Modernize and secure the VPN gateway with WAN-aware control, containers, and docs#1
Open
ApiCentraal wants to merge 38 commits into
added 30 commits
April 24, 2026 16:44
Create and validate per-session CSRF tokens for all state-changing requests.
Centralize login checks, lockout handling, and session lifecycle helpers.
Wrap every VPN command behind one service with argument validation and exit-code enforcement.
Configure the hardened session cookie and load the shared service classes once per request.
Replace the old hardcoded login flow with the new Auth layer and current username lookup.
Use the shared bootstrap and Auth::isLoggedIn to choose between dashboard and login views.
Add POST-only access, CSRF validation, and lockout-aware login responses.
Require a valid token before clearing the session and redirecting to the login page.
Swap direct shell execution for VpnService status reads and graceful error handling.
Return dashboard data through VpnService and keep failures isolated from the UI.
Replace raw tail shell calls with Auth protection and the shared log tail helper.
Expose a CSRF-protected POST endpoint for applying the selected VPN profile.
Return the current VPN service snapshot as JSON for polling clients.
Expose the log tail as JSON with a configurable line limit.
Provide a monitoring check for the VPN binary, logs, and PHP runtime.
Render the branded header, signed-in identity chip, and CSRF-protected logout form.
Show the service state, routing mode, current profile, and IP forwarding state.
Render the selectable VPN profiles and the apply, stop, and route-local actions.
Provide the live log viewer and refresh controls used by the dashboard.
Drive status polling, log polling, and AJAX form submission from the browser.
Apply the new dark visual system and component styling for the full interface.
Compose the component-based dashboard and inject the initial API state for the client script.
Add the new login presentation and wire in the CSRF-aware form flow.
Document credential handling, sudoers requirements, TLS expectations, and hardening defaults.
Provide a repeatable end-to-end shell test for login, health, status, and logs.
Signed-off-by: Eddy-ApiCentraal <help@apicentraal.nl>
Surface WAN uplink state, public IP visibility, and LAN-only fallback behavior in the dashboard. Also update the VPN service parsing and command helper so the status view can distinguish VPN, WAN-down, and LAN-only situations cleanly.
Add the latest login and dashboard screenshots to the README so the current design is visible directly in the repository. Keep the documentation focused on the current interface while leaving the implementation changes in the previous technical commit.
Add containerization assets for the PHP VPN gateway and the inbound OpenVPN server. Include the containerization plan, Docker ignore rules, and lightweight entrypoints so the services can be built and deployed independently.
Signed-off-by: Eddy-ApiCentraal <help@apicentraal.nl>
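The per-session CSRF token, POST-only endpoint, and argument-validated command wrapper that these commits describe, as an added PHP illustration (not the project's code; the `Csrf` and `VpnService` class shapes, the `/usr/local/bin/vpnctl` path, and the sudoers rule it relies on are assumptions):

```php
<?php
// Added illustration of the pattern the commits describe; not the project's code.
// Assumed: PHP sessions are enabled and /usr/local/bin/vpnctl is the wrapped VPN binary.
final class Csrf {
    // One token per session, created lazily, compared in constant time.
    public static function token(): string {
        if (empty($_SESSION['csrf_token'])) {
            $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
        }
        return $_SESSION['csrf_token'];
    }
    public static function validate(?string $submitted): bool {
        $expected = $_SESSION['csrf_token'] ?? '';
        return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
    }
}

final class VpnService {
    // Allowlist: profile names must match this before they get anywhere near a shell.
    private const PROFILE_PATTERN = '/^[A-Za-z0-9_-]{1,64}$/';
    private const VPN_BINARY = '/usr/local/bin/vpnctl'; // assumed path

    /** @return array{ok: bool, profile: string, output: string[]} */
    public function apply(string $profile): array {
        if (!preg_match(self::PROFILE_PATTERN, $profile)) {
            throw new InvalidArgumentException('Invalid profile name');
        }
        // Every argument is quoted; sudo -n never prompts, so a missing sudoers rule fails fast.
        $cmd = 'sudo -n ' . escapeshellarg(self::VPN_BINARY) . ' apply ' . escapeshellarg($profile) . ' 2>&1';
        exec($cmd, $output, $exitCode);
        if ($exitCode !== 0) {
            // Exit-code enforcement: non-zero is a failure, never a success with noisy output.
            throw new RuntimeException("vpnctl exited with code $exitCode: " . implode("\n", $output));
        }
        return ['ok' => true, 'profile' => $profile, 'output' => $output];
    }
}

// Endpoint glue for the "apply profile" action: POST only, CSRF checked, then the validated call.
session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }
if (!Csrf::validate($_POST['csrf_token'] ?? null)) { http_response_code(403); exit; }
header('Content-Type: application/json');
try {
    echo json_encode((new VpnService())->apply((string)($_POST['profile'] ?? '')));
} catch (Throwable $e) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
}
```

The login form would embed `Csrf::token()` in a hidden field; the JSON endpoint rejects any request that lacks the matching token or uses a method other than POST before any VPN command runs.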
Owner
Oh my this is fantastic. And you prolly know that will take some time, while keeping my original system intact. But thanks for committing. Only we make open source software great.
Author
Hey Bram, thanks. And absolutely. Take your time and please keep me updated when you find any issues. Have a nice one!
Owner
added 4 commits
April 26, 2026 02:01
Add a local Docker Compose stack, setup and verification scripts, and secret-safe ignore rules.

Update README with developer/operator instructions and sanitize credential guidance.
…urity improvements
Signed-off-by: Eddy-ApiCentraal <help@apicentraal.nl>
Author
Yes, I got it working on one system with Docker containers. I added a local single-host setup where both roles run as containers on the same machine: OpenVPN server container:
What is included:
How it works:
Security/runtime notes: Local secrets/runtime files are ignored from git via .gitignore and .dockerignore.
This change set modernizes the project while keeping the original two-machine VPN design intact.
VpnService and expose JSON endpoints for action, status, logs, and health.