# SecuBox - Security Suite for OpenWrt

[![Build OpenWrt Packages](https://github.com/gkerma/secubox/actions/workflows/build-openwrt-packages.yml/badge.svg)](https://github.com/gkerma/secubox/actions/workflows/build-openwrt-packages.yml)
[![Test & Validate](https://github.com/gkerma/secubox/actions/workflows/test-validate.yml/badge.svg)](https://github.com/gkerma/secubox/actions/workflows/test-validate.yml)
[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](LICENSE)

## 🎯 Overview

SecuBox is a comprehensive security and network management suite for OpenWrt, providing a unified ecosystem of specialized dashboards and tools. All modules are compiled automatically for multiple OpenWrt architectures via GitHub Actions.

---

## 📦 SecuBox Modules

### 🎛️ Core Control

#### **luci-app-secubox** - SecuBox Central Hub

Unified security dashboard providing central management for all SecuBox components.

**Features:**
- Centralized dashboard for all modules
- Integrated monitoring and management
- Unified navigation interface

[View Details](luci-app-secubox/README.md)

---

#### **luci-app-system-hub** - System Control Center

Central control and remote assistance dashboard for OpenWrt.

**Features:**
- 🧩 Component management (start/stop/restart all services)
- 💚 Health monitoring with score (0-100) and recommendations
- 🖥️ Remote assistance via RustDesk integration
- 🔍 Diagnostic collection with anonymization
- 📋 Unified logs from all components
- 📅 Scheduled tasks (health reports, backups)

[View Details](luci-app-system-hub/README.md)

---

### 🔒 Security & Monitoring

#### **luci-app-crowdsec-dashboard** - Collaborative Security

Modern dashboard for CrowdSec intrusion prevention on OpenWrt.

**Features:**
- 🛡️ Real-time ban monitoring and alerts
- 📊 Decision management (view, search, ban/unban IPs)
- 📈 Metrics dashboard (engine stats, parsers, scenarios)
- 🌍 Geographic threat visualization
- ⚡ Auto-refresh with dark cybersecurity theme

[View Details](luci-app-crowdsec-dashboard/README.md)

---

#### **luci-app-netdata-dashboard** - Real-time Monitoring

System monitoring dashboard with live metrics visualization.

**Features:**
- 📊 CPU, memory, disk, network monitoring
- 🌡️ Temperature sensor readings
- ⚙️ Process monitor with resource usage
- 🎨 Animated gauges and sparklines
- 🔄 2-second auto-refresh

[View Details](luci-app-netdata-dashboard/README.md)

---

### 🌐 Network Intelligence

#### **luci-app-netifyd-dashboard** - Deep Packet Inspection

Network intelligence dashboard with DPI for OpenWrt.

**Features:**
- 🔍 Application detection (Netflix, YouTube, Zoom, etc.)
- 📡 Protocol identification (HTTP, HTTPS, DNS, QUIC)
- 🔄 Live network flow tracking
- 💻 Automatic device discovery
- 📊 Traffic categorization (Web, Streaming, Gaming, VoIP)

[View Details](luci-app-netifyd-dashboard/README.md)

---

#### **luci-app-network-modes** - Network Configuration

Configure different network operation modes with one click.

**Features:**
- 🔍 **Sniffer Mode**: Transparent bridge for traffic analysis
- 📶 **Access Point**: WiFi AP with 802.11r/k/v roaming
- 🔄 **Relay/Extender**: Network relay with WireGuard
- 🌐 **Router Mode**: Full router with proxy and HTTPS frontend
- 🎛️ One-click mode switching with auto-backup

[View Details](luci-app-network-modes/README.md)

---

### 🔐 VPN & Access Control

#### **luci-app-wireguard-dashboard** - VPN Management

Modern WireGuard VPN monitoring dashboard.

**Features:**
- 🔐 Tunnel status monitoring
- 👥 Peer management (active/idle/inactive)
- 📊 Per-peer traffic statistics
- ⚙️ Configuration visualization
- 🔒 Secure (private keys never exposed)

[View Details](luci-app-wireguard-dashboard/README.md)

---

#### **luci-app-client-guardian** - Network Access Control

NAC system with captive portal, quarantine, and parental controls.

**Features:**
- 🔍 Real-time client detection and monitoring
- 🏠 Zone management (LAN, IoT, Guest, Quarantine)
- ⏳ Default quarantine policy for new clients
- 🚪 Modern captive portal with authentication
- 👨‍👩‍👧‍👦 Parental controls (time limits, content filtering)
- 🔔 SMS/Email alerts for security events

[View Details](luci-app-client-guardian/README.md)

---

#### **luci-app-auth-guardian** - Authentication System

Comprehensive authentication and session management.

**Features:**
- 🎨 Customizable captive portal
- 🔑 OAuth integration (Google, GitHub, Facebook, Twitter)
- 🎟️ Voucher system with time/bandwidth limits
- 🍪 Secure session management
- ⏭️ MAC/IP/Domain bypass rules

[View Details](luci-app-auth-guardian/README.md)

---

### 📊 Bandwidth & Traffic

#### **luci-app-bandwidth-manager** - QoS & Quotas

Advanced bandwidth management with automatic media detection.

**Features:**
- 🎯 8 configurable QoS priority classes
- 📊 Daily and monthly bandwidth quotas
- 🎬 Automatic media detection (VoIP, Gaming, Streaming)
- ⏰ Time-based scheduling (peak/off-peak)
- 👥 Per-client statistics and controls

[View Details](luci-app-bandwidth-manager/README.md)

---

#### **luci-app-media-flow** - Media Traffic Detection

Advanced streaming and media traffic monitoring.

**Features:**
- 🎬 Real-time streaming service detection
- 📡 Protocol identification (RTSP, HLS, DASH, RTP)
- 📞 VoIP/Video call monitoring
- 📊 Per-service bandwidth tracking
- 📈 Quality of experience metrics

**Supported Services:**
- Netflix, YouTube, Twitch, Disney+
- Spotify, Apple Music, Tidal
- Zoom, Teams, Google Meet, WebEx

[View Details](luci-app-media-flow/README.md)

---

### 🚀 Performance & Services

#### **luci-app-cdn-cache** - Bandwidth Optimization

Local CDN cache proxy for bandwidth savings.

**Features:**
- 💾 Smart caching of frequently accessed content
- 📊 Real-time hit ratio and bandwidth savings stats
- 📋 Configurable policies by domain/extension
- 🔧 Automatic purge and preload capabilities
- 📈 Statistical graphs and trends

**Cache Policies:**
- Windows Update, Linux Repos
- Static content (JS, CSS, images)
- Configurable TTL per content type

[View Details](luci-app-cdn-cache/README.md)

---

#### **luci-app-vhost-manager** - Virtual Hosts

Virtual host and local SaaS gateway management.

**Features:**
- 🏠 Internal virtual hosts with custom domains
- ↪️ External service redirection
- 🔒 SSL/TLS with Let's Encrypt or self-signed
- ⚙️ Automatic nginx reverse proxy configuration

**Supported Services:**
- Nextcloud, GitLab, Jellyfin
- Home Assistant and more

[View Details](luci-app-vhost-manager/README.md)

---

## 🏗️ Supported Architectures

SecuBox packages are automatically compiled for all major OpenWrt architectures:

### ARM 64-bit (AArch64)

| Target | Devices |
|--------|---------|
| `aarch64-cortex-a53` | ESPRESSObin, Sheeva64, BananaPi R64 |
| `aarch64-cortex-a72` | MOCHAbin, Raspberry Pi 4, NanoPi R4S |
| `aarch64-generic` | Rock64, Pine64, QEMU ARM64 |
| `mediatek-filogic` | GL.iNet MT3000, BananaPi R3 |
| `rockchip-armv8` | NanoPi R4S/R5S, FriendlyARM |
| `bcm27xx-bcm2711` | Raspberry Pi 4, Compute Module 4 |

### ARM 32-bit

| Target | Devices |
|--------|---------|
| `arm-cortex-a7-neon` | Orange Pi, BananaPi, Allwinner |
| `arm-cortex-a9-neon` | Linksys WRT, Turris Omnia |
| `qualcomm-ipq40xx` | Google WiFi, Zyxel NBG6617 |
| `qualcomm-ipq806x` | Netgear R7800, R7500 |

### MIPS

| Target | Devices |
|--------|---------|
| `mips-24kc` | TP-Link Archer, Ubiquiti |
| `mipsel-24kc` | Xiaomi, GL.iNet, Netgear |
| `mipsel-74kc` | Broadcom BCM47xx |

### x86

| Target | Devices |
|--------|---------|
| `x86-64` | PC, VMs, Docker, Proxmox |
| `x86-generic` | Legacy PC, old Atom |

---

## 📁 Repository Structure

```
secubox/
├── .github/
│   └── workflows/
│       ├── build-openwrt-packages.yml    # Multi-arch build CI
│       ├── build-secubox-images.yml      # Custom image builder
│       └── test-validate.yml             # Tests & validation
├── luci-app-secubox/                     # Central hub
├── luci-app-system-hub/                  # System control center
├── luci-app-crowdsec-dashboard/          # CrowdSec security
├── luci-app-netdata-dashboard/           # System monitoring
├── luci-app-netifyd-dashboard/           # DPI & traffic analysis
├── luci-app-wireguard-dashboard/         # WireGuard VPN
├── luci-app-network-modes/               # Network configuration
├── luci-app-client-guardian/             # NAC & captive portal
├── luci-app-auth-guardian/               # Authentication
├── luci-app-bandwidth-manager/           # QoS & quotas
├── luci-app-media-flow/                  # Media detection
├── luci-app-cdn-cache/                   # CDN proxy cache
├── luci-app-vhost-manager/               # Virtual hosts
├── makefiles/                            # Reference makefiles
├── secubox-tools/                        # Repair & debug tools
└── templates/                            # Package templates
```

### Package Structure (Standard LuCI App)

```
luci-app-*/
├── Makefile                              # OpenWrt package definition
├── README.md                             # Module documentation
├── htdocs/luci-static/resources/
│   ├── view/*/                           # JavaScript UI views
│   └── */
│       ├── api.js                        # RPC API client
│       └── dashboard.css                 # Module styles
└── root/
    ├── etc/config/                       # UCI configuration
    └── usr/
        ├── libexec/rpcd/                 # RPCD backend (shell/exec)
        └── share/
            ├── luci/menu.d/              # Menu JSON
            └── rpcd/acl.d/               # ACL permissions JSON
```

---

## 🚀 Installation

### Option 1: From Pre-built Packages

Download the latest packages from [GitHub Releases](https://github.com/gkerma/secubox/releases):

```bash
# Install individual modules
opkg update
opkg install luci-app-secubox_*.ipk

# Or install specific modules
opkg install luci-app-system-hub_*.ipk
opkg install luci-app-crowdsec-dashboard_*.ipk
opkg install luci-app-client-guardian_*.ipk
```

### Option 2: Build from Source

```bash
# Clone into OpenWrt SDK package directory
cd ~/openwrt-sdk/package/
git clone https://github.com/gkerma/secubox.git

# Build all packages
cd ~/openwrt-sdk/
make package/secubox/luci-app-secubox/compile V=s
make package/secubox/luci-app-system-hub/compile V=s
# ... etc for other modules
```

### Option 3: Add to OpenWrt Feed

Add to `feeds.conf.default`:

```
src-git secubox https://github.com/gkerma/secubox.git
```

Then:

```bash
./scripts/feeds update secubox
./scripts/feeds install -a -p secubox
make menuconfig  # Select modules under LuCI > Applications
make V=s
```

---

## 🔧 Development

### Create a New Module

```bash
# Copy template
cp -r templates/luci-app-template luci-app-newmodule

# Edit Makefile
cd luci-app-newmodule
vi Makefile
# Update PKG_NAME, PKG_VERSION, LUCI_TITLE, LUCI_DEPENDS

# Create required files
mkdir -p htdocs/luci-static/resources/{view/newmodule,newmodule}
mkdir -p root/usr/{libexec/rpcd,share/{luci/menu.d,rpcd/acl.d}}

# Implement your module...
```

### Test Locally

```bash
# Build package
make package/luci-app-newmodule/compile V=s

# Package will be in bin/packages//base/
scp bin/packages/*/base/luci-app-newmodule_*.ipk root@router:/tmp/

# Install on router
ssh root@router
opkg install /tmp/luci-app-newmodule_*.ipk
/etc/init.d/rpcd restart
```

### Run Tests

```bash
# Lint and validate
shellcheck luci-app-*/root/usr/libexec/rpcd/*
jsonlint luci-app-*/root/usr/share/luci/menu.d/*.json
jsonlint luci-app-*/root/usr/share/rpcd/acl.d/*.json

# Or use GitHub Actions workflow
git push  # Triggers test-validate.yml
```

---

## 🤖 CI/CD

### Automated Builds

Packages are compiled automatically when:
- **Push to main/master**: Test compilation
- **Pull Request**: Validation and testing
- **Tag `v*`**: Release creation with all architectures

### Manual Build

1. Go to **Actions** → **Build OpenWrt Packages**
2. Click **Run workflow**
3. Select build options:
   - **Package name**: Choose a specific package or leave empty for all packages
   - **OpenWrt version**: 23.05.5, 24.10.0, or SNAPSHOT
   - **Architectures**: `all` or comma-separated list

#### Build All Packages

Leave "Package name" empty and select architectures:

```bash
# Architecture examples
all                                      # All supported architectures
x86-64                                   # x86_64 only
aarch64-cortex-a53,aarch64-cortex-a72    # ARM64 devices
mips-24kc,mipsel-24kc                    # MIPS routers
```

#### Build Single Package

Select a specific package from the dropdown to build only that module:

- `luci-app-secubox` - Central Hub
- `luci-app-system-hub` - System Control Center
- `luci-app-crowdsec-dashboard` - CrowdSec Security
- `luci-app-netdata-dashboard` - System Monitoring
- `luci-app-netifyd-dashboard` - DPI & Traffic Analysis
- `luci-app-wireguard-dashboard` - WireGuard VPN
- `luci-app-network-modes` - Network Configuration
- `luci-app-client-guardian` - NAC & Captive Portal
- `luci-app-auth-guardian` - Authentication System
- `luci-app-bandwidth-manager` - QoS & Quotas
- `luci-app-media-flow` - Media Detection
- `luci-app-cdn-cache` - CDN Proxy Cache
- `luci-app-vhost-manager` - Virtual Hosts

**Use case**: Quickly test a single module after making changes, without waiting for all packages to build.

### Download Artifacts

1. Go to **Actions** → Select workflow run
2. Click on the run
3. Download **Artifacts** at bottom of page

Artifacts are organized by architecture:

```
packages-x86-64/
├── luci-app-secubox_1.0.0-1_all.ipk
├── luci-app-system-hub_1.0.0-1_all.ipk
├── luci-app-crowdsec-dashboard_1.0.0-1_all.ipk
├── ...
└── SHA256SUMS
```

---

## 📊 OpenWrt Compatibility

| Version | Status | Notes |
|---------|--------|-------|
| 24.10.x | 🔜 Planned | Awaiting release |
| 23.05.x | ✅ Supported | **Recommended** |
| 22.03.x | ✅ Supported | LTS |
| 21.02.x | ⚠️ Partial | End of support |
| SNAPSHOT | ✅ Supported | Unstable |

---

## 🧰 SecuBox Tools

### secubox-repair.sh

Automated repair tool for all SecuBox modules.

**Features:**
- Auto-detect and fix Makefile issues
- Generate missing RPCD files
- Validate package structure
- Batch repair all modules

```bash
./secubox-tools/secubox-repair.sh
```

### secubox-debug.sh

Debug and diagnostic tool for development.

**Features:**
- Validate package structure
- Check dependencies
- Test RPCD backends
- Generate diagnostic reports

```bash
./secubox-tools/secubox-debug.sh luci-app-module-name
```

---

## 🏷️ Creating Releases

```bash
# Create versioned tag
git tag -a v1.2.0 -m "Release 1.2.0: Add new features"
git push origin v1.2.0
```

The release will be created automatically with:
- Individual `.tar.gz` archives per architecture
- Global archive with all architectures
- SHA256 checksums
- Auto-generated release notes

---

## 🔗 Links

- **Documentation**: [CyberMind SecuBox](https://cybermind.fr/secubox)
- **Website**: [CyberMind.fr](https://cybermind.fr)
- **OpenWrt SDK**: [Documentation](https://openwrt.org/docs/guide-developer/using_the_sdk)
- **LuCI Development**: [Wiki](https://github.com/openwrt/luci/wiki)
- **Issue Tracker**: [GitHub Issues](https://github.com/gkerma/secubox/issues)

---

## 📄 License

Apache-2.0 © 2025 CyberMind.fr

Individual modules may have additional licensing terms - see each module's README.

---

## 🤝 Contributing

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request

---

## 👤 Author

**Gandalf** - [CyberMind.fr](https://cybermind.fr)

---

**Made with ❤️ in France 🇫🇷**
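
The build artifacts and releases described above ship a `SHA256SUMS` file next to the `.ipk` packages. As an added example (not part of the SecuBox repository), the shell functions below check downloaded packages against that file before `opkg install`, and also reject any `.ipk` in the directory that the checksum file does not list. It assumes `SHA256SUMS` uses the standard `sha256sum` output format and that `sha256sum` and `awk` are available; `verify_ipk` and `verify_all` are hypothetical helper names.

```bash
#!/bin/sh
# Added example, not SecuBox project code. Assumes SHA256SUMS holds standard
# `sha256sum` output lines: "<hex digest>  <filename>".

# verify_ipk DIR FILE (hypothetical helper)
# 0 = listed and matching, 1 = digest mismatch, 2 = missing input, 3 = unlisted
verify_ipk() {
    dir=$1
    file=$2
    sums="$dir/SHA256SUMS"
    [ -f "$sums" ] || { echo "missing $sums" >&2; return 2; }
    [ -f "$dir/$file" ] || { echo "missing $dir/$file" >&2; return 2; }

    # Find the expected digest by exact filename; sha256sum prefixes the
    # name with '*' in binary mode, so strip that before comparing.
    expected=$(awk -v f="$file" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "REFUSED: $file is not listed in SHA256SUMS" >&2
        return 3
    fi

    actual=$(sha256sum "$dir/$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "REFUSED: digest mismatch for $file" >&2
        return 1
    fi
    return 0
}

# verify_all DIR (hypothetical helper)
# Checks every .ipk present in DIR, so a file that matches an install glob
# such as luci-app-secubox_*.ipk but is absent from SHA256SUMS is rejected.
verify_all() {
    all_rc=0
    for pkg in "$1"/*.ipk; do
        [ -e "$pkg" ] || continue
        verify_ipk "$1" "$(basename "$pkg")" || all_rc=1
    done
    return $all_rc
}

# On the router, after copying a packages-x86-64/ directory to /tmp:
#   verify_all /tmp/packages-x86-64 && \
#       opkg install /tmp/packages-x86-64/luci-app-secubox_*.ipk
```

A matching checksum only shows the package is the one the build produced; it says nothing about who produced the `SHA256SUMS` file, so fetch both over HTTPS from the project's release page.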