# SecuBox - Security Suite for OpenWrt **Version:** 1.0.0 **Last Updated:** 2025-12-28 **Status:** Active [![Build OpenWrt Packages](https://github.com/gkerma/secubox/actions/workflows/build-openwrt-packages.yml/badge.svg)](https://github.com/gkerma/secubox/actions/workflows/build-openwrt-packages.yml) [![Test & Validate](https://github.com/gkerma/secubox/actions/workflows/test-validate.yml/badge.svg)](https://github.com/gkerma/secubox/actions/workflows/test-validate.yml) [![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](LICENSE) ## πŸ“š Documentation pour DΓ©veloppeurs **NOUVEAU (2025-12-26):** Guides complets de dΓ©veloppement disponibles! | Guide | Description | Public | |-------|-------------|--------| | **[DEVELOPMENT-GUIDELINES.md](./DEVELOPMENT-GUIDELINES.md)** | ⭐ Guide complet: Design System, RPCD/ubus, ACL, JavaScript, CSS, Debugging (100+ pages) | DΓ©veloppeurs, IA assistants | | **[QUICK-START.md](./QUICK-START.md)** | ⚑ Aide-mΓ©moire rapide: RΓ¨gles critiques, commandes, templates de code | DΓ©veloppeurs expΓ©rimentΓ©s | | **[CLAUDE.md](./CLAUDE.md)** | πŸ—οΈ Architecture & Build: SDK OpenWrt, structure fichiers, CI/CD | Claude Code, automation | | **[deploy-module-template.sh](./deploy-module-template.sh)** | πŸš€ Script de dΓ©ploiement standardisΓ© avec backup automatique | DevOps | **⚠️ RΓ¨gles Critiques:** 1. RPCD naming: fichier = objet ubus (`luci.system-hub`) 2. Menu paths: path menu = fichier vue (`system-hub/overview.js`) 3. Permissions: RPCD=755, CSS/JS=644 4. **TOUJOURS valider:** `./secubox-tools/validate-modules.sh` **Design System (v0.3.0):** InspirΓ© de [demo Cybermind](https://cybermind.fr/apps/system-hub/demo.html) - Palette dark: `#0a0a0f` (fond), `#6366f1β†’#8b5cf6` (gradients) - Fonts: Inter (texte), JetBrains Mono (valeurs) - CSS classes: `.sh-*` (System Hub), `.sb-*` (SecuBox) --- ## 🎯 Overview SecuBox is a comprehensive security and network management suite for OpenWrt, providing a unified ecosystem of specialized dashboards and tools. All modules are compiled automatically for multiple OpenWrt architectures via GitHub Actions. --- ## πŸ“¦ SecuBox Modules ### πŸŽ›οΈ Core Control #### **luci-app-secubox** - SecuBox Central Hub Unified security dashboard providing central management for all SecuBox components. **Features:** - Centralized dashboard for all modules - Integrated monitoring and management - Unified navigation interface [View Details](luci-app-secubox/README.md) --- #### **luci-app-system-hub** - System Control Center Central control and remote assistance dashboard for OpenWrt. **Features:** - 🧩 Component management (start/stop/restart all services) - πŸ’š Health monitoring with score (0-100) and recommendations - πŸ–₯️ Remote assistance via RustDesk integration - πŸ” Diagnostic collection with anonymization - πŸ“‹ Unified logs from all components - πŸ“… Scheduled tasks (health reports, backups) [View Details](luci-app-system-hub/README.md) --- ### πŸ”’ Security & Monitoring #### **luci-app-crowdsec-dashboard** - Collaborative Security Modern dashboard for CrowdSec intrusion prevention on OpenWrt. **Features:** - πŸ›‘οΈ Real-time ban monitoring and alerts - πŸ“Š Decision management (view, search, ban/unban IPs) - πŸ“ˆ Metrics dashboard (engine stats, parsers, scenarios) - 🌍 Geographic threat visualization - ⚑ Auto-refresh with dark cybersecurity theme [View Details](luci-app-crowdsec-dashboard/README.md) --- #### **luci-app-netdata-dashboard** - Real-time Monitoring System monitoring dashboard with live metrics visualization. **Features:** - πŸ“Š CPU, memory, disk, network monitoring - 🌑️ Temperature sensor readings - βš™οΈ Process monitor with resource usage - 🎨 Animated gauges and sparklines - πŸ”„ 2-second auto-refresh [View Details](luci-app-netdata-dashboard/README.md) --- ### 🌐 Network Intelligence #### **luci-app-netifyd-dashboard** - Deep Packet Inspection Network intelligence dashboard with DPI for OpenWrt. **Features:** - πŸ” Application detection (Netflix, YouTube, Zoom, etc.) - πŸ“‘ Protocol identification (HTTP, HTTPS, DNS, QUIC) - πŸ”„ Live network flow tracking - πŸ’» Automatic device discovery - πŸ“Š Traffic categorization (Web, Streaming, Gaming, VoIP) [View Details](luci-app-netifyd-dashboard/README.md) --- #### **luci-app-network-modes** - Network Configuration Configure different network operation modes with one click. **Features:** - πŸ” **Sniffer Bridge Mode**: Transparent inline bridge for traffic analysis with Netifyd DPI - πŸ‘οΈ **Sniffer Passive Mode**: Out-of-band monitoring via SPAN/TAP for zero-impact forensics - πŸ“Ά **Access Point**: WiFi AP with 802.11r/k/v roaming and band steering - πŸ”„ **Relay/Extender**: Network relay with WireGuard VPN and MTU optimization - 🌐 **Router Mode**: Full router with proxy, HTTPS frontend, and virtual hosts - πŸŽ›οΈ One-click mode switching with automatic backup - πŸ“Š Real-time interface and service status monitoring [View Details](luci-app-network-modes/README.md) --- ### πŸ” VPN & Access Control #### **luci-app-wireguard-dashboard** - VPN Management Modern WireGuard VPN monitoring dashboard. **Features:** - πŸ” Tunnel status monitoring - πŸ‘₯ Peer management (active/idle/inactive) - πŸ“Š Per-peer traffic statistics - βš™οΈ Configuration visualization - πŸ”’ Secure (private keys never exposed) [View Details](luci-app-wireguard-dashboard/README.md) --- #### **luci-app-client-guardian** - Network Access Control NAC system with captive portal, quarantine, and parental controls. **Features:** - πŸ” Real-time client detection and monitoring - 🏠 Zone management (LAN, IoT, Guest, Quarantine) - ⏳ Default quarantine policy for new clients - πŸšͺ Modern captive portal with authentication - πŸ‘¨β€πŸ‘©β€πŸ‘§β€πŸ‘¦ Parental controls (time limits, content filtering) - πŸ”” SMS/Email alerts for security events [View Details](luci-app-client-guardian/README.md) --- #### **luci-app-auth-guardian** - Authentication System Comprehensive authentication and session management. **Features:** - 🎨 Customizable captive portal - πŸ”‘ OAuth integration (Google, GitHub, Facebook, Twitter) - 🎟️ Voucher system with time/bandwidth limits - πŸͺ Secure session management - ⏭️ MAC/IP/Domain bypass rules [View Details](luci-app-auth-guardian/README.md) --- ### πŸ“Š Bandwidth & Traffic #### **luci-app-bandwidth-manager** - QoS & Quotas Advanced bandwidth management with automatic media detection. **Features:** - 🎯 8 configurable QoS priority classes - πŸ“Š Daily and monthly bandwidth quotas - 🎬 Automatic media detection (VoIP, Gaming, Streaming) - ⏰ Time-based scheduling (peak/off-peak) - πŸ‘₯ Per-client statistics and controls [View Details](luci-app-bandwidth-manager/README.md) --- #### **luci-app-media-flow** - Media Traffic Detection Advanced streaming and media traffic monitoring. **Features:** - 🎬 Real-time streaming service detection - πŸ“‘ Protocol identification (RTSP, HLS, DASH, RTP) - πŸ“ž VoIP/Video call monitoring - πŸ“Š Per-service bandwidth tracking - πŸ“ˆ Quality of experience metrics **Supported Services:** - Netflix, YouTube, Twitch, Disney+ - Spotify, Apple Music, Tidal - Zoom, Teams, Google Meet, WebEx [View Details](luci-app-media-flow/README.md) --- ### πŸš€ Performance & Services #### **luci-app-cdn-cache** - Bandwidth Optimization Local CDN cache proxy for bandwidth savings. **Features:** - πŸ’Ύ Smart caching of frequently accessed content - πŸ“Š Real-time hit ratio and bandwidth savings stats - πŸ“‹ Configurable policies by domain/extension - πŸ”§ Automatic purge and preload capabilities - πŸ“ˆ Statistical graphs and trends **Cache Policies:** - Windows Update, Linux Repos - Static content (JS, CSS, images) - Configurable TTL per content type [View Details](luci-app-cdn-cache/README.md) --- #### **luci-app-vhost-manager** - Virtual Hosts Virtual host and local SaaS gateway management. **Features:** - 🏠 Internal virtual hosts with custom domains - β†ͺ️ External service redirection - πŸ”’ SSL/TLS with Let's Encrypt or self-signed - βš™οΈ Automatic nginx reverse proxy configuration **Supported Services:** - Nextcloud, GitLab, Jellyfin - Home Assistant and more [View Details](luci-app-vhost-manager/README.md) --- ## πŸ—οΈ Supported Architectures SecuBox packages are automatically compiled for all major OpenWrt architectures: ### ARM 64-bit (AArch64) | Target | Devices | |--------|---------| | `aarch64-cortex-a53` | ESPRESSObin, Sheeva64, BananaPi R64 | | `aarch64-cortex-a72` | MOCHAbin, Raspberry Pi 4, NanoPi R4S | | `aarch64-generic` | Rock64, Pine64, QEMU ARM64 | | `mediatek-filogic` | GL.iNet MT3000, BananaPi R3 | | `rockchip-armv8` | NanoPi R4S/R5S, FriendlyARM | | `bcm27xx-bcm2711` | Raspberry Pi 4, Compute Module 4 | ### ARM 32-bit | Target | Devices | |--------|---------| | `arm-cortex-a7-neon` | Orange Pi, BananaPi, Allwinner | | `arm-cortex-a9-neon` | Linksys WRT, Turris Omnia | | `qualcomm-ipq40xx` | Google WiFi, Zyxel NBG6617 | | `qualcomm-ipq806x` | Netgear R7800, R7500 | ### MIPS | Target | Devices | |--------|---------| | `mips-24kc` | TP-Link Archer, Ubiquiti | | `mipsel-24kc` | Xiaomi, GL.iNet, Netgear | | `mipsel-74kc` | Broadcom BCM47xx | ### x86 | Target | Devices | |--------|---------| | `x86-64` | PC, VMs, Docker, Proxmox | | `x86-generic` | Legacy PC, old Atom | --- ## πŸ“ Repository Structure ``` secubox/ β”œβ”€β”€ .github/ β”‚ └── workflows/ β”‚ β”œβ”€β”€ build-openwrt-packages.yml # Multi-arch build CI β”‚ β”œβ”€β”€ build-secubox-images.yml # Custom image builder β”‚ └── test-validate.yml # Tests & validation β”œβ”€β”€ luci-app-secubox/ # Central hub β”œβ”€β”€ luci-app-system-hub/ # System control center β”œβ”€β”€ luci-app-crowdsec-dashboard/ # CrowdSec security β”œβ”€β”€ luci-app-netdata-dashboard/ # System monitoring β”œβ”€β”€ luci-app-netifyd-dashboard/ # DPI & traffic analysis β”œβ”€β”€ luci-app-wireguard-dashboard/ # WireGuard VPN β”œβ”€β”€ luci-app-network-modes/ # Network configuration β”œβ”€β”€ luci-app-client-guardian/ # NAC & captive portal β”œβ”€β”€ luci-app-auth-guardian/ # Authentication β”œβ”€β”€ luci-app-bandwidth-manager/ # QoS & quotas β”œβ”€β”€ luci-app-media-flow/ # Media detection β”œβ”€β”€ luci-app-cdn-cache/ # CDN proxy cache β”œβ”€β”€ luci-app-vhost-manager/ # Virtual hosts β”œβ”€β”€ makefiles/ # Reference makefiles β”œβ”€β”€ secubox-tools/ # Repair & debug tools └── templates/ # Package templates ``` ### Package Structure (Standard LuCI App) ``` luci-app-*/ β”œβ”€β”€ Makefile # OpenWrt package definition β”œβ”€β”€ README.md # Module documentation β”œβ”€β”€ htdocs/luci-static/resources/ β”‚ β”œβ”€β”€ view/*/ # JavaScript UI views β”‚ └── */ β”‚ β”œβ”€β”€ api.js # RPC API client β”‚ └── dashboard.css # Module styles └── root/ β”œβ”€β”€ etc/config/ # UCI configuration └── usr/ β”œβ”€β”€ libexec/rpcd/ # RPCD backend (shell/exec) └── share/ β”œβ”€β”€ luci/menu.d/ # Menu JSON └── rpcd/acl.d/ # ACL permissions JSON ``` --- ## πŸš€ Installation ### Option 1: From Pre-built Packages Download the latest packages from [GitHub Releases](https://github.com/gkerma/secubox/releases): ```bash # Install individual modules opkg update opkg install luci-app-secubox_*.ipk # Or install specific modules opkg install luci-app-system-hub_*.ipk opkg install luci-app-crowdsec-dashboard_*.ipk opkg install luci-app-client-guardian_*.ipk ``` ### Option 2: Build from Source ```bash # Clone into OpenWrt SDK package directory cd ~/openwrt-sdk/package/ git clone https://github.com/gkerma/secubox.git # Build all packages cd ~/openwrt-sdk/ make package/secubox/luci-app-secubox/compile V=s make package/secubox/luci-app-system-hub/compile V=s # ... etc for other modules ``` ### Option 3: Add to OpenWrt Feed Add to `feeds.conf.default`: ``` src-git secubox https://github.com/gkerma/secubox.git ``` Then: ```bash ./scripts/feeds update secubox ./scripts/feeds install -a -p secubox make menuconfig # Select modules under LuCI > Applications make V=s ``` --- ## πŸ”§ Development ### Create a New Module ```bash # Copy template cp -r templates/luci-app-template luci-app-newmodule # Edit Makefile cd luci-app-newmodule vi Makefile # Update PKG_NAME, PKG_VERSION, LUCI_TITLE, LUCI_DEPENDS # Create required files mkdir -p htdocs/luci-static/resources/{view/newmodule,newmodule} mkdir -p root/usr/{libexec/rpcd,share/{luci/menu.d,rpcd/acl.d}} # Implement your module... ``` ### Test Locally ```bash # Build package make package/luci-app-newmodule/compile V=s # Package will be in bin/packages//base/ scp bin/packages/*/base/luci-app-newmodule_*.ipk root@router:/tmp/ # Install on router ssh root@router opkg install /tmp/luci-app-newmodule_*.ipk /etc/init.d/rpcd restart ``` ### Run Tests ```bash # Lint and validate shellcheck luci-app-*/root/usr/libexec/rpcd/* jsonlint luci-app-*/root/usr/share/luci/menu.d/*.json jsonlint luci-app-*/root/usr/share/rpcd/acl.d/*.json # Or use GitHub Actions workflow git push # Triggers test-validate.yml ``` --- ## πŸ€– CI/CD ### Automated Builds Packages are compiled automatically when: - **Push to main/master**: Test compilation - **Pull Request**: Validation and testing - **Tag `v*`**: Release creation with all architectures ### Manual Build 1. Go to **Actions** β†’ **Build OpenWrt Packages** 2. Click **Run workflow** 3. Select build options: - **Package name**: Choose a specific package or leave empty for all packages - **OpenWrt version**: 25.12.0-rc1, 24.10.5, 23.05.5, or SNAPSHOT - **Architectures**: `all` or comma-separated list #### Build All Packages Leave "Package name" empty and select architectures: ```bash # Architecture examples all # All supported architectures x86-64 # x86_64 only aarch64-cortex-a53,aarch64-cortex-a72 # ARM64 devices mips-24kc,mipsel-24kc # MIPS routers ``` #### Build Single Package Select a specific package from the dropdown to build only that module: - `luci-app-secubox` - Central Hub - `luci-app-system-hub` - System Control Center - `luci-app-crowdsec-dashboard` - CrowdSec Security - `luci-app-netdata-dashboard` - System Monitoring - `luci-app-netifyd-dashboard` - DPI & Traffic Analysis - `luci-app-wireguard-dashboard` - WireGuard VPN - `luci-app-network-modes` - Network Configuration - `luci-app-client-guardian` - NAC & Captive Portal - `luci-app-auth-guardian` - Authentication System - `luci-app-bandwidth-manager` - QoS & Quotas - `luci-app-media-flow` - Media Detection - `luci-app-cdn-cache` - CDN Proxy Cache - `luci-app-vhost-manager` - Virtual Hosts **Use case**: Quickly test a single module after making changes, without waiting for all packages to build. ### Download Artifacts 1. Go to **Actions** β†’ Select workflow run 2. Click on the run 3. Download **Artifacts** at bottom of page Artifacts are organized by architecture: ``` packages-x86-64/ β”œβ”€β”€ luci-app-secubox_1.0.0-1_all.ipk β”œβ”€β”€ luci-app-system-hub_1.0.0-1_all.ipk β”œβ”€β”€ luci-app-crowdsec-dashboard_1.0.0-1_all.ipk β”œβ”€β”€ ... └── SHA256SUMS ``` --- ## πŸ“Š OpenWrt Compatibility | Version | Status | Package Format | Notes | |---------|--------|----------------|-------| | 25.12.0-rc1 | πŸ§ͺ Testing | `.apk` | Latest RC, new apk package manager | | 24.10.x | βœ… Supported | `.ipk` | **Recommended** (latest stable) | | 23.05.x | βœ… Supported | `.ipk` | Previous stable | | 22.03.x | βœ… Supported | `.ipk` | LTS | | 21.02.x | ⚠️ Partial | `.ipk` | End of support | | SNAPSHOT | βœ… Supported | `.apk` | Unstable, bleeding edge | **Note:** OpenWrt 25.12+ uses the new Alpine Package Manager (apk) instead of opkg. Our build workflows automatically detect the version and build the appropriate package format. --- ## 🧰 SecuBox Tools ### secubox-repair.sh Automated repair tool for all SecuBox modules. **Features:** - Auto-detect and fix Makefile issues - Generate missing RPCD files - Validate package structure - Batch repair all modules ```bash ./secubox-tools/secubox-repair.sh ``` ### secubox-debug.sh Debug and diagnostic tool for development. **Features:** - Validate package structure - Check dependencies - Test RPCD backends - Generate diagnostic reports ```bash ./secubox-tools/secubox-debug.sh luci-app-module-name ``` --- ## 🏷️ Creating Releases ```bash # Create versioned tag git tag -a v1.2.0 -m "Release 1.2.0: Add new features" git push origin v1.2.0 ``` The release will be created automatically with: - Individual `.tar.gz` archives per architecture - Global archive with all architectures - SHA256 checksums - Auto-generated release notes --- ## πŸ”— Links - **Documentation**: [CyberMind SecuBox](https://cybermind.fr/secubox) - **Website**: [CyberMind.fr](https://cybermind.fr) - **OpenWrt SDK**: [Documentation](https://openwrt.org/docs/guide-developer/using_the_sdk) - **LuCI Development**: [Wiki](https://github.com/openwrt/luci/wiki) - **Issue Tracker**: [GitHub Issues](https://github.com/gkerma/secubox/issues) --- ## πŸ“„ License Apache-2.0 Β© 2025 CyberMind.fr Individual modules may have additional licensing terms - see each module's README. --- ## 🀝 Contributing Contributions are welcome! Please: 1. Fork the repository 2. Create a feature branch (`git checkout -b feature/amazing-feature`) 3. Commit your changes (`git commit -m 'Add amazing feature'`) 4. Push to the branch (`git push origin feature/amazing-feature`) 5. Open a Pull Request --- ## πŸ‘€ Author **Gandalf** - [CyberMind.fr](https://cybermind.fr) --- **Made with ❀️ in France πŸ‡«πŸ‡·**