dashboard Update all configs to match production server (March 2026) 2026-03-29 08:32:28 -07:00
docs Update all configs to match production server (March 2026) 2026-03-29 08:32:28 -07:00
iptables Update all configs to match production server (March 2026) 2026-03-29 08:32:28 -07:00
monit Update all configs to match production server (March 2026) 2026-03-29 08:32:28 -07:00
nginx Update all configs to match production server (March 2026) 2026-03-29 08:32:28 -07:00
scripts Update all configs to match production server (March 2026) 2026-03-29 08:32:28 -07:00
servers add multi-server structure with pre-server verify links 2026-03-30 16:41:47 -07:00
systemd Update all configs to match production server (March 2026) 2026-03-29 08:32:28 -07:00
unbound Update all configs to match production server (March 2026) 2026-03-29 08:32:28 -07:00
LICENSE Initial commit 2025-12-10 18:10:15 +13:00
README.md add multi-server structure with pre-server verify links 2026-03-30 16:41:47 -07:00

SafeNet VPN

Private browsing VPN for SecureNet customers.



What Is SafeNet?

SafeNet is a network-level VPN service for Protectli Vaults running SecureNet. All devices on SafeNet-enabled networks route through hardened dedicated servers automatically. No applications are required on individual devices.

This repository contains the complete SafeNet server configuration. Keys and passwords are excluded. Everything else is published.

Verify our privacy claims. Inspect our code. That is the point.


What SafeNet Is For

| Designed For | Not For |
|---|---|
| Private browsing | Streaming services (blocked) |
| ISP privacy protection | Torrenting and P2P (blocked) |
| Keeping your IP private | Real-time gaming (UDP restricted) |
| Whole-network VPN | High-bandwidth applications |

SafeNet is a browsing-focused VPN by design. Bandwidth-intensive traffic is intentionally restricted to maintain performance, reduce abuse, and protect IP reputation.


Server Infrastructure

| Server | Location | Hardware | Network |
|---|---|---|---|
| chi01 | Chicago, IL | Dedicated, Intel Xeon E3, 32GB RAM | 10 Gbps dedicated fiber, unmetered |
| la01 | Los Angeles, CA | Dedicated, Intel Xeon E3, 32GB RAM | 10 Gbps dedicated fiber, unmetered |
| va01 | Ashburn, VA | Dedicated, Intel Xeon E3, 32GB RAM | 10 Gbps dedicated fiber, unmetered |

All servers run Ubuntu Server 24.04 LTS on bare-metal dedicated hardware. No shared hosting. No virtual machines.

Per-server details, verify pages, and status links are in the servers/ directory.

| Server | Dashboard | Verify Pages | Server Snapshot |
|---|---|---|---|
| chi01 | status.oss-vpn.net | oss-blocklist.net/verify | oss-blocklist.net/verify/server-snapshot.txt |
| la01 | status.la01.oss-vpn.net | status.la01.oss-vpn.net/verify | status.la01.oss-vpn.net/verify/server-snapshot.txt |
| va01 | status.va01.oss-vpn.net | status.va01.oss-vpn.net/verify | status.va01.oss-vpn.net/verify/server-snapshot.txt |

Security Architecture

SafeNet uses a privilege-separated architecture with defense in depth. No single compromise results in full system control.

Privilege Separation Model

                     nginx
              (reverse proxy, rate limiting)
                          |
                          v
          Flask Admin API (User: safenet)
             - Unprivileged user
             - No access to WireGuard configs
             - No ability to execute system commands
             - Sandboxed via systemd
                          |
                          | Unix socket (restricted)
                          v
        WireGuard Control Daemon (User: wgctl)
             - Dedicated unprivileged user
             - CAP_NET_ADMIN capability only
             - Strict input validation
             - Local socket access only

If the web application is compromised: The attacker gains an unprivileged user with no access to VPN keys, configuration files, or system commands.

If the daemon is compromised: The attacker gains CAP_NET_ADMIN only. They cannot read files or escalate to root.
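The control daemon's value comes from how narrowly it parses what the web tier sends it. The following is an added illustration, not the repository's own wg-control.py: it shows the kind of strict validation the model above calls for, accepting only a canonical 44-character base64 key, only a host address inside the 10.200.0.0/24 tunnel range, and only one fixed request shape, and then building `wg set` as an argv list so nothing from the socket is ever interpreted by a shell. The socket path, interface name `wg0`, the JSON message layout and the sample all-zero key are assumptions made for the example.

```python
"""Input validation for a WireGuard control daemon (added example, hypothetical).

Mirrors the privilege-separation model described above: the daemon listens on a
local Unix socket, validates every field against a narrow grammar, and only then
invokes `wg set` with a fixed argv (never a shell string).
"""
import base64
import ipaddress
import json
import os
import re
import socket
import subprocess
from typing import Optional

WG_INTERFACE = "wg0"                                 # assumed interface name
TUNNEL_NET = ipaddress.ip_network("10.200.0.0/24")   # tunnel range stated in the README
# A 32-byte key is exactly 44 base64 characters with one '=' pad; the 43rd
# character can only be one whose low two bits are zero.
_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$")
# Constructed sample key (all-zero bytes) used only to exercise the validator.
SAMPLE_KEY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="


def validate_public_key(key: object) -> str:
    """Accept only the canonical base64 encoding of a 32-byte key."""
    if not isinstance(key, str) or not _KEY_RE.fullmatch(key):
        raise ValueError("public key is not 44-character canonical base64")
    if len(base64.b64decode(key, validate=True)) != 32:
        raise ValueError("public key does not decode to 32 bytes")
    return key


def validate_tunnel_ip(addr: object) -> str:
    """Accept only a single usable IPv4 host inside the tunnel subnet."""
    if not isinstance(addr, str):
        raise ValueError("tunnel address must be a string")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        raise ValueError("tunnel address is not a valid IP") from None
    if ip.version != 4 or ip not in TUNNEL_NET:
        raise ValueError(f"tunnel address outside {TUNNEL_NET}")
    if ip in (TUNNEL_NET.network_address, TUNNEL_NET.broadcast_address):
        raise ValueError("tunnel address is the network or broadcast address")
    return f"{ip}/32"


def build_add_peer_argv(request: dict) -> list:
    """Turn a request object into a fixed-shape `wg set` argv, or raise."""
    if set(request) != {"action", "public_key", "tunnel_ip"}:
        raise ValueError("unexpected request fields")
    if request["action"] != "add_peer":
        raise ValueError("unsupported action")
    key = validate_public_key(request["public_key"])
    allowed = validate_tunnel_ip(request["tunnel_ip"])
    return ["wg", "set", WG_INTERFACE, "peer", key, "allowed-ips", allowed]


def handle_request(raw: bytes, dry_run: bool = True) -> dict:
    """Parse one socket message and return a result instead of raising."""
    try:
        request = json.loads(raw.decode("utf-8"))   # JSONDecodeError is a ValueError
        if not isinstance(request, dict):
            raise ValueError("request must be a JSON object")
        argv = build_add_peer_argv(request)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    if not dry_run:
        subprocess.run(argv, check=True)   # argv list: no shell, no word splitting
    return {"ok": True, "argv": argv}


def serve(path: str = "/run/wgctl/wgctl.sock") -> None:
    """Serve one JSON request per connection on a local Unix socket (assumed path)."""
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o660)   # only the daemon's group may connect; not network-reachable
        srv.listen(4)
        while True:
            conn, _ = srv.accept()
            with conn:
                reply = handle_request(conn.recv(4096), dry_run=False)
                conn.sendall(json.dumps(reply).encode("utf-8"))


if __name__ == "__main__":
    msg = json.dumps({"action": "add_peer", "public_key": SAMPLE_KEY,
                      "tunnel_ip": "10.200.0.5"}).encode("utf-8")
    print(handle_request(msg))   # dry run: shows the argv that would be executed
```

With `dry_run=True` the function returns the argv it would run, which makes the validator easy to unit-test without touching an interface; the daemon itself would run under the `wgctl` user with only CAP_NET_ADMIN, as the model above describes.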

Six-Layer Security Stack

| Layer | Protection |
|---|---|
| 1. iptables | Protocol blocking and traffic filtering |
| 2. WireGuard | Encrypted tunnel with modern cryptography |
| 3. nginx | Rate limiting and IP-based access control |
| 4. Unbound DNS | ~850,000 malicious domains blocked (updated daily) |
| 5. ipset | ~46,000 malicious IPs blocked at kernel level (updated daily) |
| 6. Privilege Separation | Web and control layers fully isolated |

Server Hardening

| Measure | Implementation |
|---|---|
| SSH | Key-only authentication (ED25519), passwords disabled |
| SSH Ciphers | aes256-gcm, chacha20-poly1305 only |
| SSH Key Exchange | curve25519-sha256 only |
| TLS | 1.2 and 1.3 only (1.0 and 1.1 disabled) |
| Brute force | fail2ban with automatic bans |
| Updates | Unattended security upgrades enabled |
| Firewall | iptables with ipset integration |
| IPv6 | Disabled system-wide |
| systemd | ProtectSystem, PrivateTmp, NoNewPrivileges |
| File permissions | WireGuard private key readable by root only |
| nginx | Server version header hidden |

Open Ports (Public Interface)

| Port | Service | Protection |
|---|---|---|
| 22/tcp | SSH | Key-only auth (ED25519), fail2ban, strong ciphers only |
| 80/tcp | HTTP | Redirects to HTTPS, blocklist distribution |
| 443/tcp | HTTPS | TLS 1.2/1.3 only, Let's Encrypt certificates |
| 51820/udp | WireGuard | Encrypted tunnel |

Port 53 (DNS) is bound to the tunnel interface only and is not reachable from the public internet.


Privacy Architecture

What We Know vs. What We Do Not Know

| We Know | We Do Not Know |
|---|---|
| Assigned tunnel IP (10.200.0.x) | DNS queries |
| WireGuard public key | Websites visited |
| Connection status | Browsing history |
| Aggregate bandwidth usage | Per-connection timestamps |
| Last handshake time | Traffic contents |

Zero-Logging Implementation

WireGuard does not log traffic by design. It logs only interface startup and shutdown events to the system journal.

DNS logging is explicitly disabled:

# /etc/unbound/unbound.conf.d/safenet.conf
server:
    verbosity: 0

System journal retention is capped at 24 hours:

# /etc/systemd/journald.conf.d/99-safenet.conf
[Journal]
SystemMaxUse=100M
MaxRetentionSec=1day

nginx access logs rotate every 24 hours and retain 3 days maximum.

There are no traffic logs, no DNS query logs, no connection timestamps, and no browsing history stored anywhere on any server. The only persistent data is WireGuard peer public keys, which are public by definition.

Warrant Canary

A signed statement confirming Open Source Security Inc. has not received any national security letters, FISA court orders, court orders for user data, gag orders, or requests to insert backdoors or weaken encryption. Updated weekly with the security audit cycle. The warrant canary covers all SafeNet servers.

If the canary is absent or has not been updated within 14 days, consider it inactive and act accordingly.

View the warrant canary: https://oss-blocklist.net/verify/warrant-canary.txt


Browse-Only Enforcement

SafeNet restricts traffic to browsing-oriented use cases.

| Allowed | Blocked |
|---|---|
| HTTP and HTTPS | BitTorrent and DHT |
| Email protocols | Streaming CDNs |
| SSH and SFTP | FTP |
| Standard TCP applications | Most UDP traffic |

Enforcement Methods

  1. iptables blocks all outbound UDP except DNS and WireGuard
  2. Known BitTorrent and DHT ports are blocked
  3. Streaming services return NXDOMAIN via DNS filtering
  4. Malicious IP ranges are dropped at kernel level

Threat Intelligence

SafeNet operates its own blocklist aggregation infrastructure at oss-blocklist.net. Blocklists are maintained on the Chicago server and distributed to all SafeNet servers.

DNS Blocklist (~850,000 domains, updated daily)

Sources: Hagezi Pro++, OISD Big, Steven Black, 1Hosts Pro, AdGuard DNS

IP Blocklist (~46,000 IPs, updated daily)

Sources: Spamhaus DROP, DShield, Hagezi TIF

Update Schedule (Chicago time)

| Time | Task |
|---|---|
| 2:00 AM | Source DNS blocklist update |
| 2:15 AM | Source IP blocklist update |
| 2:25 AM | Apply DNS blocklist to Unbound |
| 2:45 AM | Apply IP blocklist to ipset |

All blocklist sources, aggregation scripts, and output files are public at oss-blocklist.net and in this repository's scripts/ directory.
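The aggregation step above (several public source lists merged daily into one Unbound blocklist that answers NXDOMAIN, as the enforcement section describes) is the part most worth seeing end to end, because a sloppy aggregator is how a malformed or hostile list entry ends up in a resolver config. The following is an added example, not the repository's update-dns-blocklist.sh: it reads hosts-file style lines and plain domain lists, strips comments, lowercases and validates each name as a hostname, refuses to blackhole localhost-style names, drops subdomains already covered by a blocked parent, and renders `local-zone: "<name>." always_nxdomain` entries. The sample list lines are constructed for the example and are not content from any of the named sources.

```python
"""Aggregate DNS blocklists into an Unbound always_nxdomain zone file (added example).

Not the project's own script.  Handles the two common list formats (hosts-file
"0.0.0.0 domain" and one-domain-per-line, including AdGuard "||domain^" rules)
and emits Unbound configuration under a `server:` clause.
"""
import re
from typing import Iterable, List, Optional

# RFC 1123 hostname label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")   # at least two labels
_HOSTS_PREFIXES = ("0.0.0.0", "127.0.0.1", "::", "::1")
# Names that must never be blackholed even if a source list carries them.
_NEVER_BLOCK = {"localhost", "localhost.localdomain", "local", "broadcasthost"}

# Constructed sample lines in the formats real sources use (not real list content).
SAMPLE_HOSTS_LIST = [
    "# Title: sample hosts-format list (constructed)",
    "0.0.0.0 ads.example.com",
    "0.0.0.0 Tracker.Example.NET  # trailing comment",
    "127.0.0.1 localhost",
    "0.0.0.0 bad_underscore.example.org",   # invalid label: rejected
]
SAMPLE_PLAIN_LIST = [
    "example.com",
    "cdn.streaming.example.net",
    "ads.example.com",                      # duplicate, and covered by example.com
    "||telemetry.example.org^",             # AdGuard-style rule
]


def extract_domain(line: str) -> Optional[str]:
    """Return the validated, normalised domain on one list line, or None."""
    line = line.split("#", 1)[0].strip()            # drop comments and whitespace
    if not line:
        return None
    parts = line.split()
    if parts[0] in _HOSTS_PREFIXES and len(parts) >= 2:   # hosts-file format
        candidate = parts[1]
    elif len(parts) == 1:                                  # plain domain list
        candidate = parts[0]
    else:
        return None
    candidate = candidate.lower().rstrip(".")
    if candidate.startswith("||"):                         # ||domain^ rule syntax
        candidate = candidate[2:].rstrip("^")
    if candidate in _NEVER_BLOCK or len(candidate) > 253:
        return None
    if not _HOSTNAME_RE.fullmatch(candidate):
        return None
    return candidate


def aggregate(sources: Iterable[Iterable[str]]) -> List[str]:
    """Merge sources, dedupe, and drop names whose parent zone is already blocked.

    An Unbound local-zone covers the whole subtree, so "ads.example.com" is
    redundant once "example.com" is listed.
    """
    domains = set()
    for source in sources:
        for line in source:
            name = extract_domain(line)
            if name:
                domains.add(name)
    kept = []
    for name in domains:
        labels = name.split(".")
        # Every proper parent with at least two labels, e.g. "b.c" for "a.b.c".
        parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if not any(parent in domains for parent in parents):
            kept.append(name)
    return sorted(kept)


def render_unbound(domains: Iterable[str]) -> str:
    """Render one always_nxdomain local-zone per domain under a server: clause."""
    lines = ["server:"]
    lines += [f'    local-zone: "{name}." always_nxdomain' for name in domains]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_unbound(aggregate([SAMPLE_HOSTS_LIST, SAMPLE_PLAIN_LIST])), end="")
```

Validating each name before it reaches the resolver matters more than it looks: Unbound treats the zone file as configuration, so an entry that is not a hostname at best fails `unbound-checkconf` and at worst leaves the resolver refusing to reload during the 2:25 AM apply step. Writing the file out and running `unbound-checkconf` before `unbound-control reload` is the natural next step in the real pipeline.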


Server Verification

Every SafeNet server publishes automated security scan results. No editing. No cherry-picking. The same output our team sees.

Published Reports (per server)

| Report | Tool | Frequency |
|---|---|---|
| Security audit | Lynis | Weekly |
| Rootkit scan | rkhunter | Weekly |
| File integrity check | AIDE (SHA-256 + MD5) | Weekly |
| Filesystem snapshot | Full directory tree | Daily |
| Warrant canary | Automated statement | Weekly |

Verify It Yourself

# Download and inspect the Lynis report
curl -s https://status.la01.oss-vpn.net/verify/lynis-report.txt | grep "hardening_index"

# Confirm no rootkits found
curl -s https://status.la01.oss-vpn.net/verify/rkhunter-report.txt | grep -i "rootkit"

# Check file integrity
curl -s https://status.la01.oss-vpn.net/verify/aide-report.txt | head -20

# See every file on the server
curl -s https://status.la01.oss-vpn.net/verify/server-snapshot.txt | head -100

# Check the warrant canary (shared across all servers)
curl -s https://oss-blocklist.net/verify/warrant-canary.txt

# Machine-readable status
curl -s https://status.la01.oss-vpn.net/verify/meta.json | python3 -m json.tool

Replace la01 with va01 for Ashburn. For Chicago, use oss-blocklist.net/verify/ instead.

No accounts required. No JavaScript required. Plain text reports accessible with curl.
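The curl commands above show where the reports live; turning them into a repeatable check is a small step further. The following added example (not part of the repository) parses the same three artefacts the section points at: the `hardening_index=` line of a Lynis report, the "Possible rootkits" count in an rkhunter summary, and the date of the warrant canary, which the page says should be treated as inactive after 14 days. The per-server base URLs follow the substitution rule given above. The report excerpts embedded here are constructed in the tools' formats and are not output from any SafeNet server; the "Last updated:" line format for the canary and the hardening-index threshold of 70 are assumptions made for the example.

```python
"""Check published verify reports against the README's freshness rule (added example).

Not project code.  Works on the plain-text reports the curl commands in this
section return; the samples below are constructed, not real server output.
"""
import re
import urllib.request
from datetime import date, timedelta
from typing import Optional

MAX_CANARY_AGE = timedelta(days=14)    # from the page: stale after 14 days
DEFAULT_MIN_HARDENING = 70             # assumed threshold for the example

# Per-server verify locations, following the substitution rule above.
_VERIFY_BASES = {
    "chi01": "https://oss-blocklist.net/verify",
    "la01": "https://status.la01.oss-vpn.net/verify",
    "va01": "https://status.va01.oss-vpn.net/verify",
}

SAMPLE_LYNIS = """\
# Constructed excerpt in Lynis report format; not from a SafeNet server
report_version_major=1
report_version_minor=0
hardening_index=78
"""
SAMPLE_RKHUNTER = """\
Constructed excerpt in rkhunter log format; not from a SafeNet server
System checks summary
=====================
Rootkit checks...
    Rootkits checked : 499
    Possible rootkits: 0
"""
SAMPLE_CANARY = """\
Constructed warrant canary text; not the real statement
Open Source Security Inc. has not received any national security letters.
Last updated: 2026-03-29
"""


def verify_base(server: str) -> str:
    """Base URL of a server's verify directory; raises on an unknown server."""
    return _VERIFY_BASES[server]


def fetch_report(server: str, name: str) -> str:
    """Download one plain-text report (network access; not used by the samples)."""
    with urllib.request.urlopen(f"{verify_base(server)}/{name}", timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def lynis_hardening_index(report: str) -> int:
    """hardening_index value from a Lynis report, or -1 if the line is missing."""
    match = re.search(r"^hardening_index=(\d+)\s*$", report, re.MULTILINE)
    return int(match.group(1)) if match else -1


def rkhunter_possible_rootkits(report: str) -> int:
    """'Possible rootkits' count from an rkhunter summary, or -1 if absent."""
    match = re.search(r"Possible rootkits:\s*(\d+)", report)
    return int(match.group(1)) if match else -1


def canary_date(text: str) -> Optional[date]:
    """First ISO date found in the canary text (assumed 'Last updated:' format)."""
    match = re.search(r"(\d{4}-\d{2}-\d{2})", text)
    return date.fromisoformat(match.group(1)) if match else None


def canary_is_fresh(text: str, today: str) -> bool:
    """True if the canary carries a date no older than MAX_CANARY_AGE before today."""
    published = canary_date(text)
    if published is None:
        return False
    age = date.fromisoformat(today) - published
    return timedelta(0) <= age <= MAX_CANARY_AGE


def evaluate(lynis: str, rkhunter: str, canary: str, today: str,
             min_hardening: int = DEFAULT_MIN_HARDENING) -> dict:
    """Combine the three checks into one verdict with human-readable problems."""
    problems = []
    index = lynis_hardening_index(lynis)
    if index < min_hardening:
        problems.append(f"hardening_index {index} is below {min_hardening}")
    rootkits = rkhunter_possible_rootkits(rkhunter)
    if rootkits != 0:
        problems.append(f"rkhunter reports {rootkits} possible rootkits (or no summary)")
    if not canary_is_fresh(canary, today):
        problems.append("warrant canary is missing, undated, or older than 14 days")
    return {"ok": not problems, "hardening_index": index,
            "possible_rootkits": rootkits, "problems": problems}


if __name__ == "__main__":
    print(evaluate(SAMPLE_LYNIS, SAMPLE_RKHUNTER, SAMPLE_CANARY, date.today().isoformat()))
```

Against live servers the same `evaluate` call takes `fetch_report("la01", "lynis-report.txt")` and its siblings as input; a missing or undated canary is deliberately reported as a problem rather than ignored, matching the page's instruction to treat an absent canary as inactive.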


Live Monitoring

Real-time server metrics are available to connected SafeNet users via the customer dashboard on each server.

| Server | Dashboard |
|---|---|
| Chicago | status.oss-vpn.net |
| Los Angeles | status.la01.oss-vpn.net |
| Ashburn | status.va01.oss-vpn.net |

Tunnel access required. Powered by Netdata.


How SafeNet Works

For SecureNet Customers (Vault-Level VPN)

All devices on the network are protected automatically through the OPNsense vault.

Your devices
     |
OPNsense Vault (WireGuard tunnel)
     |
SafeNet Server (Chicago / LA / Ashburn)
     |
Internet (exits as SafeNet IP)

No software to install. No apps to configure. Connect to your network and you are protected.

For Individual Devices

SafeNet also supports direct WireGuard connections from phones, laptops, and desktops when outside the home network.

Supported platforms: Android (WireGuard app), Windows (WireGuard app), Linux (wg-quick), iOS (WireGuard app), macOS (WireGuard app).


Pricing (SafeNet includes OSS Support)

| Plan | Cost |
|---|---|
| Monthly | $9 per month |
| Annual | $89 per year (18% discount) |

Pricing reflects infrastructure costs, threat intelligence maintenance, and professional configuration. SafeNet is available exclusively to Protectli Vaults running SecureNet.


Repository Structure

safenet/
├── README.md
├── LICENSE
├── dashboard/
│   ├── admin-dashboard.html
│   ├── status-dashboard.html
│   └── verify-page.html
├── docs/
│   ├── jail.local
│   ├── sshd_config
│   └── sysctl.conf
├── iptables/
│   └── rules.v4
├── monit/
│   ├── monitrc
│   ├── safenet-security
│   ├── safenet-services
│   └── safenet-system
├── nginx/
│   ├── nginx.conf
│   ├── ntfy.chi.oss-vpn.net
│   ├── oss-blocklist.net
│   └── status.oss-vpn.net
├── scripts/
│   ├── app.py
│   ├── daily-blocklist-report.sh
│   ├── generate-security-reports.sh
│   ├── update-dns-blocklist.sh
│   ├── update-ip-blocklist.sh
│   ├── update-safenet-dns.sh
│   ├── update-safenet-ips.sh
│   ├── wg-control.py
│   └── whitelist-manager.sh
├── systemd/
│   ├── journald.conf
│   ├── safenet-admin.service
│   └── wg-control.service
├── unbound/
│   ├── oss-blocklist.conf
│   ├── safenet.conf
│   └── streaming-blocks.conf
└── servers/
    ├── chi01/
    │   └── README.md
    ├── la01/
    │   └── README.md
    └── va01/
        └── README.md

Shared configurations are at the top level. All servers run identical configs. Per-server details, verify links, and any server-specific overrides live in the servers/ directory.


| Resource | URL |
|---|---|
| Company | opensourcesecurity.net |
| Blocklists | oss-blocklist.net |
| Warrant Canary | oss-blocklist.net/verify/warrant-canary.txt |
| Source Code | git.opensourcesecurity.net |
| SecureNet | git.opensourcesecurity.net/opensourcesecurity/securenet |
| GlassBox | git.opensourcesecurity.net/opensourcesecurity/glassbox |

About Open Source Security

Open Source Security, Inc. delivers enterprise-grade network security to home users through professionally configured OPNsense firewalls on Protectli hardware.

Transparency is the foundation. Every configuration is published. Every claim is verifiable. The company name is Open Source Security for a reason.