Introducing ovpn-admin — a web interface to manage OpenVPN users

Operating a diverse infrastructure for many customers, we realised a need for a convenient tool to manage OpenVPN certificates and users a long time ago. In a nutshell, we wanted to have a simple web interface instead of going through servers/containers and running all these CLI commands. Since the existing solutions that meet our requirements (including Pritunl and OpenVPN AS) are commercial, we have created (and been using for a couple of years as for now) our own web interface.

Recently, we rewrote it from Python to Go and revamped its UI*, which prompted us to share this project with a wider community. So please welcome the ovpn-admin!

* I want to thank my colleague @vitaliy-sn for the original Python-based version and erste for n̶i̶c̶e̶ ̶w̶a̶l̶l̶p̶a̶p̶e̶r̶s̶ interface improvements.

Interface and features

Ovpn-admin is an Open Source project that implements a web interface for managing OpenVPN. Currently, it supports Linux only and can:

• add users (generate user certificates);
• revoke/reissue user certificates;
• generate a ready-to-use config file;
• provide Prometheus metrics: certificate expiration date, number of users (total/connected), information about connected users;
• (optionally) set the CCD (client-config-dir) for each user;
• (optionally) run in the master/slave mode (sync certificates and CCDs with another server);
• (optionally) set/change the password for additional authorization in OpenVPN.

Here is how the ovpn-admin interface looks like:

List of users and valid actions

Adding custom routes for the user

Example of a dashboard based on metrics retrieved from ovpn-admin

How to give it a try

You can install ovpn-admin in your system or run it in a Docker container. The detailed instruction is available in the project’s README.

The source code of the project is distributed under the Apache License 2.0. We look forward to new features, issues, and discussions on GitHub or in the comments below.

Future plans

What improvements do we expect the most? Here is our current to-do list:

• add the additional authorization via one-time passwords (OTP);
• add a Helm chart as an install option;
• add user groups;
• avoid external executing of the easyrsa tool to generate certificates;
• avoid using bash.

This article has been written by our software engineer Ilya Sosnovsky. Follow Twitter to get new excellent content from Flant!