# NexaVPN

NexaVPN is a production-oriented, self-hosted WireGuard control plane for remote access. It combines:

- A Go backend and PostgreSQL control plane
- A React admin console
- A Tauri desktop client for Windows and macOS
- WireGuard gateway and firewall policy enforcement
- Docker Compose deployment assets

## Monorepo Layout

- `docs/` architecture, schema, API, and deployment design
- `backend/` Go API, migrations, seeds, and domain services
- `admin-web/` React + Vite admin UI
- `desktop-client/` Tauri desktop client
- `deploy/` Docker Compose, reverse proxy, and gateway assets

## Phase Status

This repository contains the initial production-minded MVP scaffold:

- Phase 1: architecture, schema, API, enrollment, provisioning, gateway design
- Phase 2: backend scaffold, migrations, auth, CRUD, audit, profile generation
- Phase 3: admin UI scaffold and core pages
- Phase 4: desktop client scaffold, enrollment flow, profile provisioning abstraction
- Phase 5: deployment assets, bootstrap scripts, and hardening notes

## Quick Start

1. Copy `deploy/.env.example` to `deploy/.env`.
2. Review `docs/architecture.md` and `docs/deployment.md`.
3. Start the stack with Docker Compose from `deploy/`.
4. Open `http://localhost`.
5. On the admin login screen, choose the bootstrap flow if this is a fresh install.
6. Create the initial admin, then sign in.

## Important MVP Notes

- WireGuard remains the tunnel transport. NexaVPN is the control plane around it.
- Client private keys are generated on-device and are not stored server-side.
- Gateway-side enforcement uses nftables generated from issued policy state.
- The Tauri client is structured around embedded tunnel management. Native system WireGuard import can be added as an optional integration later.
- The current desktop client now performs real backend login and enrollment calls, but secure OS key storage and native tunnel activation are still the next hardening step.

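
The key-handling note above (client private keys are generated on-device and not stored server-side), as an added example that is not NexaVPN's own code: the device creates a Curve25519 key pair and only the public key goes into the enrollment body, which the control plane sanity-checks before storing. `EnrollRequest`, its JSON field names, `GenerateDeviceKey` and `ValidatePeerKey` are hypothetical names chosen for illustration, and the device name is a constructed sample value.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// EnrollRequest is a hypothetical enrollment body: it has no private-key field.
type EnrollRequest struct {
	DeviceName string `json:"device_name"`
	PublicKey  string `json:"public_key"`
}

// GenerateDeviceKey makes a Curve25519 pair on the device, clamped like `wg genkey`.
func GenerateDeviceKey() (priv, pub string, err error) {
	k := make([]byte, 32)
	if _, err = rand.Read(k); err != nil {
		return "", "", err
	}
	k[0] &= 248
	k[31] = (k[31] & 127) | 64
	key, err := ecdh.X25519().NewPrivateKey(k)
	if err != nil {
		return "", "", err
	}
	enc := base64.StdEncoding
	return enc.EncodeToString(k), enc.EncodeToString(key.PublicKey().Bytes()), nil
}

// ValidatePeerKey is a control-plane check: reject malformed or all-zero keys.
func ValidatePeerKey(b64 string) error {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) != 32 || bytes.Equal(raw, make([]byte, 32)) {
		return fmt.Errorf("public key must be a non-zero 32-byte base64 value")
	}
	return nil
}

func main() {
	_, pub, err := GenerateDeviceKey() // the private half stays in local storage
	if err != nil {
		panic(err)
	}
	body, _ := json.Marshal(EnrollRequest{DeviceName: "laptop-01", PublicKey: pub})
	fmt.Println(string(body), ValidatePeerKey(pub))
}
```
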
## Local Test Flow

```bash
cd deploy
cp .env.example .env
docker compose up --build
```

Then:

1. Visit `http://localhost`
2. Bootstrap the first admin account
3. Create a user or use the desktop client against `http://localhost`
4. Sign in from the NexaVPN desktop app with that user