⚠️ Rebrand in progress: this project is becoming GlassBox VPN. This README and the repo contents still reference the previous name in places. The product, infrastructure, and configurations are unchanged; only the brand name is moving. Updated docs will land here over the coming weeks. The new public site is at glassboxvpn.com.
Private browsing VPN for SecureNet customers.
What Is GlassBox VPN?
GlassBox VPN is a network-level VPN service for Protectli Vaults running SecureNet. All devices on GlassBox VPN-enabled networks route through hardened dedicated servers automatically. No applications are required on individual devices.
This repository contains the complete GlassBox VPN server configuration. Keys and passwords are excluded. Everything else is published.
Verify our privacy claims. Inspect our code. That is the point.
What GlassBox VPN Is For
| Designed For | Not For |
|---|---|
| Private browsing | Streaming services (blocked) |
| ISP privacy protection | Torrenting and P2P (blocked) |
| Keeping your IP private | Real-time gaming (UDP restricted) |
| Whole-network VPN | High-bandwidth applications |
GlassBox VPN is a browsing-focused VPN by design. Bandwidth-intensive traffic is intentionally restricted to maintain performance, reduce abuse, and protect IP reputation.
Server Infrastructure
| Server | Location | Hardware | Network |
|---|---|---|---|
| chi01 | Chicago, IL | Dedicated, Intel Xeon E3, 32GB RAM | 10 Gbps dedicated fiber, unmetered |
| la01 | Los Angeles, CA | Dedicated, Intel Xeon E3, 32GB RAM | 10 Gbps dedicated fiber, unmetered |
| va01 | Ashburn, VA | Dedicated, Intel Xeon E3, 32GB RAM | 10 Gbps dedicated fiber, unmetered |
| dal01 | Dallas, TX | Dedicated, dual-CPU Intel Xeon, 32GB RAM | 10 Gbps dedicated fiber, unmetered |
All servers run Ubuntu Server 24.04 LTS on bare-metal dedicated hardware. No shared hosting. No virtual machines.
Per-server details, verify pages, and status links are in the servers/ directory.
| Server | Dashboard | Verify Pages | Server Snapshot |
|---|---|---|---|
| chi01 | status.oss-vpn.net | oss-blocklist.net/verify | server-snapshot.txt |
| la01 | status.la01.oss-vpn.net | la01 verify | server-snapshot.txt |
| va01 | status.va01.oss-vpn.net | va01 verify | server-snapshot.txt |
| dal01 | status.dal01.oss-vpn.net | dal01 verify | server-snapshot.txt |
Security Architecture
GlassBox VPN uses a privilege-separated architecture with defense in depth. No single compromise results in full system control.
Privilege Separation Model
nginx
(reverse proxy, rate limiting)
|
v
Flask Admin API (User: GlassBox VPN)
- Unprivileged user
- No access to WireGuard configs
- No ability to execute system commands
- Sandboxed via systemd
|
| Unix socket (restricted)
v
WireGuard Control Daemon (User: wgctl)
- Dedicated unprivileged user
- CAP_NET_ADMIN capability only
- Strict input validation
- Local socket access only
If the web application is compromised: the attacker holds an unprivileged, systemd-sandboxed user that cannot read the WireGuard configuration or private key and can reach the control daemon only through the restricted Unix socket. The daemon's input validation is then the next line of defense.
If the daemon is compromised: the attacker holds CAP_NET_ADMIN and nothing more. That is not root and grants no file access beyond what the wgctl user already has, but CAP_NET_ADMIN is exactly what WireGuard's netlink interface requires, so the attacker can add or remove peers, change routes, and read the interface's current private key with `wg show wg0 private-key`. Treat a daemon compromise as a tunnel key compromise and rotate the key.
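The "strict input validation" and "no system commands" properties above stand or fall on how the control daemon turns a request from the web tier into a `wg` invocation. The following is an added example in Python (the project's own language), not the repository's wg-control.py; the line-delimited JSON request format, the `wg0` interface name and the `10.200.0.1` gateway address are assumptions. It refuses anything that is not a canonical 32-byte key or a single host in the tunnel /24, and it executes `wg` with an argv list so no shell ever parses attacker-controlled text.

```python
"""Added example: input validation for a privilege-separated WireGuard control
daemon. Illustrative code, not the project's wg-control.py. Assumed request
format: the web tier writes one JSON object per line to the Unix socket, e.g.
  {"op": "add_peer", "pubkey": "<base64>", "ip": "10.200.0.17"}
"""
import base64
import ipaddress
import json
import re
import subprocess

WG_IFACE = "wg0"                                     # assumed interface name
TUNNEL_NET = ipaddress.ip_network("10.200.0.0/24")   # tunnel range from the README
GATEWAY = ipaddress.ip_address("10.200.0.1")         # assumed server-side address
PUBKEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")        # 32 bytes -> 44 base64 chars


class ValidationError(ValueError):
    """Raised for any request the daemon refuses to act on."""


def validate_pubkey(value):
    """Accept only a canonical base64 encoding of exactly 32 bytes."""
    if not isinstance(value, str) or not PUBKEY_RE.fullmatch(value):
        raise ValidationError("public key must be 44 base64 characters")
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:                        # binascii.Error is a ValueError
        raise ValidationError("public key is not valid base64") from exc
    # Re-encoding catches non-canonical trailing bits that still decode.
    if len(raw) != 32 or base64.b64encode(raw).decode() != value:
        raise ValidationError("public key is not a canonical 32-byte key")
    return value


def validate_tunnel_ip(value):
    """Client addresses must be single IPv4 hosts inside the tunnel /24, never the gateway."""
    if not isinstance(value, str):
        raise ValidationError("tunnel address must be a string")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError as exc:
        raise ValidationError(f"malformed tunnel address {value!r}") from exc
    if addr.version != 4 or addr not in TUNNEL_NET:
        raise ValidationError(f"{addr} is outside {TUNNEL_NET}")
    if addr in (TUNNEL_NET.network_address, TUNNEL_NET.broadcast_address, GATEWAY):
        raise ValidationError(f"{addr} is reserved")
    return str(addr)


def build_argv(request):
    """Map a validated request to a wg(8) argv list. Unknown ops are refused."""
    pubkey = validate_pubkey(request.get("pubkey"))
    op = request.get("op")
    if op == "add_peer":
        ip = validate_tunnel_ip(request.get("ip"))
        return ["wg", "set", WG_IFACE, "peer", pubkey, "allowed-ips", f"{ip}/32"]
    if op == "remove_peer":
        return ["wg", "set", WG_IFACE, "peer", pubkey, "remove"]
    raise ValidationError(f"unsupported op {op!r}")


def dry_run(argv, **_kwargs):
    """Stand-in for subprocess.run used by the demo; pretends wg succeeded."""
    return subprocess.CompletedProcess(argv, 0, "", "")


def handle_line(line, runner=subprocess.run):
    """Process one request line. Returns (ok, detail); never raises on bad input."""
    try:
        request = json.loads(line)
        if not isinstance(request, dict):
            raise ValidationError("request must be a JSON object")
        argv = build_argv(request)
    except ValueError as exc:                        # JSONDecodeError and ValidationError
        return False, f"rejected: {exc}"
    # argv list, no shell: a key like "x; rm -rf /" never reaches a shell,
    # and it was rejected by the regex before getting here anyway.
    result = runner(argv, capture_output=True, text=True, check=False)
    if result.returncode != 0:
        return False, f"wg exited {result.returncode}: {result.stderr.strip()}"
    return True, " ".join(argv)


if __name__ == "__main__":
    zero_key = "A" * 43 + "="          # constructed: base64 of 32 zero bytes
    for req in (
        json.dumps({"op": "add_peer", "pubkey": zero_key, "ip": "10.200.0.17"}),
        json.dumps({"op": "add_peer", "pubkey": "x; rm -rf /", "ip": "10.200.0.17"}),
        json.dumps({"op": "add_peer", "pubkey": zero_key, "ip": "10.0.0.5"}),
        json.dumps({"op": "reboot", "pubkey": zero_key}),
    ):
        print(handle_line(req, runner=dry_run))
```

The allow-list is deliberately narrow: two operations, one interface, keys and addresses in canonical form only. Anything the web tier might want later (changing endpoints, reading status) is a new validated branch, never a pass-through of a string to `wg`.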
Six-Layer Security Stack
| Layer | Protection |
|---|---|
| 1. iptables | Protocol blocking and traffic filtering |
| 2. WireGuard | Encrypted tunnel with modern cryptography |
| 3. nginx | Rate limiting and IP-based access control |
| 4. Unbound DNS | ~850,000 malicious domains blocked (updated daily) |
| 5. ipset | ~46,000 malicious IPs blocked at kernel level (updated daily) |
| 6. Privilege Separation | Web and control layers fully isolated |
Server Hardening
| Measure | Implementation |
|---|---|
| SSH | Key-only authentication (ED25519), passwords disabled |
| SSH Ciphers | aes256-gcm, chacha20-poly1305 only |
| SSH Key Exchange | curve25519-sha256 only |
| TLS | 1.2 and 1.3 only (1.0 and 1.1 disabled) |
| Brute force | fail2ban with automatic bans |
| Updates | Unattended security upgrades enabled |
| Firewall | iptables with ipset integration |
| IPv6 | Disabled system-wide |
| systemd | ProtectSystem, PrivateTmp, NoNewPrivileges |
| File permissions | WireGuard private key readable by root only |
| nginx | Server version header hidden |
Open Ports (Public Interface)
| Port | Service | Protection |
|---|---|---|
| 22/tcp | SSH | Key-only auth (ED25519), fail2ban, strong ciphers only |
| 80/tcp | HTTP | Redirects to HTTPS, blocklist distribution |
| 443/tcp | HTTPS | TLS 1.2/1.3 only, Let's Encrypt certificates |
| 51820/udp | WireGuard | Encrypted tunnel |
Port 53 (DNS) is bound to the tunnel interface only and is not reachable from the public internet.
Privacy Architecture
What We Know vs. What We Do Not Know
| We Know | We Do Not Know |
|---|---|
| Assigned tunnel IP (10.200.0.x) | DNS queries |
| WireGuard public key | Websites visited |
| Connection status | Browsing history |
| Aggregate bandwidth usage | Per-connection timestamps |
| Last handshake time | Traffic contents |
Zero-Logging Implementation
WireGuard does not log traffic by design. It logs only interface startup and shutdown events to the system journal.
DNS logging is explicitly disabled:
```
# /etc/unbound/unbound.conf.d/glassboxvpn.conf
server:
    verbosity: 0
```
System journal retention is capped at 24 hours:
```
# /etc/systemd/journald.conf.d/99-glassboxvpn.conf
[Journal]
SystemMaxUse=100M
MaxRetentionSec=1day
```
nginx access logs rotate every 24 hours and retain 3 days maximum.
There are no traffic logs, no DNS query logs, no connection timestamps, and no browsing history stored anywhere on any server. The only persistent data is WireGuard peer public keys, which are public by definition; the last-handshake time that `wg show` reports lives in kernel memory for the current session and is not written to disk.
Warrant Canary
A signed statement confirming Open Source Security Inc. has not received any national security letters, FISA court orders, court orders for user data, gag orders, or requests to insert backdoors or weaken encryption. Updated weekly with the security audit cycle. The warrant canary covers all GlassBox VPN servers.
If the canary is absent or has not been updated within 14 days, consider it inactive and act accordingly.
Browse-Only Enforcement
GlassBox VPN restricts traffic to browsing-oriented use cases.
| Allowed | Blocked |
|---|---|
| HTTP and HTTPS | BitTorrent and DHT |
| Email protocols | Streaming CDNs |
| SSH and SFTP | FTP |
| Standard TCP applications | Most UDP traffic |
Enforcement Methods
- iptables blocks all outbound UDP except DNS and WireGuard
- Known BitTorrent and DHT ports are blocked
- Streaming services return NXDOMAIN via DNS filtering
- Malicious IP ranges are dropped at kernel level
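The last item, dropping malicious ranges at the kernel level, is only as safe as the list that reaches ipset: a feed entry of `0.0.0.0/0`, or one that lands inside `10.200.0.0/24`, would cut every client off, and a set rebuilt in place is empty or half-loaded while the rule that references it keeps matching. The following added example in Python (not the project's update-ip-blocklist.sh) validates a raw feed and renders an `ipset restore` script that swaps a fully staged set in atomically. The set name `oss_block`, the iptables rule that consumes it, and the feed format are assumptions.

```python
"""Added example: render an `ipset restore` script that replaces the live
malicious-IP set atomically. Illustrative code, not the project's
update-ip-blocklist.sh. Assumed: the live set is `oss_block`, referenced by
a rule such as
  iptables -I FORWARD -m set --match-set oss_block dst -j DROP
and the feed is one IP or CIDR per line with '#'/';' comments.
Feed the output to `ipset -exist restore` so the create lines are no-ops
when the sets already exist (parameters must stay identical for that).
"""
import ipaddress

LIVE_SET = "oss_block"                 # assumed name
STAGING_SET = LIVE_SET + "_new"
MAXELEM = 262144                       # fixed: -exist create fails if it changes
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.200.0.0/24",                   # tunnel range from the README
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed feed for the demo; not real threat-intel data.
SAMPLE_FEED = """# constructed feed
198.51.100.0/24 ; feed comment
203.0.113.7
192.0.2.0/24
192.0.2.10        # already covered by the /24 above
2001:db8::/32     # IPv6 is disabled system-wide, so it is dropped
10.200.0.5        # inside the tunnel range: must never be blocked
0.0.0.0/0
not-an-ip
"""


def parse_blocklist(text):
    """Return (networks, rejected): de-overlapped IPv4 networks, plus the tokens dropped."""
    candidates, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        token = line.split()[0]
        try:
            net = ipaddress.ip_network(token, strict=False)   # 203.0.113.7 -> /32
        except ValueError:
            rejected.append(token)
            continue
        # Anything overlapping local or tunnel space (including a bogus
        # 0.0.0.0/0) must never reach the set; IPv6 is off on these hosts.
        if net.version != 4 or any(net.overlaps(safe) for safe in NEVER_BLOCK):
            rejected.append(token)
            continue
        candidates.append(net)
    # collapse_addresses merges duplicates and entries covered by a larger one.
    return list(ipaddress.collapse_addresses(candidates)), rejected


def render_restore(networks):
    """Fill a staging set, swap it in, then destroy what was live a moment ago."""
    lines = [
        f"create {LIVE_SET} hash:net family inet maxelem {MAXELEM}",
        f"create {STAGING_SET} hash:net family inet maxelem {MAXELEM}",
        f"flush {STAGING_SET}",          # leftovers from an interrupted run must not leak in
    ]
    lines += [f"add {STAGING_SET} {net.with_prefixlen}" for net in networks]
    lines += [
        f"swap {STAGING_SET} {LIVE_SET}",   # atomic: the rule never sees a partial set
        f"destroy {STAGING_SET}",           # now holds the previous entries
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE_FEED)
    print(f"# rejected: {bad}")
    print(render_restore(nets), end="")
```

Run the output through `ipset -exist restore`, and keep the `create` parameters constant between runs: ipset only tolerates an existing set under `-exist` when its type and settings match.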
Threat Intelligence
GlassBox VPN operates its own blocklist aggregation infrastructure at oss-blocklist.net. Blocklists are maintained on the Chicago server and distributed to all GlassBox VPN servers.
DNS Blocklist (~2M domains, updated daily)
Sources: Hagezi Pro++, OISD Big, Steven Black, 1Hosts Pro, AdGuard DNS
IP Blocklist (~50K IPs, updated daily)
Sources: Spamhaus DROP, DShield, Hagezi TIF, OSS Custom
Update Schedule (Chicago time)
| Time | Task |
|---|---|
| 2:00 AM | Source DNS blocklist update |
| 2:15 AM | Source IP blocklist update |
| 2:25 AM | Apply DNS blocklist to Unbound |
| 2:45 AM | Apply IP blocklist to ipset |
All blocklist sources, aggregation scripts, and output files are public:
- DNS blocklist: oss-blocklist.net/dns/dns-combined.txt
- IP blocklist: oss-blocklist.net/ip/ip-combined.txt
- DNS whitelist: oss-blocklist.net/dns/dns-whitelist.txt
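Applying the DNS blocklist (and the streaming blocks, which use the same mechanism) means turning domain lists into Unbound `local-zone` directives, and the whitelist only works if it respects how Unbound matches zones: the most specific `local-zone` wins, and an `always_nxdomain` zone covers every name beneath it. The following added example in Python (not the project's update-glassboxvpn-dns.sh) builds that configuration; the input formats (bare domains or hosts-file lines for the blocklist, bare domains for the whitelist) are assumptions.

```python
"""Added example: turn aggregated domain lists plus a whitelist into Unbound
local-zone directives. Illustrative code, not the project's scripts.
Assumed input formats: blocklist lines are bare domains or hosts-file
entries ("0.0.0.0 ads.example"); whitelist lines are bare domains; '#'
starts a comment.
"""
import re

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
HOSTS_PREFIXES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed inputs for the demo; not taken from any real feed.
SAMPLE_BLOCKLIST = """# constructed blocklist
0.0.0.0 ads.example
tracker.example
sub.tracker.example
Bad_Domain
localhost
noTLD
"""
SAMPLE_WHITELIST = """sub.tracker.example
safe.example
"""


def normalize_domain(token):
    """Lower-case, strip a trailing dot, require at least two valid labels."""
    domain = token.strip().lower().rstrip(".")
    labels = domain.split(".")
    if len(domain) > 253 or len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return None
    return domain


def parse_domains(text):
    """Return the set of valid domains in a blocklist or whitelist file."""
    out = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        token = fields[1] if fields[0] in HOSTS_PREFIXES and len(fields) > 1 else fields[0]
        domain = normalize_domain(token)
        if domain:
            out.add(domain)
    return out


def ancestors(domain):
    """Parent names below the TLD: a.b.example.com -> b.example.com, example.com."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def build_zones(blocked, whitelisted):
    """Return (nxdomain_zones, transparent_zones) under Unbound's longest-match rule.

    - a blocked name that is exactly whitelisted is dropped;
    - a blocked name under an already-blocked parent is redundant and dropped;
    - a whitelisted name beneath a blocked parent needs its own 'transparent'
      zone, otherwise the parent's NXDOMAIN still swallows it.
    """
    keep = {d for d in blocked if d not in whitelisted}
    nx = {d for d in keep if not any(p in keep for p in ancestors(d))}
    transparent = {w for w in whitelisted if any(p in nx for p in ancestors(w))}
    return sorted(nx), sorted(transparent)


def render_unbound(blocked, whitelisted):
    """Emit a unbound.conf.d fragment; each drop-in file needs its own server: clause."""
    nx, transparent = build_zones(blocked, whitelisted)
    lines = ["server:"]
    lines += [f'    local-zone: "{d}" always_nxdomain' for d in nx]
    lines += [f'    local-zone: "{d}" transparent' for d in transparent]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_unbound(parse_domains(SAMPLE_BLOCKLIST),
                         parse_domains(SAMPLE_WHITELIST)), end="")
```

Whitelisting here is exact-match: allowing `example.com` does not unblock `ads.example.com`, which is the behaviour most operators want from a blocklist whitelist. Validate the generated file with `unbound-checkconf` before reloading.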
Server Verification
Every GlassBox VPN server publishes automated security scan results. No editing. No cherry-picking. The same output our team sees.
Published Reports (per server)
| Report | Tool | Frequency |
|---|---|---|
| Security audit | Lynis | Weekly |
| Rootkit scan | rkhunter | Weekly |
| File integrity check | AIDE (SHA-256 + MD5) | Weekly |
| Filesystem snapshot | Full directory tree | Daily |
| Warrant canary | Automated statement | Weekly |
Verify It Yourself
```bash
# Download and inspect the Lynis report
curl -s https://status.la01.oss-vpn.net/verify/lynis-report.txt | grep "hardening_index"

# Confirm no rootkits found
curl -s https://status.la01.oss-vpn.net/verify/rkhunter-report.txt | grep -i "rootkit"

# Check file integrity
curl -s https://status.la01.oss-vpn.net/verify/aide-report.txt | head -20

# See every file on the server
curl -s https://status.la01.oss-vpn.net/verify/server-snapshot.txt | head -100

# Check the warrant canary (shared across all servers)
curl -s https://oss-blocklist.net/verify/warrant-canary.txt

# Machine-readable status
curl -s https://status.la01.oss-vpn.net/verify/meta.json | python3 -m json.tool
```
Replace la01 with va01 for Ashburn or dal01 for Dallas. For Chicago, use oss-blocklist.net/verify/ instead.
No accounts required. No JavaScript required. Plain text reports accessible with curl.
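Grepping the reports shows you the lines; it does not tell you whether they pass. The following added example in Python (not part of the project) applies the README's own rules to the downloaded text: Lynis's `hardening_index=NN` line, rkhunter's `Possible rootkits: N` summary line, and the 14-day canary rule. The canary's date line format (`Date: YYYY-MM-DD`) and the hardening-index floor of 70 are assumptions; check the real canary's layout before relying on this.

```python
"""Added example: evaluate the published plain-text reports against the
README's rules. Illustrative code, not part of the project. Assumed formats:
Lynis report data `hardening_index=NN`; rkhunter summary `Possible rootkits: N`;
a warrant canary line `Date: YYYY-MM-DD` (assumed, verify against the real file).
"""
import re
from datetime import date

CANARY_MAX_AGE_DAYS = 14      # from the README: older than this means inactive
HARDENING_FLOOR = 70          # assumed threshold for this example, not a project number

# Constructed report excerpts for the demo.
SAMPLE_LYNIS = "# constructed excerpt\nhardening_index=72\n"
SAMPLE_RKHUNTER = "System checks summary\n    Rootkits checked : 497\n    Possible rootkits: 0\n"
SAMPLE_CANARY = "Warrant canary (constructed)\nDate: 2025-01-15\nNo orders received.\n"


def parse_hardening_index(text):
    m = re.search(r"^hardening_index=(\d+)\s*$", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def parse_possible_rootkits(text):
    m = re.search(r"Possible rootkits:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def canary_age_days(text, today_iso):
    """Days since the canary's Date: line, or None if the line is absent."""
    m = re.search(r"^Date:\s*(\d{4}-\d{2}-\d{2})\s*$", text, re.MULTILINE)
    if not m:
        return None
    return (date.fromisoformat(today_iso) - date.fromisoformat(m.group(1))).days


def evaluate(lynis_text, rkhunter_text, canary_text, today_iso):
    """Return a findings dict; a missing report is a finding, not a pass."""
    findings = {}
    idx = parse_hardening_index(lynis_text)
    findings["lynis"] = "missing" if idx is None else ("ok" if idx >= HARDENING_FLOOR else f"low:{idx}")
    rk = parse_possible_rootkits(rkhunter_text)
    findings["rkhunter"] = "missing" if rk is None else ("ok" if rk == 0 else f"fail:{rk}")
    age = canary_age_days(canary_text, today_iso)
    # A future-dated or absent canary is treated exactly like a stale one.
    if age is None or age < 0 or age > CANARY_MAX_AGE_DAYS:
        findings["canary"] = "inactive"
    else:
        findings["canary"] = f"ok:{age}d"
    return findings


if __name__ == "__main__":
    print(evaluate(SAMPLE_LYNIS, SAMPLE_RKHUNTER, SAMPLE_CANARY, date.today().isoformat()))
```

Pair it with the curl commands above: fetch the three files, feed their text to `evaluate`, and alert on anything other than `ok`. Treating an unparseable or missing report as a failure matters; a silently empty canary is the case the 14-day rule exists for.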
Live Monitoring
Real-time server metrics are available to connected GlassBox VPN users via the customer dashboard on each server.
| Server | Dashboard |
|---|---|
| Chicago | status.oss-vpn.net |
| Los Angeles | status.la01.oss-vpn.net |
| Ashburn | status.va01.oss-vpn.net |
| Dallas | status.dal01.oss-vpn.net |
Tunnel access required. Powered by Netdata.
How GlassBox VPN Works
For SecureNet Customers (Vault-Level VPN)
All devices on the network are protected automatically through the OPNsense vault.
Your devices
|
OPNsense Vault (WireGuard tunnel)
|
GlassBox VPN Server (Chicago / LA / Ashburn / Dallas)
|
Internet (exits as GlassBox VPN IP)
No software to install. No apps to configure. Connect to your network and you are protected.
For Individual Devices
GlassBox VPN also supports direct WireGuard connections from phones, laptops, and desktops when outside the home network.
Supported platforms: Android (WireGuard app), Windows (WireGuard app), Linux (wg-quick), iOS (WireGuard app), macOS (WireGuard app).
Pricing (GlassBox VPN includes OSS Support)
| Plan | Cost |
|---|---|
| Annual | $90 per year (18% discount) |
Pricing reflects infrastructure costs, threat intelligence maintenance, and professional configuration. GlassBox VPN is available exclusively to Protectli Vaults running SecureNet.
Repository Structure
glassboxvpn/
├── README.md
├── LICENSE
├── dashboard/
│ ├── admin-dashboard.html
│ ├── status-dashboard.html
│ └── verify-page.html
├── docs/
│ ├── jail.local
│ ├── sshd_config
│ └── sysctl.conf
├── iptables/
│ └── rules.v4
├── monit/
│ ├── monitrc
│ ├── glassboxvpn-security
│ ├── glassboxvpn-services
│ └── glassboxvpn-system
├── nginx/
│ ├── nginx.conf
│ ├── ntfy.chi.oss-vpn.net
│ ├── oss-blocklist.net
│ └── status.oss-vpn.net
├── scripts/
│ ├── app.py
│ ├── daily-blocklist-report.sh
│ ├── generate-security-reports.sh
│ ├── update-dns-blocklist.sh
│ ├── update-ip-blocklist.sh
│ ├── update-glassboxvpn-dns.sh
│ ├── update-glassboxvpn-ips.sh
│ ├── wg-control.py
│ └── whitelist-manager.sh
├── systemd/
│ ├── journald.conf
│ ├── glassboxvpn-admin.service
│ └── wg-control.service
├── unbound/
│ ├── oss-blocklist.conf
│ ├── glassboxvpn.conf
│ └── streaming-blocks.conf
└── servers/
├── chi01/
│ └── README.md
├── la01/
│ └── README.md
├── va01/
│ └── README.md
└── dal01/
└── README.md
Shared configurations are at the top level. All servers run identical configs. Per-server details, verify links, and any server-specific overrides live in the servers/ directory.
Links
| Resource | URL |
|---|---|
| Company | opensourcesecurity.net |
| Blocklists | oss-blocklist.net |
| Warrant Canary | oss-blocklist.net/verify/warrant-canary.txt |
| Source Code | git.opensourcesecurity.net |
| SecureNet | git.opensourcesecurity.net/opensourcesecurity/securenet |
| GlassBox | git.opensourcesecurity.net/opensourcesecurity/glassbox |
About Open Source Security
Open Source Security, Inc. delivers enterprise-grade network security to home users through professionally configured OPNsense firewalls on Protectli hardware.
Transparency is the foundation. Every configuration is published. Every claim is verifiable. The company name is Open Source Security for a reason.