Open-source VPN management panel + desktop client supporting WireGuard, OpenVPN, V2Ray/Xray, IKEv2, L2TP and DNSTT tunneling.

AmiRCandy/CandyConnect

🍬 CandyConnect VPN


⚠️ FOR EDUCATIONAL PURPOSES ONLY

This project is intended strictly for educational and research purposes. The authors do not condone or support any illegal, unauthorized, or unethical use of this software. Use it only on systems and networks you own or have explicit permission to operate. The authors bear no responsibility for any misuse.


🚧 BETA SOFTWARE — WORK IN PROGRESS

This project is currently in beta. It is functional but may contain bugs, incomplete features, and missing options. Things may break between updates. Features will be added and improved over time. Use in production at your own risk and always keep backups.



📸 Screenshots

[Screenshots: Web Panel Dashboard; CandyConnect Desktop Client]


🍭 Overview

CandyConnect is an all-in-one VPN server management system that supports multiple VPN protocols from a single control plane, with a web admin panel and a cross-platform desktop client.

| Protocol | Engine | Status |
|---|---|---|
| V2Ray / Xray | VLESS, VMess, Trojan, Shadowsocks | ✅ Full |
| WireGuard | Native kernel module | ✅ Full |
| OpenVPN | OpenVPN + Easy-RSA PKI | ✅ Full |
| IKEv2/IPSec | strongSwan | ✅ Full |
| L2TP/IPSec | xl2tpd + strongSwan | ✅ Full |
| DNSTT | DNS-over-UDP tunnel | ✅ Full |
| SlipStream | — | 🔜 Planned |
| TrustTunnel | — | 🔜 Planned |

Architecture

┌─────────────────────────────────────────────────────┐
│                  CandyConnect Server                │
│                                                     │
│  ┌───────────┐  ┌───────────┐   ┌─────────────────┐ │
│  │ Panel API │  │Client API │   │Protocol Managers│ │
│  │  /api/*   │  │/client-   │   │ WG · V2Ray · OV │ │
│  │           │  │  api/*    │   │ IKE · L2TP · DNS│ │
│  └─────┬─────┘  └─────┬─────┘   └────────┬────────┘ │
│        │              │                  │          │
│        └──────────────┘                  │          │
│              │                           │          │
│       ┌──────┴──────┐          ┌─────────┴────────┐ │
│       │   FastAPI   │          │  System Cores    │ │
│       │   + Redis   │          │ (installed on    │ │
│       │   + JWT     │          │  the server)     │ │
│       └─────────────┘          └──────────────────┘ │
└─────────────────────────────────────────────────────┘
        │                              │
        ▼                              ▼
┌───────────────┐            ┌──────────────────┐
│   Web Panel   │            │  Desktop Client  │
│ (React+Vite)  │            │ (Tauri+React)    │
└───────────────┘            └──────────────────┘

🚀 Quick Installation

Requirements

  • OS: Ubuntu 20.04+ / Debian 11+ (x86_64)
  • RAM: Minimum 1 GB (2 GB recommended)
  • Disk: Minimum 5 GB free space
  • Access: Root privileges
  • Ports: 8443 (panel), plus VPN protocol ports

Management Menu (Recommended)

Run the interactive menu to install, uninstall, or check the status:

git clone https://github.com/AmiRCandy/CandyConnect.git
cd CandyConnect
sudo bash menu.sh

The installer will:

  1. Install system dependencies (Python, Redis, Node.js)
  2. Set up the Python backend with virtual environment
  3. Build the web panel frontend
  4. Generate JWT secrets
  5. Configure firewall rules & IP forwarding
  6. Create and start a systemd service

Post-Installation

After installation completes, you'll see:

✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅
  🍬 CandyConnect Installed Successfully!
✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅✅

  Panel URL:    http://<SERVER_IP>:8443/candyconnect
  API URL:      http://<SERVER_IP>:8443/api
  Client API:   http://<SERVER_IP>:8443/client-api
  Admin User:   admin
  Admin Pass:   admin123

  ⚠️  Change the default password immediately!

🌐 Web Panel

The admin web panel provides full server management:

  • Dashboard — Server resources, VPN core status, active connections per protocol, real traffic stats, live logs
  • Clients — Create, edit, delete VPN users with per-protocol access control, traffic limits, time limits, and connection history
  • Core Configs — Configure each VPN protocol (ports, ciphers, keys, interfaces, DNS, etc.)
  • Panel Configs — Change panel port/path, admin password, view server info

Access

Open http://<SERVER_IP>:8443/candyconnect in your browser.

Default credentials:

  • Username: admin
  • Password: admin123

💻 Desktop Client

The CandyConnect desktop client (built with Tauri + React) connects to the server backend and provides a native VPN experience on Windows, macOS, and Linux.

Supported Client Protocols

| Protocol | TUN Mode | Proxy Mode |
|---|---|---|
| V2Ray (VLESS/VMess/Trojan) | ✅ via sing-box | ✅ via Xray SOCKS |
| WireGuard | ✅ via sing-box | ✅ via sing-box |
| OpenVPN | ✅ Native | — |
| IKEv2 | ✅ Native | — |
| L2TP | ✅ Native | — |
| DNSTT | ✅ via tunnel | — |

How It Works

  1. User enters the server address (e.g., http://your-server:8443)
  2. Logs in with their client username/password (created via the web panel)
  3. The client fetches available VPN protocols and connection configs
  4. User selects a protocol and mode (TUN/Proxy) and connects
  5. Real-time speed and traffic stats are shown — only VPN interface traffic is counted (not general system traffic)

Building the Client

cd client
npm install
npm run dev          # Development mode
npm run build        # Production build (Tauri)

Note: Building the Tauri desktop app requires Rust and platform-specific dependencies. See Tauri Prerequisites.


🖥 Server Management

Service Commands

# Check status
sudo systemctl status candyconnect

# Restart
sudo systemctl restart candyconnect

# View live logs
sudo journalctl -u candyconnect -f

# Stop
sudo systemctl stop candyconnect

Configuration

Server configuration is stored in /opt/candyconnect/.env:

CC_DATA_DIR=/opt/candyconnect
CC_REDIS_URL=redis://127.0.0.1:6379/0
CC_JWT_SECRET=<auto-generated>
CC_PANEL_PORT=8443
CC_PANEL_PATH=/candyconnect
CC_ADMIN_USER=admin
CC_ADMIN_PASS=admin123
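
A pre-flight check for the settings listed above, as an added example that is not part of the CandyConnect project: it flags the documented default admin password, a short JWT secret, a Redis URL that leaves loopback, and a group- or world-readable file. The function names and the 32-character threshold are assumptions; only the CC_* key names come from this README.

```shell
#!/usr/bin/env bash
# Added example: audit a CandyConnect-style .env for the weak settings shown above.
# Key names come from the README listing; the thresholds are assumptions.

# Print the value of key $2 from env file $1 (last assignment wins, quotes stripped).
env_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Print one "WEAK ..." line per finding; return 0 if clean, 1 if flagged, 2 on error.
audit_env() {
  local file="$1" findings=0 mode pass secret redis
  [ -r "$file" ] || { echo "ERROR cannot read $file"; return 2; }

  # The file holds the JWT signing secret and admin password: owner-only access.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    *00) ;;
    *) echo "WEAK file mode $mode, expected 600 or stricter"; findings=1 ;;
  esac

  pass=$(env_get "$file" CC_ADMIN_PASS)
  if [ -z "$pass" ] || [ "$pass" = "admin123" ]; then
    echo "WEAK CC_ADMIN_PASS is empty or the documented default"; findings=1
  fi

  # 32 characters is an assumed floor for a token-signing secret.
  secret=$(env_get "$file" CC_JWT_SECRET)
  if [ "${#secret}" -lt 32 ]; then
    echo "WEAK CC_JWT_SECRET is shorter than 32 characters"; findings=1
  fi

  # Redis holds client passwords, so the URL should stay on loopback.
  redis=$(env_get "$file" CC_REDIS_URL)
  redis=${redis#*://}; redis=${redis##*@}   # drop scheme and any user:password@
  case "$redis" in
    127.0.0.1:*|localhost:*|\[::1\]:*|/*) ;;
    *) echo "WEAK CC_REDIS_URL does not point at loopback"; findings=1 ;;
  esac
  return "$findings"
}

# Usage: bash audit_env.sh /opt/candyconnect/.env
[ $# -eq 0 ] || audit_env "$1"
```

A non-zero exit status makes the check usable as a gate in a deployment script or a cron job.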

File Structure

/opt/candyconnect/
├── server/          # Python backend
│   ├── main.py      # FastAPI application
│   ├── config.py    # Configuration
│   ├── database.py  # Redis data layer
│   ├── auth.py      # JWT authentication
│   ├── system_info.py
│   ├── protocols/   # VPN protocol managers
│   │   ├── base.py
│   │   ├── wireguard.py
│   │   ├── v2ray.py
│   │   ├── openvpn.py
│   │   ├── ikev2.py
│   │   ├── l2tp.py
│   │   ├── dnstt.py
│   │   └── manager.py
│   └── routes/      # API endpoints
│       ├── panel_api.py    # Web panel API
│       └── client_api.py   # Desktop client API
├── web-panel/       # React admin panel (built)
└── cores/           # VPN binaries (auto-installed)
    ├── xray/
    └── sing-box/

🔧 Troubleshooting

Checking Protocol Status

# WireGuard
sudo wg show

# Xray
sudo /opt/candyconnect/cores/xray/xray run -c /opt/candyconnect/cores/xray/config.json

# IKEv2/IPSec
sudo ipsec statusall
sudo swanctl --list-conns

# OpenVPN
sudo tail -f /var/log/openvpn/openvpn-status.log

# L2TP
sudo journalctl -u xl2tpd -f

# DNSTT
ps aux | grep dnstt-server

⚙️ Manual Service Control

# WireGuard interface
sudo wg-quick down wg0
sudo wg-quick up wg0

# IPSec (IKEv2/L2TP)
sudo systemctl restart strongswan-starter

# L2TP Daemon
sudo systemctl restart xl2tpd

# SSH (for DNSTT tunnels)
sudo systemctl restart ssh

🆘 Emergency Port Release

If a protocol fails to start because "Port is already in use":

sudo lsof -i :<PORT_NUMBER>
# or
sudo netstat -tulpn | grep :<PORT_NUMBER>

🔒 VPN Protocol Setup

After installation, VPN protocols need to be installed and started via the web panel or API:

Via Web Panel

  1. Go to Core Configs
  2. Configure each protocol's settings
  3. Click Save Config
  4. Use the Restart Service button (or install first if not yet installed)

Via API

TOKEN="your-admin-jwt-token"
SERVER="http://your-server:8443"

# Install & start all protocols
for proto in v2ray wireguard openvpn ikev2 l2tp dnstt; do
  curl -X POST "$SERVER/api/cores/$proto/install" -H "Authorization: Bearer $TOKEN"
  curl -X POST "$SERVER/api/cores/$proto/start" -H "Authorization: Bearer $TOKEN"
done

🌐 DNSTT Setup (DNS Tunnel)

DNSTT allows VPN traffic to be tunneled over DNS queries, bypassing most firewalls. It requires you to own a domain and configure two DNS records.

DNS Records Required

You must add the following records to your domain's DNS settings:

| Type | Name | Value | Purpose |
|---|---|---|---|
| A | srv.YOURDOMAIN.COM | YOUR_SERVER_IP | Points to your CandyConnect server |
| NS | dns.YOURDOMAIN.COM | srv.YOURDOMAIN.COM | Delegates DNS queries to your server |

Example (domain: example.com, server IP: 1.2.3.4):

A     srv.example.com   →   1.2.3.4
NS    dns.example.com   →   srv.example.com

How It Works

  1. The client sends DNS queries to dns.YOURDOMAIN.COM
  2. The NS record delegates those queries to srv.YOURDOMAIN.COM (your server)
  3. Your server's DNSTT daemon handles the queries and tunnels VPN traffic through them
  4. Traffic appears as normal DNS UDP port 53 traffic — bypasses most deep packet inspection

DNSTT Configuration in Web Panel

  1. Go to Core Configs → DNSTT
  2. Set DNS Zone to dns.YOURDOMAIN.COM
  3. Set Listen Port (default: 5300 for DNS; port 53 requires root)
  4. Save and start the DNSTT core

Note: Propagation of DNS records can take up to 24–48 hours depending on your registrar's TTL settings. Test with dig NS dns.yourdomain.com to confirm.


👥 Client Management

Creating a Client

Via the web panel:

  1. Go to Clients → Add Client
  2. Set username, password, traffic limit, time limit
  3. Select which VPN protocols the client can access
  4. Click Create

Via API:

curl -X POST "$SERVER/api/clients" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "john",
    "password": "SecurePass123!",
    "comment": "John Doe",
    "enabled": true,
    "traffic_limit": {"value": 50, "unit": "GB"},
    "time_limit": {"mode": "days", "value": 30, "on_hold": false},
    "protocols": {
      "v2ray": true, "wireguard": true, "openvpn": true,
      "ikev2": true, "l2tp": false, "dnstt": false,
      "slipstream": false, "trusttunnel": false
    }
  }'

Client Features

  • Traffic Limits — Per-client data caps in GB or MB
  • Time Limits — Expiry in days or months
  • On Hold — Pause a client's timer without deleting them
  • Per-Protocol Access — Enable/disable individual VPN protocols per client
  • Real Traffic Tracking — Per-protocol usage tracking (client-reported + server-measured)
  • Active Connections — Real-time connection count per protocol in the dashboard
  • Connection History — IP, protocol, duration logging

🛠 Development

Project Structure

CandyConnect/
├── server/              # Python FastAPI backend
├── web-panel/           # React + Vite + Tailwind admin panel
├── client/              # Tauri + React desktop VPN client
│   └── src-tauri/src/   # Rust backend (Tauri commands, VPN launching)
├── install.sh           # Deployment script
├── menu.sh              # Interactive management menu
└── README.md

Running in Development

Server:

cd server
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
# Requires Redis running locally
python main.py

Web Panel:

cd web-panel
npm install
npm run dev
# Opens at http://localhost:5174
# Proxies /api to http://127.0.0.1:8443

Client:

cd client
npm install
npm run dev

Tech Stack

| Component | Technology |
|---|---|
| Server | Python 3.10+, FastAPI, Redis, JWT |
| Web Panel | React 18, Vite, Tailwind CSS, Lucide Icons |
| Client | React 19, Tauri 2, TypeScript, Vite |
| Client Backend | Rust (Tauri), sing-box, Xray |
| Database | Redis |
| Auth | JWT (separate admin/client tokens) |

🔒 Security Notes

  • Change the default admin password immediately after installation
  • All API endpoints are JWT-protected
  • Client passwords are stored in Redis (consider encryption for production)
  • Admin password is bcrypt-hashed
  • Use HTTPS in production (configure SSL in CandyConnect settings)
  • Firewall rules are auto-configured during installation
  • This software is for educational use only — see disclaimer at top

📄 License

MIT License — see LICENSE for details.


🤝 Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request


📋 Roadmap / TODO

These are the features and improvements planned for future releases. Contributions toward any of these are especially welcome!

| Status | Feature | Description |
|---|---|---|
| 🔜 | SSL for Web Panel | Built-in Let's Encrypt / self-signed SSL support for the admin panel, no manual nginx/caddy setup required |
| 🔜 | Xray CDN Configs | Auto-generate CDN-fronted configs (Cloudflare, ArvanCloud, etc.) for VLESS/VMess over WebSocket with TLS |
| 🔜 | Psiphon Protocol | Integrate Psiphon as a supported tunnel protocol for censorship circumvention |
| 🔜 | Auto Tunneling | Automatic best-protocol selection and fallback — the client tries protocols in order and switches seamlessly if one is blocked |
| 🔜 | Paqet Protocol | Full Paqet protocol support as a tunneling backend |
| 🔜 | WARP Protocol | Cloudflare WARP / WireGuard+WARP integration as a connectable protocol |
| 🔜 | iOS Client | Native iOS client app (Swift/Tauri mobile) connecting to the CandyConnect backend |
| 🔜 | Android Client | Native Android client app connecting to the CandyConnect backend |
| 🔜 | SlipStream Protocol | Complete SlipStream protocol implementation and integration |
| 🔜 | TrustTunnel Protocol | Complete TrustTunnel protocol implementation and integration |

💡 Have a feature idea not on this list? Open an issue or pull request — contributions are always welcome!


🙏 Acknowledgements & Credits

CandyConnect would not exist without the incredible open-source projects that power it under the hood. Huge respect and gratitude to the teams and communities behind:


⚡ Xray-core

The heart of the V2Ray engine in CandyConnect. Xray is a powerful, high-performance proxy platform supporting VLESS, VMess, Trojan, Shadowsocks and more — with cutting-edge features like XTLS and Reality. The XTLS team has pushed the boundaries of what's possible in censorship circumvention.

"Xray, Penetrates Everything."


📦 sing-box

The universal proxy platform that powers CandyConnect's TUN mode on the desktop client. sing-box handles WireGuard-over-TUN, DNS routing, and transparent proxying with remarkable efficiency. A masterpiece of modern network engineering.

"The universal proxy platform."


🔒 WireGuard

The modern VPN protocol that redefined simplicity and security. WireGuard's clean codebase (~4,000 lines vs OpenVPN's ~100,000) and state-of-the-art cryptography (ChaCha20, Poly1305, Curve25519) make it the gold standard for fast, secure tunneling.

"WireGuard: fast, modern, secure VPN tunnel." — Jason A. Donenfeld


🛡️ OpenVPN

The battle-tested VPN solution that has been securing networks for over two decades. OpenVPN's flexibility, wide platform support, and robust PKI infrastructure make it indispensable for enterprise and personal use alike.

"The world's most widely deployed open source VPN."


🌐 dnstt

The ingenious DNS tunnel tool by Dan Ayers (bamsoftware) that makes it possible to tunnel traffic over DNS queries — one of the few techniques that bypasses even the most aggressive firewalls. A remarkable piece of engineering for those who need it most.

"A DNS tunnel that actually works."


These projects are maintained by talented developers who give their time and expertise to the community for free. Please consider supporting them directly.


Made with 🍬 by AmiRCandy