nessi/NexaVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3e2169f217af6a64619da182c0dec998e18e7452
NexaVPN/docs/gateway.md
nessi 830491cb0d chore: initial project scaffold with admin web, backend, desktop client, and deployment setup 
Add monorepo structure for NexaVPN WireGuard control plane including:
- .gitignore for node_modules, build artifacts, and environment files
- README with project overview, monorepo layout, and quick start guide
- Admin web UI with React, Vite, TypeScript, and nginx reverse proxy
- API client with type definitions for users, devices, policies, gateways, and audit logs
- Admin pages for dashboard, users, devices, policies, g
2026-03-15 16:32:34 +01:00

1.9 KiB
Raw Blame History

Gateway Enforcement Strategy

WireGuard And Firewall Roles

  • WireGuard authenticates peers and provides encrypted transport.
  • nftables enforces which protected destinations a peer may reach.
  • NexaVPN control plane translates policy into gateway-side rules.

Gateway Sync Bundle

Each gateway receives a generated sync bundle that contains:

  • interface settings
  • peer list
  • peer allowed source address
  • destination policy matrix
  • DNS metadata
  • revision metadata

Example bundle shape:

{
  "gateway_id": "uuid",
  "revision": 12,
  "interface": {
    "address": "100.96.0.1/24",
    "listen_port": 51820
  },
  "peers": [
    {
      "device_id": "uuid",
      "public_key": "peer-key",
      "assigned_ip": "100.96.0.10/32",
      "allowed_destinations": [
        "172.16.10.0/24"
      ]
    }
  ]
}

nftables Model

Recommended model:

  1. Accept WireGuard interface input.
  2. Map peer source VPN IP to allowed destination CIDRs.
  3. Drop traffic from VPN clients to destinations outside their effective allow list.
  4. Permit full tunnel peers through explicit default-route policy.

High-level chain logic:

  • traffic enters from wg0
  • source address identifies the device
  • destination is matched against generated sets
  • allowed traffic is accepted
  • unmatched traffic is dropped and optionally logged

Enforcement Details

  • Each device receives a unique VPN IP, which makes firewall mapping deterministic.
  • The generated firewall rules are derived from the effective policy union.
  • Device revocation removes both the WireGuard peer and its nftables set members.
  • Full-tunnel policy expands to 0.0.0.0/0 and ::/0 when enabled in later IPv6 support.

Multi-Gateway Readiness

The backend stores policies independently from the gateway implementation. Each gateway receives only the peers assigned to it, which keeps multi-gateway expansion straightforward later.

Reference in New Issue View Git Blame Copy Permalink