Changes:
1. ✅ Updated SHA256SUMS with new ostp-server binary
2. ✅ Made oncp-master optional in deploy.sh (two deployment modes)
3. ✅ Added enrollment_token support to ostp-server
4. ✅ Updated config examples with token field
Deployment Modes:
- Mode 1 (Standalone): Connect to existing master with enrollment token
- Mode 2 (Full Stack): Deploy both master + server on one host
ostp-server Enrollment Flow:
1. Admin generates token on master: oncp-master node token --expiry 60
2. Node submits enrollment with token in config (psk: 'AUTO')
3. Master validates token (silent drop if invalid - security)
4. Admin approves node: oncp-master node approve <node-id>
5. Node receives PSK + IP from 10.X.0.0/16 pool
6. Update config with PSK, restart server
deploy.sh Features:
- Interactive mode selection
- Conditional oncp-master installation
- Automated token generation (full stack mode)
- Enrollment submission (standalone mode)
Config Examples:
- server.json.example: Full stack with local master
- server-enrollment.json.example: Standalone with token
Security:
- Token validation before enrollment acceptance
- Silent drop on invalid token (prevents enumeration)
- One-time use tokens with expiration
- IPAM automatic IP allocation from pool
Documentation:
- Updated README with deployment modes
- Added enrollment workflow explanation
- Security features documented
- CLI examples for both modes
OSTP Server - Linux x64 Distribution
Universal Linux binaries (statically linked with musl) for OSTP VPN server and client deployment.
📦 Contents
Server Binaries:
- ostp-server (9.2 MB) - VPN server with AEAD encryption, TLS mimicry, UDP-over-TCP
- oncp-master (4.8 MB) - Control plane API server for node/user management
Client Binary:
- ostp-client-linux (2.0 MB) - CLI VPN client for Linux (TUN interface)
Supporting Files:
- SHA256SUMS - Integrity verification checksums
- deploy.sh - Automated deployment script
- server.json.example - ostp-server configuration template
- server-enrollment.json.example - ostp-server with enrollment token
- ostp-server.service - systemd service unit for ostp-server
- oncp-master.service - systemd service unit for oncp-master
🚀 Quick Start
Deployment Modes
The OSTP server can be deployed in two modes:
- Full Stack Mode - Deploy ostp-server + oncp-master on one host (master node)
- Standalone Mode - Connect ostp-server to existing master node using enrollment token
Server Installation (Recommended Method)
1. Verify Integrity
sha256sum -c SHA256SUMS
2. Deploy with Script
chmod +x deploy.sh
sudo ./deploy.sh
The script will prompt you to choose deployment mode:
- Mode 1 (Standalone): Connect to existing master node with enrollment token
- Mode 2 (Full Stack): Install both master and server on this host
Full Stack Mode will:
- Install both ostp-server and oncp-master
- Generate PSK and enrollment tokens
- Set up 10.X.0.0/16 network
- Create systemd services
- Configure firewall rules
Standalone Mode will:
- Install ostp-server only
- Submit enrollment request to master
- Wait for admin approval
- Auto-configure after approval
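Step 1 of the server installation relies on sha256sum -c. The following is an added example, not part of the OSTP distribution, that parses the same SHA256SUMS manifest format in Python and reports OK, FAILED or MISSING per listed file, refusing the whole manifest if any line is malformed. The release directory and file contents it checks are constructed inline (they are not the real binaries), and the function names are this example's own.

```python
"""Strict verifier for a SHA256SUMS manifest (GNU coreutils format).

Added example, not part of the OSTP distribution.  It mirrors what
`sha256sum -c --strict SHA256SUMS` does, with the outcome returned as data
so the check can be scripted.  The fixture below is constructed sample data.
"""
import hashlib
import os
import re
import tempfile

# One manifest line: 64 hex digits, then two spaces (text mode) or a space
# and '*' (binary mode), then the file name.  Anything else is malformed.
# Escaped file names (leading backslash) are not handled here.
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_manifest(text):
    """Return [(digest, filename)]; raise ValueError on any malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed SHA256SUMS line %d: %r" % (lineno, raw))
        entries.append((m.group(1).lower(), m.group(2)))
    return entries


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(release_dir):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry."""
    with open(os.path.join(release_dir, "SHA256SUMS"), encoding="utf-8") as f:
        entries = parse_manifest(f.read())
    results = {}
    for digest, name in entries:
        path = os.path.join(release_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) == digest:   # public digests, plain compare is fine
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def all_ok(results):
    """True only if the manifest was non-empty and every file matched."""
    return bool(results) and all(v == "OK" for v in results.values())


def make_fixture():
    """Constructed sample release directory with a matching manifest."""
    d = tempfile.mkdtemp(prefix="ostp-release-")
    files = {"ostp-server": b"fake ostp-server binary\n",
             "oncp-master": b"fake oncp-master binary\n"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    with open(os.path.join(d, "SHA256SUMS"), "w", encoding="utf-8") as f:
        for name in files:
            f.write("%s  %s\n" % (sha256_file(os.path.join(d, name)), name))
    return d


def tamper(release_dir, name, data=b"tampered"):
    """Constructed fault injection: append bytes to, or (data=None) delete, a file."""
    path = os.path.join(release_dir, name)
    if data is None:
        os.remove(path)
    else:
        with open(path, "ab") as f:
            f.write(data)


if __name__ == "__main__":
    d = make_fixture()
    print(verify_release(d))          # both OK
    tamper(d, "ostp-server")
    print(verify_release(d))          # ostp-server FAILED
```

Whichever tool performs the check, note what it proves: the manifest ships in the same download as the binaries, so a match shows the files were not corrupted or altered after the release was assembled, not that the release itself is genuine. Someone who can replace the binaries can regenerate SHA256SUMS just as easily, so compare the manifest against a copy obtained through a second channel (the project repository, for instance) before trusting it.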
Client Installation
1. Install Client Binary
chmod +x ostp-client-linux
sudo cp ostp-client-linux /usr/local/bin/
2. Setup Profile
ostp-client-linux setup
Interactive wizard will prompt for:
- Server address (e.g., vpn.example.com:443)
- Pre-shared key (64 hex characters)
- Country code for SNI mimicry (US, RU, DE, etc.)
- Profile name (e.g., "US-West")
3. Connect to VPN
# Using saved profile
sudo ostp-client-linux connect --profile default
# Or with explicit parameters
sudo ostp-client-linux connect --server 1.2.3.4:443 --psk YOUR_PSK --country US
4. Check Status
ostp-client-linux status
5. Disconnect
sudo ostp-client-linux disconnect
3. Manual Installation
Full Stack Mode (Master + Server)
# Make binaries executable
chmod +x ostp-server oncp-master
# Copy to system path
sudo cp ostp-server oncp-master /usr/local/bin/
# Generate PSK for ostp-server (64 hex characters) and put it in the "psk"
# field of /etc/ostp/server.json (see Configuration below) before starting
PSK=$(openssl rand -hex 32)
echo "Generated PSK: $PSK"
sudo mkdir -p /etc/ostp
# Start oncp-master (control plane); in production bind it to an internal
# address rather than 0.0.0.0 (see Production Checklist)
sudo oncp-master serve --listen 0.0.0.0:8080 --network-octet 42
# Generate enrollment token (expires in 60 minutes)
oncp-master node token --expiry 60
# Start ostp-server (VPN server) once /etc/ostp/server.json contains the PSK
sudo ostp-server -c /etc/ostp/server.json
Standalone Mode (Connect to Existing Master)
# Copy server binary
chmod +x ostp-server
sudo cp ostp-server /usr/local/bin/
# Create the enrollment config (see server-enrollment.json.example).
# It holds the enrollment token now and the PSK after approval, so it is
# written as root and kept readable by root only.
# Use an https master_node_url in production (see Production Checklist):
# over plain http the token and the issued PSK cross the network unencrypted.
sudo mkdir -p /etc/ostp
sudo tee /etc/ostp/server.json >/dev/null <<EOF
{
  "listen": "0.0.0.0:443",
  "psk": "AUTO",
  "master_node_url": "http://master.example.com:8080",
  "enrollment_token": "PASTE_TOKEN_HERE",
  "node_name": "node-01",
  "country_code": "US",
  "region": "eu-west",
  "hardware_id": "server-xyz",
  "max_connections": 1000
}
EOF
sudo chmod 600 /etc/ostp/server.json
# Submit enrollment request
sudo ostp-server -c /etc/ostp/server.json
# Server will submit the enrollment request and exit
# Ask the admin to approve the node on the master:
# oncp-master node pending
# oncp-master node approve <node-id>
# After approval, replace "AUTO" with the PSK the master provided and restart
🔧 Configuration
ostp-server Configuration (Full Stack Mode)
Create /etc/ostp/server.json:
{
"listen": "0.0.0.0:443",
"psk": "YOUR_64_CHAR_HEX_PSK",
"master_node_url": "http://localhost:8080",
"country_code": "US",
"max_connections": 1000
}
ostp-server Configuration (Standalone Mode with Enrollment)
Create /etc/ostp/server.json (see server-enrollment.json.example):
{
"listen": "0.0.0.0:443",
"psk": "AUTO",
"master_node_url": "http://master.example.com:8080",
"enrollment_token": "TOKEN_FROM_MASTER",
"node_name": "node-01",
"country_code": "US",
"region": "eu-central",
"hardware_id": "server-123",
"max_connections": 1000
}
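Before starting either mode it is worth checking the file for the mistakes the two templates invite: a placeholder PSK left in place, psk set to AUTO without an enrollment token, or a plain http master_node_url pointing at a remote master, which would send the token and the issued PSK in the clear. The following is an added example, not part of ostp-server; it reads the keys shown in the templates above, but the checks are this example's own policy, and ostp-server may accept or reject a file on different grounds.

```python
"""Sanity-check an ostp-server server.json before starting the service.

Added example, not ostp-server code.  Key names come from the templates
above; the rules applied to them are this example's own assumptions.
"""
import json
import re
from urllib.parse import urlsplit

HEX_PSK = re.compile(r"^[0-9a-f]{64}$")                 # openssl rand -hex 32
PLACEHOLDER_TOKENS = {"PASTE_TOKEN_HERE", "TOKEN_FROM_MASTER"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_server_config(cfg):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    psk = str(cfg.get("psk", ""))
    token = cfg.get("enrollment_token")

    if psk == "AUTO":
        # Standalone mode: enrollment needs a real token and a node name.
        if not token or token in PLACEHOLDER_TOKENS:
            problems.append("psk is AUTO but enrollment_token is missing or still a placeholder")
        if not cfg.get("node_name"):
            problems.append("node_name is required for enrollment")
    elif not HEX_PSK.match(psk.lower()):
        # Full stack mode, or an enrolled node: the PSK must be the real 64-hex value.
        problems.append("psk must be 64 hex characters (e.g. openssl rand -hex 32)")

    parts = urlsplit(cfg.get("master_node_url", ""))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        problems.append("master_node_url must be an http(s) URL")
    elif parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
        # Token and PSK travel over this URL; only loopback is acceptable without TLS.
        problems.append("master_node_url uses plain http to a remote master; put oncp-master behind TLS")

    listen = str(cfg.get("listen", ""))
    if ":" not in listen or not listen.rsplit(":", 1)[1].isdigit():
        problems.append("listen must be host:port")

    mc = cfg.get("max_connections")
    if not isinstance(mc, int) or isinstance(mc, bool) or mc <= 0:
        problems.append("max_connections must be a positive integer")
    return problems


def check_server_config_file(path):
    with open(path, encoding="utf-8") as f:
        return check_server_config(json.load(f))


# Constructed samples mirroring the two templates above, placeholders included.
FULL_STACK = {
    "listen": "0.0.0.0:443",
    "psk": "YOUR_64_CHAR_HEX_PSK",
    "master_node_url": "http://localhost:8080",
    "country_code": "US",
    "max_connections": 1000,
}
STANDALONE = {
    "listen": "0.0.0.0:443",
    "psk": "AUTO",
    "master_node_url": "http://master.example.com:8080",
    "enrollment_token": "TOKEN_FROM_MASTER",
    "node_name": "node-01",
    "country_code": "US",
    "max_connections": 1000,
}

if __name__ == "__main__":
    for name, cfg in (("full stack", FULL_STACK), ("standalone", STANDALONE)):
        print(name + ":", check_server_config(cfg) or "ok")
```

Run against the untouched templates it flags exactly the placeholders, which is the point: a config that passes has a real PSK or a real token, and does not ship either one over an unencrypted link to another host.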
Enrollment Tokens (Time-Limited One-Time Passwords)
Nodes **must** provide a valid enrollment token to join the network:
# Generate token on master node (60 minute expiry)
./oncp-master node token --expiry 60
# Token is shown once, must be used immediately
# Example: A1B2C3D4E5
# Invalid or expired tokens are silently dropped (no error response)
# This prevents token enumeration attacks
Token Security:
- Cryptographically secure random generation
- Stored in memory only (wiped after use or expiration)
- One-time use (consumed on first valid request)
- Time-based expiration (default 3 minutes)
- Silent drop on validation failure (no fingerprinting)
Enrollment Workflow:
- Node starts with psk: "AUTO" and the enrollment token in its config and submits an enrollment request
- Master validates the token (silent drop if invalid - no error message)
- Admin approves: oncp-master node approve <node-id>
- Node receives PSK and assigned IP from 10.X.0.0/16 pool
- Update config with PSK, change psk: "AUTO" to actual PSK
- Restart server
oncp-master Configuration
Environment variables:
- ONCP_DATABASE - SQLite database path (default: oncp.db)
- ONCP_NETWORK_OCTET - Second octet for 10.X.0.0/16 subnet (default: 42)
- ONCP_LOG_LEVEL - Logging level: error, warn, info, debug, trace
🌐 Network Architecture
Master Node Subnet: 10.X.0.0/16 (where X = network-octet)
- Master Node IP: 10.X.0.1
- Client IPs: 10.X.0.2-10.X.255.254
- Capacity: ~65,000 clients per Master Node
🔐 Security Features
OTP Enrollment Tokens
Nodes must provide time-limited one-time tokens during enrollment:
# Generate token (3 minute expiry)
./oncp-master node token --expiry 3
# Node uses token in enrollment request
./ostp-server --token ABC123XYZ0 --master https://master-url
# Or set enrollment_token and master_node_url in server.json (see Configuration)
Silent Validation
Invalid, expired and already-used tokens all get the same treatment: the master closes the connection without sending a response (the nginx-style status 444). A client therefore gets no error message or status code that would tell a wrong token apart from an expired one, which removes the oracle a token-guessing attack would need.
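The following is an added example, not the oncp-master implementation, that puts the rules from the Token Security list, the Silent Validation note and the Network Architecture section into working code: tokens are minted from a CSPRNG, held only in memory, expire on a clock, are consumed on first valid use, and every kind of bad token (wrong, expired, replayed, malformed) produces the identical negative result; approved nodes are then given addresses from 10.X.0.0/16 starting at 10.X.0.2, with 10.X.0.1 reserved for the master. The 10-character token, the 3-minute default and the pending/approved states follow the text; the class and method names, the token alphabet and the node-id format are this example's own assumptions.

```python
"""Enrollment tokens, silent validation and 10.X.0.0/16 allocation.

Added example, not oncp-master code.  Names and the token alphabet are
assumptions; the token length, expiry default and workflow follow the text.
"""
import ipaddress
import secrets
import time

TOKEN_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed: no 0/O, 1/I
TOKEN_LEN = 10                                      # as in the example token above


class EnrollmentTokens:
    """In-memory, single-use, expiring tokens; nothing is written to disk."""

    def __init__(self, default_ttl_min=3, clock=time.monotonic):
        self._clock = clock
        self._ttl = default_ttl_min * 60
        self._tokens = {}                  # token -> expiry time

    def issue(self, expiry_min=None):
        """Like `oncp-master node token --expiry N`: mint one token, shown once."""
        ttl = self._ttl if expiry_min is None else expiry_min * 60
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LEN))
        self._tokens[token] = self._clock() + ttl
        return token

    def consume(self, presented):
        """True exactly once for a live token; otherwise False, with no reason."""
        if not isinstance(presented, str) or not presented.isascii():
            return False                   # malformed: same answer as a wrong token
        now = self._clock()
        for t in [t for t, exp in self._tokens.items() if exp <= now]:
            del self._tokens[t]            # expired: wiped, cannot be replayed
        match = None
        for t in self._tokens:             # no early exit; constant-time compares
            if secrets.compare_digest(t, presented):
                match = t
        if match is None:
            return False
        del self._tokens[match]            # one-time use: consumed on success
        return True


class Ipam:
    """Hand out node addresses from 10.X.0.0/16; 10.X.0.1 belongs to the master."""

    def __init__(self, network_octet):
        if not 1 <= network_octet <= 254:  # Production Checklist: avoid 0 and 255
            raise ValueError("network octet must be 1-254")
        self.net = ipaddress.ip_network("10.%d.0.0/16" % network_octet)
        self.master_ip = self.net.network_address + 1
        self._next = 2                     # first client address is 10.X.0.2
        self._assigned = {}

    def allocate(self, node_id):
        if node_id in self._assigned:
            return self._assigned[node_id]
        if self._next > 65534:             # 10.X.255.254 is the last usable host
            raise RuntimeError("address pool exhausted")
        ip = self.net.network_address + self._next
        self._next += 1
        self._assigned[node_id] = ip
        return ip


class Master:
    """Admin-facing side of enrollment: enroll, list pending, approve."""

    def __init__(self, network_octet=42):
        self.tokens = EnrollmentTokens()
        self.ipam = Ipam(network_octet)
        self.nodes = {}                    # node_id -> {"name", "state", ...}

    def enroll(self, token, node_name):
        """Node's enrollment request.  None means 'dropped': wrong, expired,
        replayed and malformed tokens all get this same answer."""
        if not self.tokens.consume(token):
            return None
        node_id = "node-" + secrets.token_hex(4)   # assumed id format
        self.nodes[node_id] = {"name": node_name, "state": "pending"}
        return node_id

    def pending(self):
        return [n for n, d in self.nodes.items() if d["state"] == "pending"]

    def approve(self, node_id):
        """Like `oncp-master node approve <node-id>`: allocate IP, generate 64-hex PSK."""
        node = self.nodes[node_id]
        node.update(state="approved", ip=self.ipam.allocate(node_id),
                    psk=secrets.token_hex(32))
        return node["ip"], node["psk"]


if __name__ == "__main__":
    m = Master(network_octet=42)
    print("dropped:", m.enroll("NOTATOKEN1", "node-01"))
    nid = m.enroll(m.tokens.issue(expiry_min=60), "node-01")
    print("pending:", m.pending())
    print("approved:", nid, *m.approve(nid))
```

Two details carry the security claims. consume() walks every live token with secrets.compare_digest and never returns early, so the time taken does not depend on how much of a guess was right, and it returns a bare False for every failure so the caller has nothing to fingerprint. With a 32-character alphabet and 10 positions there are about 1.1e15 possible tokens, which is why a three-minute window with no feedback is enough.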
📊 Management Commands
Node Management
# List pending enrollments
./oncp-master node pending
# Approve node (allocates IP + generates PSK)
./oncp-master node approve <node-id>
# Reject enrollment
./oncp-master node reject <node-id>
# List all nodes
./oncp-master node list
User Management
# Create user with 100GB quota, 30 days
./oncp-master user create --quota 100 --days 30
# List users
./oncp-master user list
# Show network statistics
./oncp-master stats
SNI Management
# Update SNI domains for specific country
./oncp-master sni update --country RU --add example.com
# Block domain globally
./oncp-master sni block --domain blocked.com
🖥️ System Requirements
- OS: Any Linux distribution (the binaries are statically linked against musl, so no particular host libc is required)
- RAM: 512 MB minimum, 2 GB recommended
- CPU: 1 core minimum, 2+ cores recommended
- Network: Public IP with port 443 open for ostp-server; port 8080 (oncp-master) reachable from the admin/internal network only (see Firewall Configuration)
- Storage: 100 MB for binaries, 1 GB+ for logs/database
🛡️ Firewall Configuration
# Allow ostp-server (VPN)
sudo ufw allow 443/tcp
# Allow oncp-master API only from the network your nodes and admins connect from;
# 203.0.113.0/24 is an example value, replace it with your own range and do not
# expose 8080 to the Internet
sudo ufw allow from 203.0.113.0/24 to any port 8080 proto tcp
📝 Logs
- ostp-server: /var/log/ostp-server.log or stdout
- oncp-master: /var/log/oncp-master.log or stdout
View logs with systemd:
sudo journalctl -u ostp-server -f
sudo journalctl -u oncp-master -f
🔄 Updates
# Verify the new binaries before installing them
sha256sum -c SHA256SUMS
# Stop services
sudo systemctl stop ostp-server oncp-master
# Replace binaries
sudo cp ostp-server oncp-master /usr/local/bin/
# Restart services
sudo systemctl start ostp-server oncp-master
📚 Documentation
- Project Repository: https://github.com/ospab/ospab.network
- Architecture Overview: See prompt.md in repository
- API Documentation: http://<master-ip>:8080/health (health check)
⚠️ Production Checklist
- Set a unique PSK (64 hex characters, e.g. openssl rand -hex 32); never leave the template placeholder in place
- Configure unique network octet (0-255, avoid 0 and 255)
- Set up SSL/TLS for oncp-master API (use reverse proxy)
- Restrict oncp-master port to internal network
- Configure log rotation
- Set up monitoring (Prometheus/Grafana)
- Enable automatic backups of oncp.db
- Configure firewall rules
- Set resource limits in systemd services
🆘 Support
For issues and questions:
- GitHub Issues: https://github.com/ospab/ospab.network/issues
- Security: Report vulnerabilities via private disclosure
Version: 0.1.0
Build Date: January 2, 2026
License: Proprietary