Running commands in the CLI can get tiring for some Linux users. The Ovpn-admin Web UI is a GUI tool introduced to ease that work. It was originally created at Flant for internal needs, later updated and modernized, and released to the public in March 2021. Its simple Web UI has a backend written in Go and a frontend written in Vue.js. From the Ovpn-admin web UI, users can manage certificates, OpenVPN users, and routes on Linux systems.
The features of ovpn-admin are:
- Ability to revoke/restore user certificates
- Adding OpenVPN users and generating certificates for them.
- Generating ready-to-use config files
- Providing metrics for Prometheus, including certificates expiration date, number of (connected/total) users, information about connected users
- Set the CCD (client-config-dir) for each user
- Set/change the password for additional authorization in OpenVPN.
- Run in the master/slave mode (sync certificates and CCDs with another server)
By following this guide to the end, you should be able to manage an OpenVPN server with the ovpn-admin Web UI.
Install ovpn-admin on Linux.
There are several ways to install Ovpn-admin on your system, among them:
- Using Docker.
- Building from source.
- Using Prebuilt binary
Option 1 – Install ovpn-admin Using Docker.
This is the easiest and most suitable method to install ovpn-admin, since the dependencies are already taken care of.
Ensure that Docker is installed on your system.
Start and enable Docker as below:
sudo systemctl start docker
sudo systemctl enable docker
Install Docker-compose on Linux as below.
curl -s https://api.github.com/repos/docker/compose/releases/latest | grep browser_download_url | grep docker-compose-linux-x86_64 | cut -d '"' -f 4 | wget -qi -
Make the docker-compose file executable.
chmod +x docker-compose-linux-x86_64
Move the file to your PATH.
sudo mv docker-compose-linux-x86_64 /usr/local/bin/docker-compose
That is it! Docker-compose has been installed. Verify this by checking the installed version as below.
$ docker-compose version
Docker Compose version v2.2.2
Add your system user to the Docker group.
sudo usermod -aG docker $USER
newgrp docker
Now proceed with the ovpn-admin installation. Clone the Ovpn-admin repository.
git clone https://github.com/flant/ovpn-admin.git
Navigate into the directory.
cd ovpn-admin
The directory contains a ready-to-use docker-compose.yaml. You can change or add values in it; otherwise, start the containers.
./start.sh
Sample Output:
Sending build context to Docker daemon 847.9kB
Step 1/4 : FROM alpine:3.14
3.14: Pulling from library/alpine
97518928ae5f: Pull complete
Digest: sha256:635f0aa53d99017b38d1a0aa5b2082f7812b03e3cdb299103fe77b5c8a07f1d2
Status: Downloaded newer image for alpine:3.14
---> 0a97eee8041e
Step 2/4 : RUN apk add --update bash openvpn easy-rsa && ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && wget https://github.com/pashcovich/openvpn-user/releases/download/v1.0.3/openvpn-user-linux-amd64.tar.gz -O - | tar xz -C /usr/local/bin && rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
---> Running in 2e1fe5ae3003
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
(1/19) Installing ncurses-terminfo-base (6.2_p20210612-r0)
(2/19) Installing ncurses-libs (6.2_p20210612-r0)
(3/19) Installing readline (8.1.0-r0)
(4/19) Installing bash (5.1.4-r0)
.......
Successfully built ed5b02e302b3
Successfully tagged ovpn-admin:local
Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
[+] Running 3/3
⠿ Network openvpn-master_default Created 0.1s
⠿ Container openvpn-master-openvpn-1 Started 1.0s
⠿ Container openvpn-master-ovpn-admin-1 Started 1.4s
Verify if the containers are running:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
280bc12530e3 ovpn-admin:local "/app/ovpn-admin" 10 seconds ago Up 8 seconds openvpn-master-ovpn-admin-1
483a99a3c150 openvpn:local "/etc/openvpn/setup/…" 11 seconds ago Up 9 seconds 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp, 0.0.0.0:7777->1194/tcp, :::7777->1194/tcp openvpn-master-openvpn-1
Option 2 – Install ovpn-admin by Building from Source.
For this method, you first need to install the dependencies below on your system.
- nodejs/npm
- golang
- packr2
- gcc
Install Nodejs on your system as below.
##On Debian/Ubuntu
curl -sL https://deb.nodesource.com/setup_16.x | sudo bash -
sudo apt -y install nodejs
##On RHEL/CentOS/Rocky Linux
sudo dnf module install nodejs:12
##On Arch Linux/Manjaro
sudo pacman -S nodejs npm
Install Go on Linux.
wget https://storage.googleapis.com/golang/getgo/installer_linux
Make it executable
sudo chmod +x ./installer_linux
Now install Go as below.
./installer_linux
Once complete, source the profile.
source ~/.bash_profile
Verify your installation.
$ go version
go version go1.17.5 linux/amd64
Install packr2 on Linux as below.
go install github.com/gobuffalo/packr/v2/[email protected]
Ensure that the OpenVPN server is installed.
Enable the management console as below:
$ sudo vim /etc/openvpn/server/server.conf
management 127.0.0.1 8989
Restart the OpenVPN service.
sudo systemctl restart [email protected]
Now build Ovpn-admin from source as below.
git clone https://github.com/flant/ovpn-admin.git
cd ovpn-admin
Compile the files as below.
./bootstrap.sh
./build.sh
Now start Ovpn-admin.
./ovpn-admin --easyrsa.index-path="/etc/openvpn/server/easy-rsa/pki/index.txt"
Option 3 – Install ovpn-admin using Prebuilt binary
There are also prebuilt binaries you can use to install ovpn-admin. Download the binary for your system from the GitHub release page as below.
##For i386
wget https://github.com/flant/ovpn-admin/releases/download/1.7.5/ovpn-admin-linux-386.tar.gz
##For amd64
wget https://github.com/flant/ovpn-admin/releases/download/1.7.5/ovpn-admin-linux-amd64.tar.gz
##For arm
wget https://github.com/flant/ovpn-admin/releases/download/1.7.5/ovpn-admin-linux-arm.tar.gz
##For arm64
wget https://github.com/flant/ovpn-admin/releases/download/1.7.5/ovpn-admin-linux-arm64.tar.gz
Extract the file.
sudo tar -xvzf ovpn-admin-linux-*.tar.gz
Ensure that the OpenVPN server is installed and the management console is enabled as below:
$ sudo vim /etc/openvpn/server/server.conf
management 127.0.0.1 8989
Restart the OpenVPN service.
sudo systemctl restart [email protected]
Start ovpn-admin as below.
./ovpn-admin --easyrsa.index-path="/etc/openvpn/server/easy-rsa/pki/index.txt"
In the above command, replace /etc/openvpn/server/easy-rsa/pki/index.txt with the correct path to your easyrsa index file.
Sample Output:
...
unable to load certificate" as "Jan 2 15:04:05 2006 MST": cannot parse "Can't open ./easyrsa//pki/ca.crt for reading, No such file or directory\x0a139845688382784:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('./easyrsa//pki/ca.crt','r')\x0a139845688382784:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:\x0aunable to load certificate" as "Jan"
2021/12/23 12:27:23 Bind: http://0.0.0.0:8080
.....
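The file passed as --easyrsa.index-path is the OpenSSL CA database that easy-rsa maintains. As an added example (not code from ovpn-admin or from this guide), the script below parses that format to list each certificate's state, including entries that are past their expiry date but still marked V. The function names and sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not ovpn-admin code: summarise an easy-rsa (OpenSSL CA) index.txt.
# Each line has six TAB-separated fields:
#   status (V/R/E), expiry, revocation date, serial, file name, subject DN

index_summary() {
  # $1: "now" as YYYYMMDDHHMMSSZ in UTC (defaults to the current time)
  # stdin: index.txt; stdout: "<CN> <state> <expiry as YYYY-MM-DD>"
  awk -F'\t' -v now="${1:-$(date -u +%Y%m%d%H%M%SZ)}" '
    function full(ts) {   # 13-char UTCTime has a 2-digit year; widen it to 4
      if (length(ts) == 13) return ((substr(ts, 1, 2) + 0 < 50) ? "20" : "19") ts
      return ts
    }
    NF >= 6 {
      cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
      expiry = full($2)
      if ($1 == "R")          state = "revoked"
      else if ($1 == "E")     state = "expired"
      else if (expiry < now)  state = "expired-not-marked"  # still V in the file
      else                    state = "valid"
      printf "%s %s %s-%s-%s\n", cn, state,
             substr(expiry, 1, 4), substr(expiry, 5, 2), substr(expiry, 7, 2)
    }'
}

sample_index() {   # constructed sample data, not taken from a real PKI
  printf 'V\t311221101500Z\t\t01\tunknown\t/CN=server\n'
  printf 'V\t311221102000Z\t\t02\tunknown\t/CN=alice\n'
  printf 'R\t311221103000Z\t211223122723Z\t03\tunknown\t/CN=bob\n'
  printf 'V\t211201000000Z\t\t04\tunknown\t/CN=carol\n'
}

sample_index | index_summary 20211223000000Z
# On a real server: index_summary < /etc/openvpn/server/easy-rsa/pki/index.txt
```

Comparing this listing with the users shown in the Web UI is a quick way to confirm that a revocation made there actually reached the PKI.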
More ovpn-admin arguments are listed by the --help flag:
$ ./ovpn-admin --help
Flags:
--help show context-sensitive help (try also --help-long and --help-man)
--listen.host="0.0.0.0" host for ovpn-admin
(or $OVPN_LISTEN_HOST)
--listen.port="8080" port for ovpn-admin
(or $OVPN_LISTEN_PROT)
--role="master" server role, master or slave
(or $OVPN_ROLE)
--master.host="http://127.0.0.1"
(or $OVPN_MASTER_HOST) URL for the master server
--master.basic-auth.user="" user for master server's Basic Auth
(or $OVPN_MASTER_USER)
--master.basic-auth.password=""
(or $OVPN_MASTER_PASSWORD) password for master server's Basic Auth
--master.sync-frequency=600 master host data sync frequency in seconds
(or $OVPN_MASTER_SYNC_FREQUENCY)
--master.sync-token=TOKEN master host data sync security token
(or $OVPN_MASTER_TOKEN)
--ovpn.network="172.16.100.0/24"
(or $OVPN_NETWORK) NETWORK/MASK_PREFIX for OpenVPN server
--ovpn.server=HOST:PORT:PROTOCOL ...
(or $OVPN_SERVER) HOST:PORT:PROTOCOL for OpenVPN server
can have multiple values
--ovpn.server.behindLB enable if your OpenVPN server is behind Kubernetes
(or $OVPN_LB) Service having the LoadBalancer type
--ovpn.service="openvpn-external"
(or $OVPN_LB_SERVICE) the name of Kubernetes Service having the LoadBalancer
type if your OpenVPN server is behind it
--mgmt=main=127.0.0.1:8989 ...
(or $OVPN_MGMT) ALIAS=HOST:PORT for OpenVPN server mgmt interface;
can have multiple values
--metrics.path="/metrics" URL path for exposing collected metrics
(or $OVPN_METRICS_PATH)
--easyrsa.path="./easyrsa/" path to easyrsa dir
(or $EASYRSA_PATH)
--easyrsa.index-path="./easyrsa/pki/index.txt"
(or $OVPN_INDEX_PATH) path to easyrsa index file
--ccd enable client-config-dir
(or $OVPN_CCD)
--ccd.path="./ccd" path to client-config-dir
(or $OVPN_CCD_PATH)
--templates.clientconfig-path=""
(or $OVPN_TEMPLATES_CC_PATH) path to custom client.conf.tpl
--templates.ccd-path="" path to custom ccd.tpl
(or $OVPN_TEMPLATES_CCD_PATH)
--auth.password enable additional password authorization
(or $OVPN_AUTH)
--auth.db="./easyrsa/pki/users.db"
(or $OVPN_AUTH_DB_PATH) database path for password authorization
--debug enable debug mode
(or $OVPN_DEBUG)
--verbose enable verbose mode
(or $OVPN_VERBOSE)
--version show application version
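The sample output above (Bind: http://0.0.0.0:8080) and the default --listen.host="0.0.0.0" mean the Web UI listens on every interface, and the flag list shows no option for authenticating access to the UI itself. As an added example (not part of ovpn-admin), the script below reports listeners on this guide's ports that are bound to non-loopback addresses. The function names and the ss sample are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of ovpn-admin: report listeners for this guide's
# ports that are reachable from other hosts.
#   8080 = Web UI (--listen.port default), 8989 = OpenVPN management interface
WATCH_PORTS="8080 8989"

exposed_listeners() {
  # stdin: output of `ss -H -ltn`; stdout: "<port> <address>" per exposed socket
  awk -v ports="$WATCH_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    {
      port = $4; sub(/.*:/, "", port)          # field 4 is Local Address:Port
      addr = $4; sub(/:[^:]*$/, "", addr)
      if (!(port in watch)) next
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not exposed
      print port, addr
    }'
}

sample_ss() {   # constructed sample, modelled on the port mappings shown by docker ps
  cat <<'EOF'
LISTEN 0 4096   0.0.0.0:8080  0.0.0.0:*
LISTEN 0 4096      [::]:8080     [::]:*
LISTEN 0 1    127.0.0.1:8989  0.0.0.0:*
LISTEN 0 128    0.0.0.0:22    0.0.0.0:*
EOF
}

sample_ss | exposed_listeners
# On a live host: ss -H -ltn | exposed_listeners
```

Starting ovpn-admin with --listen.host="127.0.0.1" (or $OVPN_LISTEN_HOST) and publishing the UI through an authenticating reverse proxy is one way to clear the 8080 entries.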
Use the ovpn-admin Web UI.
Once installed, access the Ovpn-admin web UI using the URL http://IP_Address:8080.
You should be able to see the below page:
On this page, the list of added users to your OpenVPN server will be displayed. You can add a new user by clicking on Add user and proceeding to provide the name as below.
A new user will be created and the config file will be available for download.
You can also revoke and un-revoke a user as shown.
Closing Thoughts.
We can all agree that this is a simple way to manage your OpenVPN server. The ovpn-admin web UI is simple and easy to use. I hope you found this guide significant.