// master_project :: hybrid_security_framework

SunduVault
Hybrid Security Framework Integrating
Firewall & VPN Technologies

A unified security platform combining iptables-based firewall management with WireGuard VPN tunnelling, orchestrated through a Python/Flask backend, RBAC, 2FA, IDS, and a real-time monitoring dashboard.

WireGuard VPN · iptables · PHP / Flask · MongoDB · AES-256 · ChaCha20-Poly1305 · RBAC · 2FA / TOTP · IDS · JWT / OAuth 2.0 · Real-time Dashboard
M.Sc. Capstone Project — Dr. MGR University
85% Attack Reduction
<1 ms VPN Latency
200 ms Rule Update
5 Security Layers
254 Max Peers
12/12 Tests Passed

Project Abstract

The proliferation of cyber threats in modern network environments necessitates robust, multi-layered security architectures combining perimeter defence with encrypted communication channels. SunduVault is a Hybrid Security Framework that seamlessly integrates iptables-based firewall management with WireGuard VPN technology, orchestrated through a PHP/Flask backend and a real-time monitoring dashboard.

The framework enforces network access control through dynamically configurable iptables rule sets, providing stateful packet inspection, port-level filtering, and traffic shaping. WireGuard's cryptographic tunnelling ensures all inter-node communications are protected using AES-256 encryption and SHA-256 hashing, mitigating MITM and eavesdropping attacks. The system incorporates RBAC, Two-Factor Authentication (2FA), and an IDS module monitoring live traffic for anomalous patterns.

Experimental results demonstrate SunduVault reduces unauthorised access attempts by over 85%, maintains sub-millisecond VPN handshake latency, and processes firewall rule updates within 200 milliseconds.

Keywords: WireGuard VPN · iptables · Hybrid Security · RBAC · 2FA · IDS · AES-256 · Real-Time Monitoring · Network Access Control

Why SunduVault?

⚠ Problem

Organisations manage firewall rules, VPN configurations, user accounts, and monitoring systems as entirely separate concerns — each with its own interface, log format, and failure mode. This fragmentation creates configuration drift, delayed intrusion response, and audit gaps.

✓ Solution

SunduVault provides a single control plane that enforces consistent policy across all security layers — replacing manual CLI tools with an automated, web-based unified security management framework accessible to both administrators and end users.

Limitations of Existing Fragmented Systems

❌  No centralised firewall + VPN management interface
❌  Manual WireGuard peer configuration via CLI
❌  No real-time traffic visibility or alerting
❌  Fragmented audit logs across system files
❌  No automated IP address allocation
❌  Zero user self-service capability
❌  Poor scalability as network complexity grows
❌  Privilege escalation risks from inconsistent RBAC

Technology Stack

Software Requirements

🐧 Ubuntu Server: 22.04 LTS
🔐 WireGuard VPN: v1.0.0+
🛡️ iptables: v1.8.7+
🐘 PHP Backend: v8.1+
🍃 MongoDB: v6.0+
🌐 Apache / Nginx: Latest
🎨 Bootstrap UI: v5.3.2
🔑 JWT / OAuth 2.0: RFC 6749
📲 TOTP 2FA: RFC 6238
📊 Chart.js: Traffic Viz

Hardware Requirements

⚙️ CPU: Min Dual-Core 1.5 GHz, Rec Quad-Core 2.5 GHz+
💾 RAM: Min 2 GB, Rec 4 GB+
💿 Storage: Min 20 GB SSD, Rec 50 GB SSD
🌐 Network: UDP 51820 (WireGuard), TCP 80/443 (Web)

System Architecture

🌐 Web Dashboard (Bootstrap UI) → 🔗 REST API (JWT Bearer) → 🔑 Auth Module (OAuth2 + TOTP) → ⚙️ App Logic (PHP Backend) → 🍃 MongoDB (Data Store)

🔐 WireGuard Mgr (Peer CRUD) + 🛡️ Firewall Mgr (iptables Rules) + 🔢 IP Network (CIDR Allocation) + 🚨 IDS Module (Anomaly Detection) + 📊 Dashboard (Real-time Metrics)

Defence in Depth — 5 Layers

01  Network Perimeter — iptables

Stateful packet filtering enforcing deny-by-default policy. Permits only UDP 51820 (WireGuard), TCP 80/443 (HTTPS), SSH 22, ICMP, and established/related connections. All other inbound traffic is dropped.

02  Transport Encryption — WireGuard

All inter-peer traffic encrypted with ChaCha20-Poly1305 cipher and Curve25519 key exchange — preventing eavesdropping, MITM, and replay attacks with forward secrecy guarantees.

03  Application Authentication — OAuth 2.0 JWT

Short-lived JWT access tokens (15-minute expiry) with 7-day refresh token rotation. HMAC-SHA256 signature verification on every protected API endpoint. Automatic 401 interception with seamless token refresh.

04  Identity Verification — TOTP 2FA

RFC 6238 Time-based One-Time Password with 30-second window. Compatible with Google Authenticator, Authy, and standard TOTP apps. Stolen credentials alone are insufficient for access.

05  Authorisation — RBAC

Two-tier role model: Administrator (full system control) and User (self-service device management only). NIST RBAC standard (INCITS 359-2004) compliant. Enforces principle of least privilege across all API endpoints.

Implementation Modules

🔑 Module 1: Authentication System

JWT-based login flow with bcrypt password verification (cost factor 12), TOTP 2FA validation, and OAuth 2.0 token lifecycle management. Token validation on every protected endpoint via HMAC-SHA256 signature check.

🔐 Module 2: WireGuard Peer Management

Full peer CRUD via wg set CLI wrapper. Automated IP allocation, persistent config file updates with LOCK_EX concurrency control, and browser-side QR code provisioning using qrcode.js.

🛡️ Module 3: Firewall Management

Dynamic iptables rule insertion and deletion via PHP shell_exec() with escapeshellarg() injection protection. MongoDB-backed rule persistence with atomic flush-and-rebuild strategy ensuring live kernel consistency.

🔢 Module 4: IP Address Management

CIDR-aware IPNetwork class with MongoDB-backed allocation bitmap. Sequential getNextIP() skipping network/gateway addresses. Cross-reference reconciliation on startup to resolve config drift between WireGuard interface and database.
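The allocator described above, as an added example that is not the project's own code: a CIDR-aware sequential allocator that skips the network, broadcast and gateway addresses, raises on a full subnet (the TC-08 case), and reconciles the database against the peers found on the live interface. The class and method names, and the in-memory dict standing in for the MongoDB allocation bitmap, are assumptions.

```python
import ipaddress


class SubnetFullError(Exception):
    """No host address is left in the CIDR block (the 'subnet full' case)."""


class IPNetwork:
    """Sequential CIDR-aware allocator (hypothetical example, not project code).
    The dict stands in for the MongoDB-backed allocation bitmap."""

    def __init__(self, cidr):
        self.net = ipaddress.ip_network(cidr, strict=True)
        # First host is reserved for the WireGuard server/gateway and never handed out
        self.gateway = self.net.network_address + 1
        self.allocated = {}  # IPv4Address -> peer public key

    def get_next_ip(self):
        """Lowest free host address; hosts() already excludes network and broadcast."""
        for host in self.net.hosts():
            if host == self.gateway or host in self.allocated:
                continue
            return host
        raise SubnetFullError(f"subnet full: {self.net}")

    def allocate_ip(self, ip, public_key):
        ip = ipaddress.ip_address(ip)
        reserved = (self.net.network_address, self.net.broadcast_address, self.gateway)
        if ip not in self.net or ip in reserved:
            raise ValueError(f"{ip} is not an assignable host in {self.net}")
        if ip in self.allocated:
            raise ValueError(f"{ip} already allocated")
        self.allocated[ip] = public_key

    def release_ip(self, ip):
        self.allocated.pop(ipaddress.ip_address(ip), None)

    def reconcile(self, interface_peers):
        """Startup cross-check against the live interface (public key -> allowed IP).
        Returns (keys known only to the database, keys present only on the interface)."""
        db_keys = {key: ip for ip, key in self.allocated.items()}
        live = {key: ipaddress.ip_address(ip) for key, ip in interface_peers.items()}
        db_only = sorted(set(db_keys) - set(live))
        live_only = sorted(set(live) - set(db_keys))
        return db_only, live_only
```

Either side of the reconcile result is config drift: a key only in the database means a peer that is recorded but not reachable, a key only on the interface means access that no record authorises.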

📊 Module 5: Real-Time Dashboard

Client-side polling at 5-second intervals via Fetch API. Per-peer traffic stats (received/transmitted bytes) with online classification — peers online if handshake within 3 minutes. Chart.js network throughput visualisation.
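The per-peer stats and the 3-minute online rule above, as an added example (not the project's dashboard code): a parser for the tab-separated output of `wg show <iface> dump`, which is the interface from which the received/transmitted byte counters and the latest handshake come. The dump below is constructed and the keys are placeholders.

```python
ONLINE_WINDOW = 180  # seconds: a peer counts as online if it handshaked within 3 minutes


def parse_wg_dump(dump, now):
    """Parse `wg show <iface> dump` output into per-peer stats.
    Line 1 is the interface (private key, public key, listen port, fwmark); each further
    line is one peer: public key, preshared key, endpoint, allowed IPs, latest handshake
    (epoch seconds, 0 = never), rx bytes, tx bytes, persistent keepalive."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        pub, _psk, endpoint, allowed, handshake, rx, tx, _keepalive = line.split("\t")
        last = int(handshake)
        peers.append({
            "public_key": pub,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed,
            "last_handshake": last,
            "rx_bytes": int(rx),
            "tx_bytes": int(tx),
            "online": last != 0 and now - last <= ONLINE_WINDOW,
        })
    return peers


def summarise(peers):
    """Totals that feed the throughput chart."""
    return {
        "online": sum(p["online"] for p in peers),
        "total": len(peers),
        "rx_bytes": sum(p["rx_bytes"] for p in peers),
        "tx_bytes": sum(p["tx_bytes"] for p in peers),
    }


# Constructed sample dump with placeholder keys. The real first line carries the
# interface's private key, so the raw dump must never reach the browser or a log.
NOW = 1700000000
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVATE_KEY_PLACEHOLDER", "SERVER_PUBKEY_PLACEHOLDER", "51820", "off"]),
    "\t".join(["PEER_A_PUBKEY", "(none)", "198.51.100.20:41001", "10.8.0.2/32",
               str(NOW - 60), "5242880", "1048576", "25"]),
    "\t".join(["PEER_B_PUBKEY", "(none)", "203.0.113.5:51820", "10.8.0.3/32",
               str(NOW - 400), "1024", "2048", "off"]),
    "\t".join(["PEER_C_PUBKEY", "(none)", "(none)", "10.8.0.4/32", "0", "0", "0", "off"]),
])
```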

🚨 Module 6: Intrusion Detection System

Hybrid IDS combining signature-based detection (port scans, SYN floods, ICMP floods) with threshold-based anomaly detection — auto-blocking source IPs exceeding 100 connection attempts/minute via dynamic iptables DROP rules.
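The threshold branch of the IDS above, as an added example (not the project's IDS code): a per-source sliding one-minute window that flags a source the first time it exceeds 100 connection attempts and returns the iptables DROP rule as an argv list for the caller to apply, so it can be dry-run against log input. The log format and sample lines are constructed.

```python
from collections import defaultdict, deque

THRESHOLD = 100  # connection attempts per source per minute, as on the page
WINDOW = 60      # seconds


class ThresholdDetector:
    """Per-source sliding-window counter (hypothetical example, not project code).
    Returns the DROP rule as an argv list instead of executing it."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.attempts = defaultdict(deque)  # src ip -> timestamps inside the window
        self.blocked = set()

    def observe(self, ts, src):
        """Record one attempt at epoch second ts; return a rule the first time src exceeds the threshold."""
        if src in self.blocked:
            return None
        window = self.attempts[src]
        window.append(ts)
        while window and ts - window[0] >= self.window:
            window.popleft()  # drop attempts older than one minute
        if len(window) > self.threshold:
            self.blocked.add(src)
            del self.attempts[src]
            return ["iptables", "-I", "INPUT", "-s", src, "-j", "DROP"]
        return None


def analyse(lines):
    """Lines use the constructed format '<epoch> <src_ip> <dst_port> SYN'; returns rules in order."""
    detector = ThresholdDetector()
    rules = []
    for line in lines:
        ts, src, _dport, _flags = line.split()
        rule = detector.observe(int(ts), src)
        if rule is not None:
            rules.append(rule)
    return rules


# Constructed sample: 203.0.113.7 probes 120 ports in 24 seconds; 198.51.100.2 connects once.
SAMPLE_LOG = [f"{1700000000 + i // 5} 203.0.113.7 {1000 + i} SYN" for i in range(120)]
SAMPLE_LOG.append("1700000010 198.51.100.2 443 SYN")
```

A source is blocked once and then ignored, so a scanning host produces exactly one rule rather than one per packet.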

Sample: WireGuard Peer Addition Flow

```php
// Module 2: addPeer() orchestration (method of the WireGuard manager class)
function addPeer($publicKey, $deviceName, $deviceType, $owner) {
    $cidr = $this->getCIDR();                       // Parse wg config header
    $ip   = IPNetwork::getNextIP($cidr);            // CIDR-aware allocation
    shell_exec(                                     // Add to live interface
        "wg set wgvpn peer " . escapeshellarg($publicKey) .
        " allowed-ips " . escapeshellarg($ip . "/32")
    );
    // [Peer] block appended to the interface config so the peer survives a restart
    $peerBlock = "\n[Peer]\n"
               . "PublicKey = " . $publicKey . "\n"
               . "AllowedIPs = " . $ip . "/32\n";
    file_put_contents(WG_CONF, $peerBlock, FILE_APPEND | LOCK_EX); // Persist
    IPNetwork::allocateIP($ip, $publicKey, $owner, $deviceName);   // Record in MongoDB
    return ['ip' => $ip, 'cidr' => $cidr, 'interface' => 'wgvpn'];
}
```

RESTful API Endpoints

Authentication Endpoints

| Endpoint      | Method | Auth       |
|---------------|--------|------------|
| /auth/login   | POST   | None       |
| /auth/refresh | POST   | Refresh    |
| /auth/signup  | POST   | Admin JWT  |
| /auth/current | GET    | Bearer JWT |

WireGuard Peer Endpoints

| Endpoint        | Method | Auth       |
|-----------------|--------|------------|
| /wg/add_peer    | POST   | Bearer JWT |
| /wg/get_peer    | GET    | Bearer JWT |
| /wg/get_peers   | GET    | Bearer JWT |
| /wg/remove_peer | POST   | Bearer JWT |

Standards & Protocols

RFC 7519: JWT Token Format
RFC 6749: OAuth 2.0 Auth Flow
RFC 6238: TOTP 2FA Standard
WireGuard Protocol: VPN Tunnelling & Key Exchange
NIST SP 800-53: Security Control Framework
NIST RBAC: INCITS 359-2004 Role Model

Testing & Results

45 ms Avg API Response @ 10 concurrent users
892 Mbps VPN Throughput @ 10 concurrent peers
1.2 ms Handshake Latency (WireGuard local peer)
15/15 Attack Scenarios, all mitigated ✓

Unit Test Results — All 12 Cases Passed

| Test Case                 | Module    | Expected                 | Result |
|---------------------------|-----------|--------------------------|--------|
| TC-01: Valid Login        | Auth      | JWT tokens issued        | PASS   |
| TC-02: Invalid Password   | Auth      | 401 Unauthorized         | PASS   |
| TC-03: Expired Token      | OAuth     | 401, token refresh       | PASS   |
| TC-04: Add Peer           | WireGuard | Peer added, IP allocated | PASS   |
| TC-05: Duplicate Key      | WireGuard | Error returned           | PASS   |
| TC-06: Remove Peer        | WireGuard | Peer removed, IP freed   | PASS   |
| TC-07: IP Allocation      | IPNetwork | Sequential IP returned   | PASS   |
| TC-08: Full Subnet        | IPNetwork | Error: subnet full       | PASS   |
| TC-09: TOTP Valid         | Auth      | Login succeeds           | PASS   |
| TC-10: TOTP Invalid       | Auth      | 403 Forbidden            | PASS   |
| TC-11: RBAC User→Admin    | Auth      | 403 Forbidden            | PASS   |
| TC-12: Firewall Rule Add  | Firewall  | Rule active in iptables  | PASS   |

vs. Existing Systems

| Feature                                     | SunduVault   | pfSense   | OpenVPN AS | WireGuard CLI |
|---------------------------------------------|--------------|-----------|------------|---------------|
| Unified Web UI                              |              |           |            |               |
| WireGuard Support (one system: Partial)     |              |           |            |               |
| RBAC                                        |              |           |            |               |
| 2FA                                         |              |           |            |               |
| REST API                                    |              |           |            |               |
| QR Code Provisioning (one system: Manual)   |              |           |            |               |
| Cost                                        | Free         | Free/Paid | Paid       | Free          |
| Dedicated Hardware                          | Not Required | Required  | Depends    | Not Required  |
