Desired state on the operator machine
Servers, users, quotas, and deploy metadata live under ~/.ovpn. Deploy renders that state into the remote runtime.
A source-available Go CLI for operating self-hosted Xray VLESS + REALITY servers. State stays local, deploys go over SSH/SCP, and the runtime runs as Docker Compose on Linux hosts.
~/.ovpn stores servers, users, quotas, and deploy metadata.
/opt/ovpn.
ovpn is built around files, SSH access, and reproducible deploys. The public repository contains the tool and templates; real inventory, hostnames, tokens, keys, and local state stay outside it.
The operator uses one CLI. Release builds embed Linux runtime assets for ovpn-agent and the Telegram bot.
Xray, the agent, monitoring, optional proxy, and backups are kept under /opt/ovpn for predictable maintenance.
User add/remove/enable/disable, expiry, and quota commands can apply to all enabled VPN hosts by default.
The minimal Xray profile blocks BitTorrent and public tracker domains. Ansible can add host-level Tor exit filtering.
doctor, status, logs, backup, restore, cleanup, monitoring, and release smoke checks are first-class workflows.
Operations start from the operator machine. VPN hosts receive rendered Compose bundles. Clients connect directly to one or more VPN hosts, or through an optional HA entrypoint.
local control / remote runtime
~/.ovpn stores desired state and metadata. Private operational data stays local.
/opt/ovpn contains Docker Compose, Xray on 443/tcp, ovpn-agent, config, and snapshots.
443/tcp endpoint.
ovpn; embedded runtime assets are materialized during deploy.
The CLI is the operator surface for initial bootstrap, normal deploys, user lifecycle, quotas, monitoring, and recovery.
server init and deploy render desired state and apply it through SSH/SCP.
user add, user rm, quota-set, and expiry commands mirror users across enabled servers.
doctor, status, logs, backups, restore, cleanup, and monitoring are built-in workflows.
./ovpn version
./ovpn server add \
--name <server> \
--host <server-ip> \
--domain <domain> \
--ssh-user root \
--ssh-port 22
./ovpn server init <server>
./ovpn deploy <server>
./ovpn doctor <server>
./ovpn user quota-set --username <user> --monthly-gb 400
./ovpn user link --server <server> --username <user>
Documentation links open in the GitHub Pages renderer so Markdown files remain readable outside GitHub.