chore: initial project scaffold with admin web, backend, desktop client, and deployment setup

Add monorepo structure for NexaVPN WireGuard control plane including:
- .gitignore for node_modules, build artifacts, and environment files
- README with project overview, monorepo layout, and quick start guide
- Admin web UI with React, Vite, TypeScript, and nginx reverse proxy
- API client with type definitions for users, devices, policies, gateways, and audit logs
- Admin pages for dashboard, users, devices, policies, g
2026-03-15 16:32:34 +01:00
commit 830491cb0d
91 changed files with 5279 additions and 0 deletions

docs/gateway.md (new file, 69 lines)
@@ -0,0 +1,69 @@
# Gateway Enforcement Strategy
## WireGuard And Firewall Roles
- WireGuard authenticates peers and provides encrypted transport.
- nftables enforces which protected destinations a peer may reach.
- NexaVPN control plane translates policy into gateway-side rules.
## Gateway Sync Bundle
Each gateway receives a generated sync bundle that contains:
- interface settings
- peer list
- peer allowed source address
- destination policy matrix
- DNS metadata
- revision metadata
Example bundle shape:
```json
{
"gateway_id": "uuid",
"revision": 12,
"interface": {
"address": "100.96.0.1/24",
"listen_port": 51820
},
"peers": [
{
"device_id": "uuid",
"public_key": "peer-key",
"assigned_ip": "100.96.0.10/32",
"allowed_destinations": [
"172.16.10.0/24"
]
}
]
}
```
## nftables Model
Recommended model:
1. Accept WireGuard interface input.
2. Map peer source VPN IP to allowed destination CIDRs.
3. Drop traffic from VPN clients to destinations outside their effective allow list.
4. Permit full tunnel peers through explicit default-route policy.
High-level chain logic:
- traffic enters from `wg0`
- source address identifies the device
- destination is matched against generated sets
- allowed traffic is accepted
- unmatched traffic is dropped and optionally logged
## Enforcement Details
- Each device receives a unique VPN IP, which makes firewall mapping deterministic.
- The generated firewall rules are derived from the effective policy union.
- Device revocation removes both the WireGuard peer and its nftables set members.
- Full-tunnel policy expands to `0.0.0.0/0` and `::/0` when enabled in later IPv6 support.
## Multi-Gateway Readiness
The backend stores policies independently from the gateway implementation. Each gateway receives only the peers assigned to it, which keeps multi-gateway expansion straightforward later.
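Review bot: the nftables model (steps 2 and 3, and the "source address identifies the device" chain logic) keys enforcement on the peer's source VPN IP, which is only sound if WireGuard's cryptokey routing rejects inner packets whose source lies outside that peer's AllowedIPs; the doc should state explicitly that the gateway must set each peer's AllowedIPs to exactly its `assigned_ip` /32 (the "peer allowed source address" listed in the bundle contents, which the example bundle does not show as a separate field) and never a wider range, since a broader AllowedIPs would let one device emit traffic with another device's address and inherit that device's destination set. Two smaller points: "unmatched traffic is dropped and optionally logged" should be pinned down as a default-deny policy on the forward chain for packets arriving from `wg0` (e.g. `chain forward { type filter hook forward priority 0; policy drop; }`) with any logging rate-limited, rather than relying on a trailing drop rule; and the Gateway Sync Bundle section should say that a new `revision` is applied atomically (flush and reload in a single `nft -f` transaction), so a partially applied bundle never leaves a peer present in WireGuard but absent from its nftables set, which matters for the revocation guarantee in Enforcement Details.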