

A simple self-service OpenVPN infrastructure (with X.509 PKI).


The 'autovpn' Python package is bundled with 'autoca'. Once you've got the autoca/autovpn sources, just run:

$ sudo python install

from the top-level directory.


How to run the AutoVPN web application will depend on the deployment method that you choose (mod_wsgi, FastCGI, standalone HTTP server...).

In all cases though, you'll need to create a configuration file and point the application at it (for example using the VPN_APP_CONFIG environment variable). This file should define the following variables (using Python syntax):

DNS name for the VPN server (use more than one A record for crude load balancing)
The public URL for the AutoVPN web application
How many days should the generated certificates be valid for (default: 7)

A dictionary containing X.509 attributes to use as defaults for the subject of the generated certificates. For example:


The app will only set the 'CN' attribute.

There are two options for connecting to the CA. You can either connect to a remote autoca web application:

URL of the remote autoca web application
(optional) the shared secret to use for authentication

Otherwise, you can instantiate a CA that is local to the AutoVPN application itself (for simpler deployments):

Base directory for the CA storage -- keep it private!
How many bits to use for the CA RSA key (default 4096)
Dictionary with the X.509 CA subject attributes

In this latter case, the autoca web application will be available under the /ca/ URL prefix.

The VPN web application supports authentication. To enable it, define the following variables:

Set this to True to enable authentication
Set this to a function that should accept two arguments (username and password) and return a True/False result.

Authentication is not related in any way to the contents of the generated client certificate; it only controls access to the generation form itself.
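An authentication function matching the two-argument contract described above, as an added example that is not part of the autovpn sources. The names `check_credentials`, `hash_password` and `USERS`, the scrypt parameters and the sample user are assumptions made for illustration; the configuration variable the function is assigned to is not shown here.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this example).
_SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **_SCRYPT)
    return salt, digest


# Constructed sample user store: username -> (salt, digest).
USERS = {"alice": hash_password("correct horse battery staple")}

# Dummy record so that unknown usernames cost the same work as known ones
# and the response time does not reveal which usernames exist.
_DUMMY = hash_password("dummy")


def check_credentials(username, password):
    """Accept (username, password) and return True/False."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    salt, expected = USERS.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of the derived digests.
    ok = hmac.compare_digest(candidate, expected)
    # A match against the dummy record must never authenticate anyone.
    return ok and username in USERS
```

Because this check only gates the certificate generation form, anyone it accepts can obtain a client certificate, so the user store deserves the same protection as the CA storage directory.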