nessi/NexaVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add comprehensive architecture diagram to README with component flow visualization

Browse Source 
Add ASCII architecture diagram showing NexaVPN system components and data flow. Document reverse-proxy ingress, public-web frontend, backend control plane, postgres database, gateway WireGuard interface, vpn-dns service, and access-proxy enforcement layer.

Include desktop client flow diagram showing login, profile sync, WireGuard connection, split-tunnel routing, and service-domain access through DNS override
This commit is contained in:
Sascha Nesterovic
2026-03-20 09:05:01 +01:00
parent 784971f111
commit 60bca85e27
1 changed files with 100 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
README.md
View File

@@ -17,6 +17,106 @@ It combines:
- `desktop-client/` Tauri desktop client
- `deploy/` Docker Compose, reverse proxy, and gateway assets
## Architecture Overview
```text
NexaVPN Architecture
┌──────────────────────────────┐
│ Internet / WAN │
└──────────────┬───────────────┘
│ HTTPS + WireGuard
┌───────────────────────┴────────────────────────┐
│ │
│ Public entry on NexaVPN host │
│ │
│ ┌──────────────────────────────────────────┐ │
│ │ reverse-proxy (nginx / public ingress) │ │
│ │ - admin-vpn.nesterovic.cc │ │
│ │ - vpn.nesterovic.cc │ │
│ └───────────────┬──────────────────────────┘ │
│ │ │
│ HTTP/HTTPS│ │
│ │ │
│ ┌───────────────▼──────────────┐ │
│ │ public-web │ │
│ │ static frontend + /api │ │
│ └───────────────┬──────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────┐ │
│ │ backend (Go control plane) │ │
│ │ - auth / users / devices / policies │ │
│ │ - gateway sync bundle │ │
│ │ - service catalog + dns override API │ │
│ └───────────────┬──────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────┐ │
│ │ postgres │ │
│ │ - users / groups / policies / devices │ │
│ │ - wireguard peers / ip allocations │ │
│ │ - service definitions / runtime stats │ │
│ └──────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────┐ │
│ │ gateway │ │
│ │ - wg0 │ │
│ │ - syncs peer state from backend │ │
│ │ - renders nftables policy │ │
│ │ - enforces split tunnel / service ACLs │ │
│ └───────────────┬──────────────────────────┘ │
│ │ │
│ │ VPN client traffic │
│ ▼ │
│ ┌──────────────────────────────────────────┐ │
│ │ vpn-dns │ │
│ │ - upstream: internal DNS servers │ │
│ │ - overrides service domains │ │
│ │ to NexaVPN access-proxy IP │ │
│ └───────────────┬──────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────┐ │
│ │ access-proxy │ │
│ │ - checks source VPN IP │ │
│ │ - checks Host / TLS SNI │ │
│ │ - forwards only allowed services │ │
│ └───────────────┬──────────────────────────┘ │
└──────────────────┼─────────────────────────────┘
┌──────────────────────────────┐
│ Internal LAN / service tier │
│ - Zoraxy / reverse proxies │
│ - Jellyfin / PVE / apps │
│ - DNS servers │
└──────────────────────────────┘
Desktop flow
NexaVPN desktop client
├─ login / sync profile ─────────────► backend
├─ gets WireGuard profile + DNS ─────► backend
├─ connects WireGuard tunnel ────────► gateway:51900/udp
├─ normal split-tunnel CIDR traffic ─► internal LAN targets
└─ service-domain traffic
nesflix.cc
├─ DNS query ─────────────────► vpn-dns
├─ override answer ───────────► access-proxy IP
├─ HTTPS with Host/SNI ───────► access-proxy
└─ forwarded if policy allows ► Zoraxy / upstream service
```
## Phase Status
This repository contains the initial production-minded MVP scaffold: