{"id":16163001,"url":"https://github.com/d3vilh/openvpn-aws","last_synced_at":"2025-08-22T05:32:41.539Z","repository":{"id":65420499,"uuid":"592020623","full_name":"d3vilh/openvpn-aws","owner":"d3vilh","description":"OpenVPN and OpenVPN-UI for any Cloud or x86 bare metal instance","archived":false,"fork":false,"pushed_at":"2024-06-01T13:46:40.000Z","size":1215,"stargazers_count":115,"open_issues_count":11,"forks_count":24,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-12-07T18:11:42.633Z","etag":null,"topics":["amazon-web-services","aws","aws-ec2","docker","openvpn","openvpn-admin","openvpn-aws","openvpn-ui","x86-64"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/d3vilh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-22T17:24:38.000Z","updated_at":"2024-11-18T08:11:54.000Z","dependencies_parsed_at":"2023-12-25T11:30:34.172Z","dependency_job_id":"62df79bd-5d44-403c-a3d8-7c1977f0e9e2","html_url":"https://github.com/d3vilh/openvpn-aws","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3vilh%2Fopenvpn-aws","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3vilh%2Fopenvpn-aws/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3vilh%2Fopenvpn-aws/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/d3vilh%2Fopenvpn-aws/manifests","o
wner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/d3vilh","download_url":"https://codeload.github.com/d3vilh/openvpn-aws/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230561014,"owners_count":18245324,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["amazon-web-services","aws","aws-ec2","docker","openvpn","openvpn-admin","openvpn-aws","openvpn-ui","x86-64"],"created_at":"2024-10-10T02:34:11.625Z","updated_at":"2024-12-20T09:07:39.234Z","avatar_url":"https://github.com/d3vilh.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenVPN AWS\n\n**OpenVPN instance**. 
Which includes \n[**OpenVPN container**](https://github.com/d3vilh/openvpn-server) with a simple [**WEB UI**](https://github.com/d3vilh/openvpn-ui) as a lightweight web administration interface:\n\n\u003cimg src=\"https://raw.githubusercontent.com/d3vilh/openvpn-ui/main/docs/images/OpenVPN-UI-Home.png\" alt=\"Openvpn-ui home screen\"/\u003e\n\n# Requirements\n**Any Intel or AMD x86 based computer**, or x86 VM, or cloud instance with at least 1 CPU core and 512Mb RAM.\n\nFor Amazon AWS, the following is enough:\n- [**Amazon AWS EC2 T2 Micro Instance**](https://aws.amazon.com/ec2/instance-types/t2/) 1x CPU Core, 1Gb RAM\n- [**Amazon AWS Debian amd64 AMI**](https://wiki.debian.org/Cloud/AmazonEC2Image/Bullseye), Debian 11 Bullseye\n- **At least 4Gb GP2 Storage**\n- **Opened UDP/1194 and TCP/8080** ports (TCP/8080 is necessary for [OpenVPN-UI](https://github.com/d3vilh/openvpn-ui) initial configuration only)\n\u003e Theoretically [OpenVPN AWS](https://github.com/d3vilh/openvpn-aws) will run on an EC2 T2 Nano Instance (1x CPU Core, 512Mb RAM), but it was never tested (however it runs very well on ARM based Raspberry Pi Zero1 with 512MB RAM).\n\n# Installation\n\n  1. Install [Ansible](https://docs.ansible.com/ansible) and [Git](https://git-scm.com):\n     ```shell\n     sudo apt-get install -y python3-pip git rsync ansible\n     ```\n  2. Clone this repository: \n     ```shell\n     git clone https://github.com/d3vilh/openvpn-aws\n     ```\n  3. Then enter the repository directory: \n     ```shell\n     cd openvpn-aws\n     ```\n  4. Install requirements: \n     ```shell\n     ansible-galaxy collection install -r requirements.yml --force\n     ```\n     \u003e If you see `ansible-galaxy: command not found`, you have to relogin and then try again.\n  5. Make copies of the configuration files and modify them for your environment:\n     ```shell\n     yes | cp -p example.config.yml config.yml\n     ```\n  6. 
Run the following commands to add the `docker` group if it doesn't exist and add your user to the `docker` group:\n     ```shell\n     sudo groupadd -f docker\n     sudo usermod -aG docker $USER\n     ```\n  **RELOGIN NOW** to apply group changes.\n  7. **Double check** that `ansible_user` is correct for `inventory.yml`. If you need to run the installation on a remote server, follow the recommendations in the config file.\n     \n     \u003e **Note**: To make all necessary changes: `nano inventory.yml`, save the file - `Ctrl+O` and `Ctrl+X` to exit.\n\n  8. Run installation playbook:\n     ```shell\n     sudo ansible-playbook main.yml\n     ```\n\u003e **If running locally on the EC2**: You may see an error like `Error while fetching server API version` or `Permission denied`. You have to relogin and then run the playbook again.\n\n  9. Now, open your [EC2 console](https://console.aws.amazon.com/ec2/home) and go to `\"Network \u0026 Security\"` \u003e `\"Security Groups\"` to create two new Security groups for opening OpenVPN UDP/1194 and OpenVPN-UI TCP/8080 ports for your EC2 instance.\n\n  10. Configure Security Group for OpenVPN (to open UDP/1194 port for Public access):\n\n  \u003cimg src=\"https://github.com/d3vilh/openvpn-aws/blob/master/images/OpenVPN-EC2-OVPN-Only.png\" alt=\"Opening EC2 Public OVPN Port\" width=\"600\" border=\"1\" /\u003e\n\n  11. Configure Security Group for OpenVPN-UI (to open TCP/8080 port for Public access):\n\n  \u003cimg src=\"https://github.com/d3vilh/openvpn-aws/blob/master/images/OpenVPN-EC2-UI-Only.png\" alt=\"Opening EC2 Public OpenVPN-UI Port\" width=\"600\" border=\"1\" /\u003e\n\n  12. Assign both Security groups to your running EC2 instance.\n\n  13. **Generate first .OVPN profile** as described below, with **\"Trusted\"** subnet IP (`10.0.70.0/24`) via OpenVPN-UI web GUI and connect with it, to check your setup.\n\n  14. 
Now that you have OpenVPN-UI access over VPN, you **MUST** remove the OpenVPN-UI Security group profile from your EC2 instance settings. **Because of security reasons!!!**\n\n# Usage\n\n**OpenVPN WEB UI** can be accessed on its own port (*e.g. http://localhost:8080 , change `localhost` to your EC2's Public or Private IPv4 address*). The default user and password are `aws-admin/gagaZush`, preconfigured in `config.yml`, which you are supposed to [set in](https://github.com/d3vilh/openvpn-aws/blob/master/example.config.yml#L9) the `ovpnui_user` \u0026 `ovpnui_password` vars just before the installation.\n\n### Container volume\nThe container volume can be initialized by using the [d3vilh/openvpn-server](https://github.com/d3vilh/openvpn-server) image with included scripts to automatically generate everything you need on the first run:\n - Diffie-Hellman parameters\n - an EasyRSA CA key and certificate\n - a new private key\n - a self-certificate matching the private key for the OpenVPN server\n - a TLS auth key from HMAC security\n\nHowever, you can also generate all the above components on the OpenVPN UI `Configuration \u003e Maintenance` page.\n\n### EasyRSA vars\nYou can update all EasyRSA parameters with OpenVPN UI on the `Configuration \u003e EasyRSA vars` page. You can also set custom EasyRSA vars for every new Client Certificate during its creation.\n\nThe default EasyRSA configuration [can be set prior to](https://github.com/d3vilh/openvpn-aws/blob/master/example.config.yml#L9) installation in the `config.yml` file:\n\n```shell\n# EasyRSA configuration parameters.\neasyrsa_dn: \"org\"                               # Leave this as-is. \"org\" for traditional, \"cn_only\" for CN only.\neasyrsa_req_country: \"UA\"                       # The two-letter country code (e.g. US).\neasyrsa_req_province: \"KY\"                      # The two-letter state or province code (e.g. 
CA).\neasyrsa_req_city: \"Kyiv\"                        # The city of the organization.\neasyrsa_req_org: \"SweetHome\"                    # The name of the organization.\neasyrsa_req_email: \"sweet@home.net\"             # The email address of the organization.\neasyrsa_req_ou: \"MyOrganizationalUnit\"          # The name of the organizational unit.\neasyrsa_req_cn: \"server\"                        # The name of the common name.\neasyrsa_key_size: 2048                          # Leave this as-is. Size in bits for your keypairs. \neasyrsa_ca_expire: 3650                         # Number of days until the root CA expires.\neasyrsa_cert_expire: 825                        # Number of days until certificates expire.\neasyrsa_cert_renew: 30                          # Number of days before expiration to renew certificates.\neasyrsa_crl_days: 180                           # Number of days until the CRL expires.\n\n```\nIn the process of installation these vars will be copied to container volume `/etc/openvpn/pki/vars` and used during all EasyRSA operations.\n\n### Monitoring\nTo install OpenVPN Grafana Dashboard you have to set following configuration parameters in `config.yml` file:\n```shell\n# OpenVPN monitoring configuration.              # Requires `monitoring_enable`\nmonitoring_enable: true                          # Set true to enable OpenVPN Server monitoring\nmonitoring_grafana_admin_password: \"admin\"       # Is only used the first time when Grafana starts up\nmonitoring_days_keep_interval: 90d               # How long to keep data in Prometheus DB (decrease if you have less than 5Gb of free disk space)\n```\nIt will install Prometheus and Grafana containers and configure them to collect OpenVPN Server metrics.\n\n### Network configuration\n\nThis setup use `tun` mode by default, because it works on the widest range of devices. 
`tap` mode, for instance, does not work on Android, except if the device is rooted.\n\nThe default topology is `subnet`, because it works on the widest range of operating systems. `p2p`, for instance, does not work on Windows.\n\nThe server config by default [specifies](https://github.com/d3vilh/openvpn-server/tree/main/config/server.conf#L35) `push redirect-gateway def1 bypass-dhcp`, meaning that after establishing the VPN connection, all traffic will go through the VPN. This might cause problems if you use local DNS recursors which are not directly reachable, since you will try to reach them through the VPN and they might not answer you. If that happens, use public DNS resolvers like those of OpenDNS (`208.67.222.222` and `208.67.220.220`) or Google (`8.8.4.4` and `8.8.8.8`).\n\nIf you wish to use your local DNS server (Pi-hole?), you have to modify the [dns-configuration](https://github.com/d3vilh/openvpn-server/tree/main/config/server.conf#L21) with your local DNS IP address. \n\nThis can also be done easily via the `\"Configuration\" \u003e \"OpenVPN Server\" \u003e \"Push DHCP\"` options on the OpenVPN UI webpage.\n\n### OpenVPN client subnets. Guest and Home users\n\nBy default the [d3vilh/openvpn-server](https://github.com/d3vilh/openvpn-server) OpenVPN server uses the option `server 10.0.70.0/24` as the **\"Trusted\"** subnet to grab dynamic IPs for all your Clients, which by default will have full access to your **\"Private/Home\"** subnet, as well as Internet over VPN.\nHowever, you may want to share internet over VPN with specific Guest Clients and restrict their access to your **\"Private/Home\"** subnet. 
For this scenario [d3vilh/openvpn-server](https://github.com/d3vilh/openvpn-server) `server.conf` configuration file has special `route 10.0.71.0/24` option, aka **\"Guest users\"** subnet.\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://github.com/d3vilh/raspberry-gateway/blob/master/images/OVPN_VLANs.png\" alt=\"OpenVPN Subnets\" width=\"700\" border=\"1\" /\u003e\n\u003c/p\u003e\n\nTo assign desired subnet policy to the specific client, you have to define static IP address for the client during its profile/Certificate creation.\nTo do that, just enter `\"Static IP (optional)\"` field in `\"Certificates\"` page and press `\"Create\"` button.\n\n\u003e Keep in mind, by default, all the clients have full access, so you don't need to specifically configure static IP for your own devices, your home devices always will land to **\"Trusted\"** subnet by default. \n\n### Firewall rules\n\nBy default `docker_entrypoint.sh` of [d3vilh/openvpn-server](https://github.com/d3vilh/openvpn-server) OpenVPN Server container will apply following Firewall rules:\n\n```shell\nIPT MASQ Chains:\nMASQUERADE  all  --  ip-10-0-70-0.ec2.internal/24  anywhere\nMASQUERADE  all  --  ip-10-0-71-0.ec2.internal/24  anywhere\nIPT FWD Chains:\n       0        0 DROP       1    --  *      *       10.0.71.0/24         0.0.0.0/0            icmptype 8\n       0        0 DROP       1    --  *      *       10.0.71.0/24         0.0.0.0/0            icmptype 0\n       0        0 DROP       0    --  *      *       10.0.71.0/24         192.168.88.0/24\n``` \n\nYou can apply optional Firewall rules in `~/openvpn-server/fw-rules.sh` file, which will be executed on the container start. 
\n\nHere is an example of blocking all the traffic between 2 \"Trusted\" subnet clients:\n```shell\n~/openvpn-server $ cat fw-rules.sh\niptables -A FORWARD -s 10.0.70.88 -d 10.0.70.77 -j DROP\niptables -A FORWARD -s 10.0.70.77 -d 10.0.70.88 -j DROP\n```\n\nSee the detailed subnets description [here](https://github.com/d3vilh/openvpn-ui/tree/main#openvpn-client-subnets-guest-and-home-users).\n\n\n### Generating .OVPN client profiles\n  \u003cdetails\u003e\n      \u003csummary\u003eHow to generate .OVPN client profile\u003c/summary\u003e\nYou can update the external client IP and port address anytime under the `\"Configuration \u003e OpenVPN Client\"` menu. \n\nFor this go to `\"Configuration \u003e OpenVPN Client\"`:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-ext_serv_ip1.png\" alt=\"Configuration \u003e Settings\" width=\"350\" border=\"1\" /\u003e\n\nAnd then update the `\"Connection Address\"` and `\"Connection Port\"` fields with your external Internet IP and Port. 
\n\nTo generate a new Client Certificate go to `\"Certificates\"`, then press the `\"Create Certificate\"` button, enter the new VPN client name, complete the remaining fields and press `\"Create\"` to generate the new Client certificate:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-ext_serv_ip2.png\" alt=\"Server Address\" width=\"350\" border=\"1\" /\u003e  \u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-New_Client.png\" alt=\"Create Certificate\" width=\"350\" border=\"1\" /\u003e\n\nTo download the .OVPN client configuration file, press on the `Client Name` you just created:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-New_Client_download.png\" alt=\"download OVPN\" width=\"350\" border=\"1\" /\u003e\n\nInstall the [Official OpenVPN client](https://openvpn.net/vpn-client/) on your client device.\n\nDeliver the .OVPN profile to the client device and import it as a FILE, then connect with the new profile to enjoy your free VPN:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Palm_import.png\" alt=\"PalmTX Import\" width=\"350\" border=\"1\" /\u003e \u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Palm_connected.png\" alt=\"PalmTX Connected\" width=\"350\" border=\"1\" /\u003e\n\n  \u003c/details\u003e\n\n### Renew Certificates for client profiles\n  \u003cdetails\u003e\n      \u003csummary\u003eHow to renew old client profile\u003c/summary\u003e\nTo renew a certificate, go to `\"Certificates\"` and press the `\"Renew\"` button for the client you would like to renew the certificate for:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Cert-Renew.01.png\" alt=\"Renew OpenVPN Certificate\" width=\"600\" border=\"1\" /\u003e\n\nRight after this step a new Certificate will be generated and it will appear as a new client profile with the same Client name. 
At this point both client profiles will have the updated Certificate when you try to download it.\n\nOnce you have delivered the new client profile with the renewed Certificate to your client, press the `\"Revoke\"` button for the old profile to revoke the old Certificate; the old client profile will be deleted from the list.\n\nIf, for some reason, you still would like to keep the old certificate, you have to `\"Revoke\"` the new profile; the old certificate will be rolled back and the new profile will be deleted from the list.\n\nThe renewal process will not affect active VPN connections; the old client will be disconnected only after you revoke the old certificate or the certificate term of use expires.\n  \u003c/details\u003e\n\n### Revoking .OVPN profiles\n  \u003cdetails\u003e\n      \u003csummary\u003eHow to revoke client certificate\u003c/summary\u003e\n\nIf you would like to prevent a client from using your VPN connection, you have to revoke the client certificate and restart the OpenVPN daemon.\nYou can do it via the OpenVPN UI `\"Certificates\"` menu, by pressing the `\"Revoke\"` amber button:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Revoke.png\" alt=\"Revoke Certificate\" width=\"600\" border=\"1\" /\u003e\n\nRevoking a certificate won't kill active VPN connections; you'll have to restart the service if you want the user to disconnect immediately. It can be done from the same `\"Certificates\"` page, by pressing the red Restart button:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Restart.png\" alt=\"OpenVPN Restart\" width=\"600\" border=\"1\" /\u003e\n\nYou can do the same from the `\"Maintenance\"` page.\n\nAfter Revoking and Restarting the service, the client will be disconnected and will not be able to connect again with the same certificate. 
To delete the certificate from the server, you have to press the `\"Remove\"` button.\n  \u003c/details\u003e\n\n### Two Factor Authentication (2FA)\nStarting from version `0.9.3` OpenVPN-UI has a Two Factor Authentication (2FA) feature.\nOpenVPN-UI uses [oath-toolkit](https://savannah.nongnu.org/projects/oath-toolkit/) for two factor authentication. This means you don't need any third-party 2FA provider.\nWhen generating 2FA-enabled certificates OpenVPN-UI will provide a QR code with the 2FA secret, which you can scan with your 2FA app (Google Authenticator [iOS](https://apps.apple.com/us/app/google-authenticator/id388497605), [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\u0026pcampaignid=web_share), Microsoft Authenticator [iOS](https://apps.apple.com/us/app/microsoft-authenticator/id983156458), [Android](https://play.google.com/store/apps/details?id=com.azure.authenticator\u0026pcampaignid=web_share), etc) to get the 2FA token for connection with this certificate.\n\nThe 2FA Certificates **`Renewal`**, **`Revoke`** and **`Delete`** process is the same as for regular certificates.\n\n#### To enable 2FA you have to:\n\n* Go to the `\"Configuration \u003e OpenVPN Client\"` page and enable the `\"Two Factor Authentication\"` option to switch the Certificates interface to 2FA mode, so you can generate certificates with 2FA enabled and access the 2FA QR code for already generated certificates.\n\n  \u003e **Note**: You can generate 2FA-ready certificates at this stage, then deliver 2FA Certificates to all your client devices and enable 2FA Server support later, when you are ready to use it. Before that, the Server will still accept non 2FA-ready certificates only.\n\n* Go to the `\"Configuration \u003e OpenVPN Server\"` page and enable the `\"Two Factor Authentication\"` option for the OpenVPN Server backend. 
Once 2FA is enabled for the Server, OpenVPN-Server **will allow 2FA connections only** (non 2FA-ready certificates won't connect).\n\n#### 2FA .OVPN profiles creation\n  \u003cdetails\u003e\n      \u003csummary\u003eHow to generate 2FA Certificate\u003c/summary\u003e\n\nThe procedure for 2FA generation is the same as for a regular certificate, but you have to use a unique `2FA Name` in the email-kind format:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-2FA-Cert-Create.png\" alt=\"2FA Certificate create\" width=\"600\" border=\"1\" /\u003e\n\n\u003e **Note**: For Multifactor Authentication (MFA), you can add one more password by completing the **`Passphrase`** option. \n\nBoth **`Passphrase`** and **`Client Static IP`** are optional parameters.\n\nWhen you complete all the fields, click on **`Create`** and your new 2FA Certificate will be ready.\n\nOnce this is done, you can click on the new certificate in the `Certificates` page to see all the details including the QR code for the 2FA token:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-2FA-Cert-details.png\" alt=\"2FA Certificate details\" width=\"600\" border=\"1\" /\u003e\n\nYou can copy or email this information directly to the happy 2FA certificate owner.\n  \u003c/details\u003e\n\n#### 2FA certificates usage\n  \u003cdetails\u003e\n      \u003csummary\u003eHow to add 2FA profile to client\u003c/summary\u003e\n\nTo use a 2FA certificate you have to install a 2FA app on your device (**Google Authenticator** [iOS](https://apps.apple.com/us/app/google-authenticator/id388497605), [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\u0026pcampaignid=web_share), **Microsoft Authenticator** [iOS](https://apps.apple.com/us/app/microsoft-authenticator/id983156458), [Android](https://play.google.com/store/apps/details?id=com.azure.authenticator\u0026pcampaignid=web_share), etc) and scan the QR code from the `Certificates` details 
page.\n\nAfter scanning the QR code, a new Authenticator profile will be created in your 2FA app with the same name as your 2FA Certificate name:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-2FA-mobi-authenticator.png\" alt=\"2FA Authenticator\" width=\"350\" border=\"1\" /\u003e\n\nThen you have to download and deliver the `.OVPN profile` to the [OpenVPN Connect app](https://openvpn.net/client/) and open it as a file. The following window appears:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-2FA-mobi-profile-add.png\" alt=\"2FA OpenVPN Connect profile add\" width=\"350\" border=\"1\" /\u003e\n\nClick `Add` to add the new profile to OpenVPN Connect. Then you will be asked to enter your Username. As the username, use the `2FA Name` which you used during Certificate/profile generation (as precisely as you can; `2FA Name` is part of the authentication process):\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-2FA-mobi-username.png\" alt=\"2FA OpenVPN Connect profile username\" width=\"350\" border=\"1\" /\u003e\n\nWhen you are prompted to enter the password, you have to enter the 2FA token from your 2FA app:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-2FA-mobi-password.png\" alt=\"2FA OpenVPN Connect profile 2FA password\" width=\"350\" border=\"1\" /\u003e\n\nThe connection will succeed if you entered the `2FA Name` and 2FA token correctly.\n\nFor MFA authentication you can use the optional `Passphrase` when generating a new Client certificate, to protect your 2FA token with an additional password. 
In this case you have to enter your `Passphrase` as the `Private Key Password` and the 2FA token as the `Password`: \n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-2FA-mobi-password-cert.png\" alt=\"2FA OpenVPN Connect profile 2FA and Certificate passwords\" width=\"350\" border=\"1\" /\u003e\n\n  \u003c/details\u003e\n\n### User Management\n\nYou can create and delete users with different privileges - Administrators or regular users:\n* Administrators have full access\n* Regular users have access to the Home, Certificates and Logs pages only. These users can create, renew, revoke and delete all the certificates.\n\n\n\u003cdetails\u003e\n      \u003csummary\u003eHow to manage OpenVPN-UI Users\u003c/summary\u003e\n\nThis functionality is available via the `\"Users Profiles\"` page:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-ProfileAdmin.png\" alt=\"Username \u003e Profile\" width=\"350\" border=\"1\" /\u003e\n\n\nThen, if your user has enough privileges, you can create a new profile or manage profiles of other users:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-ProfileCreate.png\" alt=\"New OpenVPN UI Profile creation\" width=\"600\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-ProfileManage.png\" alt=\"OpenVPN UI Profiles management\" width=\"600\" border=\"1\" /\u003e\n\n\u003c/details\u003e\n\n### OpenVPN Pstree structure\n\nAll the Server and Client configuration is located in the Docker volume and can be easily tuned. 
Here is the tree of the volume content:\n\n```shell\n|-- clients\n|   |-- your_client1.ovpn\n|-- config\n|   |-- client.conf\n|   |-- easy-rsa.vars //EasyRSA vars draft, see below real vars file.\n|   |-- server.conf\n|-- db\n|   |-- data.db       //OpenVPN UI DB\n|-- log\n|   |-- openvpn.log\n|-- pki\n|   |-- ca.crt\n|   |-- vars          // EasyRSA real vars, used by all applications\n|   |-- certs_by_serial\n|   |   |-- your_client1_serial.pem\n|   |-- crl.pem\n|   |-- dh.pem\n|   |-- index.txt\n|   |-- ipp.txt\n|   |-- issued\n|   |   |-- server.crt\n|   |   |-- your_client1.crt\n|   |-- openssl-easyrsa.cnf\n|   |-- private\n|   |   |-- ca.key\n|   |   |-- your_client1.key\n|   |   |-- server.key\n|   |-- renewed\n|   |   |-- certs_by_serial\n|   |   |-- private_by_serial\n|   |   |-- reqs_by_serial\n|   |-- reqs\n|   |   |-- server.req\n|   |   |-- your_client1.req\n|   |-- revoked\n|   |   |-- certs_by_serial\n|   |   |-- private_by_serial\n|   |   |-- reqs_by_serial\n|   |-- safessl-easyrsa.cnf\n|   |-- serial\n|   |-- ta.key\n|-- staticclients    //Directory where all the static clients configuration is stored\n```\n\n\n\n### Screenshots:\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Login.png\" alt=\"OpenVPN-UI Login screen\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Home.png\" alt=\"OpenVPN-UI Home screen\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Certs.png\" alt=\"OpenVPN-UI Certificates screen\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Create-Cert.png\" alt=\"OpenVPN-UI Create Certificate screen\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Certs-Details-Expire.png\" alt=\"OpenVPN-UI Expire 
Certificate details\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Certs-Details_OK.png\" alt=\"OpenVPN-UI OK Certificate details\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-EasyRsaVars.png\" alt=\"OpenVPN-UI EasyRSA vars screen\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-EasyRsaVars-View.png\" alt=\"OpenVPN-UI EasyRSA vars config view screen\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Maintenance.png\" alt=\"OpenVPN-UI Maintenance screen\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Server-config.png\" alt=\"OpenVPN-UI Server Configuration screen\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Server-config-edit.png\" alt=\"OpenVPN-UI Server Configuration edit screen\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-ClientConf.png\" alt=\"OpenVPN-UI Client Configuration screen\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Config.png\" alt=\"OpenVPN-UI Configuration screen\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Profile.png\" alt=\"OpenVPN-UI User Profile\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-ProfileCreate.png\" alt=\"New OpenVPN UI Profile creation\" width=\"1000\" border=\"1\" /\u003e\n\n\u003cimg 
src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-ProfileManage.png\" alt=\"OpenVPN UI Profiles management\" width=\"1000\" border=\"1\" /\u003e\n\n\n\u003cimg src=\"https://github.com/d3vilh/openvpn-ui/blob/main/docs/images/OpenVPN-UI-Logs.png\" alt=\"OpenVPN-UI Logs screen\" width=\"1000\" border=\"1\" /\u003e\n\n\nBuild 22.01.2023 by [d3vilh](https://github.com/d3vilh) for small home project.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd3vilh%2Fopenvpn-aws","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fd3vilh%2Fopenvpn-aws","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd3vilh%2Fopenvpn-aws/lists"}