AccessCore is an OpenVPN access control plane for teams.
It gives you a single place to request access, approve users, issue and revoke client certificates, manage CCD-based routing, deliver VPN profiles, and audit what changed.
AccessCore sits between your identity system, your administrators, and your OpenVPN servers.
It is built for teams that still run OpenVPN and want something better than:
- manual certificate scripts
- spreadsheets for access review
- ad hoc CCD updates on servers
- scattered onboarding docs
- weak audit visibility
AccessCore is a good fit for:
- internal IT and platform teams managing OpenVPN access
- environments with approval workflows, MFA, and audit requirements
- teams that need group-based routing and CCD sync
- organizations that want Google, OIDC, or LDAP-backed sign-in in front of OpenVPN operations
It is not a fit for:
- WireGuard environments
- mesh VPN products like Tailscale or ZeroTier
- teams looking for a generic ZTNA platform today
- one-off personal VPN setups
- Request and approve access. Users request VPN access, reviewers approve it, and the user gets a clean My VPN path to download the right profile.
- Manage certificate lifecycle. Admins can generate, revoke, and regenerate client certificates without dropping into server-only tooling.
- Control routing and CCD delivery. Groups, CIDR policies, CCD sync, and drift checks stay visible in the same portal.
- Audit access and operations. MFA, access changes, provisioning, downloads, and server operations are logged and reviewable.
| Area | Included |
|---|---|
| Access workflows | Access requests, approval queue, viewer/admin roles, pending approval states |
| Identity | Credentials, Google OAuth, generic OIDC SSO, optional LDAP |
| Security | TOTP MFA, server-side session revocation, audit trails |
| VPN lifecycle | User creation, certificate generation, revocation, regeneration, deletion |
| Policy | Groups, CIDR-based routing, CCD generation, push, drift detection |
| Operations | Dashboard, analytics, flags, sync history, live server actions |
| Transport | SSH, AWS SSM, AccessCore agent |
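
The CCD generation and drift detection listed in the Policy row, sketched as an added TypeScript example. This is not AccessCore's own code: the function names and the choice to render each group CIDR as a `push "route ..."` line in a client-config-dir file are assumptions made for illustration.

```typescript
// Added illustration, not AccessCore source. All names here are hypothetical.
type Drift = { missing: string[]; unexpected: string[] };

// "10.20.0.0/16" -> "10.20.0.0 255.255.0.0", the form OpenVPN route directives take.
function cidrToRoute(cidr: string): string {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr.trim());
  if (!m) throw new Error("invalid CIDR: " + cidr);
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (prefix > 32 || octets.some((o) => o > 255)) throw new Error("invalid CIDR: " + cidr);
  const addr = octets.reduce((acc, o) => acc * 256 + o, 0);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  // Refuse host bits (10.20.1.5/16): a policy typo should fail loudly, not widen a route.
  if (((addr & mask) >>> 0) !== addr) throw new Error("host bits set in " + cidr);
  const dotted = (n: number) => [24, 16, 8, 0].map((s) => (n >>> s) & 255).join(".");
  return dotted(addr) + " " + dotted(mask);
}

// Desired CCD lines for one client, from the CIDRs its groups grant (deduplicated, sorted).
function renderCcd(cidrs: string[]): string[] {
  return cidrs.map(cidrToRoute)
    .filter((r, i, all) => all.indexOf(r) === i)
    .sort()
    .map((r) => 'push "route ' + r + '"');
}

// Normalise a deployed CCD file: drop blank and comment lines, collapse whitespace.
function parseCcd(text: string): string[] {
  return text.split(/\r?\n/)
    .map((l) => l.trim().replace(/\s+/g, " "))
    .filter((l) => l !== "" && !/^[#;]/.test(l));
}

// Compare desired state with what is on the server. "unexpected" lines are the
// security-relevant ones: directives present on the VPN server that no policy approved.
function detectDrift(desired: string[], deployedText: string): Drift {
  const deployed = parseCcd(deployedText);
  return {
    missing: desired.filter((d) => deployed.indexOf(d) === -1),
    unexpected: deployed.filter((d) => desired.indexOf(d) === -1),
  };
}

// Constructed sample: the 10.99.0.0/16 route was added by hand on the server.
const sampleDeployed = '# managed file\npush "route 10.20.0.0   255.255.0.0"\npush "route 10.99.0.0 255.255.0.0"\n';
const sampleDrift = detectDrift(renderCcd(["10.20.0.0/16", "10.30.4.0/24", "10.20.0.0/16"]), sampleDeployed);
```
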
- It is focused on OpenVPN instead of trying to be a generic networking platform.
- It combines end-user access flows and operator tooling in one product.
- It treats certificate lifecycle, CCD state, and approval workflows as first-class product concepts.
- It is designed to work with existing identity systems instead of replacing them.
AccessCore is in active development.
Today, it is best described as:
- production-minded
- OpenVPN-only
- suitable for self-hosted evaluation and internal use
- still maturing as a public open-source product
```mermaid
flowchart LR
    Browser --> NextJS["Next.js App"]
    NextJS --> PostgreSQL
    NextJS -->|"SSH / SSM / Agent"| VPN["OpenVPN Servers"]
    NextJS -->|"Admin SDK"| Google["Google Workspace"]
```
See Docs Index for detailed diagrams and deployment guides.
```bash
npm install
cp .env.example .env
npm run docker:up
export SEED_ADMIN_EMAIL="admin@local.test"
export SEED_ADMIN_PASSWORD="change-this-demo-password"
npm run db:migrate
npm run db:seed
npm run dev
```
Open http://localhost:3000 and sign in with the seeded admin account.
Screenshots (images not reproduced here): Login, Dashboard, Groups, Group Management, User Creation, Settings.
| Document | Purpose |
|---|---|
| Getting Started | Local setup, configuration, deployment basics |
| Docs Index | Diagrams, guides, screenshots, security docs |
| Roadmap | Product direction, positioning, naming, OSS maturity plan |
| Security Policy | How to report vulnerabilities |
```
src/
├── app/
│   ├── (dashboard)/      # Protected app pages
│   ├── api/              # API routes
│   ├── login/            # Login and sign-in
│   ├── mfa/              # MFA setup and verification
│   └── request-access/   # Self-service access request flow
├── components/           # Layout and UI components
└── lib/                  # Auth, RBAC, transport, cert, CCD, sync services
```
The repository already includes:
- MIT license
- contribution guide
- security policy
- CI for lint, typecheck, test, and build
MIT. See LICENSE.





