nessi/NexaVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
420dde247e91daf6f36351cb8573fd2b567595c2
NexaVPN/docs/gateway.md
nessi 830491cb0d chore: initial project scaffold with admin web, backend, desktop client, and deployment setup 
Add monorepo structure for NexaVPN WireGuard control plane including:
- .gitignore for node_modules, build artifacts, and environment files
- README with project overview, monorepo layout, and quick start guide
- Admin web UI with React, Vite, TypeScript, and nginx reverse proxy
- API client with type definitions for users, devices, policies, gateways, and audit logs
- Admin pages for dashboard, users, devices, policies, g
2026-03-15 16:32:34 +01:00

70 lines
1.9 KiB
Markdown
Raw Blame History

# Gateway Enforcement Strategy
## WireGuard And Firewall Roles
- WireGuard authenticates peers and provides encrypted transport.
- nftables enforces which protected destinations a peer may reach.
- NexaVPN control plane translates policy into gateway-side rules.
## Gateway Sync Bundle
Each gateway receives a generated sync bundle that contains:
- interface settings
- peer list
- peer allowed source address
- destination policy matrix
- DNS metadata
- revision metadata
Example bundle shape:
```json
{
"gateway_id": "uuid",
"revision": 12,
"interface": {
"address": "100.96.0.1/24",
"listen_port": 51820
},
"peers": [
{
"device_id": "uuid",
"public_key": "peer-key",
"assigned_ip": "100.96.0.10/32",
"allowed_destinations": [
"172.16.10.0/24"
]
}
]
}
```
## nftables Model
Recommended model:
1. Accept WireGuard interface input.
2. Map peer source VPN IP to allowed destination CIDRs.
3. Drop traffic from VPN clients to destinations outside their effective allow list.
4. Permit full tunnel peers through explicit default-route policy.
High-level chain logic:
- traffic enters from `wg0`
- source address identifies the device
- destination is matched against generated sets
- allowed traffic is accepted
- unmatched traffic is dropped and optionally logged
## Enforcement Details
- Each device receives a unique VPN IP, which makes firewall mapping deterministic.
- The generated firewall rules are derived from the effective policy union.
- Device revocation removes both the WireGuard peer and its nftables set members.
- Full-tunnel policy expands to `0.0.0.0/0` and `::/0` when enabled in later IPv6 support.
## Multi-Gateway Readiness
The backend stores policies independently from the gateway implementation. Each gateway receives only the peers assigned to it, which keeps multi-gateway expansion straightforward later.
Reference in New Issue View Git Blame Copy Permalink