Architecture

Control plane separated from data plane for maximum flexibility and reliability

Control Plane Architecture

GovernFlow operates as an external control plane, completely separated from the VPN data plane. This separation enables centralized management, independent scaling, and failover without affecting active VPN sessions.

governflowd

Main daemon providing REST API, cluster coordination, session management, and OpenVPN integration via Unix socket.

governflow-ls

Licensing server for multi-tenant license management with RSA-SHA256 signed licenses and tier-based feature control.

governflow-query

Lightweight helper called by OpenVPN for client configuration, firewall rules, and route management.

libgovernflow

Shared library with common functionality: logging, config parsing, database connection pooling, and license verification.

┌──────────────────────────────────────────┐
│           GovernFlow Control Plane       │
├──────────────────────────────────────────┤
│                                          │
│  ┌────────────────────────────────────┐  │
│  │          governflowd               │  │
│  │  ┌──────────────────────────────┐  │  │
│  │  │ Core: config, log, db, http  │  │  │
│  │  └──────────────────────────────┘  │  │
│  │  ┌──────────────────────────────┐  │  │
│  │  │ Plugins: 14 dynamic modules  │  │  │
│  │  └──────────────────────────────┘  │  │
│  │  Ports: 8443 (API), 8444 (UDP),    │  │
│  │         8445 (Raft), Unix Socket   │  │
│  └────────────────────────────────────┘  │
│                    │                     │
│  ┌─────────────────┴──────────────────┐  │
│  │         libgovernflow.so           │  │
│  └────────────────────────────────────┘  │
│                                          │
├──────────────────────────────────────────┤
│          OpenVPN Data Plane              │
├──────────────────────────────────────────┤
│  ┌────────────────────────────────────┐  │
│  │  OpenVPN Server + governflow-query │  │
│  │  (client-connect/disconnect hooks) │  │
│  └────────────────────────────────────┘  │
└──────────────────────────────────────────┘

Cluster Topology

Distributed architecture with Raft consensus for high availability

Leader Node

Handles all write operations and coordinates cluster state. Automatically elected via Raft consensus.

Follower Nodes

Replicate state from the leader and serve read operations. A follower can become leader if the current leader fails.

Quorum Protection

Writes require majority confirmation. Prevents split-brain and ensures zero data loss during failover.

Communication Channels

Port   Channel          Details
8443   HTTPS REST API   Client management, configuration
8444   UDP Heartbeat    2-second intervals, HMAC-SHA256
8445   Raft Consensus   mTLS encrypted, state replication
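The heartbeat channel above is authenticated with HMAC-SHA256 and sent every 2 seconds. The following is an added illustration, not GovernFlow's own code, and the message layout (a JSON body followed by a 32-byte tag) and shared cluster key are assumptions; it shows the checks a receiver should make before trusting a heartbeat: constant-time tag comparison, a freshness window derived from the 2-second interval, and per-node replay rejection.

```python
import hashlib
import hmac
import json
import time

# Assumed wire format (not GovernFlow's actual protocol): a JSON body
# {"node": ..., "seq": ..., "ts": ...} followed by a 32-byte HMAC-SHA256 tag.
TAG_LEN = 32
# Heartbeats arrive every 2 seconds; tolerate up to three missed intervals.
MAX_AGE_SECONDS = 6.0


def build_heartbeat(key: bytes, node: str, seq: int, ts: float) -> bytes:
    """Serialise a heartbeat deterministically and append its HMAC-SHA256 tag."""
    body = json.dumps({"node": node, "seq": seq, "ts": ts}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class HeartbeatVerifier:
    """Verifies heartbeats and tracks the last accepted sequence per peer."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now          # injectable clock so the checks are testable
        self.last_seq = {}      # node id -> highest sequence number accepted

    def verify(self, packet: bytes) -> "tuple[bool, str]":
        if len(packet) <= TAG_LEN:
            return False, "truncated"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Authenticate before parsing; compare_digest avoids leaking the
        # position of the first mismatching byte through timing.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        try:
            msg = json.loads(body)
            node, seq, ts = msg["node"], int(msg["seq"]), float(msg["ts"])
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        # Reject heartbeats outside the freshness window (old or from the future).
        if abs(self.now() - ts) > MAX_AGE_SECONDS:
            return False, "stale"
        # Reject any sequence number not strictly greater than the last accepted one.
        if seq <= self.last_seq.get(node, -1):
            return False, "replay"
        self.last_seq[node] = seq
        return True, "ok"
```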

Data Flow

How GovernFlow integrates with OpenVPN for real-time configuration

1. Client Connects to OpenVPN
   OpenVPN receives the connection request and triggers the client-connect script.

2. governflow-query Fetches Config
   The helper queries governflowd over the Unix socket for the client's configuration (IP, routes, QoS, zone).

3. Configuration Applied
   Firewall rules are installed via pf/iptables, routes are added, and a push file is generated for OpenVPN.

4. Session Tracked in Cluster
   The session is registered across all cluster nodes, with distributed locking to prevent duplicate sessions.

Technology Stack

Built with performance and reliability in mind

C              Native performance
SQLite         Zero dependencies
OpenSSL        Cryptography
libmicrohttpd  HTTP/S server
