
Devious3901/MITMVpn

 
 


MITMVpn - OpenVPN Passive Telemetry Lab

MITMVpn

Consent-only OpenVPN passive telemetry lab with a localized dashboard and one-script VPS deployment.


🇷🇺 Русский · 🇺🇸 English · 🇻🇳 Tiếng Việt · 🇨🇳 中文


MITMVpn is a roadwarrior-style lab environment for classroom demonstrations. It deploys OpenVPN, DNS capture, passive network metadata collection, and a live Apache dashboard that shows VPN client sessions, domains, app fingerprints, risks, TLS/QUIC metadata, and category-based browsing summaries.

It is built for controlled demonstrations with explicit consent. It does not decrypt HTTPS traffic.

How does this shit work?

"Create a VPN. Hand the config to a victim. The moment the victim connects, the dashboard starts lighting up: sessions, real ingress IP, DNS, sites, app fingerprints, Tor/proxy hints, browser/TLS signatures, timelines, and exports."

How Does It Work?

"You create a VPN, hand the config to the victim, they connect, and their digital footprint comes alive on screen: when they are online, where they came in from, which domains they open, which apps are noisy in the background, whether Tor/proxy/VPN is present, which browser TLS fingerprint resembles Chrome/Edge, and how activity changes along the timeline."

Project Snapshot

Area | What You Get
Deployment | One-script VPS installer for Debian/Ubuntu.
VPN | OpenVPN roadwarrior server with three generated lab clients.
Dashboard | Live Apache/PHP dashboard with auto-refresh, tables, timeline, exports, and category popups.
Telemetry | DNS visibility, Suricata EVE metadata, p0f OS hints, JA3/JA3S, QUIC/TLS fingerprints.
App Hints | Browser, messenger, cloud, media, developer tools, Tor/proxy/VPN, remote-admin and other categories.
Localization | Dashboard and project page in 🇷🇺 Russian, 🇺🇸 English, 🇻🇳 Vietnamese, 🇨🇳 Chinese.
Safety | Consent-only lab, no HTTPS payload decryption, generated secrets ignored by Git.

Quick Start

Clone the private repository on a clean Debian/Ubuntu VPS and run the roadwarrior installer:

git clone https://github.com/vektort13/MITMVpn.git
cd MITMVpn
sudo ./roadwarrior.sh

If your VPS has multiple addresses or the public IP is detected incorrectly:

sudo PUBLIC_IP=203.0.113.10 TIMEZONE=Europe/London ./roadwarrior.sh

After installation:

Item | Location
Dashboard | http://SERVER_IP/
Public student view | http://SERVER_IP/student/
Dashboard credentials | /root/openvpn-dashboard-credentials.txt
OpenVPN client profiles | /root/client-configs/files/*.ovpn

Download generated client profiles:

scp -r root@SERVER_IP:/root/client-configs/files ./client-configs

Deploy From Workstation

If the project is local and the VPS is reachable by SSH:

./deploy.sh root@SERVER_IP /path/to/private_key

Or with environment variables:

SSH_TARGET=root@SERVER_IP SSH_KEY=/path/to/private_key ./deploy.sh

Localized Dashboard

The live dashboard includes a language selector and remembers the chosen language in the browser.

Language | UI Coverage
🇷🇺 Русский | Main dashboard, controls, status messages, tables, modals, category labels.
🇺🇸 English | Main dashboard, controls, status messages, tables, modals, category labels.
🇻🇳 Tiếng Việt | Main dashboard, controls, status messages, tables, modals, category labels.
🇨🇳 中文 | Main dashboard, controls, status messages, tables, modals, category labels.

Runtime data such as raw domains, application names, JA3 hints, and detector evidence is shown as collected.

Public Student View

The installer publishes a separate read-only page for the classroom:

http://SERVER_IP/student/

Students can watch the live dashboard from their own devices and change only the interface language. Admin actions stay behind the authenticated dashboard:

  • no log clearing;
  • no DNS redirect controls;
  • no exports or reports;
  • no access to logs.php mutation endpoints.

Architecture

flowchart LR
  C1[Lab Client 1] -->|OpenVPN| VPN[OpenVPN Server]
  C2[Lab Client 2] -->|OpenVPN| VPN
  C3[Lab Client 3] -->|OpenVPN| VPN

  VPN --> DNS[dnsmasq DNS logs]
  VPN --> SUR[Suricata EVE metadata]
  VPN --> P0F[p0f OS fingerprints]
  VPN --> SESS[OpenVPN session logs]

  DNS --> DET[Passive classifier]
  SUR --> DET
  P0F --> DET
  SESS --> API[PHP API]
  DET --> API

  API --> DASH[Localized Apache Dashboard]
  DASH --> EXP[JSON / HTML exports]
  DASH --> REDIR[DNS Redirect Lab]

What The Dashboard Shows

View | Details
Client dossier | Real ingress IP, geo hints, active/offline status, session duration, traffic counters.
Sites and domains | Domain list, favicons, dwell time estimate, event source, DNS redirect controls.
Interests/categories | Clickable category chips that open a modal with all sites from that category.
Detected software | Passive app hints with confidence score and signal explanation.
Risks | Tor, proxy, VPN, remote-admin and other high-signal categories.
TLS/QUIC fingerprints | JA3/JA3S hashes, classifier hints, lab uniqueness, hit counts.
Timeline | Chronological activity stream for presentation and analysis.
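
The domain and JA3 rows above can be derived without decrypting any HTTPS payload, which is the point the lab makes about VPN operator visibility. The sketch below is an added example, not the project's passive_app_detection.py: the function names, log lines and JA3 string are constructed, and it assumes dnsmasq query logging plus Suricata EVE `tls` records with JA3 enabled.

```python
import hashlib
import json
import re
from collections import Counter, defaultdict

DNSMASQ_QUERY = re.compile(r"query\[\w+\] (\S+) from (\S+)")  # "query[A] name from ip"
# Constructed JA3 string: TLS version, ciphers, extensions, curves, point formats.
JA3_STRING = "771,4865-4866-4867,0-23-65281-10-11,29-23-24,0"

def ja3_hash(ja3_string):  # JA3 = MD5 over ClientHello parameters, no payload bytes
    return hashlib.md5(ja3_string.encode()).hexdigest()

def tls_event(src_ip, sni):  # one constructed Suricata EVE 'tls' record
    ja3 = {"string": JA3_STRING, "hash": ja3_hash(JA3_STRING)}
    return json.dumps({"event_type": "tls", "src_ip": src_ip, "tls": {"sni": sni, "ja3": ja3}})

# Constructed sample input, not captured traffic.
SAMPLE_DNSMASQ = [
    "May  4 10:15:01 dnsmasq[812]: query[A] example.org from 10.8.0.2",
    "May  4 10:15:01 dnsmasq[812]: forwarded example.org to 9.9.9.9",
    "May  4 10:15:07 dnsmasq[812]: query[AAAA] Mail.Example.net from 10.8.0.3",
]
SAMPLE_EVE = [tls_event("10.8.0.2", "example.org"), tls_event("10.8.0.2", "example.org"),
              tls_event("10.8.0.3", "cdn.example.net"), "{truncated line",
              json.dumps({"event_type": "flow", "src_ip": "10.8.0.2"})]

def observe(dnsmasq_lines, eve_lines):
    """Return {client_ip: {"domains": {name: {sources}}, "ja3": {hash: hits}}}."""
    seen = defaultdict(lambda: {"domains": defaultdict(set), "ja3": Counter()})
    for line in dnsmasq_lines:
        m = DNSMASQ_QUERY.search(line)
        if m:
            seen[m.group(2)]["domains"][m.group(1).lower().rstrip(".")].add("dns")
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or partially written lines
        if not isinstance(ev, dict) or ev.get("event_type") != "tls" or not ev.get("src_ip"):
            continue
        tls = ev.get("tls") or {}
        if tls.get("sni"):  # SNI names the site even with no matching DNS query
            seen[ev["src_ip"]]["domains"][tls["sni"].lower()].add("sni")
        if (tls.get("ja3") or {}).get("hash"):
            seen[ev["src_ip"]]["ja3"][tls["ja3"]["hash"]] += 1
    return seen

def ja3_client_counts(seen):  # distinct clients presenting each JA3 hash
    return dict(Counter(h for info in seen.values() for h in info["ja3"]))
```

In the sample, both clients present the same JA3 hash, so the fingerprint identifies the client software rather than the person, while `cdn.example.net` appears only through SNI because no DNS query for it reached the resolver.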

Components

File | Purpose
roadwarrior.sh | One-script VPS installer and orchestrator.
provision_openvpn_lab.sh | OpenVPN, dnsmasq, NAT/firewall, Apache basic auth, client config generation.
setup_passive_detection.sh | Suricata, p0f, passive classifier, controlled client port scan timer.
deploy_dashboard.sh | Installs the localized dashboard into Apache web root.
dashboard_live.php | Live localized SPA dashboard.
dashboard_api.php | JSON data feed consumed by the dashboard.
dashboard_logs.php | Export, report, log clearing, DNS redirect API.
dashboard_favicon.php | Favicon proxy/cache for domain rows.
passive_app_detection.py | Passive metadata parser and application classifier.
client_portscan.py | Controlled lab scan of connected VPN client addresses.
dns_redirect_manager.py | DNS-only redirect manager used by the dashboard.

Safety Model

This project is for controlled education and internal lab demonstrations only.

  • Use it only with explicit authorization from every participant.
  • HTTPS payloads are not decrypted.
  • DNS redirect is DNS-only and intentionally demonstrates browser certificate and HSTS limitations.
  • Generated .ovpn files, SSH keys, certificates, and dashboard credentials are excluded from Git by default.

Requirements

Requirement | Notes
OS | Debian 11/12 or Ubuntu 22.04/24.04 VPS.
Access | Root access or sudo.
Network | Public IPv4 address.
Firewall | Open inbound 80/tcp and 1194/udp.

Useful Commands

systemctl status openvpn-server@server dnsmasq apache2
systemctl status suricata-openvpn p0f-openvpn openvpn-passive-detect
journalctl -u openvpn-passive-detect -f
tail -f /var/log/openvpn/dnsmasq.log

Repository Hygiene

The repository intentionally ignores generated lab secrets and runtime artifacts:

.ssh/
client-configs/
*.ovpn
*credentials*.txt
__pycache__/
*.log

Keep generated lab secrets on the server or in a private vault, not in Git.


🇷🇺 Russian

MITMVpn sets up a teaching OpenVPN infrastructure and a web dashboard on a clean VPS to demonstrate which metadata a VPN operator can see.

Features:

  • active and completed VPN sessions;
  • the client's real ingress IP before the VPN;
  • DNS queries and domains seen through the VPN;
  • site favicons and approximate activity time per domain;
  • passive application indicators: browsers, messengers, cloud services, Tor/proxy/VPN, remote-admin and other categories;
  • p0f OS fingerprinting and JA3/JA3S TLS/QUIC fingerprints;
  • tables, timeline, live console, HTML/JSON export;
  • DNS redirect lab toggles for demonstrating the limitations of DNS-only redirect;
  • dashboard localization: 🇷🇺 RU, 🇺🇸 EN, 🇻🇳 VI, 🇨🇳 ZH.

Quick start:

git clone https://github.com/vektort13/MITMVpn.git
cd MITMVpn
sudo ./roadwarrior.sh

After installation:

  • Dashboard: http://SERVER_IP/
  • Student page: http://SERVER_IP/student/
  • Login/password: /root/openvpn-dashboard-credentials.txt
  • OpenVPN configs: /root/client-configs/files/*.ovpn

🇺🇸 English

MITMVpn provisions a teaching OpenVPN lab on a clean VPS and exposes a live dashboard for consent-based demonstrations of VPN operator visibility.

Highlights:

  • active and historical VPN sessions;
  • real ingress IP before the VPN tunnel;
  • DNS requests and domains observed through the tunnel;
  • site favicons and approximate domain dwell time;
  • passive application hints for browsers, messengers, cloud apps, Tor/proxy/VPN, remote admin tools, and other categories;
  • p0f OS fingerprints and JA3/JA3S TLS/QUIC fingerprints;
  • tables, timeline, live console, HTML/JSON exports;
  • DNS redirect lab toggles for showing DNS-only redirect limitations;
  • dashboard localization: 🇷🇺 RU, 🇺🇸 EN, 🇻🇳 VI, 🇨🇳 ZH.

Quick start:

git clone https://github.com/vektort13/MITMVpn.git
cd MITMVpn
sudo ./roadwarrior.sh

After installation:

  • Dashboard: http://SERVER_IP/
  • Public student view: http://SERVER_IP/student/
  • Credentials: /root/openvpn-dashboard-credentials.txt
  • OpenVPN profiles: /root/client-configs/files/*.ovpn

🇻🇳 Vietnamese

MITMVpn deploys an OpenVPN lab on a clean VPS and provides a live dashboard for demos conducted with the participants' consent.

Main features:

  • active VPN sessions and session history;
  • real IP before entering the VPN;
  • DNS queries and domains passing through the VPN;
  • website favicons and estimated activity duration per domain;
  • application hints from passive metadata: browsers, messaging, cloud, Tor/proxy/VPN, remote-admin and other groups;
  • OS fingerprints via p0f and JA3/JA3S TLS/QUIC fingerprints;
  • data tables, timeline, live console, HTML/JSON export;
  • DNS redirect lab to illustrate the limits of DNS-only redirection;
  • dashboard languages: 🇷🇺 RU, 🇺🇸 EN, 🇻🇳 VI, 🇨🇳 ZH.

Quick install:

git clone https://github.com/vektort13/MITMVpn.git
cd MITMVpn
sudo ./roadwarrior.sh

After installation:

  • Dashboard: http://SERVER_IP/
  • Student view page: http://SERVER_IP/student/
  • Username/password: /root/openvpn-dashboard-credentials.txt
  • OpenVPN configuration: /root/client-configs/files/*.ovpn

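🇨🇳 Chinese

MITMVpn deploys a teaching OpenVPN lab environment on a clean VPS and provides a real-time dashboard for consent-based classroom demonstrations.

Main features:

  • current and historical VPN sessions;
  • real ingress IP before the VPN;
  • DNS requests and domains seen through the VPN;
  • website favicons and estimated dwell time per domain;
  • application identification hints based on passive metadata: browsers, instant messaging, cloud services, Tor/proxy/VPN, remote administration, and others;
  • p0f OS fingerprints and JA3/JA3S TLS/QUIC fingerprints;
  • tables, timeline, real-time console, HTML/JSON export;
  • DNS redirect lab for showing the limitations of DNS-only redirection;
  • dashboard languages: 🇷🇺 RU, 🇺🇸 EN, 🇻🇳 VI, 🇨🇳 ZH.

Quick install: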

git clone https://github.com/vektort13/MITMVpn.git
cd MITMVpn
sudo ./roadwarrior.sh

After installation:

  • Dashboard: http://SERVER_IP/
  • Read-only student page: http://SERVER_IP/student/
  • Login information: /root/openvpn-dashboard-credentials.txt
  • OpenVPN configuration: /root/client-configs/files/*.ovpn

Languages

  • PHP 44.2%
  • Python 36.2%
  • Shell 19.6%