openlan

English ็ฎ€ไฝ“ไธญๆ–‡

OpenLAN Logo

Go Report Card Codecov CodeQL Build Docs Releases GPL 3.0 License

๐ŸŒ What is OpenLAN?

OpenLAN is a multiple-tenant networking solution that carries LAN packets over WAN links, allowing you to build and operate multiple isolated virtual Ethernet networks across regions, clouds, and branch sites.

๐Ÿค” Why Choose OpenLAN?

If you need a flexible VPN solution for secure enterprise access, traffic proxying, or tunneling through public cloud instances, OpenLAN simplifies deployment and improves operational efficiency.

โœจ Key Features

๐Ÿ—บ๏ธ Use Cases

๐Ÿข Branch-to-Center Access

         Central Switch (Enterprise Center) - 10.16.1.10/24
                               ^
                               |
                            Wifi(DNAT)
                               |
                               |
         --------------------Internet-------------------
         ^                     ^                       ^
         |                     |                       |
      Branch1                Branch2                 Branch3
         |                     |                       |
      OpenLAN               OpenLAN                 OpenLAN
   10.16.1.11/24          10.16.1.12/24           10.16.1.13/24

OpenLAN can use a central switch as the enterprise access hub. Branch devices or edge gateways authenticate to the center over public networks and join the same virtual LAN with assigned addresses. This keeps branch-to-center and branch-to-branch traffic on a managed overlay, while the central switch can apply user authentication, shared crypt settings, ACLs, SNAT, DNAT, DHCP, and rate-limit policies from one control point.

๐ŸŒ Multi-Region Interconnection

192.168.1.20/24                                      192.168.1.21/24
     |                                                    |
OpenLAN -- Hotel Wifi --> Central Switch(NanJing) <--- Other Wifi --- OpenLAN
                                |
                                |
                              Internet
                                |
                                |
                  Central Switch(Shanghai) - 192.168.1.10/24
                                |
                                |
      --------------------------------------------------------
      ^                         ^                            ^
      |                         |                            |
   Office Wifi               Home Wifi                    Hotel Wifi
      |                         |                            |
   OpenLAN                    OpenLAN                     OpenLAN
192.168.1.11/24            192.168.1.12/24             192.168.1.13/24

OpenLAN can connect switches across cities, clouds, and temporary networks such as hotel or home Wi-Fi. Each region can keep its local OpenLAN switch while outputs build authenticated TCP/UDP tunnels between regions. Static routes or FindHop routes then make remote subnets and VIPs reachable through the proper nexthop, so applications can move across sites without exposing every backend directly to the Internet.

๐Ÿ” Zero-Trust Access Control

       Guest Endpoint            Staff Endpoint            Ops Endpoint
             |                        |                        |
          OpenVPN                  OpenVPN                  OpenVPN
             \                        |                        /
              \                       |                       /
               ---------------------Internet-------------------
                                      |
                                      |
                         Central Switch (Policy Hub)
                        ZTrust + ACL + Knock + Auth
                        /                         \
                       /                           \
      Guest Network (restricted)      Trusted Network (policy access)
            172.16.100.0/24                 10.16.1.0/24

OpenLAN Zero Trust turns a virtual network into a default-deny access plane for new traffic while keeping established flows intact. Remote users can connect through OpenVPN, but protected services stay unreachable until the user is registered as a ZTrust guest and creates a temporary knock rule for a specific protocol and socket, such as tcp/192.59.0.1:8081. This makes it useful for contractor access, emergency operations, and service-by-service approvals where network reachability, identity, and time-limited permission must be controlled together.

๐Ÿ›ก๏ธ Router GRE/IPIP/WireGuard Tunnels

        Site A Router/Switch                         Site B Router/Switch
        100.100.0.241                                100.100.0.242
              |                                            |
              +=========== GRE / IPIP tunnel ==============+
              |        10.253.1.1/30 <-> 10.253.1.2/30     |
              |        10.253.2.1/30 <-> 10.253.2.2/30     |
              |
              +=========== WireGuard tunnel ===============+
                       hub peers or explicit P2P endpoints

OpenLAN can also build router-level tunnels directly, without relying only on network output links. GRE and IPIP are useful for lightweight L3 site-to-site connectivity when both sides can reach each other by underlay addresses. WireGuard adds key-based encryption and supports both hub-style peers that dial one public endpoint and P2P peers with explicit remote endpoints. These modes fit migration, lab interconnect, cloud VPC bridging, and emergency routing where operators need simple tunnel interfaces, reload persistence, and clear remove/recreate behavior.

๐Ÿ”€ HTTP Route Forwarding

        Client request              Client request              Client request
        Host: group.test            Host: single.test           Host: unknown.test
              |                           |                           |
              +---------------------------+---------------------------+
                                          |
                                          v
                                  Ceci HTTP Service
                              listen: 192.168.1.10:13083
                                          |
                       +------------------+-----------------+
                       /                  |                  \
                      / group route       | single route      \ global backend
                     /                    |                    \
        sw2 group backends        sw2 single backend      sw3 fallback backend
         192.56.0.2:18084          192.56.0.2:18086         192.56.0.3:18088
         192.56.0.2:18085
         192.56.0.2:18087

OpenLAN can publish one local HTTP service endpoint and route requests to different backends by the HTTP Host header. A hostname such as single.test can map to one backend, while group.test can map to multiple backends with round-robin balancing. Requests without a matched hostname can fall back to a global backend. The backends may live behind other OpenLAN switches, so the service endpoint stays stable while applications are distributed across sites.

๐Ÿ“š Documentation

๐Ÿงช Scenario Tests

OpenLAN provides 46 executable scenario scripts under tests/cases, organized into 80+ validation functions with 1000+ assertions in total. The unified entrypoint is tests/start.sh.

Common commands:

# List all scenarios
bash tests/start.sh --list

# Run all scenarios
bash tests/start.sh

# Run selected scenarios
bash tests/start.sh switch_tcp access_success

# Generate test reports (md/html)
bash tests/start.sh --report

Report: run.md

Capability coverage by test scenario: