Repo refresh after weeks of production work that hadn't been pushed:
Structure
- New servers/dal01/ with README (Dallas brought online May 7)
- Top-level README updated: infrastructure table, dashboard table, monitoring
table, tree diagram, and verify-pages reference all now include Dallas
- New system/ directory for GlassBox-claim system configs (sshd_config,
sysctl.conf, fail2ban jail.local)
Production sync from Chicago (canonical reference)
- scripts/generate-server-tree.sh: new GlassBox-scoped snapshot generator,
replaces the older verify-snapshot logic, deployed to all four servers
- scripts/wg1-control.py + systemd/wg1-control.service: SafeNet membership
tier daemon (was missing from repo despite being in production since April)
- iptables/rules.v6: was missing entirely
- unbound/unbound.conf: was missing (only the .d/ files were tracked)
- scripts/app.py, scripts/wg-control.py, dashboard/*.html, unbound/safenet.conf:
refreshed to current production versions
Cleanup
- Removed unbound/oss-blocklist.conf (97 MB generated blocklist data, never
belonged in version control; now gitignored)
- Removed servers/{chi,la,va}01/app.py (per-server duplicates of scripts/app.py;
servers should override only when they actually differ from canonical)
- Per-server READMEs corrected: wg0=OSS Members, wg1=SafeNet (was reversed)
- New .gitignore covers blocklist data, venv, pyc, backup files, env files, logs
GlassBox snapshot script
The new scripts/generate-server-tree.sh is hostname-aware and deployed
identically to all four servers. Each server publishes its own snapshot
at its verify URL. Scope is narrow by design: only files that prove the
GlassBox claims (no DNS logging, no access logging, hardened firewall/SSH/
kernel, transparent blocklist aggregation). Operational code lives in
this repo for full disclosure but doesn't appear in the daily snapshots.
For live verification, GlassBox (the read-only verify shell) is in
development and will deploy to SafeNet servers after the bounty milestone.
SafeNet VPN
Private browsing VPN for SecureNet customers.
What Is SafeNet?
SafeNet is a network-level VPN service for Protectli Vaults running SecureNet. All devices on SafeNet-enabled networks route through hardened dedicated servers automatically. No applications are required on individual devices.
This repository contains the complete SafeNet server configuration. Keys and passwords are excluded. Everything else is published.
Verify our privacy claims. Inspect our code. That is the point.
What SafeNet Is For
| Designed For | Not For |
|---|---|
| Private browsing | Streaming services (blocked) |
| ISP privacy protection | Torrenting and P2P (blocked) |
| Keeping your IP private | Real-time gaming (UDP restricted) |
| Whole-network VPN | High-bandwidth applications |
SafeNet is a browsing-focused VPN by design. Bandwidth-intensive traffic is intentionally restricted to maintain performance, reduce abuse, and protect IP reputation.
Server Infrastructure
| Server | Location | Hardware | Network |
|---|---|---|---|
| chi01 | Chicago, IL | Dedicated, Intel Xeon E3, 32GB RAM | 10 Gbps dedicated fiber, unmetered |
| la01 | Los Angeles, CA | Dedicated, Intel Xeon E3, 32GB RAM | 10 Gbps dedicated fiber, unmetered |
| va01 | Ashburn, VA | Dedicated, Intel Xeon E3, 32GB RAM | 10 Gbps dedicated fiber, unmetered |
| dal01 | Dallas, TX | Dedicated, dual-CPU Intel Xeon, 32GB RAM | 10 Gbps dedicated fiber, unmetered |
All servers run Ubuntu Server 24.04 LTS on bare-metal dedicated hardware. No shared hosting. No virtual machines.
Per-server details, verify pages, and status links are in the servers/ directory.
| Server | Dashboard | Verify Pages | Server Snapshot |
|---|---|---|---|
| chi01 | status.oss-vpn.net | oss-blocklist.net/verify | server-snapshot.txt |
| la01 | status.la01.oss-vpn.net | la01 verify | server-snapshot.txt |
| va01 | status.va01.oss-vpn.net | va01 verify | server-snapshot.txt |
| dal01 | status.dal01.oss-vpn.net | dal01 verify | server-snapshot.txt |
Security Architecture
SafeNet uses a privilege-separated architecture with defense in depth. No single compromise results in full system control.
Privilege Separation Model
```
                 nginx
    (reverse proxy, rate limiting)
                   |
                   v
    Flask Admin API (User: safenet)
      - Unprivileged user
      - No access to WireGuard configs
      - No ability to execute system commands
      - Sandboxed via systemd
                   |
                   | Unix socket (restricted)
                   v
    WireGuard Control Daemon (User: wgctl)
      - Dedicated unprivileged user
      - CAP_NET_ADMIN capability only
      - Strict input validation
      - Local socket access only
```
If the web application is compromised: The attacker gains an unprivileged user with no access to VPN keys, configuration files, or system commands.
If the daemon is compromised: The attacker gains CAP_NET_ADMIN only. They cannot read files or escalate to root.
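The "strict input validation" step is where the isolation above either holds or fails: the daemon is the only process that may touch the tunnel, so every field it receives over the socket has to be checked against an allow-list before it becomes a `wg set` argument. The following is an added illustration, not the repository's own `wg-control.py`; the request field names (`action`, `pubkey`, `ip`), the `wg1` interface and the 10.200.0.0/24 pool are assumptions drawn from the README.

```python
import base64
import ipaddress
import json
import re

WG_IFACE = "wg1"                                     # SafeNet tier interface (assumed)
TUNNEL_POOL = ipaddress.ip_network("10.200.0.0/24")  # assumed pool for 10.200.0.x
# 32 raw bytes base64-encode to 43 chars plus '='; the 43rd char carries only
# 4 data bits, so it must come from this 16-character subset.
PUBKEY_RE = re.compile(r"^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$")
ALLOWED_ACTIONS = {"add", "remove"}

class ValidationError(ValueError):
    """Raised for any request the daemon refuses to act on."""

def validate_pubkey(key) -> str:
    """Accept only a well-formed 32-byte WireGuard key; nothing else reaches wg."""
    if not isinstance(key, str) or not PUBKEY_RE.fullmatch(key):
        raise ValidationError("malformed public key")
    if len(base64.b64decode(key, validate=True)) != 32:
        raise ValidationError("public key is not 32 bytes")
    return key

def validate_tunnel_ip(ip) -> str:
    """Accept one host address inside the tunnel pool, returned as a /32."""
    try:
        addr = ipaddress.ip_address(ip)
    except (TypeError, ValueError) as e:
        raise ValidationError("malformed tunnel IP") from e
    if addr not in TUNNEL_POOL or addr in (TUNNEL_POOL.network_address,
                                           TUNNEL_POOL.broadcast_address):
        raise ValidationError("tunnel IP outside the pool")
    return f"{addr}/32"

def build_wg_argv(raw: bytes) -> list:
    """Turn one JSON request from the socket into an argv for 'wg set'.
    An argv list (never a shell string) means each field is exactly one
    argument, so a hostile value cannot smuggle extra wg options."""
    try:
        req = json.loads(raw)
    except ValueError as e:
        raise ValidationError("request is not JSON") from e
    if not isinstance(req, dict) or req.get("action") not in ALLOWED_ACTIONS:
        raise ValidationError("unknown action")
    key = validate_pubkey(req.get("pubkey"))
    if req["action"] == "remove":
        return ["wg", "set", WG_IFACE, "peer", key, "remove"]
    ip = validate_tunnel_ip(req.get("ip"))
    return ["wg", "set", WG_IFACE, "peer", key, "allowed-ips", ip]
```

The returned argv would be handed to `subprocess.run` without a shell; anything that does not pass the checks never reaches the tunnel.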
Six-Layer Security Stack
| Layer | Protection |
|---|---|
| 1. iptables | Protocol blocking and traffic filtering |
| 2. WireGuard | Encrypted tunnel with modern cryptography |
| 3. nginx | Rate limiting and IP-based access control |
| 4. Unbound DNS | ~850,000 malicious domains blocked (updated daily) |
| 5. ipset | ~46,000 malicious IPs blocked at kernel level (updated daily) |
| 6. Privilege Separation | Web and control layers fully isolated |
Server Hardening
| Measure | Implementation |
|---|---|
| SSH | Key-only authentication (ED25519), passwords disabled |
| SSH Ciphers | aes256-gcm, chacha20-poly1305 only |
| SSH Key Exchange | curve25519-sha256 only |
| TLS | 1.2 and 1.3 only (1.0 and 1.1 disabled) |
| Brute force | fail2ban with automatic bans |
| Updates | Unattended security upgrades enabled |
| Firewall | iptables with ipset integration |
| IPv6 | Disabled system-wide |
| systemd | ProtectSystem, PrivateTmp, NoNewPrivileges |
| File permissions | WireGuard private key readable by root only |
| nginx | Server version header hidden |
Open Ports (Public Interface)
| Port | Service | Protection |
|---|---|---|
| 22/tcp | SSH | Key-only auth (ED25519), fail2ban, strong ciphers only |
| 80/tcp | HTTP | Redirects to HTTPS, blocklist distribution |
| 443/tcp | HTTPS | TLS 1.2/1.3 only, Let's Encrypt certificates |
| 51820/udp | WireGuard | Encrypted tunnel |
Port 53 (DNS) is bound to the tunnel interface only and is not reachable from the public internet.
Privacy Architecture
What We Know vs. What We Do Not Know
| We Know | We Do Not Know |
|---|---|
| Assigned tunnel IP (10.200.0.x) | DNS queries |
| WireGuard public key | Websites visited |
| Connection status | Browsing history |
| Aggregate bandwidth usage | Per-connection timestamps |
| Last handshake time | Traffic contents |
Zero-Logging Implementation
WireGuard does not log traffic by design. It logs only interface startup and shutdown events to the system journal.
DNS logging is explicitly disabled:
```
# /etc/unbound/unbound.conf.d/safenet.conf
server:
    verbosity: 0
```
System journal retention is capped at 24 hours:
```ini
# /etc/systemd/journald.conf.d/99-safenet.conf
[Journal]
SystemMaxUse=100M
MaxRetentionSec=1day
```
nginx access logs rotate every 24 hours and retain 3 days maximum.
There are no traffic logs, no DNS query logs, no connection timestamps, and no browsing history stored anywhere on any server. The only persistent data is WireGuard peer public keys, which are public by definition.
Warrant Canary
A signed statement confirming Open Source Security Inc. has not received any national security letters, FISA court orders, court orders for user data, gag orders, or requests to insert backdoors or weaken encryption. Updated weekly with the security audit cycle. The warrant canary covers all SafeNet servers.
If the canary is absent or has not been updated within 14 days, consider it inactive and act accordingly.
Browse-Only Enforcement
SafeNet restricts traffic to browsing-oriented use cases.
| Allowed | Blocked |
|---|---|
| HTTP and HTTPS | BitTorrent and DHT |
| Email protocols | Streaming CDNs |
| SSH and SFTP | FTP |
| Standard TCP applications | Most UDP traffic |
Enforcement Methods
- iptables blocks all outbound UDP except DNS and WireGuard
- Known BitTorrent and DHT ports are blocked
- Streaming services return NXDOMAIN via DNS filtering
- Malicious IP ranges are dropped at kernel level
Threat Intelligence
SafeNet operates its own blocklist aggregation infrastructure at oss-blocklist.net. Blocklists are maintained on the Chicago server and distributed to all SafeNet servers.
DNS Blocklist (~850,000 domains, updated daily)
Sources: Hagezi Pro++, OISD Big, Steven Black, 1Hosts Pro, AdGuard DNS
IP Blocklist (~46,000 IPs, updated daily)
Sources: Spamhaus DROP, DShield, Hagezi TIF
Update Schedule (Chicago time)
| Time | Task |
|---|---|
| 2:00 AM | Source DNS blocklist update |
| 2:15 AM | Source IP blocklist update |
| 2:25 AM | Apply DNS blocklist to Unbound |
| 2:45 AM | Apply IP blocklist to ipset |
All blocklist sources, aggregation scripts, and output files are public:
- DNS blocklist: oss-blocklist.net/dns/dns-combined.txt
- IP blocklist: oss-blocklist.net/ip/ip-combined.txt
- DNS whitelist: oss-blocklist.net/dns/dns-whitelist.txt
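The aggregation step described above (union several upstream feeds, apply the whitelist, emit something Unbound can load) is shown here as an added Python example; it is not the repository's `update-dns-blocklist.sh`. The feed and whitelist contents are constructed stand-ins, and the hosts-style and domain-per-line formats are assumed to be the two shapes the upstream lists arrive in.

```python
import re

# RFC 1035-style name rules: letters, digits, hyphens, at most 253 chars.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def parse_list(text: str) -> set:
    """Accept hosts-format ('0.0.0.0 name') and one-domain-per-line lists;
    comments, blank lines and anything that is not a valid name are dropped."""
    domains = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().lower().split()
        if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            name = parts[1]          # hosts format
        elif len(parts) == 1:
            name = parts[0]          # plain domain format
        else:
            continue
        name = name.rstrip(".")
        if DOMAIN_RE.fullmatch(name):
            domains.add(name)
    return domains

def aggregate(sources: dict, whitelist: str) -> list:
    """Union every source, then drop whitelisted names and their subdomains."""
    allow = parse_list(whitelist)
    merged = set().union(*(parse_list(text) for text in sources.values()))
    def is_allowed(name):
        return any(name == w or name.endswith("." + w) for w in allow)
    return sorted(name for name in merged if not is_allowed(name))

def to_unbound(domains: list) -> str:
    """One always_nxdomain zone per name; the zone also covers its subdomains."""
    return "".join(f'local-zone: "{d}." always_nxdomain\n' for d in domains)

# Constructed stand-ins for the real feeds listed above.
SOURCES = {
    "feed-a": "# hosts style\n0.0.0.0 ads.example.net\n0.0.0.0 tracker.example.org\n",
    "feed-b": "ads.example.net\ncdn.Tracker.example.org.\napi.needed.example.org\n"
              "not a domain\n",
}
WHITELIST = "# never block our own API\nneeded.example.org\n"

if __name__ == "__main__":
    print(to_unbound(aggregate(SOURCES, WHITELIST)), end="")
```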
Server Verification
Every SafeNet server publishes automated security scan results. No editing. No cherry-picking. The same output our team sees.
Published Reports (per server)
| Report | Tool | Frequency |
|---|---|---|
| Security audit | Lynis | Weekly |
| Rootkit scan | rkhunter | Weekly |
| File integrity check | AIDE (SHA-256 + MD5) | Weekly |
| Filesystem snapshot | Full directory tree | Daily |
| Warrant canary | Automated statement | Weekly |
Verify It Yourself
```bash
# Download and inspect the Lynis report
curl -s https://status.la01.oss-vpn.net/verify/lynis-report.txt | grep "hardening_index"

# Confirm no rootkits found
curl -s https://status.la01.oss-vpn.net/verify/rkhunter-report.txt | grep -i "rootkit"

# Check file integrity
curl -s https://status.la01.oss-vpn.net/verify/aide-report.txt | head -20

# See every file on the server
curl -s https://status.la01.oss-vpn.net/verify/server-snapshot.txt | head -100

# Check the warrant canary (shared across all servers)
curl -s https://oss-blocklist.net/verify/warrant-canary.txt

# Machine-readable status
curl -s https://status.la01.oss-vpn.net/verify/meta.json | python3 -m json.tool
```
Replace la01 with va01 for Ashburn or dal01 for Dallas. For Chicago, use oss-blocklist.net/verify/ instead.
No accounts required. No JavaScript required. Plain text reports accessible with curl.
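Two of the artifacts above lend themselves to an automated check: the warrant canary, using the 14-day rule from the Warrant Canary section, and the Lynis hardening index. This is an added example and not the project's tooling; the `Date:` header line in the canary is an assumed format, the `hardening_index=NN` line follows Lynis's report-file convention, and the "overdue" state (a missed weekly update that is still inside the 14-day window) is an added intermediate state. Both inputs are constructed samples; the same functions can be fed the curl output above.

```python
import re
from datetime import date, timedelta

WEEKLY = timedelta(days=7)           # stated update cadence
INACTIVE_AFTER = timedelta(days=14)  # the README's rule

def canary_status(text: str, today_iso: str) -> str:
    """'active' when signed within the weekly cadence, 'overdue' when a weekly
    update was missed but 14 days have not passed, 'inactive' when the Date:
    line is absent, unparsable, future-dated or older than 14 days."""
    m = re.search(r"^Date:\s*(\d{4}-\d{2}-\d{2})\s*$", text, re.M)
    if not m:
        return "inactive"            # absent: treat exactly like a stale canary
    try:
        signed = date.fromisoformat(m.group(1))
    except ValueError:
        return "inactive"
    age = date.fromisoformat(today_iso) - signed
    if age < timedelta(0) or age > INACTIVE_AFTER:
        return "inactive"
    return "active" if age <= WEEKLY else "overdue"

def hardening_index(report: str):
    """Lynis reports 'hardening_index=NN' (0-100); None if the line is missing."""
    m = re.search(r"^hardening_index=(\d{1,3})\s*$", report, re.M)
    return int(m.group(1)) if m else None

# Constructed sample artifacts standing in for the curl output above.
CANARY = (
    "Open Source Security Inc. has not received any national security\n"
    "letters, FISA court orders, court orders for user data, gag orders,\n"
    "or requests to insert backdoors or weaken encryption.\n"
    "Date: 2025-05-07\n"
)
LYNIS = "# constructed excerpt\nhardening_index=81\n"

if __name__ == "__main__":
    print(canary_status(CANARY, "2025-05-12"), hardening_index(LYNIS))
```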
Live Monitoring
Real-time server metrics are available to connected SafeNet users via the customer dashboard on each server.
| Server | Dashboard |
|---|---|
| Chicago | status.oss-vpn.net |
| Los Angeles | status.la01.oss-vpn.net |
| Ashburn | status.va01.oss-vpn.net |
| Dallas | status.dal01.oss-vpn.net |
Tunnel access required. Powered by Netdata.
How SafeNet Works
For SecureNet Customers (Vault-Level VPN)
All devices on the network are protected automatically through the OPNsense vault.
```
Your devices
     |
OPNsense Vault (WireGuard tunnel)
     |
SafeNet Server (Chicago / LA / Ashburn)
     |
Internet (exits as SafeNet IP)
```
No software to install. No apps to configure. Connect to your network and you are protected.
For Individual Devices
SafeNet also supports direct WireGuard connections from phones, laptops, and desktops when outside the home network.
Supported platforms: Android (WireGuard app), Windows (WireGuard app), Linux (wg-quick), iOS (WireGuard app), macOS (WireGuard app).
Pricing (SafeNet includes OSS Support)
| Plan | Cost |
|---|---|
| Monthly | $9 per month |
| Annual | $89 per year (18% discount) |
Pricing reflects infrastructure costs, threat intelligence maintenance, and professional configuration. SafeNet is available exclusively to Protectli Vaults running SecureNet.
Repository Structure
```
safenet/
├── README.md
├── LICENSE
├── dashboard/
│   ├── admin-dashboard.html
│   ├── status-dashboard.html
│   └── verify-page.html
├── docs/
│   ├── jail.local
│   ├── sshd_config
│   └── sysctl.conf
├── iptables/
│   └── rules.v4
├── monit/
│   ├── monitrc
│   ├── safenet-security
│   ├── safenet-services
│   └── safenet-system
├── nginx/
│   ├── nginx.conf
│   ├── ntfy.chi.oss-vpn.net
│   ├── oss-blocklist.net
│   └── status.oss-vpn.net
├── scripts/
│   ├── app.py
│   ├── daily-blocklist-report.sh
│   ├── generate-security-reports.sh
│   ├── update-dns-blocklist.sh
│   ├── update-ip-blocklist.sh
│   ├── update-safenet-dns.sh
│   ├── update-safenet-ips.sh
│   ├── wg-control.py
│   └── whitelist-manager.sh
├── systemd/
│   ├── journald.conf
│   ├── safenet-admin.service
│   └── wg-control.service
├── unbound/
│   ├── oss-blocklist.conf
│   ├── safenet.conf
│   └── streaming-blocks.conf
└── servers/
    ├── chi01/
    │   └── README.md
    ├── la01/
    │   └── README.md
    ├── va01/
    │   └── README.md
    └── dal01/
        └── README.md
```
Shared configurations are at the top level. All servers run identical configs. Per-server details, verify links, and any server-specific overrides live in the servers/ directory.
Links
| Resource | URL |
|---|---|
| Company | opensourcesecurity.net |
| Blocklists | oss-blocklist.net |
| Warrant Canary | oss-blocklist.net/verify/warrant-canary.txt |
| Source Code | git.opensourcesecurity.net |
| SecureNet | git.opensourcesecurity.net/opensourcesecurity/securenet |
| GlassBox | git.opensourcesecurity.net/opensourcesecurity/glassbox |
About Open Source Security
Open Source Security, Inc. delivers enterprise-grade network security to home users through professionally configured OPNsense firewalls on Protectli hardware.
Transparency is the foundation. Every configuration is published. Every claim is verifiable. The company name is Open Source Security for a reason.