Lilypad
Lilypad is our Ansible-based orchestration framework used for deploying all server-side components.
The LEAP VPN stack is composed of the following components. Depending on the scale of the deployment, each can run on a separate host. For smaller deployments, at least 3 nodes are recommended: Reverse Proxy, Backend and Gateway.
| Component | Primary Services | Notes |
|---|---|---|
| Reverse Proxy | nginx, internal DNS, service dashboard, acme, reports collector | Provides the infrastructure front-end clients connect to |
| Backend | Menshen, Grafana, Prometheus, Elasticsearch | Exposes the services the reverse proxy talks to, including Menshen, monitoring and alerting |
| Gateway(s) | OpenVPN including kresd, Menshen-Agent | Act as VPN gateways, each gateway includes its own DNS resolver |
| Bridge (optional) | obfsvpn | Obfuscation proxy for the VPN tunnel; recommended to run on the same machine as a gateway if OpenVPN ports are not exposed to the public |
| Introducer (optional) | obfsvpn | Obfuscation Proxy in front of the Reverse Proxy. Used to reach API from censored networks via an invite code to fetch private bridges and gateways. Recommended to run on port 443 |
| GeoIP (optional) | geoip-service | Helps clients find the nearest gateway. GeoIP lookup API at /lookup/geo |
Lilypad is built on top of float. Please refer to the float overview documentation and the documentation for the built-in services for further details on the following components:
- Single sign-on server for backend components
- Nginx
- Prometheus
- Log collector
- DNS
- ACME
- Reports collector
- Grafana
- Thanos
- Kibana
- Elasticsearch
- Tinc (used for overlay networking)
Note: The backend API has been migrated from version 3 to version 5. We will subsequently phase out client support for v3. If you're starting to deploy a new instance of the LEAP stack, we recommend supporting only API v5.
Please follow the installation tutorial if you want to set up the LEAP VPN stack using Lilypad.