add nginx
rc-update add nginx default
```
### Configuration
Create a new configuration file (e.g., `/etc/nginx/http.d/ovpmon.conf`).
```nginx
server {
listen 80;
server_name your-server-domain.com; # Replace with your IP or Domain
root /var/www/ovpmon;
index index.html;
# Gzip Compression
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
# 1. Frontend (SPA Routing)
location / {
try_files $uri $uri/ /index.html;
}
# 2. Core Monitoring API (Flask :5001)
# Routes: /api/v1/stats, /api/auth, etc.
location /api/v1/ {
proxy_pass http://127.0.0.1:5001/api/v1/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api/auth/ {
proxy_pass http://127.0.0.1:5001/api/auth/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# 3. Profiler Management API (FastAPI :8000)
# Routes: /api/profiles, /api/config, etc.
# Note: We capture /api/ but exclude /api/v1 (handled above)
location /api/ {
# Ensure this doesn't conflict with /api/v1. Nginx matching order:
# Longest prefix matches first. So /api/v1/ wins over /api/.
proxy_pass http://127.0.0.1:8000/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
```
### Apply Changes
```bash
rc-service nginx restart
```
---
## 2. Debian / Ubuntu Setup
### Installation
```bash
sudo apt update
sudo apt install nginx
```
### Configuration
1. Create a configuration file in `/etc/nginx/sites-available/ovpmon`:
*(Use the same Nginx configuration block provided in the Alpine section above)*
2. Enable the site:
```bash
sudo ln -s /etc/nginx/sites-available/ovpmon /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-enabled/default # Optional: Remove default site
```
3. Test and Restart:
```bash
sudo nginx -t
sudo systemctl restart nginx
```
---
## 3. Deployment Checklist
1. **Frontend Build**:
Ensure you have built the UI and copied the files to your web root:
```bash
cd APP_UI
npm run build
sudo mkdir -p /var/www/ovpmon
sudo cp -r dist/* /var/www/ovpmon/
```
2. **Permissions**:
Ensure Nginx can read the web files:
```bash
sudo chown -R nginx:nginx /var/www/ovpmon # Alpine
# OR
sudo chown -R www-data:www-data /var/www/ovpmon # Debian/Ubuntu
```
3. **SELinux (RedHat/CentOS only)**:
If using SELinux, allow Nginx to make network connections:
```bash
setsebool -P httpd_can_network_connect 1
```
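Review bot: the Core API port here is 127.0.0.1:5001 (architecture recap and all three `proxy_pass` lines for Flask), while Deployment.md in this commit binds gunicorn to 127.0.0.1:5000 and the implementation plan's verification step curls `localhost:5000`; pick one port and use it in every document, otherwise a reader following Deployment.md and this guide together gets a 502 from the proxy. In the deployment checklist, `chown -R nginx:nginx` / `www-data:www-data` makes the web root writable by the proxy's own worker user; static files only need to be readable, so leave them root-owned (`chown -R root:root /var/www/ovpmon`, `chmod -R a+rX`) so a compromised worker cannot rewrite the served JavaScript. The build step `cd APP_UI` also disagrees with Deployment.md's `UI/client`.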


@@ -0,0 +1,85 @@
# Implementation Plan - Authentication & Security
## Goal Description
Add secure authentication to the OpenVPN Monitor application.
This includes:
- **Database Storage**: Store users and credentials in the existing SQLite database.
- **2FA**: Support Google Authenticator (TOTP) for two-factor authentication.
- **Brute-force Protection**: Rate limiting on login attempts.
- **Universal Access Control**: Secure all UI routes and API endpoints.
## User Review Required
> [!IMPORTANT]
> **Default Credentials**: We will create a default admin user (e.g., `admin` / `password`) on first run if no users exist. The user MUST change this immediately.
> [!WARNING]
> **Breaking Change**: Access to the current dashboard will be blocked until the user logs in.
## Proposed Changes
### Backend (Python/Flask)
#### [MODIFY] [requirements.txt](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_CORE/requirements.txt)
- Add `pyjwt`, `pyotp`, `qrcode`, `bcrypt`, `flask-bcrypt` (or `werkzeug.security`).
#### [MODIFY] [db.py](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_CORE/db.py)
- Update `init_database` to create:
- `users` table: `id`, `username`, `password_hash`, `totp_secret`, `is_2fa_enabled`.
- `login_attempts` table (for brute-force protection): `ip_address`, `attempts`, `last_attempt`.
#### [MODIFY] [openvpn_api_v3.py](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_CORE/openvpn_api_v3.py)
- **New Imports**: `jwt`, `pyotp`, `functools.wraps`.
- **Helper Functions**:
- `check_rate_limit(ip)`: Verify login attempts.
- `token_required(f)`: Decorator to check `Authorization` header.
- **New Routes**:
- `POST /api/auth/login`: Validate user/pass. Returns JWT (or 2FA required status).
- `POST /api/auth/verify-2fa`: Validate TOTP. Returns access JWT.
- `POST /api/auth/setup-2fa`: Generate secret & QR code.
- `POST /api/auth/enable-2fa`: Confirm and save secret.
- **Protect Routes**: Apply `@token_required` to all existing API routes (except auth).
### Frontend (Vue.js)
#### [NEW] [Login.vue](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_UI/src/views/Login.vue)
- Login form (Username/Password).
- 2FA Input (conditional, appears if server responses "2FA required").
#### [NEW] [Setup2FA.vue](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_UI/src/views/Setup2FA.vue)
- Screen to show QR code and verify OTP to enable 2FA for the first time.
#### [MODIFY] [router/index.js](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_UI/src/router/index.js)
- Add `/login` route.
- Add global `beforeEach` guard:
- Check if route `requiresAuth`.
- Check if token exists in `localStorage`.
- Redirect to `/login` if unauthorized.
#### [MODIFY] [App.vue](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_UI/src/App.vue)
- Add `Logout` button to the sidebar.
- Conditionally render Sidebar only if logged in (optional, or just redirect).
#### [MODIFY] [main.js](file:///Users/tstark/Documents/ovpmon_simple_gitea/APP_UI/src/main.js)
- Setup `axios` interceptors:
- **Request**: Add `Authorization: Bearer <token>`.
- **Response**: On `401 Unauthorized`, clear token and redirect to `/login`.
## Verification Plan
### Automated Tests
Since this project does not have a comprehensive test suite, we will verify manually and with targeted scripts.
### Manual Verification
1. **Initial Setup**:
- Start backend and frontend.
- Visit root URL -> Should redirect to `/login`.
2. **Login Flow**:
- Attempt login with wrong password -> Should show error.
- Attempt brute force (5x wrong) -> Should block for X minutes.
- Login with `admin` / `password` -> Should succeed.
3. **2FA Setup**:
- Go to 2FA Setup page (or trigger via API).
- Scan QR code with Google Auth.
- enter code -> Success.
- Logout and Login again -> Should ask for 2FA code.
4. **API Security**:
- Try `curl http://localhost:5000/api/v1/stats` without header -> Should return 401.
- Try with header -> Should return 200.
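Review bot: the `login_attempts` table keyed on `ip_address` will not work as brute-force protection behind the Nginx reverse proxy described elsewhere in this commit: Flask sees every request as coming from 127.0.0.1 unless it is told to trust `X-Forwarded-For` / `X-Real-IP` from that one upstream (for example `werkzeug.middleware.proxy_fix.ProxyFix(app.wsgi_app, x_for=1)`), so either all clients share a single counter and five wrong attempts by anyone lock everyone out, or, if the header is trusted without a proxy in front, the limit is bypassed by sending a fresh header value per request. State which header is trusted and from which upstream, and consider counting per username as well. Two smaller points: "Protect Routes ... (except auth)" would leave `POST /api/auth/setup-2fa` and `enable-2fa` unauthenticated, which lets any caller rotate a user's TOTP secret, so those two need `@token_required` explicitly; and the `admin` / `password` default is described as MUST change but no forced change on first login appears in the plan, and the lockout duration is still "X minutes". Both should be made concrete before implementation.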


@@ -0,0 +1,93 @@
# Service Setup Guide
This guide describes how to set up the OpenVPN Monitor components as system services.
## Components
1. **ovpmon-api**: The main Flask API (`APP/openvpn_api_v3.py`).
2. **ovpmon-gatherer**: The background data gatherer (`APP/openvpn_gatherer_v3.py`).
3. **ovpmon-profiler**: The new FastAPI profiler module (`NEW_MODULES/main.py`).
## Common Prerequisites
- **Install Directory**: `/opt/ovpmon` (Recommended)
- **Virtual Environment**: `/opt/ovpmon/venv`
---
## 1. Alpine Linux (OpenRC)
### Installation
1. **Copy Service Scripts**:
Copy the scripts from `Deployment/APP/openrc/` to `/etc/init.d/`.
```sh
cp DOCS/General/openrc/ovpmon-api /etc/init.d/
cp DOCS/General/openrc/ovpmon-gatherer /etc/init.d/
cp DOCS/General/openrc/ovpmon-profiler /etc/init.d/
```
2. **Set Permissions**:
```sh
chmod +x /etc/init.d/ovpmon-*
```
3. **Enable Services**:
```sh
rc-update add ovpmon-api default
rc-update add ovpmon-gatherer default
rc-update add ovpmon-profiler default
```
4. **Start Services**:
```sh
rc-service ovpmon-api start
rc-service ovpmon-gatherer start
rc-service ovpmon-profiler start
```
### Configuration
To override defaults (e.g., if you installed to a different directory), create files in `/etc/conf.d/`:
**File:** `/etc/conf.d/ovpmon-api` (example)
```sh
directory="/var/www/my-monitoring"
command_args="/var/www/my-monitoring/APP_CORE/openvpn_api_v3.py"
```
---
## 2. Debian / Ubuntu (Systemd)
### Installation Steps
1. **Copy Service Files**:
Copy the provided service files from `DOCS/General/systemd/` to `/etc/systemd/system/`.
```bash
cp DOCS/General/systemd/ovpmon-api.service /etc/systemd/system/
cp DOCS/General/systemd/ovpmon-gatherer.service /etc/systemd/system/
cp DOCS/General/systemd/ovpmon-profiler.service /etc/systemd/system/
```
2. **Reload Daemon**:
```bash
systemctl daemon-reload
```
3. **Enable Services** (Start on boot):
```bash
systemctl enable ovpmon-api ovpmon-gatherer ovpmon-profiler
```
4. **Start Services**:
```bash
systemctl start ovpmon-api ovpmon-gatherer ovpmon-profiler
```
5. **Check Status**:
```bash
systemctl status ovpmon-api
```
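Review bot: the component paths in this guide disagree with the rest of the commit: `APP/openvpn_api_v3.py`, `APP/openvpn_gatherer_v3.py` and `NEW_MODULES/main.py` here, versus `APP_CORE/` and `APP_PROFILER/` in Deployment.md and in the systemd units (`WorkingDirectory=/opt/ovpmon/APP_CORE`, `/opt/ovpmon/APP_PROFILER`), and the `/etc/conf.d/ovpmon-api` example in this very file already uses `APP_CORE`. The Alpine step also says to copy the scripts from `Deployment/APP/openrc/` while the commands copy from `DOCS/General/openrc/`. Settle on one layout before these paths are baked into two init systems and three guides.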


@@ -0,0 +1,49 @@
# OpenRC Service Installation Guide
This guide explains how to install and enable the `ovpmon-api` and `ovpmon-gatherer` services on an Alpine Linux (or other OpenRC-based) system.
## Prerequisites
- **Paths**: The scripts assume the application is installed at `/opt/ovpmon`.
- **Virtualenv**: A python virtual environment should exist at `/opt/ovpmon/venv`.
If your paths differ, you can edit the scripts directly or create configuration files in `/etc/conf.d/`.
## Installation Steps
1. **Copy the scripts to `/etc/init.d/`**:
```sh
cp ovpmon-api /etc/init.d/
cp ovpmon-gatherer /etc/init.d/
```
2. **Make them executable**:
```sh
chmod 755 /etc/init.d/ovpmon-api
chmod 755 /etc/init.d/ovpmon-gatherer
```
3. **Add to default runlevel** (to start on boot):
```sh
rc-update add ovpmon-api default
rc-update add ovpmon-gatherer default
```
4. **Start the services**:
```sh
rc-service ovpmon-api start
rc-service ovpmon-gatherer start
```
## Configuration (Optional)
You can override default variables without editing the script by creating files in `/etc/conf.d/`.
**Example `/etc/conf.d/ovpmon-api`**:
```sh
# Override installation directory
directory="/var/www/ovpmon/APP"
# Override command arguments
command_args="/var/www/ovpmon/APP/openvpn_api_v3.py --debug"
```
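Review bot: the `/etc/conf.d/ovpmon-api` example ends `command_args` with `--debug`; if that flag turns on Flask's debug mode the service would expose the Werkzeug interactive debugger, which lets anyone who can reach the port execute Python, so a service-configuration example should not show it, or should mark it development-only. The prose also says you can "override default variables" by editing `directory`, but the OpenRC scripts default `directory` and `command_args` independently, so overriding `directory` alone leaves `command_args` pointing at `/opt/ovpmon/APP/...`; the example happens to override both, and the text should say that both are required. This guide omits `ovpmon-profiler`, which the Service Setup Guide in this commit installs alongside the other two.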


@@ -0,0 +1,16 @@
#!/sbin/openrc-run
name="ovpmon-api"
description="OpenVPN Monitor API Service"
supervisor="supervise-daemon"
: ${directory:="/opt/ovpmon/APP"}
: ${command_user:="root"}
command="/opt/ovpmon/venv/bin/python"
command_args="/opt/ovpmon/APP/openvpn_api_v3.py"
depend() {
need net
after firewall
}
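Review bot: `command_user` defaults to `root` for an HTTP API whose stated storage is its own SQLite database; run it as a dedicated account (`: ${command_user:="ovpmon"}`) that owns the database directory, so a bug in the API does not hand out root. `command_args` is hard-coded to `/opt/ovpmon/APP/openvpn_api_v3.py` while `directory` is overridable, so the two silently diverge when only `directory` is changed in `/etc/conf.d/`; set `command_args="${directory}/openvpn_api_v3.py"` after the defaults instead. Note that this launches the Flask script directly rather than the gunicorn command Deployment.md prescribes for production.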


@@ -0,0 +1,16 @@
#!/sbin/openrc-run
name="ovpmon-gatherer"
description="OpenVPN Monitor Gatherer Service"
supervisor="supervise-daemon"
: ${directory:="/opt/ovpmon/APP"}
: ${command_user:="root"}
command="/opt/ovpmon/venv/bin/python"
command_args="/opt/ovpmon/APP/openvpn_gatherer_v3.py"
depend() {
need net
after firewall
}
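Review bot: same `command_user="root"` default as `ovpmon-api`; the gatherer does log parsing (per Index.md), so the least privilege it needs is read access to the OpenVPN status/log files and write access to its own data, both of which a dedicated user in the right group can have. If root really is required for the log path, say so in a comment so the choice is visible to whoever audits the unit. Same hard-coded `command_args` versus overridable `directory` issue as in `ovpmon-api`.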


@@ -0,0 +1,16 @@
#!/sbin/openrc-run
name="ovpmon-profiler"
description="OpenVPN Monitor Profiler Service (FastAPI)"
supervisor="supervise-daemon"
: ${directory:="/opt/ovpmon/NEW_MODULES"}
: ${command_user:="root"}
command="/opt/ovpmon/venv/bin/python"
command_args="/opt/ovpmon/NEW_MODULES/main.py"
depend() {
need net
after firewall
}
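Review bot: `directory` and `command_args` point at `/opt/ovpmon/NEW_MODULES/` while the systemd unit for the same service and Deployment.md use `/opt/ovpmon/APP_PROFILER/`; an Alpine install laid out per Deployment.md will fail to start this service. Running as root is most consequential here: the profiler drives Easy-RSA and the `easy-rsa` directory holds the CA private key, so a bug in the FastAPI surface reachable through Nginx becomes a root-level hole next to the PKI. Use a dedicated user that owns the `easy-rsa` directory (mode 0700) and set `command_user` to it.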


@@ -0,0 +1,14 @@
[Unit]
Description=OpenVPN Monitor API
After=network.target
[Service]
Type=simple
User=root
WorkingDirectory=/opt/ovpmon/APP_CORE
ExecStart=/opt/ovpmon/venv/bin/python /opt/ovpmon/APP_CORE/openvpn_api_v3.py
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
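Review bot: `ExecStart` runs `openvpn_api_v3.py` under the interpreter directly, i.e. Flask's built-in development server, whereas Deployment.md section 3 says to run the API in production with `gunicorn -w 4 -b 127.0.0.1:5000 openvpn_api_v3:app`; the unit should carry the gunicorn command. There is also no `EnvironmentFile=` or `Environment=` for `OVPMON_SECRET_KEY` even though Deployment.md section 2 tells the reader to set it in the service files, and `User=root` with no hardening directives. Suggest a dedicated `User=ovpmon`, `EnvironmentFile=/etc/ovpmon/ovpmon.env` (root-owned, mode 0600), and `NoNewPrivileges=yes`, `ProtectSystem=strict` with `ReadWritePaths=` for the database directory, and `PrivateTmp=yes`.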


@@ -0,0 +1,14 @@
[Unit]
Description=OpenVPN Monitor Gatherer
After=network.target
[Service]
Type=simple
User=root
WorkingDirectory=/opt/ovpmon/APP_CORE
ExecStart=/opt/ovpmon/venv/bin/python /opt/ovpmon/APP_CORE/openvpn_gatherer_v3.py
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
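Review bot: `User=root` here as well; the gatherer needs read access to the OpenVPN status/log files and write access to its TSDB, both of which a dedicated user can be granted, so the same `User=` and hardening treatment as `ovpmon-api.service` applies. `After=network.target` does not order it after OpenVPN itself, so on boot the gatherer may start before the log it parses exists; either order it after the OpenVPN unit actually in use on the host or make the gatherer tolerate a missing file rather than relying on `Restart=always` to paper over the race.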


@@ -0,0 +1,15 @@
[Unit]
Description=OpenVPN Profiler API
After=network.target
[Service]
Type=simple
User=root
WorkingDirectory=/opt/ovpmon/APP_PROFILER
# Running directly via python as main.py has uvicorn.run
ExecStart=/opt/ovpmon/venv/bin/python /opt/ovpmon/APP_PROFILER/main.py
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
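Review bot: `User=root` combined with a service that manages the Easy-RSA PKI makes this the highest-value target among the three units: the CA private key should be owned by a dedicated `ovpmon-profiler` user (or at least a shared `ovpmon` user with the `easy-rsa` directory at 0700) rather than reachable by a root-run FastAPI process that Nginx exposes. Since both APIs must share `OVPMON_SECRET_KEY` (Deployment.md section 2), point this unit and `ovpmon-api.service` at the same `EnvironmentFile=` so the key is set once, with restrictive permissions, and not in a shell profile. The comment about `main.py` calling `uvicorn.run` is useful; add the bind address it uses so operators can confirm it matches the `127.0.0.1:8000` upstream in the Nginx configuration.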