app.py

#!/usr/bin/env python3
"""
OpenVPN Configuration Manager for Hugging Face Spaces
Fixed version that works around container limitations
"""

import os
import json
import subprocess
import tempfile
import shutil
from pathlib import Path
import gradio as gr
import zipfile
import io
from datetime import datetime

class OpenVPNManager:
    def __init__(self):
        self.config_dir = Path("/tmp/openvpn_configs")
        self.config_dir.mkdir(exist_ok=True)
        
    def create_sample_config(self, config_type="server"):
        """Create a sample OpenVPN configuration"""
        if config_type == "server":
            return self._create_server_config()
        else:
            return self._create_client_config()
    
    def _create_server_config(self):
        """Create a sample server configuration"""
        server_config = """# OpenVPN Server Configuration
# Fixed for containerized environments

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
"""
        return server_config
    
    def _create_client_config(self):
        """Create a sample client configuration"""
        client_config = """# OpenVPN Client Configuration
# Fixed for containerized environments

client
dev tun
proto udp
remote your-server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
mute 20
"""
        return client_config
    
    def create_certificate_scripts(self):
        """Create easy-rsa scripts for certificate generation"""
        easy_rsa_script = """#!/bin/bash
# Easy-RSA Certificate Generation Script
# Fixed for Hugging Face Spaces

echo "=== OpenVPN Certificate Generator ==="
echo "This script generates certificates for OpenVPN setup"
echo

# Install easy-rsa if not present
if ! command -v easyrsa &> /dev/null; then
    echo "Installing Easy-RSA..."
    apt-get update && apt-get install -y easy-rsa
fi

# Create PKI directory structure
echo "Setting up PKI structure..."
mkdir -p /tmp/openvpn_pki/{ca,server,client}
cd /tmp/openvpn_pki

# Initialize PKI
echo "Initializing PKI..."
easyrsa init-pki

# Generate CA
echo "Generating CA certificate..."
echo "VPN-Server-CA" | easyrsa gen-req ca nopass
echo "VPN-Server-CA" | easyrsa gen-ca nopass

# Generate server certificate
echo "Generating server certificate..."
echo "server" | easyrsa gen-req server nopass
echo "yes" | easyrsa sign-req server server

# Generate Diffie-Hellman parameters
echo "Generating DH parameters (this may take a while)..."
easyrsa gen-dh

# Generate client certificate
echo "Generating client certificate..."
echo "client1" | easyrsa gen-req client1 nopass
echo "yes" | easyrsa sign-req client client1

# Copy certificates to organized structure
cp pki/ca.crt ca/
cp pki/issued/server.crt server/
cp pki/private/server.key server/
cp pki/issued/client1.crt client/
cp pki/private/client1.key client/
cp pki/dh.pem server/

echo "Certificate generation complete!"
echo "Certificates are available in /tmp/openvpn_pki/"
"""
        return easy_rsa_script
    
    def generate_firewall_rules(self, network="10.8.0.0"):
        """Generate iptables rules for OpenVPN"""
        firewall_script = f"""#!/bin/bash
# OpenVPN Firewall Rules
# Run these commands on your server

echo "Setting up firewall rules for OpenVPN..."

# Allow VPN traffic
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A FORWARD -s {network}/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# NAT for VPN clients
iptables -t nat -A POSTROUTING -s {network}/24 -o eth0 -j MASQUERADE

# Save rules (Ubuntu/Debian)
iptables-save > /etc/iptables/rules.v4

echo "Firewall rules configured successfully!"
"""
        return firewall_script
    
    def create_deployment_guide(self):
        """Create deployment instructions"""
        guide = """
# OpenVPN Deployment Guide

## Important Note for Containerized Environments

This application provides OpenVPN configuration management for environments
that may not support direct TUN device access (like Docker containers).

## Deployment Options

### Option 1: Local Deployment
For actual VPN functionality, deploy on a proper server with:
- Linux kernel with TUN support
- Root or sudo access
- Proper network configuration

### Option 2: Configuration Management
Use this application to:
- Generate OpenVPN configurations
- Create certificate requests
- Provide setup scripts
- Generate firewall rules

## Quick Start

1. **Generate Server Configuration**
   - Use the interface to create server config
   - Download the configuration files

2. **Generate Client Configuration**
   - Create client configs for users
   - Include proper server address

3. **Certificate Generation**
   - Run the provided certificate script
   - Follow the generated instructions

4. **Deployment**
   - Upload configs to your server
   - Run the setup scripts
   - Configure firewall rules

## Security Considerations

- Never expose generated certificates
- Use strong passwords for CA
- Regularly rotate certificates
- Monitor VPN access logs
- Use fail2ban for intrusion prevention

## Troubleshooting

If you encounter TUN device errors:
- Check kernel module: `lsmod | grep tun`
- Verify permissions: `ls -la /dev/net/tun`
- Ensure CAP_NET_ADMIN capability
- Consider using TUN device emulation
"""
        return guide

# Initialize the manager
vpn_manager = OpenVPNManager()

def generate_server_config():
    """Generate server configuration"""
    config = vpn_manager.create_sample_config("server")
    return config

def generate_client_config():
    """Generate client configuration"""
    config = vpn_manager.create_sample_config("client")
    return config

def generate_certificates():
    """Generate certificate scripts"""
    script = vpn_manager.create_certificate_scripts()
    return script

def generate_firewall():
    """Generate firewall rules"""
    rules = vpn_manager.generate_firewall_rules()
    return rules

def create_all_files():
    """Create a complete package with all files"""
    files = {
        "server.conf": generate_server_config(),
        "client.conf": generate_client_config(),
        "generate_certs.sh": generate_certificates(),
        "firewall_rules.sh": generate_firewall(),
        "DEPLOYMENT_GUIDE.md": vpn_manager.create_deployment_guide()
    }
    
    # Create a zip file in memory
    zip_buffer = io.BytesIO()
    with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zip_file:
        for filename, content in files.items():
            zip_file.writestr(filename, content)
    
    zip_buffer.seek(0)
    return zip_buffer.getvalue()

# Gradio Interface
def create_interface():
    with gr.Blocks(title="OpenVPN Configuration Manager", theme=gr.themes.Soft()) as interface:
        gr.Markdown("# 🔒 OpenVPN Configuration Manager")
        gr.Markdown("### Fixed version for Hugging Face Spaces - Container-compatible")
        
        with gr.Tab("📄 Generate Configurations"):
            with gr.Row():
                server_btn = gr.Button("Generate Server Config", variant="primary")
                client_btn = gr.Button("Generate Client Config", variant="secondary")
            
            server_config = gr.Textbox(label="Server Configuration", lines=15, max_lines=20)
            client_config = gr.Textbox(label="Client Configuration", lines=15, max_lines=20)
            
            server_btn.click(fn=generate_server_config, outputs=server_config)
            client_btn.click(fn=generate_client_config, outputs=client_config)
        
        with gr.Tab("🛡️ Security Setup"):
            with gr.Row():
                cert_btn = gr.Button("Generate Certificate Scripts", variant="primary")
                firewall_btn = gr.Button("Generate Firewall Rules", variant="secondary")
            
            cert_script = gr.Textbox(label="Certificate Generation Script", lines=20, max_lines=25)
            firewall_rules = gr.Textbox(label="Firewall Rules", lines=15, max_lines=20)
            
            cert_btn.click(fn=generate_certificates, outputs=cert_script)
            firewall_btn.click(fn=generate_firewall, outputs=firewall_rules)
        
        with gr.Tab("📦 Download Package"):
            gr.Markdown("Download all configuration files and scripts as a zip package")
            download_btn = gr.Button("Create Complete Package", variant="primary")
            download_file = gr.File(label="Download All Files")
            
            download_btn.click(
                fn=create_all_files,
                outputs=download_file
            )
        
        with gr.Tab("ℹ️ Instructions"):
            gr.Markdown(vpn_manager.create_deployment_guide())
    
    return interface

# Main function
if __name__ == "__main__":
    interface = create_interface()
    interface.launch(
        server_name="0.0.0.0",
        server_port=7860,
        share=False,
        show_error=True
    )