New branch

configs/iptables-save.conf

@@ -0,0 +1,54 @@
+# VPN Gateway IPTables Rules Template
+# This is a template - actual rules are generated by killswitch.sh
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+# Loopback
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# Established connections
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# LAN (will be replaced with actual interface/network)
+-A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
+-A OUTPUT -o eth0 -d 192.168.1.0/24 -j ACCEPT
+
+# DNS for root only (for initial VPN connection)
+-A OUTPUT -p udp --dport 53 -m owner --uid-owner 0 -j ACCEPT
+-A OUTPUT -p tcp --dport 53 -m owner --uid-owner 0 -j ACCEPT
+
+# VPN Forward
+-A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
+
+# Log dropped packets (optional)
+# -A INPUT -j LOG --log-prefix "DROP-IN: " --log-level 4
+# -A OUTPUT -j LOG --log-prefix "DROP-OUT: " --log-level 4
+# -A FORWARD -j LOG --log-prefix "DROP-FWD: " --log-level 4
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+# NAT will be added dynamically when VPN connects
+# -A POSTROUTING -o wg0 -j MASQUERADE
+
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+COMMIT

configs/logrotate.conf

@@ -0,0 +1,30 @@
+# VPN Gateway Log Rotation
+# Place in: /etc/logrotate.d/vpn-gateway
+
+/var/log/vpn-*.log {
+    daily
+    rotate 7
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 640 root root
+    sharedscripts
+    postrotate
+        systemctl reload vpn-webui 2>/dev/null || true
+    endscript
+}
+
+/var/log/nginx/vpn-gateway*.log {
+    daily
+    rotate 14
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 640 www-data adm
+    sharedscripts
+    postrotate
+        systemctl reload nginx 2>/dev/null || true
+    endscript
+}

configs/nginx.conf

@@ -0,0 +1,135 @@
+# VPN Gateway Nginx Configuration
+# Place in: /etc/nginx/sites-available/vpn-gateway
+
+# Rate limiting zones
+limit_req_zone $binary_remote_addr zone=vpn_general:10m rate=10r/s;
+limit_req_zone $binary_remote_addr zone=vpn_api:10m rate=5r/s;
+limit_conn_zone $binary_remote_addr zone=vpn_conn:10m;
+
+# Upstream backend
+upstream vpn_backend {
+    server 127.0.0.1:5000 fail_timeout=10s;
+    keepalive 32;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    # Access and error logs
+    access_log /var/log/nginx/vpn-gateway.access.log;
+    error_log /var/log/nginx/vpn-gateway.error.log;
+    
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; font-src 'self' data:;" always;
+    
+    # Connection limits
+    limit_conn vpn_conn 10;
+    
+    # Client body size (for config uploads)
+    client_max_body_size 1M;
+    client_body_buffer_size 128k;
+    
+    # Timeouts
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    send_timeout 10s;
+    
+    # Root location - WebUI
+    location / {
+        limit_req zone=vpn_general burst=20 nodelay;
+        
+        proxy_pass http://vpn_backend;
+        proxy_http_version 1.1;
+        
+        # Headers
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # WebSocket support
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        
+        # Timeouts for proxy
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+        
+        # Buffering
+        proxy_buffering off;
+        proxy_request_buffering off;
+    }
+    
+    # API endpoints - stricter rate limiting
+    location /api/ {
+        limit_req zone=vpn_api burst=10 nodelay;
+        limit_conn vpn_conn 5;
+        
+        proxy_pass http://vpn_backend;
+        proxy_http_version 1.1;
+        
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        
+        # API specific timeouts
+        proxy_connect_timeout 30s;
+        proxy_send_timeout 30s;
+        proxy_read_timeout 30s;
+    }
+    
+    # Static files (if any)
+    location /static/ {
+        alias /opt/vpn-gateway/static/;
+        expires 1h;
+        add_header Cache-Control "public, immutable";
+    }
+    
+    # Health check endpoint
+    location /health {
+        access_log off;
+        add_header Content-Type text/plain;
+        return 200 "healthy\n";
+    }
+    
+    # Block sensitive paths
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+    
+    # Block access to backup files
+    location ~ ~$ {
+        deny all;
+    }
+}
+
+# HTTPS configuration (optional - uncomment if using SSL)
+# server {
+#     listen 443 ssl http2;
+#     listen [::]:443 ssl http2;
+#     server_name vpn.yourdomain.com;
+#     
+#     ssl_certificate /etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem;
+#     ssl_certificate_key /etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem;
+#     
+#     # SSL configuration
+#     ssl_protocols TLSv1.2 TLSv1.3;
+#     ssl_ciphers HIGH:!aNULL:!MD5;
+#     ssl_prefer_server_ciphers on;
+#     ssl_session_cache shared:SSL:10m;
+#     ssl_session_timeout 10m;
+#     
+#     # HSTS
+#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+#     
+#     # Rest of configuration same as above...
+# }

configs/systemd/vpn-auto-update.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=VPN Gateway Auto-Update Check
+Documentation=https://github.com/yourusername/vpn-gateway
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/bin/vpn-update.sh --check-only
+StandardOutput=journal
+StandardError=journal

configs/systemd/vpn-auto-update.timer

@@ -0,0 +1,13 @@
+[Unit]
+Description=VPN Gateway Auto-Update Timer
+Documentation=https://github.com/yourusername/vpn-gateway
+
+[Timer]
+# Run daily at 3 AM
+OnCalendar=daily
+OnCalendar=*-*-* 03:00:00
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target

configs/systemd/vpn-killswitch.service

@@ -0,0 +1,38 @@
+[Unit]
+Description=VPN Killswitch - Permanent Network Protection
+Documentation=https://github.com/yourusername/vpn-gateway
+DefaultDependencies=no
+Before=network-pre.target
+Wants=network-pre.target
+
+# This service MUST start before networking
+After=local-fs.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+# Execute killswitch enable
+ExecStart=/usr/local/bin/vpn-killswitch.sh enable
+
+# On reload, restart the killswitch
+ExecReload=/usr/local/bin/vpn-killswitch.sh restart
+
+# On stop, we still keep killswitch active for security
+ExecStop=/bin/echo "Killswitch remains active for security"
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+
+# Security
+User=root
+Group=root
+
+# We want this to always succeed
+SuccessExitStatus=0 1
+
+[Install]
+# Critical: Start at earliest possible stage
+WantedBy=sysinit.target
+RequiredBy=network.target

configs/systemd/vpn-security-monitor.service

@@ -0,0 +1,40 @@
+[Unit]
+Description=VPN Security Monitor - Continuous Protection Monitoring
+Documentation=https://github.com/yourusername/vpn-gateway
+After=vpn-killswitch.service network-online.target
+Requires=vpn-killswitch.service
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=root
+Group=root
+
+# Execute monitoring script
+ExecStart=/usr/local/bin/vpn-security-monitor.sh
+
+# Restart policy
+Restart=always
+RestartSec=30
+StartLimitInterval=300
+StartLimitBurst=5
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+
+# Resource limits
+CPUQuota=10%
+MemoryLimit=100M
+
+# Security
+NoNewPrivileges=true
+PrivateTmp=true
+
+# Kill settings
+KillMode=process
+KillSignal=SIGTERM
+TimeoutStopSec=10
+
+[Install]
+WantedBy=multi-user.target

configs/systemd/vpn-webui.service

@@ -0,0 +1,60 @@
+[Unit]
+Description=VPN Gateway WebUI Service
+Documentation=https://github.com/yourusername/vpn-gateway
+After=network-online.target vpn-killswitch.service
+Wants=network-online.target
+Requires=vpn-killswitch.service
+
+[Service]
+Type=simple
+User=root
+Group=root
+WorkingDirectory=/opt/vpn-gateway
+
+# Environment
+Environment="PATH=/opt/vpn-gateway/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+Environment="PYTHONPATH=/opt/vpn-gateway"
+Environment="FLASK_APP=app.py"
+Environment="FLASK_ENV=production"
+
+# Pre-start delay to ensure network is ready
+ExecStartPre=/bin/bash -c 'sleep 5'
+
+# Start command with gunicorn
+ExecStart=/opt/vpn-gateway/venv/bin/gunicorn \
+    --bind 0.0.0.0:5000 \
+    --workers 2 \
+    --threads 4 \
+    --worker-class sync \
+    --worker-connections 1000 \
+    --max-requests 1000 \
+    --max-requests-jitter 50 \
+    --timeout 120 \
+    --keepalive 5 \
+    --access-logfile /var/log/vpn-gateway-access.log \
+    --error-logfile /var/log/vpn-gateway-error.log \
+    --log-level info \
+    --capture-output \
+    app:app
+
+# Restart policy
+Restart=always
+RestartSec=10
+StartLimitInterval=60
+StartLimitBurst=3
+
+# Security settings
+NoNewPrivileges=true
+PrivateTmp=true
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=4096
+
+# Kill settings
+KillMode=mixed
+KillSignal=SIGTERM
+TimeoutStopSec=30
+
+[Install]
+WantedBy=multi-user.target