An OpenVPN management web application for mere mortals.
Mangle VPN is an OpenVPN management application that allows administrators an easy way to offer self-service VPN access to users. It is heavily inspired by the OpenVPN Access Server.
The backend application is written in Python 3.6, uses the Django web framework backed by an SQLite database, and requires OpenVPN 2.4+.
The frontend uses Vue.js and the Semantic UI CSS framework.
The application should be installed on a fresh machine that is dedicated to running nothing but the web application and OpenVPN server.
Clone the repository and run the install script:
$ sudo git clone https://github.com/jeffmvr/mangle-vpn.git /opt/mangle-vpn
$ cd /opt/mangle-vpn
$ sudo ./install.sh
Once the installation script has finished, please navigate to the web application in your browser to perform the initial setup.
In addition to authentication using the local application database, you can configure one of the OAuth2 providers from the list below to perform user authentication.
This requires that you obtain an OAuth2 client ID and client secret from your OAuth2 provider and add the following OAuth2 callback URL to your provider's list of approved callbacks:
Supported OAuth2 Providers:
By default, a self-signed SSL certificate is created for the web application. While this is OK for testing purposes, you will want to use a valid SSL certificate signed by a trusted certificate authority.
The Settings page in the administration section provides you with the ability to copy/paste your own SSL certificates.
The application manages all of the firewall rules via iptables for both the web application and OpenVPN server (based on your application settings), and sets the following default policies and rules:
-P INPUT DROP
-P OUTPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
All application data, including the database, logs, and application keys, are stored in the
The web application and OpenVPN server can be controlled using standard systemd services:
$ sudo systemctl [start|stop|restart|status] mangle-web.service
$ sudo systemctl [start|stop|restart|status] mangle-vpn.service
In addition, a tasks service runs in the background to handle jobs such as sending e-mails and generating the OpenVPN CRL; it is started and stopped alongside the mangle-web service:
$ sudo systemctl [start|stop|restart|status] mangle-tasks.service
The application works on the concept of devices: the individual OpenVPN user devices (desktop, laptop, tablet, phone, etc.) a user will use to connect to the OpenVPN server.
Devices can be added and deleted by each user, but are limited to the maximum device count set by their group's settings.
Users are separated into logical groups, each with its own settings. Visit the Groups page in the Admin section to modify these settings and view detailed information.
Each group has its own firewall settings, which control the IP addresses and subnets a client is allowed to access. You may whitelist by IP address, CIDR address, and protocol.
By default, every group has a DENY ALL rule set, so a client in a new group can reach nothing until you add whitelist entries!
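The two firewall behaviours described on this page (the host-level defaults quoted above, and the per-group whitelist that denies everything not explicitly listed) are shown together in the following example. This is an added illustration, not Mangle VPN's own code: the entry syntax (`tcp:192.168.5.10`, `10.0.1.0/24`), the idea that each group owns one client subnet, and the use of the FORWARD chain with a trailing per-group DROP are assumptions made for the example; the five base rules are copied from the README.

```python
# Added example (not Mangle VPN's own code): evaluate a group's whitelist with
# default deny, and render the iptables rules that whitelist implies on top of
# the base policy quoted in the README.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
PROTOCOLS = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class WhitelistEntry:
    """One allowed destination: a host or CIDR, optionally limited to a protocol.
    The "proto:target" entry syntax is an assumption for this example."""
    network: Network
    protocol: Optional[str]  # None means any protocol


def parse_entry(text: str) -> WhitelistEntry:
    """Parse "10.0.1.0/24", "192.168.5.10" or "tcp:192.168.5.10".
    Only split on ':' when the prefix is a known protocol, so IPv6 literals survive."""
    proto = None
    head, sep, rest = text.partition(":")
    if sep and head.lower() in PROTOCOLS:
        proto, text = head.lower(), rest
    # strict=False lets a bare host such as 10.0.0.5 become a /32 network
    return WhitelistEntry(ipaddress.ip_network(text.strip(), strict=False), proto)


def is_allowed(entries: List[WhitelistEntry], dst: str, protocol: str) -> bool:
    """Default deny: a destination is reachable only if some entry matches it."""
    addr = ipaddress.ip_address(dst)
    for entry in entries:
        if addr.version != entry.network.version:
            continue
        if addr in entry.network and entry.protocol in (None, protocol.lower()):
            return True
    return False


# The host-level defaults quoted in the README.
BASE_RULES = [
    "-P INPUT DROP",
    "-P OUTPUT ACCEPT",
    "-P FORWARD ACCEPT",
    "-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp --dport 22 -j ACCEPT",
]


def render_rules(web_port: int, vpn_port: int, vpn_proto: str,
                 groups: Dict[str, Tuple[str, List[WhitelistEntry]]]) -> List[str]:
    """Render the full rule list. `groups` maps a group name to (client subnet,
    whitelist). One client subnet per group is an assumption of this example."""
    rules = list(BASE_RULES)
    # Listener ports come from the application settings (constructed values here).
    rules.append(f"-A INPUT -p tcp --dport {web_port} -j ACCEPT")
    rules.append(f"-A INPUT -p {vpn_proto} --dport {vpn_port} -j ACCEPT")
    # Replies to whitelisted flows must be allowed back to the client.
    rules.append("-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    for name, (subnet, entries) in groups.items():
        src = ipaddress.ip_network(subnet)
        for entry in entries:
            proto = f" -p {entry.protocol}" if entry.protocol else ""
            rules.append(f"-A FORWARD -s {src} -d {entry.network}{proto} "
                         f"-m comment --comment {name} -j ACCEPT")
        # The group's DENY ALL: anything not whitelisted above is dropped.
        rules.append(f"-A FORWARD -s {src} -m comment --comment {name}-deny-all -j DROP")
    return rules


if __name__ == "__main__":
    staff = [parse_entry("10.0.1.0/24"), parse_entry("tcp:192.168.5.10")]
    print(is_allowed(staff, "10.0.1.77", "udp"), is_allowed(staff, "192.168.5.10", "udp"))
    for line in render_rules(443, 1194, "udp", {"staff": ("10.8.0.0/24", staff)}):
        print(line)
```

The rendered lines are the `iptables` argument strings in the order they must be applied; the per-group DROP is appended last so that every ACCEPT for that subnet is evaluated before it.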
You can update the application to the latest version from the administration UI in the web application or via the command-line:
$ sudo make update
This restarts the web application but does not restart the OpenVPN server.
While much effort has been put into making the application as secure as possible, best practices should still be followed to harden the local machine.
The following items are in no particular order and represent features to be added in the future.