Jump to content

VPN Service Provider Addon+Server WHMCS Module :: Seeking Ideas/Feedback


vpntech

Recommended Posts

Hello, I am preparing to release a WHMCS Addon and Server module which automates realtime configuration and management of secure CentOS7 OpenVPN servers, and I am looking for input on my ideas and additional features which would be required to operate a VPN Service Provider using WHMCS.  The module makes it very easy for a VPN Service provider to manage a network of VPN Servers and WHMCS Clients to utilize the VPN service. 

Here are some screenshots outlining some of the features I have implemented:

Addon Module

Manage VPN Servers:

addon_module__list_vpnServers.thumb.png.7aa79cc60c190756101c6a6be8880265.png

VPN Server Background Processor Task Reporting:

addon_module__background_processor_tasks.thumb.png.760cb6f416a8f69b63dd157b0a432595.png

Configure VPN Server -> OpenVPN Configuration

addon_module__vpnServer_configuration_openvpn.thumb.png.af649b5cad29b8bd23e987a11bb59e34.png

Configure VPN Server -> Software Version Selection:

addon_module__vpnServer_configuration_software_versions.png.ea4d000a78cb3470fa4ee758fdf82a30.png

Configure VPN Server -> SSL Configuration with Automatic Acquisition from Let's Encrypt:

addon_module__vpnServer_configuration_ssl.png.ec0b386382bfe68e9979d5bb79edab09.png

Addon Module Configuration -> VPN Server Normalization Intervals:

addon_module__configuration_normalization.thumb.png.d5de24d3f14d4eaea4047e29d9e56dc3.png

Addon Module Configuration -> VPN Server Networking Defaults:

addon_module__configuration_default_networking.thumb.png.512daa95ec87183a50c5c5f84494aef2.png

Realtime reporting of Automated VPN Server reconfiguration with extensive Ansible Playbooks:

addon_module__realtime_ansible_automation.thumb.png.d8a7bd1f55bbae53276d62a462e424ac.png

 

Server Module

Administrative Client Service Configuration:

server_module__client_configuration.thumb.png.fca34aaee6521498ac12a15afa04a1f2.png

Client UI Configuration:

server_module__client_options.thumb.png.eb5c38ce842eec27c1e21ae0c82ef7ac.png

Client UI VPN Usage Reporting:

server_module__client_usage_reporting.png.af1751ad44a43f90d0a50593d5fa813a.png

Client UI VPN Client Software Downloads:

server_module__client_vpn_client_downloads.png.dbb61552791c8ed54d7d0e60637e6472.png

Link to comment
Share on other sites

  • 4 weeks later...
  • 3 weeks later...
  • 4 weeks later...

Thank you for the feedback. Since the last post on this community, the following additional VPN connection methods are now supported:

  • IKE2 with per client client certificates with many adjustable options such as MOBIKE
  • IPSec/XAuth with preshared key and per client user/pass authentication
  • Cisco Anyconnect with per client user/pass authentication with many adjustable options related to reauth, mtu discovery, idle timeout, buffering, roaming
  • Wireguard with per client key authentication

Each of these connection methods can be adjusted globally, at the vpn server level, at the whmcs package level, and at the whmcs service level. This allows the service provider to implement the business logic any way they wish. Each vpn connection method supports adjustable split tunnel and dns path modes. All of the vpn server configurations are transparent to the whmcs administrator and each vpn service is tightly monitored at the socket and authenticated level with integrated local and remote nagios servers.

The work is ongoing.

Link to comment
Share on other sites

On 12/5/2018 at 11:28 PM, vpntech said:

Hello, our project plan has a beta release in 4-5 months. I will reach out to you for the beta, thank you very much for the offer. 

Did you consider anyway for filtering or reports? For example what if a server received abuse, is there any way to find the user(s) connected at that time? How to block that ip/website/protocol? Or blocking torrents for example, anyway?

Link to comment
Share on other sites

  • 1 month later...

Hello,

 

>Radius Support?

Currently Radius is not supported but I have considered this. Can you tell me more about how it would help you? Are you looking to integrate with an external radius server, interested in each vpn node running its own radius server, or setting up a central radius server which the vpn nodes authenticate against? The way the module works is WHMCS services is the source of truth database for user authentication, and that criteria is published to the vpn nodes on a configurable schedule and based on server/service change events. Each vpn node has its own user database for user/password and certificate based authentication via a private certificate authority. 

> Filtering? Blocking torrents for example, anyway?

A feature like this is likely outside the module scope. I think the best way to handle this would be to support the admin configuring a global and per-server iptables firewall script. You can then implement any type of filtering on your vpn server nat/outgoing interface. Does this sound like it might accomplish what you are looking for? Really it is not trivial to block torrents, the protocol was designed to evade exactly this. Probably there are some advanced iptables modules you can load and filter traffic on your nat interface, or some type of deep packet inspection device could be used. 

> Reports? For example what if a server received abuse, is there any way to find the user(s) connected at that time? How to block that ip/website/protocol?


To support this, the vpn nodes would have to log every tcp session. It would be quite a large database, but it certainly is possible. The vpn nodes are provisioned with tools that allow the admin to view per-client traffic in realtime. The tool which would be perfect for what you are asking is pmacct and logging the data to a sql session table.  Would you want this enabled for all users by default? How long would you want the data to hang around for?

The module is still under development. Send me any more ideas, I have gathered nearly all of the features below based on feedback from VPN Service Providers who are testing an early release. Recent progress is as follows:

  • Ability to associate WHMCS Server Groups with module

1242388492_ScreenShot2019-01-29at6_45_04AM.thumb.png.7aa7897b6b98c313f02752fc588f791b.png

1381309461_ScreenShot2019-01-29at6_46_03AM.png.98b18550828ebe3bd7be2526e6a23c1d.png

  • Ability to associate module WHMCS Server Groups with Product/Service Profile: 

1753945884_ScreenShot2019-01-29at6_48_30AM.thumb.png.0d5ec4057ed4bf37d7e0710143f5a17d.png

  • Ability to associate Client Services with module WHMCS Server Groups:

1703730831_ScreenShot2019-01-29at6_50_15AM.thumb.png.1fee1eaf32c7a19e5be9b47cd77027cf.png

  • Default Private Key SSH Key for authenticating to / provisioning new vpn servers:

782142966_ScreenShot2019-01-29at6_52_04AM.thumb.png.3e86e3ffe471c8ea08887d7ded376ae8.png

40873657_ScreenShot2019-01-29at6_53_37AM.thumb.png.5b9416f6578bdd7605221bc48969717c.png

  • When adding new VPN Server to WHMCS associated with the module, realtime feedback on provisioning process immediately after the server profile is added using xterm.js:

1320043702_ScreenShot2019-01-29at6_57_36AM.png.90bf55b52a4f80295d986702c40d41b2.png

455371557_ScreenShot2019-01-29at6_58_12AM.png.8720791fd3b2a8e25070eb77d99462d6.png

2032606807_ScreenShot2019-01-29at6_58_40AM.png.094e749b776997c14d85944297d9538e.png

489132036_ScreenShot2019-01-29at7_04_08AM.thumb.png.3a7429286d2bcc5cf46729f8a64aaae0.png

  • VPN Node Synchronization / Provisioning background processor rewritten in Python with auto dependency installer using pip:

1962459779_ScreenShot2019-01-29at7_05_15AM.thumb.png.a95e0ae9bcd1b7d4b6bb3e9907c24854.png

848633961_ScreenShot2019-01-29at7_06_19AM.png.62e27a467f74545e2e5530f1b6b1778a.png

920590709_ScreenShot2019-01-29at7_06_47AM.thumb.png.058b4ccd3d48d6d8477844eb3402d0b1.png

  •  Added User/Pass-Authenticated Squid Proxy Service:

579847349_ScreenShot2019-01-29at7_07_37AM.thumb.png.0c3012043c8d89530f04377aa09be3fe.png

1707558824_ScreenShot2019-01-29at7_08_24AM.thumb.png.71c076b36c20938adf76728ad74875d6.png

  • Added SOCKS5 Proxy Service

1526581860_ScreenShot2019-01-29at7_09_17AM.thumb.png.68a2b5077b1d35d4417f8eac0a486d4b.png

1939293303_ScreenShot2019-01-29at7_09_37AM.png.78b461c4b851b00b163928e247dc00e9.png

  • Added optional JSON API for integrating WHMCS VPN connection information with 3rd party or custom vpn clients. Supports fetching vpn connection protocols for a given user and fetching configs/information necessary to connect to a given vpn protocol using whmcs service authentication info. 
  • Developing OSX BitBar plugin for examples on how to integrate custom VPN client with JSON API

2120690278_ScreenShot2019-01-29at7_15_50AM.thumb.png.d2a098a4551ea5a14c929e6350115769.png

  • Added Diagnostics menu for running many utilities and viewing log files and service status in realtime using xterm.js and socket.io+websocket:

389085296_ScreenShot2019-01-29at7_17_23AM.thumb.png.6c55839ff4f5aaf1a1824d0bc66b9840.png

1458686569_ScreenShot2019-01-29at7_18_00AM.thumb.png.130d69061096010f0e8ccfea3989c836.png

389542171_ScreenShot2019-01-29at7_18_51AM.thumb.png.30fb6c8bf9b1d92f52936835ac45c96d.png

954486222_ScreenShot2019-01-29at7_19_32AM.thumb.png.4163172f1c37d6d7969732e56d25212d.png

 

  • Developing Certificate based GIT module update mechanism

1646154121_ScreenShot2019-01-29at7_21_27AM.thumb.png.134965e3db2d7b48af73b4a16e0a9e74.png

Screen Shot 2019-01-29 at 6.49.38 AM.png

Screen Shot 2019-01-29 at 7.06.47 AM.png

Screen Shot 2019-01-29 at 7.15.00 AM.png

Link to comment
Share on other sites

Most vpn providers provide vpn based on geographical locations e.g. UK, USA , Japan , France etc so users don't select each node within each country themselves e.g. there may be 20 nodes in USA , 5 nodes in Japan.  Users only select the location and they don't actually see all 25 nodes.  How will whmcs addon allocate  the users among the nodes in each country ? 

I ask this question because my current whmcs add-on gives  a list of  nodes to be chosen by the user e.g. he has to select node 10 in USA or node 2 in Japan and if node 10 in USA is overloaded and slow , he will have to try node 7 in USA or node 11 in USA manually until he finds  one which is less congested. So if there are 100 nodes in USA and 99 of them are very congested , the user might have to try 99 nodes before he can find one that is not congested.

How will this situation be handled with wireguard ? Is there any automatic node allocation or it will be a manual selection process ? For example if there are 100  nodes in USA , 50 in UK , and 200 in germany, user has to go through a list of 350 nodes manually in order to log into a node?

Link to comment
Share on other sites

Thank you for the feedback. Wireguard is very stable and I feel it will be a leader in the future VPN market.  

New Features:

  • Added Concept of Organizational Route Lists to support routing client traffic over the tunnel when in split tunnel mode or on the lan when in default route mode.
  • Update mechanism to keep this network list data current
  • Per service token management for authenticating against the VPN client API without using WHMCS credentials
  • Wireguard Session emulation and data transfer tracking to calculate quantity of concurrent wireguard VPN client connections

1394444875_ScreenShot2019-02-02at12_04_58PM.thumb.png.d543f9822a2f085ff8c48cc966075fab.png

 

Feature currently being worked on:

  • Support for managing custom client area WHMCS templates with the ability to implement service provider logic via whmcs smarty technique. 
  • Associating custom client area templates with individual clients or service plans
  • Web based Remote VPN Client Testing tool so that the admin can diagnose VPN connectivity issues and gather VPN client diagnostics

 

Link to comment
Share on other sites

Latest progress based on feedback:

 

  • Ability to associate each product with a list of available VPN Services which are enabled on new products:

1502043555_ScreenShot2019-02-06at2_50_50PM.thumb.png.ff13cf8e8976ca1c9653d761006ffcd4.png

 

  • Ability to associate each client service with a list of available VPN Services. Only the selected VPN Services are provisioned using the relevant client service.

1847689771_ScreenShot2019-02-06at2_53_24PM.thumb.png.4434382f71906038b0dd31e4ca876965.png

Link to comment
Share on other sites

I have found one vpn company which has done a good job in using whmcs well. Check out ibvpn.com.

however their client logon mechanism is very slow because they have to query the entire list of vpn nodes around 170 of them before they allocate the best one based on least bandwidth% or user number. It doesn't look like a  very scalable design.

Link to comment
Share on other sites

Thanks for the feedback. Yes this is an interesting idea.. So you are saying that when the vpn config is being generated, the vpn endpoint contained in the config file is based on the usage of all the nodes.  Does this mean that the client would be unable to connect to a specific vpn server (the least usage algorithm selects it for them). The way I have it working currently is each client service can query the list of vpn nodes they have access to and query the config file to connect to one of them.   Send me your thoughts.

 

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated