VPN Service Provider Addon+Server WHMCS Module :: Seeking Ideas/Feedback

[vpntech]

Hello, I am preparing to release a WHMCS Addon and Server module which automates realtime configuration and management of secure CentOS7 OpenVPN servers, and I am looking for input on my ideas and additional features which would be required to operate a VPN Service Provider using WHMCS.  The module makes it very easy for a VPN Service provider to manage a network of VPN Servers and WHMCS Clients to utilize the VPN service. 

Here are some screenshots outlining some of the features I have implemented:

Addon Module

Manage VPN Servers:

VPN Server Background Processor Task Reporting:

Configure VPN Server -> OpenVPN Configuration

Configure VPN Server -> Software Version Selection:

Configure VPN Server -> SSL Configuration with Automatic Acquisition from Let's Encrypt:

Addon Module Configuration -> VPN Server Normalization Intervals:

Addon Module Configuration -> VPN Server Networking Defaults:

Realtime reporting of Automated VPN Server reconfiguration with extensive Ansible Playbooks:

 

Server Module

Administrative Client Service Configuration:

Client UI Configuration:

Client UI VPN Usage Reporting:

Client UI VPN Client Software Downloads:

[m107]

Hi, is it ready? Your website is not up to date.

[vpntech]

Thank you for the post. It is not ready yet. I am working with some parties I met on this community to integrate required business logic. I'll update you once we are ready to rock.

 

[m107]

Great. Can you use other VPN methods such as Anyconnect?

[vpntech]

Currently only OpenVPN is configured on the VPN servers. The next software to be integrated will be openswan or libreswan which provides native ipsec/ike2. I will research Anyconnect, thank you for the suggestion. 

[Superjedi]

Would it be possible to Create a wireguard version ?

 

[vpntech]

Thank you for the feedback. Since the last post on this community, the following additional VPN connection methods are now supported:

• IKE2 with per client client certificates with many adjustable options such as MOBIKE
• IPSec/XAuth with preshared key and per client user/pass authentication
• Cisco Anyconnect with per client user/pass authentication with many adjustable options related to reauth, mtu discovery, idle timeout, buffering, roaming
• Wireguard with per client key authentication

Each of these connection methods can be adjusted globally, at the vpn server level, at the whmcs package level, and at the whmcs service level. This allows the service provider to implement the business logic any way they wish. Each vpn connection method supports adjustable split tunnel and dns path modes. All of the vpn server configurations are transparent to the whmcs administrator and each vpn service is tightly monitored at the socket and authenticated level with integrated local and remote nagios servers.

The work is ongoing.

[Superjedi]

When will the wireguard version be ready for beta production to download and operate ?

[vpntech]

Hi. Adding the additional VPN Server connection options has added complexity to the user management, bandwidth accounting, bandwidth limiting, Client UI, package and server defaults. I do not have a date for you right now. 

 

[Superjedi]

Great. Would it be ready within 3 months ? Or more like around 1 more year? I would be more than happy to be an early beta tester.

[vpntech]

Hello, our project plan has a beta release in 4-5 months. I will reach out to you for the beta, thank you very much for the offer. 

[Superjedi]

I am currently using shadowsocksr and v2ray in my service as there are whmcs plugins  for multiuser management similar to your project. U should check out those open sourced plugins as they work quite well. Their design and structure may help u shorten building time.

[m107]

On 12/5/2018 at 11:28 PM, vpntech said:

Hello, our project plan has a beta release in 4-5 months. I will reach out to you for the beta, thank you very much for the offer. 

Did you consider anyway for filtering or reports? For example what if a server received abuse, is there any way to find the user(s) connected at that time? How to block that ip/website/protocol? Or blocking torrents for example, anyway?

[Moti]

It would be much appreciated if you please let me know how we can download this module.

[tariqkhatri]

When is this going to be available ?

[wilky2005]

Will this module support radius authentication to work with open vpn?

[vpntech]

Hello,

 

>Radius Support?

Currently Radius is not supported but I have considered this. Can you tell me more about how it would help you? Are you looking to integrate with an external radius server, interested in each vpn node running its own radius server, or setting up a central radius server which the vpn nodes authenticate against? The way the module works is WHMCS services is the source of truth database for user authentication, and that criteria is published to the vpn nodes on a configurable schedule and based on server/service change events. Each vpn node has its own user database for user/password and certificate based authentication via a private certificate authority. 

> Filtering? Blocking torrents for example, anyway?

A feature like this is likely outside the module scope. I think the best way to handle this would be to support the admin configuring a global and per-server iptables firewall script. You can then implement any type of filtering on your vpn server nat/outgoing interface. Does this sound like it might accomplish what you are looking for? Really it is not trivial to block torrents, the protocol was designed to evade exactly this. Probably there are some advanced iptables modules you can load and filter traffic on your nat interface, or some type of deep packet inspection device could be used. 

> Reports? For example what if a server received abuse, is there any way to find the user(s) connected at that time? How to block that ip/website/protocol?

To support this, the vpn nodes would have to log every tcp session. It would be quite a large database, but it certainly is possible. The vpn nodes are provisioned with tools that allow the admin to view per-client traffic in realtime. The tool which would be perfect for what you are asking is pmacct and logging the data to a sql session table.  Would you want this enabled for all users by default? How long would you want the data to hang around for?

The module is still under development. Send me any more ideas, I have gathered nearly all of the features below based on feedback from VPN Service Providers who are testing an early release. Recent progress is as follows:

• Ability to associate WHMCS Server Groups with module

• Ability to associate module WHMCS Server Groups with Product/Service Profile: 

• Ability to associate Client Services with module WHMCS Server Groups:

• Default Private Key SSH Key for authenticating to / provisioning new vpn servers:

• When adding new VPN Server to WHMCS associated with the module, realtime feedback on provisioning process immediately after the server profile is added using xterm.js:

• VPN Node Synchronization / Provisioning background processor rewritten in Python with auto dependency installer using pip:

•  Added User/Pass-Authenticated Squid Proxy Service:

• Added SOCKS5 Proxy Service

• Added optional JSON API for integrating WHMCS VPN connection information with 3rd party or custom vpn clients. Supports fetching vpn connection protocols for a given user and fetching configs/information necessary to connect to a given vpn protocol using whmcs service authentication info. 
• Developing OSX BitBar plugin for examples on how to integrate custom VPN client with JSON API

• Added Diagnostics menu for running many utilities and viewing log files and service status in realtime using xterm.js and socket.io+websocket:

 

• Developing Certificate based GIT module update mechanism

[Superjedi]

Is the module ready for beta testing soon ? 

[NobodyReally]

I am also interested in testing this ASAP. Will only be using the WireGuard portion of it.

[Superjedi]

Most vpn providers provide vpn based on geographical locations e.g. UK, USA , Japan , France etc so users don't select each node within each country themselves e.g. there may be 20 nodes in USA , 5 nodes in Japan.  Users only select the location and they don't actually see all 25 nodes.  How will whmcs addon allocate  the users among the nodes in each country ? 

I ask this question because my current whmcs add-on gives  a list of  nodes to be chosen by the user e.g. he has to select node 10 in USA or node 2 in Japan and if node 10 in USA is overloaded and slow , he will have to try node 7 in USA or node 11 in USA manually until he finds  one which is less congested. So if there are 100 nodes in USA and 99 of them are very congested , the user might have to try 99 nodes before he can find one that is not congested.

How will this situation be handled with wireguard ? Is there any automatic node allocation or it will be a manual selection process ? For example if there are 100  nodes in USA , 50 in UK , and 200 in germany, user has to go through a list of 350 nodes manually in order to log into a node?

[vpntech]

Thank you for the feedback. Wireguard is very stable and I feel it will be a leader in the future VPN market.  

New Features:

• Added Concept of Organizational Route Lists to support routing client traffic over the tunnel when in split tunnel mode or on the lan when in default route mode.
• Update mechanism to keep this network list data current
• Per service token management for authenticating against the VPN client API without using WHMCS credentials
• Wireguard Session emulation and data transfer tracking to calculate quantity of concurrent wireguard VPN client connections

 

Feature currently being worked on:

• Support for managing custom client area WHMCS templates with the ability to implement service provider logic via whmcs smarty technique. 
• Associating custom client area templates with individual clients or service plans
• Web based Remote VPN Client Testing tool so that the admin can diagnose VPN connectivity issues and gather VPN client diagnostics

 

[vpntech]

Latest progress based on feedback:

 

• Ability to associate each product with a list of available VPN Services which are enabled on new products:

 

• Ability to associate each client service with a list of available VPN Services. Only the selected VPN Services are provisioned using the relevant client service.

[Superjedi]

Does this addon keep track of each VPN node bandwidth usage % and the number of users per node in real time ? It is important to have the logic to  assign the 'least busy' node automatically to a customer for connection.

[Superjedi]

I have found one vpn company which has done a good job in using whmcs well. Check out ibvpn.com.

however their client logon mechanism is very slow because they have to query the entire list of vpn nodes around 170 of them before they allocate the best one based on least bandwidth% or user number. It doesn't look like a  very scalable design.

[vpntech]

Thanks for the feedback. Yes this is an interesting idea.. So you are saying that when the vpn config is being generated, the vpn endpoint contained in the config file is based on the usage of all the nodes.  Does this mean that the client would be unable to connect to a specific vpn server (the least usage algorithm selects it for them). The way I have it working currently is each client service can query the list of vpn nodes they have access to and query the config file to connect to one of them.   Send me your thoughts.