#!/usr/bin/env python3 """ OpenVPN Configuration Manager for Hugging Face Spaces Fixed version that works around container limitations """ import os import json import subprocess import tempfile import shutil from pathlib import Path import gradio as gr import zipfile import io from datetime import datetime class OpenVPNManager: def __init__(self): self.config_dir = Path("/tmp/openvpn_configs") self.config_dir.mkdir(exist_ok=True) def create_sample_config(self, config_type="server"): """Create a sample OpenVPN configuration""" if config_type == "server": return self._create_server_config() else: return self._create_client_config() def _create_server_config(self): """Create a sample server configuration""" server_config = """# OpenVPN Server Configuration # Fixed for containerized environments port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo persist-key persist-tun status openvpn-status.log verb 3 mute 20 """ return server_config def _create_client_config(self): """Create a sample client configuration""" client_config = """# OpenVPN Client Configuration # Fixed for containerized environments client dev tun proto udp remote your-server.com 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client.crt key client.key ns-cert-type server comp-lzo verb 3 mute 20 """ return client_config def create_certificate_scripts(self): """Create easy-rsa scripts for certificate generation""" easy_rsa_script = """#!/bin/bash # Easy-RSA Certificate Generation Script # Fixed for Hugging Face Spaces echo "=== OpenVPN Certificate Generator ===" echo "This script generates certificates for OpenVPN setup" echo # Install easy-rsa if not present if ! command -v easyrsa &> /dev/null; then echo "Installing Easy-RSA..." apt-get update && apt-get install -y easy-rsa fi # Create PKI directory structure echo "Setting up PKI structure..." mkdir -p /tmp/openvpn_pki/{ca,server,client} cd /tmp/openvpn_pki # Initialize PKI echo "Initializing PKI..." easyrsa init-pki # Generate CA echo "Generating CA certificate..." echo "VPN-Server-CA" | easyrsa gen-req ca nopass echo "VPN-Server-CA" | easyrsa gen-ca nopass # Generate server certificate echo "Generating server certificate..." echo "server" | easyrsa gen-req server nopass echo "yes" | easyrsa sign-req server server # Generate Diffie-Hellman parameters echo "Generating DH parameters (this may take a while)..." easyrsa gen-dh # Generate client certificate echo "Generating client certificate..." echo "client1" | easyrsa gen-req client1 nopass echo "yes" | easyrsa sign-req client client1 # Copy certificates to organized structure cp pki/ca.crt ca/ cp pki/issued/server.crt server/ cp pki/private/server.key server/ cp pki/issued/client1.crt client/ cp pki/private/client1.key client/ cp pki/dh.pem server/ echo "Certificate generation complete!" echo "Certificates are available in /tmp/openvpn_pki/" """ return easy_rsa_script def generate_firewall_rules(self, network="10.8.0.0"): """Generate iptables rules for OpenVPN""" firewall_script = f"""#!/bin/bash # OpenVPN Firewall Rules # Run these commands on your server echo "Setting up firewall rules for OpenVPN..." # Allow VPN traffic iptables -A INPUT -p udp --dport 1194 -j ACCEPT iptables -A FORWARD -s {network}/24 -j ACCEPT iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # Enable IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # NAT for VPN clients iptables -t nat -A POSTROUTING -s {network}/24 -o eth0 -j MASQUERADE # Save rules (Ubuntu/Debian) iptables-save > /etc/iptables/rules.v4 echo "Firewall rules configured successfully!" """ return firewall_script def create_deployment_guide(self): """Create deployment instructions""" guide = """ # OpenVPN Deployment Guide ## Important Note for Containerized Environments This application provides OpenVPN configuration management for environments that may not support direct TUN device access (like Docker containers). ## Deployment Options ### Option 1: Local Deployment For actual VPN functionality, deploy on a proper server with: - Linux kernel with TUN support - Root or sudo access - Proper network configuration ### Option 2: Configuration Management Use this application to: - Generate OpenVPN configurations - Create certificate requests - Provide setup scripts - Generate firewall rules ## Quick Start 1. **Generate Server Configuration** - Use the interface to create server config - Download the configuration files 2. **Generate Client Configuration** - Create client configs for users - Include proper server address 3. **Certificate Generation** - Run the provided certificate script - Follow the generated instructions 4. **Deployment** - Upload configs to your server - Run the setup scripts - Configure firewall rules ## Security Considerations - Never expose generated certificates - Use strong passwords for CA - Regularly rotate certificates - Monitor VPN access logs - Use fail2ban for intrusion prevention ## Troubleshooting If you encounter TUN device errors: - Check kernel module: `lsmod | grep tun` - Verify permissions: `ls -la /dev/net/tun` - Ensure CAP_NET_ADMIN capability - Consider using TUN device emulation """ return guide # Initialize the manager vpn_manager = OpenVPNManager() def generate_server_config(): """Generate server configuration""" config = vpn_manager.create_sample_config("server") return config def generate_client_config(): """Generate client configuration""" config = vpn_manager.create_sample_config("client") return config def generate_certificates(): """Generate certificate scripts""" script = vpn_manager.create_certificate_scripts() return script def generate_firewall(): """Generate firewall rules""" rules = vpn_manager.generate_firewall_rules() return rules def create_all_files(): """Create a complete package with all files""" files = { "server.conf": generate_server_config(), "client.conf": generate_client_config(), "generate_certs.sh": generate_certificates(), "firewall_rules.sh": generate_firewall(), "DEPLOYMENT_GUIDE.md": vpn_manager.create_deployment_guide() } # Create a zip file in memory zip_buffer = io.BytesIO() with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zip_file: for filename, content in files.items(): zip_file.writestr(filename, content) zip_buffer.seek(0) return zip_buffer.getvalue() # Gradio Interface def create_interface(): with gr.Blocks(title="OpenVPN Configuration Manager", theme=gr.themes.Soft()) as interface: gr.Markdown("# 🔒 OpenVPN Configuration Manager") gr.Markdown("### Fixed version for Hugging Face Spaces - Container-compatible") with gr.Tab("📄 Generate Configurations"): with gr.Row(): server_btn = gr.Button("Generate Server Config", variant="primary") client_btn = gr.Button("Generate Client Config", variant="secondary") server_config = gr.Textbox(label="Server Configuration", lines=15, max_lines=20) client_config = gr.Textbox(label="Client Configuration", lines=15, max_lines=20) server_btn.click(fn=generate_server_config, outputs=server_config) client_btn.click(fn=generate_client_config, outputs=client_config) with gr.Tab("🛡ī¸ Security Setup"): with gr.Row(): cert_btn = gr.Button("Generate Certificate Scripts", variant="primary") firewall_btn = gr.Button("Generate Firewall Rules", variant="secondary") cert_script = gr.Textbox(label="Certificate Generation Script", lines=20, max_lines=25) firewall_rules = gr.Textbox(label="Firewall Rules", lines=15, max_lines=20) cert_btn.click(fn=generate_certificates, outputs=cert_script) firewall_btn.click(fn=generate_firewall, outputs=firewall_rules) with gr.Tab("đŸ“Ļ Download Package"): gr.Markdown("Download all configuration files and scripts as a zip package") download_btn = gr.Button("Create Complete Package", variant="primary") download_file = gr.File(label="Download All Files") download_btn.click( fn=create_all_files, outputs=download_file ) with gr.Tab("ℹī¸ Instructions"): gr.Markdown(vpn_manager.create_deployment_guide()) return interface # Main function if __name__ == "__main__": interface = create_interface() interface.launch( server_name="0.0.0.0", server_port=7860, share=False, show_error=True )