ocserv-admin-mcp is a safe administrative package for ocserv.
It is not a bot, chat runtime, or general agent framework. It provides a constrained localhost backend plus an MCP server that expose a small audited tool surface for VPN administration. Any MCP-capable agent can integrate with it, including NanoBot.
- A localhost-only admin API for approved `ocserv` operations
- A strict MCP tool surface for agents
- Safety controls for confirmations, allowlists, and rate limits
- Deterministic audit logging, rollback, reload safety, and verification artifacts
- Deployment artifacts for `systemd`, `sudo -n`, and VPS installation

It does not provide:
- Telegram integration
- Chat UX or conversation orchestration
- Free-text intent parsing
- Arbitrary shell access
- A replacement for NanoBot or any other agent runtime

Default public MCP tools:
- `list_users`
- `list_sessions`
- `list_groups`
- `show_user_ips`
- `disconnect_session`
- `create_user`
- `update_user_ip`
- `disable_user`
- `disable_group_users`
- `delete_user`
- `assign_group`
- `create_group`
- `delete_group`
- `reload_service`
- `rollback_last_change`
- `confirm_action`

validate_config remains an internal backend capability and is not part of the default public MCP tool set.
- NanoBot via `deploy/examples/nanobot-config.example.json`
- Generic MCP clients via `deploy/examples/generic-mcp-client.example.json`
- Backend binds to loopback only
- Clients authenticate with a shared bearer token
- Actors must be explicitly allowlisted with `OCSERV_ADMIN_ALLOWED_ACTORS`
- Privileged operations execute only through `sudo -n` allowlisted commands
- Destructive actions require explicit confirmation and are audited
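
The token, allowlist and confirmation controls listed above, sketched as one request gate. This is an added example, not ocserv-admin-mcp's own code: the `Gate` class, the comma-separated format of `OCSERV_ADMIN_ALLOWED_ACTORS`, the choice of which tools count as destructive, and the confirmation-id flow through `confirm_action` are all assumptions.

```python
import hmac
import secrets

# Assumption: these tools (names from the tool list) are the destructive ones.
DESTRUCTIVE = {"disconnect_session", "disable_user", "disable_group_users",
               "delete_user", "delete_group"}


def parse_allowed_actors(raw):
    """Parse an OCSERV_ADMIN_ALLOWED_ACTORS value (assumed comma-separated)."""
    return {a.strip() for a in raw.split(",") if a.strip()}


class Gate:
    """Hypothetical request gate: token, then actor allowlist, then confirmation."""

    def __init__(self, token, allowed_actors):
        self._token = token.encode()
        self._allowed = set(allowed_actors)
        self._pending = {}   # confirmation id -> (actor, tool, args)
        self.audit = []      # in-memory stand-in for an audit log

    def _log(self, actor, tool, outcome):
        self.audit.append((actor, tool, outcome))
        return outcome

    def call(self, bearer, actor, tool, args):
        # Constant-time compare avoids leaking token bytes through timing.
        if not hmac.compare_digest(bearer.encode(), self._token):
            return self._log(actor, tool, "denied:token")
        # Fail closed: an empty allowlist admits nobody.
        if actor not in self._allowed:
            return self._log(actor, tool, "denied:actor")
        if tool == "confirm_action":
            cid = args.get("id")
            pending = self._pending.get(cid)
            # Only the requesting actor may confirm, and only once.
            if pending is None or pending[0] != actor:
                return self._log(actor, tool, "denied:confirmation")
            del self._pending[cid]
            return self._log(actor, pending[1], "executed")
        if tool in DESTRUCTIVE:
            # Park the request; nothing runs until it is confirmed.
            cid = secrets.token_urlsafe(16)
            self._pending[cid] = (actor, tool, args)
            self._log(actor, tool, "pending")
            return "pending:" + cid
        return self._log(actor, tool, "executed")
```

Every decision, including denials and parked requests, lands in `audit`, so a rejected call leaves the same kind of record as an executed one.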
- `src/` — backend, adapter, safety, audit, and MCP transport layers
- `deploy/` — `systemd`, `sudoers`, env examples, and client config examples
- `docs/` — requirements, development plan, verification plan, knowledge graph
- `tests/` — unit and integration coverage for the approved admin surface

Start with deploy/README.md for host setup, runtime expectations, VPN client-to-client routing/firewall requirements, static per-user IP behavior, and recovery guidance.