Kandru/vpnplane

Important

Disclosure: this project was created with the help of AI. I use this for myself in production and it might help you as well. I needed an alternative to a big OPNsense box because all I want to do is interconnect WireGuard and IPsec tunnels.

vpnplane

vpnplane is a simple, file-based VPN manager for Ubuntu servers.

You define tunnels and routes in YAML, then run one command to apply everything.

It is intended to run on a small virtual server with Ubuntu 24.04 or newer; hence it (currently) needs root permissions to work. Migrating to Docker is on my road map. Do not run anything else on the VM, to avoid potential network conflicts. It's okay to have ufw allowing SSH.

A Short Story

My home and lab setup grew over time: multiple Fritz!Box locations, a few OPNsense firewalls, and roadwarrior clients (smartphone, laptop, tablet) that need secure access while traveling.

I wanted one repeatable workflow instead of hand-editing firewall and tunnel configs on each box. vpnplane is that workflow: keep everything in config files, validate, apply, and re-apply safely whenever something changes.

What It Does

  • Manages WireGuard and IPsec tunnels
  • Manages explicit route/firewall rules between networks
  • Supports roadwarrior internet egress through the host with automatic NAT (IPv4 and IPv6)
  • Keeps setup idempotent (safe to run apply again)
  • Supports interactive commands for tunnels and routes

Requirements

  • Ubuntu 22.04 or 24.04
  • Python 3.11+

sudo apt install -y wireguard wireguard-tools iptables nftables iproute2 python3 python3-pip
# Optional for IPsec:
sudo apt install -y strongswan strongswan-swanctl

Installation

Quick install (downloads install.sh from the main branch and runs it as root):

curl -fsSL https://raw.githubusercontent.com/Kandru/vpnplane/main/install.sh | sudo bash

Manual install (clones the repository first, so install.sh can be read before it runs as root):

git clone https://github.com/Kandru/vpnplane.git
cd vpnplane
sudo bash install.sh

Quick Start

  1. Initialize settings:
sudo vpnplane init
  2. Add tunnels:
sudo vpnplane tunnel add
  3. Add routes:
sudo vpnplane route add
  4. Validate config:
vpnplane check
  5. Apply config:
sudo vpnplane apply
  6. Check status:
sudo vpnplane status

Update Guide

sudo bash /opt/vpnplane/install.sh

After updating, validate and apply again:

vpnplane check
sudo vpnplane apply

Removal Guide

sudo bash /opt/vpnplane/uninstall.sh

This removes the installed vpnplane files from the target system.

A note on Fritz!Box WireGuard behaviour for site-to-site VPNs

I've encountered unexpected behavior with the Fritz!Box WireGuard implementation that differs from OPNsense. To establish a site-to-site VPN, you need to set the WireGuard tunnel interface to the same IP address as the Fritz!Box's primary interface. For example, if your Fritz!Box uses 192.168.178.1/24, the WireGuard tunnel must use this address as well. Without this configuration, the Fritz!Box will apply Network Address Translation (NAT) behavior.
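
A preflight check for the rule described above, as an added example that is not part of the vpnplane project: it reads a WireGuard config in the standard wg-quick format and compares the [Interface] Address with the Fritz!Box's primary interface address. The function names, the sample configs and the choice to compare the prefix length as well are assumptions of this example.

```python
import ipaddress

def interface_addresses(conf_text):
    """Return the [Interface] Address entries (comma-separated, IPv4/IPv6)."""
    section, found = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "interface" and key.strip().lower() == "address":
            found += [ipaddress.ip_interface(v.strip())
                      for v in value.split(",") if v.strip()]
    return found

def tunnel_status(conf_text, fritzbox_lan):
    """Compare the tunnel address with the Fritz!Box primary interface address.

    Returns "match", "prefix-differs", "mismatch" or "no-address".
    Assumption of this example: the prefix length has to match as well.
    """
    lan = ipaddress.ip_interface(fritzbox_lan)
    addrs = [a for a in interface_addresses(conf_text) if a.version == lan.version]
    if not addrs:
        return "no-address"
    if lan in addrs:
        return "match"
    if any(a.ip == lan.ip for a in addrs):
        return "prefix-differs"
    return "mismatch"

# Constructed sample configs; keys and endpoint are placeholders.
GOOD_CONF = """\
[Interface]
PrivateKey = <placeholder>
Address = 192.168.178.1/24, fd00:10::1/64

[Peer]
PublicKey = <placeholder>
AllowedIPs = 10.10.0.0/24
Endpoint = vpn.example.net:51820
"""
BAD_CONF = GOOD_CONF.replace("192.168.178.1/24", "10.10.0.2/24")

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, tunnel_status(conf, "192.168.178.1/24"))
```

A "mismatch" result marks the configuration in which, per the note above, the Fritz!Box applies NAT.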

License

GPL-3.0 - see LICENSE

About

VPNPlane - a zero-trust solution to interconnect WireGuard and other tunnels
