jkroepke / openvpn-auth-oauth2 Goto Github PK

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows

Home Page: https://github.com/jkroepke/openvpn-auth-oauth2/wiki

License: MIT License

Makefile 0.93% Go 94.63% Dockerfile 0.37% Shell 0.76% CSS 3.20% JavaScript 0.11%

oauth2 oauth2-client openvpn openvpn-auth openvpn-server oauth2-authentication vpn oidc sso sso-authentication

openvpn-auth-oauth2's Introduction

openvpn-auth-oauth2

⭐ Don't forget to star this repository! ⭐

About

openvpn-auth-oauth2 is a management client for OpenVPN that handles the single sign-on (SSO) authentication against various OIDC providers. This project aims to simplify the process of integrating OpenVPN with OIDC providers such as

Microsoft Entra ID (Azure AD)
GitHub
Okta
Google Workspace
Zittal
Digitalocean
Keycloak
... any other OIDC compatible auth server

Installation

For detailed installation instructions, please refer to the Installation Guide.

Configuration

For information on how to configure openvpn-auth-oauth2, please refer to the Configuration Guide.

OpenVPN Version Requirements

For information on the OpenVPN version requirements, please refer to the OpenVPN Guide.

Related Projects

License

This project is licensed under the MIT License.

Acknowledgements

Thanks to JetBrains IDEs and Sparklabs for their support.

JetBrains IDEs	Sparklabs

openvpn-auth-oauth2's People

Contributors

Stargazers

Watchers

Forkers

enricosuardi puluto sergiogiuffrida denvilk vincib chiefwiggum tuxpowered42 teikametrics pionerd mhm0ud lxfontes ihipop vasuinukollu freeddser jenarutamara

openvpn-auth-oauth2's Issues

IDP Connection

I've tried to use this plugin with Github(doesn't work), goAuthentik(doesn't work), Zitadel(doesn't work).
Can you write some instructions how to setup library with any of this IDP, please?

Long common name of client certificate causes authentication process to fail

Current Behavior

The common name is included in the auth URL state parameter. Due to the length limit of the auth URL that the application can pass over the management channel to the OpenVPN server longer common names make the auth process fail.

Expected Behavior

The application documentation states limitation in the length of the common name.
The application offers an option to not add the common name to the state parameter, effectively preventing use of the common name further on in the authentication process. Use of for example the preferred_username from the token claims might then have to be enforced.

Steps To Reproduce

1. Create a client certificate with a long common name.
2. Try to authenticate using the new client certificate.

Environment

openvpn-auth-oauth2 Version: 1.11.0
OpenVPN Server Version: 2.6.7
Server OS: Ubuntu
OpenVPN Client (flavor, OS): Viscosity, MacOS

Anything else?

No response

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

chore(deps): update ubuntu docker tag to v24

Detected dependencies

docker-compose

docs/demo/docker-compose.yaml

dockerfile

pkg/plugin/Dockerfile

ubuntu 22.04

github-actions

.github/workflows/ci.yaml

actions/checkout v4

actions/setup-go v5

goreleaser/goreleaser-action v5

codecov/codecov-action v4

actions/upload-artifact v4

actions/checkout v4

actions/setup-go v5

golangci/golangci-lint-action v5

actions/checkout v4

actions/setup-go v5

goreleaser/goreleaser-action v5

.github/workflows/pr-check.yaml

.github/workflows/stale.yaml

actions/stale v9

.github/workflows/wiki.yaml

actions/checkout v4

actions/checkout v4

gomod

go.mod

go 1.22

github.com/go-viper/mapstructure/v2 v2.0.0-alpha.1

github.com/knadh/koanf/parsers/yaml v0.1.0

github.com/knadh/koanf/providers/basicflag v1.0.0

github.com/knadh/koanf/providers/env v0.1.0

github.com/knadh/koanf/providers/file v0.1.0

github.com/knadh/koanf/providers/structs v0.1.0

github.com/knadh/koanf/v2 v2.1.1

github.com/madflojo/testcerts v1.1.1

github.com/stretchr/testify v1.9.0

github.com/zitadel/logging v0.6.0

github.com/zitadel/oidc/v3 v3.22.1

golang.org/x/net v0.24.0

golang.org/x/oauth2 v0.19.0

golang.org/x/text v0.14.0

pkg/plugin/go.mod

go 1.22

regex

.github/workflows/ci.yaml

golangci/golangci-lint v1.57.2

Makefile

golangci/golangci-lint v1.57.2

Check this box to trigger a request for Renovate to run again on this repository

Missing common_name Username

Current Behavior

I have tried on a few clients and it doesn't seem to pick it up

time=2024-01-25T10:37:05.540Z level=INFO msg="accept OpenVPN client cid 26, kid 1" cid=26 kid=1 common_name="" idtoken.subject=ZTDL76jW67ch6sbug7r5FaP427EYygr4CjH3xqZPnmE47idtoken.preferred_username=[email protected]=ZTDL7426jW67ch6sbug7r5FaPYygr4CjH3xqZPnmE48 user.preferred_username=[email protected]

time=2024-01-25T10:37:05.683Z level=INFO msg="client established" cid=26 common_name="" reason=ESTABLISHED username=""

Expected Behavior

common_name="" reason=ESTABLISHED username="" both are blank on default setup for Viscosity and OpenVPN connect. idtoken.preferred_username is populated

Steps To Reproduce

Ubuntu 23.04
OpenVPN 2.6.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10

Environment

openvpn-auth-oauth2 Version: 1.13.5
OpenVPN Server Version: 2.6.8
Server OS: 23.04
OpenVPN Client (flavor, OS): Tunnelblick beta , OpenVPN connect latest

Anything else?

Nothing else to add.

openvpn-auth-oauth2 requires OpenVPN management interface version 5 or higher

Current Behavior

openvpn-auth-oauth2 requires OpenVPN management interface version 5 or higher

Expected Behavior

Working plugin

Steps To Reproduce

1. configuring openvpn with [script](https://rawsrv.medium.com/how-to-install-your-own-openvpn-server-in-under-five-minutes-6d8624f18a50)
2. setup openvpn-auth-oauth2 as linux package
3. configuring plugin as in wiki

Environment

openvpn-auth-oauth2 Version: 1.8.0
OpenVPN Server Version: 2.4.12
Server OS: Centos stream 8
OpenVPN Client (flavor, OS): tunnelblick, macos

Anything else?

No response

unable to make it work for google oauth

Current Behavior

getting below error:

Dec 23 14:02:16 vaditest-openvpn-google systemd[1]: openvpn-auth-oauth2.service: Service RestartSec=5s expired, scheduling restart.
Dec 23 14:02:16 vaditest-openvpn-google systemd[1]: openvpn-auth-oauth2.service: Scheduled restart job, restart counter is at 321.
Dec 23 14:02:16 vaditest-openvpn-google systemd[1]: Stopped OpenVPN authenticator.
Dec 23 14:02:16 vaditest-openvpn-google systemd[1]: Started OpenVPN authenticator.
Dec 23 14:02:16 vaditest-openvpn-google openvpn-auth-oauth2[324571]: time=2023-12-23T14:02:16.037Z level=INFO msg="discover oidc auto configuration with provider generic for issuer https://accounts.google.com/.well-known/openid-configuration"
Dec 23 14:02:16 vaditest-openvpn-google openvpn-auth-oauth2[324571]: time=2023-12-23T14:02:16.171Z level=ERROR msg="newProviderWithDiscovery: http status not ok: 404 Not Found <html lang=en><meta charset=utf-8><meta name=viewport content=\"initial-scale=1, minimum-scale=1, width=device-width\"><title>Error 404 (Not Found)!!1</title><style nonce=\"c7w3kzaxeA31SLc-q1Va-w\">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}</style><main id=\"af-error-container\" role=\"main\"><a href=//www.google.com><span id=logo aria-label=Google role=img></span></a><p><b>404.</b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>"
Dec 23 14:02:16 vaditest-openvpn-google systemd[1]: openvpn-auth-oauth2.service: Main process exited, code=exited, status=1/FAILURE
Dec 23 14:02:16 vaditest-openvpn-google systemd[1]: openvpn-auth-oauth2.service: Failed with result 'exit-code'.

Expected Behavior

No response

Steps To Reproduce

below configuration is from : /etc/sysconfig/openvpn-auth-oauth2
CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server.sock
CONFIG_OPENVPN_PASSWORD=XXXXXX
CONFIG_OAUTH2_ISSUER=https://accounts.google.com/.well-known/openid-configuration
CONFIG_OAUTH2_CLIENT_ID=162738495-xxxxx.apps.googleusercontent.com (it is not correct-ID)
CONFIG_OAUTH2_CLIENT_SECRET=GOCSPX-xxxxxxxx (it is not correct-SECRET)
# Define a random value with 16 or 24 characters
CONFIG_HTTP_SECRET=cFL3QzfPJUqdsdsdsds
# Define the public http endpoint here.
CONFIG_HTTP_LISTEN=:9000
CONFIG_HTTP_BASE_URL=https://login.example.com (it is not correct-domain name)

1> referring to document, it has mentioned either of this 2 in different place:
CONFIG_HTTP_BASEURL
CONFIG_HTTP_BASE_URL 
not sure which one is correct.
2>i have setup reverse proxy to make use tls for 9000 PORT and i am not sure what PORT i need to use in CONFIG_HTTP_LISTEN

upstream app {
    server 127.0.0.1:9000;
}

server {
    if ($host = login.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 default_server;
    server_name login.example.com;
    return 404; # managed by Certbot

}

server {
    listen 443 ssl; # managed by Certbot
    server_name login.example.com;
    ssl_certificate /etc/letsencrypt/live/login.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/login.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    location / {
      proxy_pass http://app;
      proxy_set_header X-Real-IP  $remote_addr;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Real-Port $server_port;
      proxy_set_header X-Real-Scheme $scheme;
    }
}



### Environment

- openvpn-auth-oauth2 Version:openvpn-auth-oauth2-1.12.2-1.x86_64
- OpenVPN Server Version:openvpn-2.6.8-1.el8.x86_64
- Server OS:Rocky Linux release 8.9 (Green Obsidian)
- OpenVPN Client (flavor, OS):  openvpn3       21-1+jammy   amd64        OpenVPN 3 Linux client


### Anything else?

please help me to fix this. Thanks

Azure AD----The redirect URI XXX specified in the request does not match the redirect URIs

This is detailed error information：

Request Id: 309871e1-882b-4b51-a738-2e87d2215c03
Correlation Id: 4b558249-711b-45cd-ba30-09c5e9b5adb7
Timestamp: 2024-01-03T08:40:59Z
Message: AADSTS50011: The redirect URI 'http://:9000/oauth2/callback' specified in the request does not match the redirect URIs configured for the application '0bf12583-c907-48ad-a45f-182b3d44379e'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.

this is redirect_uri:
https://login.microsoftonline.com/XXXXXX/oauth2/v2.0/authorize?client_id=&code_challenge=FSE0ppw-i0Gw59jB4M3eN4n27GSFvf060t5hbbzmsog&code_challenge_method=S256&nonce=AMzA7-wvRNzOZ7hfkfbHXtNWzq0KAAF0hihZQP2vaxulWsvcax0P6KGZSPEKQsd4scbaLg&redirect_uri=http%3A%2F%2F%3A9000%2Foauth2%2Fcallback&response_type=code&scope=openid+profile+email+offline_access&state=AMzA7-wvRNzOZ7hfkfbHXtNWzq0KAAF0hihZQP2vaxulWsvcax0P6KGZSPEKQsd4scbaLg

and this is Azure AD config

my openvpn-auth-oauth2 conf

CONFIG_OPENVPN_ADDR=unix:///run/openvpn-server/server.sock
CONFIG_OPENVPN_PASSWORD=xxx
CONFIG_OAUTH2_ISSUER=https://login.microsoftonline.com/xxx/v2.0
#CONFIG_OAUTH2_ISSUER=https://login.chinacloudapi.cn/dfc040c2-172e-4b45-8702-2d500250efbf/v2.0
CONFIG_OAUTH2_CLIENT_ID= #CLIENT_ID
CONFIG_OAUTH2_CLIENT_SECRET=#CLIENT_SECRET
CONFIG_HTTP_LISTEN=:9000
# Define a random value with 16 or 24 characters
CONFIG_HTTP_SECRET=1jd93h5b6s82lf03jh5b2hf9
# Define the public http endpoint here.
CONFIG_HTTP_BASEURL=http://<ip>:9000

can you help me? @jkroepke

How to use openvpn to connect to casdoor And use Wecom as Casdoor's provider?

Problem Statement

No response

Proposed Solution

No response

Additional information

No response

Acceptance Criteria

No response

Azure Entra ID / Safari Browser: Access Denied / named cookie not present

Current Behavior

I'm trying to set up integration with Entra ID, but unfortunately I do not get the whole chain working. I get an Access Denied error in my browser after successfully logging into Azure, which is coming from the openvpn-auth-oauth2 component as it seems.

client.conf

client
proto udp
explicit-exit-notify
remote <domainname> 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_2gxU7CObCpLBg6IL name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxx
-----END OpenVPN Static key V1-----
</tls-crypt>
auth-user-pass
# Not sure if auth-user-pass is necessary, I get no browser popup without this (just hangs), saw it used in another ticket

server.conf

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_2gxU7CObCpLBg6IL.crt
key server_2gxU7CObCpLBg6IL.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
# verify-client-cert optional
management /run/openvpn/server.sock unix /etc/openvpn/password.txt
management-client-auth

/etc/sysconfig/openvpn-auth-oauth2

CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server.sock
CONFIG_OPENVPN_PASSWORD=<password>
CONFIG_OAUTH2_ISSUER=https://login.microsoftonline.com/<tenant_id>/v2.0
CONFIG_OAUTH2_CLIENT_ID=<client_id>
CONFIG_OAUTH2_CLIENT_SECRET=<client_secret>
CONFIG_HTTP_LISTEN=:9000
# Define a random value with 16 or 24 characters
CONFIG_HTTP_SECRET=1jd93h5b6s82lf03jh5b2hf3
# Define the public http endpoint here.
CONFIG_HTTP_BASEURL=https://<domainname>:9000
CONFIG_HTTP_TLS=true
CONFIG_HTTP_KEY=/etc/sysconfig/server.key
CONFIG_HTTP_CERT=/etc/sysconfig/server.crt
CONFIG_OAUTH2_REFRESH_ENABLED=true
CONFIG_OAUTH2_REFRESH_EXPIRES=8h
CONFIG_OAUTH2_REFRESH_SECRET=<random_secret | I got an error that this value was missing, could not find it in the docs>

journalctl for ovpn

Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 VERIFY OK: depth=1, CN=cn_y17JhGwUdyb1QJrr
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 VERIFY OK: depth=0, CN=default
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 peer info: IV_VER=3.8.1
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 peer info: IV_PLAT=mac
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 peer info: IV_NCP=2
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 peer info: IV_TCPNL=1
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 peer info: IV_PROTO=990
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 peer info: IV_MTU=1600
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 peer info: IV_GUI_VER=OCmacOS_3.4.4-4629
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 peer info: IV_SSO=webauth,openurl,crtext
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 TLS: Username/Password authentication deferred for username 'test'
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: MANAGEMENT: CMD 'client-pending-auth 11 1 "WEB_AUTH::https://<domainname>:9000/oauth2/start?state=-6oVDgqXTVQq9ycDfralmAlFYs26rzbuFbZbad8wVe5-S1cT0xR6sBkC3Guc>
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: SENT CONTROL [default]: 'AUTH_PENDING,timeout 180' (status=1)
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: SENT CONTROL [default]: 'INFO_PRE,WEB_AUTH::https://<domainname>:9000/oauth2/start?state=-6oVDgqXTVQq9ycDfralmAlFYs26rzbuFbZbad8wVe5-S1cT0xR6sBkC3Guc1d6XQFPSZ>
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ECprime256v1, signature: ecdsa-with-SHA256, peer temporary key: 253 >
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 [default] Peer Connection Initiated with [AF_INET]<client_ip>:62496
Jan 03 20:08:43 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 PUSH: Received control message: 'PUSH_REQUEST'
Jan 03 20:08:44 shared-hub-vpn-gateway ovpn-server[614865]: <client_ip>:62496 PUSH: Received control message: 'PUSH_REQUEST'

journalctl for your component:

Jan 03 20:08:43 shared-hub-vpn-gateway openvpn-auth-oauth2[615049]: time=2024-01-03T20:08:43.863Z level=INFO msg="new client connection" cid=11 kid=1 reason=CONNECT common_name=default username=<username>
Jan 03 20:08:43 shared-hub-vpn-gateway openvpn-auth-oauth2[615049]: time=2024-01-03T20:08:43.863Z level=INFO msg="start pending auth" cid=11 kid=1 reason=CONNECT common_name=default username=<username>
Jan 03 20:08:44 shared-hub-vpn-gateway openvpn-auth-oauth2[615049]: time=2024-01-03T20:08:44.198Z level=INFO msg="initialize authorization via oauth2" common_name=default cid=11 kid=1
Jan 03 20:08:44 shared-hub-vpn-gateway openvpn-auth-oauth2[615049]: time=2024-01-03T20:08:44.509Z level=WARN msg="Unauthorized: failed to get state: http: named cookie not present"

Expected Behavior

No response

Steps To Reproduce

No response

Environment

openvpn-auth-oauth2 Version: 1.13.0
OpenVPN Server Version: OpenVPN 2.6.8 x86_64-pc-linux-gnu
Server OS: Ubuntu 22.04.3 LTS
OpenVPN Client (flavor, OS): OpenVPN Connect Version 3.4.4 (4629) on MacOS

Anything else?

No response

IOS OpenVPN Connect will disconnect after lock screen for about 20 seconds and can not auto re-connect after unlock

Current Behavior

when I lock the screen， after about 20s after the screen turns to black, the server will get a message that the client has disconnected
when I unlock it, the IOS OpenVPN Connect will pop up a message and says that the connection has been disconnected
I have to open the app again and wait for the browser to open and then auto-close
this could not be done in the background with auto

this option still helps nothing

oauth2.refresh.enabled=true enabled too

If I disable openvpn-auth-oauth2, the auto-reconnect will be done in the background without any manual access

Expected Behavior

Steps To Reproduce

Environment

openvpn-auth-oauth2 Version: master
OpenVPN Server Version: OpenVPN 2.6.8 [git:makepkg/3b0d9489cc423da3+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Nov 17 2023
Server OS: Manjaro Linux 23.1.3
OpenVPN Client (flavor, OS): OpenVPN Connect 3.4.1 (5463)/ IOS 15.8.1
OIDC Provider: STD oauth2 provider

openvpn-auth-oauth2 logs

time=2024-02-19T09:17:01.092+08:00 level=INFO msg="new client connection" cid=67 kid=1 [email protected] reason=CONNECT username=""
time=2024-02-19T09:17:01.092+08:00 level=INFO msg="start pending auth" cid=67 kid=1 [email protected] reason=CONNECT username=""
time=2024-02-19T09:17:02.903+08:00 level=INFO msg="client disconnected" cid=66 [email protected] reason=DISCONNECT username=""
time=2024-02-19T09:17:22.231+08:00 level=INFO msg="initialize authorization via oauth2" cid=67 kid=1 [email protected]
time=2024-02-19T09:17:22.814+08:00 level=INFO msg="successful authorization via oauth2" cid=67 kid=1 [email protected] idtoken.subject=on_a0cb95cc0a79d1d72d11050d855ac1c5 idtoken.preferred_username="" user.subject=on_a0cb95cc0a79d1d72d11050d855ac1c5 user.preferred_username=""
time=2024-02-19T09:17:22.814+08:00 level=INFO msg="accept OpenVPN client cid 67, kid 1" cid=67 kid=1 [email protected] idtoken.subject=on_a0cb95cc0a79d1d72d11050d855ac1c5 idtoken.preferred_username="" user.subject=on_a0cb95cc0a79d1d72d11050d855ac1c5 user.preferred_username=""
time=2024-02-19T09:17:26.120+08:00 level=INFO msg="client established" cid=67 [email protected] reason=ESTABLISHED username=""
time=2024-02-19T09:17:59.607+08:00 level=INFO msg="client disconnected" cid=67 [email protected] reason=DISCONNECT username=""

openvpn server logs

2024-02-19 09:17:01 172.18.1.243:59878 peer info: IV_VER=3.8.3connect1
2024-02-19 09:17:01 172.18.1.243:59878 peer info: IV_PLAT=ios
2024-02-19 09:17:01 172.18.1.243:59878 peer info: IV_NCP=2
2024-02-19 09:17:01 172.18.1.243:59878 peer info: IV_TCPNL=1
2024-02-19 09:17:01 172.18.1.243:59878 peer info: IV_PROTO=990
2024-02-19 09:17:01 172.18.1.243:59878 peer info: IV_MTU=1600
2024-02-19 09:17:01 172.18.1.243:59878 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
2024-02-19 09:17:01 172.18.1.243:59878 peer info: IV_AUTO_SESS=1
2024-02-19 09:17:01 172.18.1.243:59878 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.4.1-5463
2024-02-19 09:17:01 172.18.1.243:59878 peer info: IV_SSO=webauth,openurl,crtext
2024-02-19 09:17:01 172.18.1.243:59878 peer info: IV_BS64DL=1
2024-02-19 09:17:01 172.18.1.243:59878 [[email protected]] Peer Connection Initiated with [AF_INET]172.18.1.243:59878
2024-02-19 09:17:26 [email protected]/172.18.1.243:59878 MULTI_sva: pool returned IPv4=10.172.18.2, IPv6=(Not enabled)
2024-02-19 09:17:54 [email protected]/172.18.1.243:59878 CC-EEN exit message received by peer
2024-02-19 09:17:54 read UDPv4 [ECONNREFUSED]: Connection refused (fd=5,code=111)

Anything else?

No response

Username UNDEF if not using client-certs

Problem Statement

By initial motivation (https://medium.com/@jkroepke/openvpn-sso-via-oauth2-ab2583ee8477), this manager should make using client certificates for openvpn authentication unneeded. Actually, openvpn/openvpn-auth-oauth2 works fine with verify-client-cert none, but the status file will state "UNDEF" as user, and consequently ipp.txt won't help to re-use IP addresses when the same user reconnects.
Current, client certificates and verify-client-cert required/optional is necessary to obtain the username in openvpn.

Proposed Solution

openvpn-auth-oauth2 should report the username back to openvpn, so that openvpn-status and ipp.txt can work as expected.
Preferrably, the username should be taken from the OAuth2 claims. For this, I propose a setting oauth2.userclaim, to specify where to take the username from (might be one of e.g. preferred_username, email, name).

Additional information

No response

Acceptance Criteria

No response

Email as a common name.

Problem Statement

Hello.
I'm trying to set up a plugin with Google OIDC, and I have a small question. Can I use the email from the data obtained from OIDC to fill in the common name field?
Let me try to explain in more detail. I am using a configuration without client certificates and passwords (a sample client config is below). All authentication is performed only through openvpn-auth-oauth2. This is quite convenient, one configuration file for all clients.

remote vpn.example.com 8001
remote-cert-tls server
client
dev tun
proto tcp
key-direction 1
cipher AES-256-CBC
nobind
persist-key
verb 3
keepalive 10 60
 
<ca>
.....
</ca>
<tls-auth>
.....
</tls-auth>

But in this case, there is a small problem, since we do not specify a username anywhere, which can later be used as CN, so if you look at the statistics, it is not clear which user is which client (Common Name = UNDEF)

root@localhost:~# cat  /var/run/openvpn-server/status-tcp8001.log
OpenVPN CLIENT LIST
Updated,2023-12-27 08:10:21
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
UNDEF,219.93.0.130:48881,1784,3808,2023-12-27 08:10:02
UNDEF,219.93.0.130:58579,1558,3660,2023-12-27 08:10:16
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.36,UNDEF,219.93.0.130:58579,2023-12-27 08:10:19
10.8.0.37,UNDEF,219.93.0.130:48881,2023-12-27 08:10:20
GLOBAL STATS
Max bcast/mcast queue length,2
END
root@localhost:~#

Can you advise how to configure the plugin so that it passes the CN value to OpenVPN through the management interface, or is such functionality not available at the moment?

Proposed Solution

No response

Additional information

No response

Acceptance Criteria

No response

Client disconnected after a few minutes

Thank you for your library. I can successfully use Azure AD to login.
But after just a few minutes, client was disconnected with OpenVPN server. Can you help me figure out why this is happening.

OpenVPN server log:

2023-09-21 10:35:56 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-09-21 10:35:56 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2023-09-21 10:35:56 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
2023-09-21 10:35:56 OpenVPN 2.6.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
2023-09-21 10:35:56 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
2023-09-21 10:35:56 DCO version: N/A
2023-09-21 10:35:56 MANAGEMENT: TCP Socket listening on [AF_INET][undef]:8081
2023-09-21 10:35:56 Need hold release from management interface, waiting...
2023-09-21 10:41:41 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:59898
2023-09-21 10:41:41 MANAGEMENT: CMD 'hold release'
2023-09-21 10:41:41 net_route_v4_best_gw query: dst 0.0.0.0
2023-09-21 10:41:41 net_route_v4_best_gw result: via 172.16.7.1 dev eth0
2023-09-21 10:41:41 TUN/TAP device tun0 opened
2023-09-21 10:41:41 net_iface_mtu_set: mtu 1500 for tun0
2023-09-21 10:41:41 net_iface_up: set tun0 up
2023-09-21 10:41:41 net_addr_v4_add: 10.8.0.1/24 dev tun0
2023-09-21 10:41:41 Could not determine IPv4/IPv6 protocol. Using AF_INET
2023-09-21 10:41:41 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-09-21 10:41:41 UDPv4 link local (bound): [AF_INET][undef]:1194
2023-09-21 10:41:41 UDPv4 link remote: [AF_UNSPEC]
2023-09-21 10:41:41 UID set to nobody
2023-09-21 10:41:41 GID set to nogroup
2023-09-21 10:41:41 Capabilities retained: CAP_NET_ADMIN
2023-09-21 10:41:41 MULTI: multi_init called, r=256 v=256
2023-09-21 10:41:41 IFCONFIG POOL IPv4: base=10.8.0.2 size=253
2023-09-21 10:41:41 Initialization Sequence Completed
2023-09-21 10:41:41 MANAGEMENT: CMD 'version'
2023-09-21 10:42:04 A.B.C.D:50849 VERIFY OK: depth=1, CN=Easy-RSA CA
2023-09-21 10:42:04 A.B.C.D:50849 VERIFY OK: depth=0, CN=client
2023-09-21 10:42:04 A.B.C.D:50849 peer info: IV_VER=v3.7.1
2023-09-21 10:42:04 A.B.C.D:50849 peer info: IV_PLAT=linux
2023-09-21 10:42:04 A.B.C.D:50849 peer info: IV_NCP=2
2023-09-21 10:42:04 A.B.C.D:50849 peer info: IV_TCPNL=1
2023-09-21 10:42:04 A.B.C.D:50849 peer info: IV_PROTO=30
2023-09-21 10:42:04 A.B.C.D:50849 peer info: IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
2023-09-21 10:42:04 A.B.C.D:50849 peer info: IV_AUTO_SESS=1
2023-09-21 10:42:04 A.B.C.D:50849 peer info: IV_GUI_VER=OpenVPN3/Linux/v19_beta
2023-09-21 10:42:04 A.B.C.D:50849 peer info: IV_SSO=openurl,webauth
2023-09-21 10:42:04 A.B.C.D:50849 peer info: IV_BS64DL=1
2023-09-21 10:42:04 A.B.C.D:50849 TLS: Username/Password authentication deferred for username '' 
2023-09-21 10:42:04 A.B.C.D:50849 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-09-21 10:42:04 A.B.C.D:50849 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
2023-09-21 10:42:04 MANAGEMENT: CMD 'client-pending-auth 0 1 "WEB_AUTH::https://placeholder.com/oauth2/start?state=nJwAv54EWmnB%2B5OvIG9mZuEn1w0wCD2O4q53d6r05ApNNkb9DEv0oUmvn3agIUyknxTRoxLWZ4fVBR3xx3lqFSOQWsUmHxSRRHpjWdO7i8wun8s8bw8NrMbJYXORGApFHYQyi584LWu5QA%3D%3D" 600'
2023-09-21 10:42:04 SENT CONTROL [client]: 'AUTH_PENDING,timeout 60' (status=1)
2023-09-21 10:42:04 SENT CONTROL [client]: 'INFO_PRE,WEB_AUTH::https://placeholder.com/oauth2/start?state=nJwAv54EWmnB%2B5OvIG9mZuEn1w0wCD2O4q53d6r05ApNNkb9DEv0oUmvn3agIUyknxTRoxLWZ4fVBR3xx3lqFSOQWsUmHxSRRHpjWdO7i8wun8s8bw8NrMbJYXORGApFHYQyi584LWu5QA%3D%3D' (status=1)
2023-09-21 10:42:04 A.B.C.D:50849 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 253 bit ED25519, signature: ED25519
2023-09-21 10:42:04 A.B.C.D:50849 [client] Peer Connection Initiated with [AF_INET]A.B.C.D:50849
2023-09-21 10:42:04 A.B.C.D:50849 PUSH: Received control message: 'PUSH_REQUEST'
2023-09-21 10:42:05 A.B.C.D:50849 PUSH: Received control message: 'PUSH_REQUEST'
2023-09-21 10:42:13 A.B.C.D:50849 PUSH: Received control message: 'PUSH_REQUEST'
2023-09-21 10:42:21 A.B.C.D:50849 PUSH: Received control message: 'PUSH_REQUEST'
2023-09-21 10:42:29 A.B.C.D:50849 PUSH: Received control message: 'PUSH_REQUEST'
2023-09-21 10:42:37 A.B.C.D:50849 PUSH: Received control message: 'PUSH_REQUEST'
2023-09-21 10:42:45 A.B.C.D:50849 PUSH: Received control message: 'PUSH_REQUEST'
2023-09-21 10:42:46 MANAGEMENT: Client disconnected
2023-09-21 10:42:53 A.B.C.D:50849 PUSH: Received control message: 'PUSH_REQUEST'
2023-09-21 10:43:01 A.B.C.D:50849 PUSH: Received control message: 'PUSH_REQUEST'
2023-09-21 10:43:04 A.B.C.D:50849 Delayed exit in 5 seconds
2023-09-21 10:43:04 A.B.C.D:50849 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
2023-09-21 10:43:04 A.B.C.D:50849 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
2023-09-21 10:43:09 A.B.C.D:50849 SIGTERM[soft,delayed-exit] received, client-instance exiting
2023-09-21 10:43:53 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:59752
2023-09-21 10:43:53 MANAGEMENT: CMD 'hold release'
2023-09-21 10:43:53 MANAGEMENT: CMD 'version'
2023-09-21 10:44:13 A.B.C.D:50550 VERIFY OK: depth=0, CN=client
2023-09-21 10:44:13 A.B.C.D:50550 peer info: IV_VER=v3.7.1
2023-09-21 10:44:13 A.B.C.D:50550 peer info: IV_PLAT=linux
2023-09-21 10:44:13 A.B.C.D:50550 peer info: IV_NCP=2
2023-09-21 10:44:13 A.B.C.D:50550 peer info: IV_TCPNL=1
2023-09-21 10:44:13 A.B.C.D:50550 peer info: IV_PROTO=30
2023-09-21 10:44:13 A.B.C.D:50550 peer info: IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
2023-09-21 10:44:13 A.B.C.D:50550 peer info: IV_AUTO_SESS=1
2023-09-21 10:44:13 A.B.C.D:50550 peer info: IV_GUI_VER=OpenVPN3/Linux/v19_beta
2023-09-21 10:44:13 A.B.C.D:50550 peer info: IV_SSO=openurl,webauth
2023-09-21 10:44:13 A.B.C.D:50550 peer info: IV_BS64DL=1
2023-09-21 10:44:13 A.B.C.D:50550 TLS: Username/Password authentication deferred for username '' 
2023-09-21 10:44:13 A.B.C.D:50550 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-09-21 10:44:13 A.B.C.D:50550 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
2023-09-21 10:44:13 MANAGEMENT: CMD 'client-pending-auth 1 1 "WEB_AUTH::https://placeholder.com/oauth2/start?state=ePEZ1OSTa9XOPamzzWE1nZ6eATmjHiOFtyyj7TfkNHBkYWUtwjtv57WtApkvu3OG45XNqr2YBBu%2B%2F%2B0DKdwyDsyYyQZ29HG8JmZMGZXnkiLx2WjuXvvQFEESdvufWklaKCY2ZNtpmNbAkw%3D%3D" 600'
2023-09-21 10:44:13 SENT CONTROL [client]: 'AUTH_PENDING,timeout 60' (status=1)
2023-09-21 10:44:13 SENT CONTROL [client]: 'INFO_PRE,WEB_AUTH::https://placeholder.com/oauth2/start?state=ePEZ1OSTa9XOPamzzWE1nZ6eATmjHiOFtyyj7TfkNHBkYWUtwjtv57WtApkvu3OG45XNqr2YBBu%2B%2F%2B0DKdwyDsyYyQZ29HG8JmZMGZXnkiLx2WjuXvvQFEESdvufWklaKCY2ZNtpmNbAkw%3D%3D' (status=1)
2023-09-21 10:44:13 A.B.C.D:50550 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 253 bit ED25519, signature: ED25519
2023-09-21 10:44:13 A.B.C.D:50550 [client] Peer Connection Initiated with [AF_INET]A.B.C.D:50550
2023-09-21 10:44:13 A.B.C.D:50550 PUSH: Received control message: 'PUSH_REQUEST'
2023-09-21 10:44:14 A.B.C.D:50550 PUSH: Received control message: 'PUSH_REQUEST'
2023-09-21 10:44:17 MANAGEMENT: CMD 'client-auth-nt 1 1'
2023-09-21 10:44:22 A.B.C.D:50550 PUSH: Received control message: 'PUSH_REQUEST'
2023-09-21 10:44:22 client/A.B.C.D:50550 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
2023-09-21 10:44:22 client/A.B.C.D:50550 MULTI: Learn: 10.8.0.2 -> client/A.B.C.D:50550
2023-09-21 10:44:22 client/A.B.C.D:50550 MULTI: primary virtual IP for client/A.B.C.D:50550: 10.8.0.2
2023-09-21 10:44:22 client/A.B.C.D:50550 SENT CONTROL [client]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,key-derivation tls-ekm' (status=1)
2023-09-21 10:44:23 client/A.B.C.D:50550 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2023-09-21 10:44:23 client/A.B.C.D:50550 Timers: ping 10, ping-restart 120
2023-09-21 10:44:23 client/A.B.C.D:50550 Protocol options: explicit-exit-notify 1, protocol-flags tls-ekm
2023-09-21 10:45:12 client/A.B.C.D:50550 TLS: soft reset sec=59/59 bytes=375191/-1 pkts=1096/0
2023-09-21 10:45:14 client/A.B.C.D:50550 VERIFY OK: depth=1, CN=Easy-RSA CA
2023-09-21 10:45:14 client/A.B.C.D:50550 VERIFY OK: depth=0, CN=client
2023-09-21 10:45:14 client/A.B.C.D:50550 peer info: IV_VER=v3.7.1
2023-09-21 10:45:14 client/A.B.C.D:50550 peer info: IV_PLAT=linux
2023-09-21 10:45:14 client/A.B.C.D:50550 peer info: IV_NCP=2
2023-09-21 10:45:14 client/A.B.C.D:50550 peer info: IV_TCPNL=1
2023-09-21 10:45:14 client/A.B.C.D:50550 peer info: IV_PROTO=30
2023-09-21 10:45:14 client/A.B.C.D:50550 peer info: IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
2023-09-21 10:45:14 client/A.B.C.D:50550 peer info: IV_AUTO_SESS=1
2023-09-21 10:45:14 client/A.B.C.D:50550 peer info: IV_GUI_VER=OpenVPN3/Linux/v19_beta
2023-09-21 10:45:14 client/A.B.C.D:50550 peer info: IV_SSO=openurl,webauth
2023-09-21 10:45:14 client/A.B.C.D:50550 TLS: Username/Password authentication deferred for username '' 
2023-09-21 10:45:14 MANAGEMENT: CMD 'client-pending-auth 1 3 "WEB_AUTH::https://placeholder.com/oauth2/start?state=5%2FEh5MMw%2BIjZZQau1gRhvMIxnr8PSI%2B9SsTowA1yCjhDo0trR7JA3Vo5xAvL0BUo%2FvxUYCw8hhN6AbkT0QKMsSz53%2B3VWzn3TFlKydvJ4tvFmhDFGqynH%2F%2FNEWOMtJAo9UhbuQO4WDQP7g%3D%3D" 600'
2023-09-21 10:45:14 SENT CONTROL [client]: 'AUTH_PENDING,timeout 58' (status=1)
2023-09-21 10:45:14 SENT CONTROL [client]: 'INFO_PRE,WEB_AUTH::https://placeholder.com/oauth2/start?state=5%2FEh5MMw%2BIjZZQau1gRhvMIxnr8PSI%2B9SsTowA1yCjhDo0trR7JA3Vo5xAvL0BUo%2FvxUYCw8hhN6AbkT0QKMsSz53%2B3VWzn3TFlKydvJ4tvFmhDFGqynH%2F%2FNEWOMtJAo9UhbuQO4WDQP7g%3D%3D' (status=1)
2023-09-21 10:45:14 client/A.B.C.D:50550 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 253 bit ED25519, signature: ED25519
2023-09-21 10:46:13 client/A.B.C.D:50550 Delayed exit in 5 seconds
2023-09-21 10:46:13 client/A.B.C.D:50550 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
2023-09-21 10:46:13 client/A.B.C.D:50550 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
2023-09-21 10:46:18 client/A.B.C.D:50550 SIGTERM[soft,delayed-exit] received, client-instance exiting

server.conf:

dev tun
server 10.8.0.0 255.255.255.0
verb 3
ca /etc/openvpn/pki/ca.crt
key /etc/openvpn/pki/private/server.key
cert /etc/openvpn/pki/issued/server.crt
dh none
keepalive 10 60
persist-key
persist-tun
explicit-exit-notify

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"


tls-cert-profile preferred

topology subnet
proto udp
port 1194

fast-io
user nobody
group nogroup

management 0.0.0.0 8081
management-hold
management-client-auth
#auth-gen-token 0 external-auth

reneg-sec 60
auth-user-pass-optional

client.ovpn:

client
dev tun
nobind
remote A.B.C.D 1194 udp4
remote-cert-tls server
resolv-retry infinite
tls-cert-profile preferred
persist-tun
verb 3

<key></key>
<cert></cert>
<ca></ca>

No auth after openvpn SIGHUP

Current Behavior

To change the openvpn's server config, the process needs to be signalled SIGHUP, which will basically restart. After that, no OAuth2 auth takes place until the openvpn-auth-oauth2 service is restarted.
Checking the management interface using telnet, I see >HOLD:Waiting for hold release:0 after SIGHUP. I guess the auth service will release the hold only on first connect, not expecting holds later.

Expected Behavior

No response

Steps To Reproduce

No response

Environment

No response

openvpn-auth-oauth2 logs

No response

openvpn server logs

No response

Anything else?

No response

Template

Current Behavior

When authentication ends, shows

Expected Behavior

Redirect to page with my template

Steps To Reproduce

1. set custom template into config
2. authenticate to vpn
3. get default page

Environment

openvpn-auth-oauth2 Version: 1.10.0
OpenVPN Server Version: 2.6.6
Server OS: Ubuntu Server 22.04
OpenVPN Client (flavor, OS): Tunnelblick 4.0.0, macos

Anything else?

No response

Please support/move to plugin

Problem Statement

Implementing the oauth2-connector as plugin is just what the plugin interface is designed for, and it has several advantages:

common logfile
no services dependent on each other (which causes some trouble currently)
keeps the management interface free for managers (#146)

As of 1.15.0, I wasn't able to get it working on Debian Bookworm with OpenVPN 2.6.3 (always blocking after PLUGIN openvpn-auth-oauth2: INFO: discover oidc auto configuration with provider generic for issuer https://oidp.net, without any network traffic to the IDP).

Proposed Solution

No response

Additional information

No response

Acceptance Criteria

No response

Google as a Provider

Problem Statement

I'd like to use google workspaces as a oauth2 provider with this program

Proposed Solution

I found a way to configure it and it worked, I'll post here the configuration I used, if you want to enhance your documentation :)

Additional information

No response

Acceptance Criteria

No response

openvpn.passwordfile

Problem Statement

Cleartext passwords should be in as few places as possible, so I propose to read the openvpn management password from a file. This would re-use the password.txt file that openvpn already requires, via a configuration option openvpn.passwordfile.

Proposed Solution

No response

Additional information

No response

Acceptance Criteria

No response

Authentication failed after 1.13.0 with CONFIG_OAUTH2_VALIDATE_IPADDR=1

Current Behavior

When I have upgraded on version 1.13 or after, validation of IP adress doesn't work, we have this message:
level=WARN msg="missing claim: ipaddr"
If I rollback to 1.12.2, it's working.
On Azure, ipaddr claim has been setted

Expected Behavior

No response

Steps To Reproduce

1- On Debian package 1.13
2- With this config:
CONFIG_OPENVPN_ADDR=unix:///dev/openvpn
CONFIG_OAUTH2_ISSUER=https://login.microsoftonline.com/xxxxx/v2.0
CONFIG_OAUTH2_CLIENT_ID=xxxx
CONFIG_OAUTH2_CLIENT_SECRET=xxxx
CONFIG_HTTP_LISTEN=:443
CONFIG_HTTP_SECRET=xxxx
CONFIG_HTTP_BASEURL=https://xxxxx
CONFIG_HTTP_TLS=1
CONFIG_HTTP_CERT=xxxx
CONFIG_HTTP_KEY=xxxx
CONFIG_LOG_LEVEL=debug
CONFIG_HTTP_CALLBACK_TEMPLATE_PATH=https://xxx
CONFIG_HTTP_ENABLE__PROXY__HEADERS=1
CONFIG_OAUTH2_VALIDATE_IPADDR=1

Environment

openvpn-auth-oauth2 Version: 1.13
OpenVPN Server Version: 2.6.3-1+deb12u2
Server OS: Debian 12
OpenVPN Client (flavor, OS): Windows 10, Client GUI 11.45.0.0 (Openvpn 2.6.7)

Anything else?

No response

[Google] Refresh token

Problem Statement

Logs for google say: Feb 12 15:09:32 shared-hub-vpn-gateway openvpn-auth-oauth2[78178]: time=2024-02-12T15:09:32.333Z level=WARN msg="oauth2.refresh is enabled, but provider does not return refresh token"

If I search online, refresh tokens seem to be supported. Also your Google codes seems to mention getting refresh tokens. Is it supported?

Environment

openvpn-auth-oauth2 Version:
OpenVPN Server Version:
Server OS:
OpenVPN Client (flavor, OS):

When I integrate Azure AD, there is an error that cannot be handled.

This is the client configuration.

client
dev tun
proto udp
remote xx.xx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass default_pass.txt
ca ovpn2/ca.crt
cert ovpn2/client.crt
key ovpn2/client.key
comp-lzo
verb 3

openvpn server configuration

port 1194
proto udp
dev tun
#dev tap
ca /etc/openvpn/server/keys/ca.crt
cert /etc/openvpn/server/keys/server.crt
key /etc/openvpn/server/keys/server.key
#tls-auth /etc/openvpn/server/keys/ta.key 0
dh /etc/openvpn/server/keys/dh.pem
#server 10.10.10.0 255.255.255.0
server 10.8.0.0 255.255.255.0

push "route 10.0.0.0 255.255.255.0"

ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
#cipher AES-256-GCM
persist-key
persist-tun
comp-lzo
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
duplicate-cn
client-to-client


# /etc/openvpn/password.txt is a password file where the password must be on first line
management /run/openvpn-server/server.sock unix /etc/openvpn/server/password.txt
management-hold
management-client-auth

openvpn-auth-oauth2 configuration

CONFIG_OPENVPN_ADDR=unix:///run/openvpn-server/server.sock
CONFIG_OPENVPN_PASSWORD=XXXX
CONFIG_OAUTH2_ISSUER=https://login.microsoftonline.com/XXX/v2.0
CONFIG_OAUTH2_CLIENT_ID= #CLIENT_ID
CONFIG_OAUTH2_CLIENT_SECRET= #CLIENT_SECRET
CONFIG_HTTP_LISTEN=:9000
# Define a random value with 16 or 24 characters
CONFIG_HTTP_SECRET=1jd93h5b6s82lf03jh5b2hf9
# Define the public http endpoint here.
CONFIG_HTTP_BASEURL=http://localhost:9000
CONFIG_HTTP_KEY= /etc/openvpn/server/keys/server.key
CONFIG_HTTP_CERT= /etc/openvpn/server/keys/server.crt

client error log

Wed Jan  3 10:37:33 2024 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Wed Jan  3 10:37:33 2024 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Wed Jan  3 10:37:33 2024 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
Wed Jan  3 10:37:33 2024 OpenVPN 2.6.0 [git:v2.6.0/b999466418dddb89] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Feb 15 2023
Wed Jan  3 10:37:33 2024 Windows version 10.0 (Windows 10 or greater), amd64 executable
Wed Jan  3 10:37:33 2024 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
Wed Jan  3 10:37:33 2024 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Wed Jan  3 10:37:33 2024 Need hold release from management interface, waiting...
Wed Jan  3 10:37:33 2024 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:53226
Wed Jan  3 10:37:33 2024 MANAGEMENT: CMD 'state on'
Wed Jan  3 10:37:33 2024 MANAGEMENT: CMD 'log on all'
Wed Jan  3 10:37:33 2024 MANAGEMENT: CMD 'echo on all'
Wed Jan  3 10:37:33 2024 MANAGEMENT: CMD 'bytecount 5'
Wed Jan  3 10:37:33 2024 MANAGEMENT: CMD 'state'
Wed Jan  3 10:37:33 2024 MANAGEMENT: CMD 'hold off'
Wed Jan  3 10:37:33 2024 MANAGEMENT: CMD 'hold release'
Wed Jan  3 10:37:33 2024 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jan  3 10:37:33 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]47.97.166.244:1194
Wed Jan  3 10:37:33 2024 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jan  3 10:37:33 2024 UDPv4 link local: (not bound)
Wed Jan  3 10:37:33 2024 UDPv4 link remote: [AF_INET]xx.xx.xxx.xxx:1194
Wed Jan  3 10:37:33 2024 MANAGEMENT: >STATE:1704249453,WAIT,,,,,,
Wed Jan  3 10:38:33 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jan  3 10:38:33 2024 TLS Error: TLS handshake failed
Wed Jan  3 10:38:33 2024 SIGUSR1[soft,tls-error] received, process restarting
Wed Jan  3 10:38:33 2024 MANAGEMENT: >STATE:1704249513,RECONNECTING,tls-error,,,,,
Wed Jan  3 10:38:33 2024 Restart pause, 1 second(s)

It looks like the server did not receive the request, and no logs were found. Can you provide some advice?

Conditional access on linux doesn't work

Current Behavior

I try to use the conditional access with a linux client, but isn't working.
When the client configuration open the website to connect on azure it tell me my access is granted but my computer isn't compliant. The conditional access rule is configured to accept only compliant computer.
It's working well on windows but not on linux.

Expected Behavior

I need to be block at the connexion after the azure connection.

Steps To Reproduce

1. Be no compliant
2. Connection to a VPN Site
3. Access granted

Environment

openvpn-auth-oauth2 Version: 1.13.5
OpenVPN Server Version: 2.6.8
Server OS: Ubuntu
OpenVPN Client (flavor, OS): OpenVPN3 client with openssl3 / Linux

openvpn-auth-oauth2 logs

No response

openvpn server logs

No response

Anything else?

No response

Ami Support

Problem Statement

Does this code support the OpenVPN Access Server AMI version?

openvpn-auth-oauth2 --http.secret=xxxxxx--oauth2.client.id=xxxxxxxxx --oauth2.client.secret=xxxxxxxx --oauth2.issuer=https://accounts.google.com --http.baseurl=https://xxxxxx:9000/ --http.listen=:9000

As far as i understand the port (9000) selected will be new.

time=2023-12-20T23:38:30.936Z level=INFO msg="discover oidc auto configuration with provider generic for issuer https://accounts.google.com"
time=2023-12-20T23:38:30.967Z level=INFO msg="start HTTP server listener on :9000 with base url https://xxxxxxxxxx:9000/"
time=2023-12-20T23:38:30.967Z level=INFO msg="connect to openvpn management interface unix:/run/openvpn/server.sock"
time=2023-12-20T23:38:30.967Z level=ERROR msg="error OpenVPN: unable to connect to openvpn management interface unix:/run/openvpn/server.sock: dial unix /run/openvpn/server.sock: connect: no such file or directory"
time=2023-12-20T23:38:30.968Z level=INFO msg="shutdown OpenVPN management connection"
time=2023-12-20T23:38:30.968Z level=INFO msg="start graceful shutdown of http listener"
time=2023-12-20T23:38:30.968Z level=INFO msg="http listener successfully terminated"

Ami version does not have :/run/openvpn/server.sock running on ubuntu.
But have this
#/usr/local/openvpn_as/etc/sock# ls
sagent sagent.api sagent.localroot

Thanks in advance.

Proposed Solution

No response

Additional information

Could be easier if we have a google section.

Acceptance Criteria

No response

Setup with digitalocean

Hi,

I'm trying to set this up with DO's OAuth (https://docs.digitalocean.com/reference/api/oauth-api/)
I think I'm not setting the correct issuer url, this is what I get in the logs
INFO msg="discover oidc auto configuration with provider generic for issuer https://cloud.digitalocean.com/v1/oauth"
ERROR msg="newProviderWithDiscovery: failed to unmarshal response: invalid character '<' looking for beginning of value <!doctype html><html lang="en"><head data-version="e89958fa0c2ddfb9098d82e3a8fb935cdb0f21f8"><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/>

Am I missing something?
Does supporting DO's implementation require changes in openvpn-auth-oauth2?

Documentation unclear/incomplete

Current Behavior

Reviewing the configuration file section of the documentation, I found:

http:
  tls: true
  key: <keyfile>
  cert: <certfile>
openvpn:
  bypass:
    commonnames: ""
oauth2:
  validate:
    commonname: ""
    roles: ""

TLS configuration works fine for me, section missing
Both commonname options appear surprising to me, since the command line options are --openvpn.bypass.cn and --oauth2.validate.common-name
Wondering about oauth2.validate.roles: is a single role checked, or multiple, if multiple is the string comma or space separated, or maybe list of strings?

Expected Behavior

No response

Steps To Reproduce

No response

Environment

openvpn-auth-oauth2 Version:
OpenVPN Server Version:
Server OS:
OpenVPN Client (flavor, OS):
OIDC Provider:

openvpn-auth-oauth2 logs

No response

openvpn server logs

No response

Anything else?

No response

validate.common-name is is case-sensitive

Current Behavior

In 1.16B3, a preferred_username of "MyName" is compared as mismatch to the openvpn username "myname".
as cnames are case-allowed-but-insensitive (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.6), oaa should compare case insensitive.

Expected Behavior

No response

Steps To Reproduce

No response

Environment

No response

openvpn-auth-oauth2 logs

No response

openvpn server logs

No response

Anything else?

No response

"This site can’t provide a secure connection" [ ERR_SSL_PROTOCOL_ERROR ]

Current Behavior

It seems that I cannot get the certificates to bind to the native HTTPS listener within openvpn-auth-oauth2. I've tried my own wildcard cert [from trusted authority] as well as generating a self-signed key/crt from the example provided. I've turned the logging up to DEBUG level and do not see anything useful in there.

snippet of self-signed config below:

CONFIG_HTTP_BASEURL=https://ovpn1.mycompany.com:9000
CONGIG_HTTP_TLS=true
CONFIG_HTTP_KEY=/etc/sysconfig/server2.key
CONFIG_HTTP_CERT=/etc/sysconfig/server2.crt
CONFIG_LOG_LEVEL=DEBUG

I guess my question is where can I look to troubleshoot the native HTTPS listener and the loading of the crt and key into it?

[If I change it to http:9000 the page will load properly, but unfortunately AAD will not accept http URLs for redirect.]

Expected Behavior

No response

Steps To Reproduce

No response

Environment

openvpn-auth-oauth2 Version: 1.13.5
OpenVPN Server Version: 2.6.8
Server OS: jammy
OpenVPN Client (flavor, OS): [tried both] on windows

Anything else?

v1.16.0-rc.2: provider `google` not recognised in client.yaml

Current Behavior

Previously, I used CONFIG_OAUTH2_PROVIDER=google in /etc/sysconfig/openvpn-auth-oauth.

My current config.yaml includes:

provider:
  google:
    admin-email: "[email protected]"
    service-account-config: "file:///etc/openvpn-auth-oauth2/sa.json"

but the logs show:

xx@xx:/etc/systemd/system$ sudo /usr/bin/openvpn-auth-oauth2 --config /etc/openvpn-auth-oauth2/config.yaml
time=2024-02-14T11:41:33.689Z level=INFO msg="discover oidc auto configuration with provider **generic** for issuer https://accounts.google.com"

Leads to similar errors as before when authentication without CONFIG_OAUTH2_PROVIDER=google:

Some requested scopes were invalid. {valid=[openid, https://www.googleapis.com/auth/userinfo.profile], invalid=[offline_access]}

Expected Behavior

No response

Steps To Reproduce

No response

Environment

openvpn-auth-oauth2 Version:
OpenVPN Server Version:
Server OS:
OpenVPN Client (flavor, OS):
OIDC Provider:

openvpn-auth-oauth2 logs

No response

openvpn server logs

No response

Anything else?

No response

What is openvpn-auth-oauth2.so used for?

Problem Statement

There is a openvpn-auth-oauth2.so located in the tar ,what is this used for? I can not find any document about that

Environment

No response

Auth-token-user setting does not seem to be working

Current Behavior

According to the code and documentation it seems that the application should set the client username to the preferred_username claim by default. For some reason this does not seem to be happening for me. I don't see any difference in behavior when configuring CONFIG_OPENVPN_AUTH_TOKEN_USER to either true or false.

I see the following in the server logs (without configuring the property or when setting it to either true or false):

openvpn[49636]: MANAGEMENT: CMD 'client-auth 0 1'
openvpn[49636]: VPN Client v1/x.x.x.x:4242 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=2001:db8:0:123::1000

The corresponding logging from the application is this:

openvpn-auth-oauth2[49628]: time=2023-11-17T17:59:23.885Z level=INFO msg="successful authorization via oauth2" idtoken.subject=xxxxx idtoken.preferred_username=user.name@domain common_name="VPN Client v1" cid=0 kid=1 user.subject=xxxxx user.preferred_username=user.name@domain

Expected Behavior

When I look at the code in the OAUTH2 handler it seems to me that it should be sending the push auth-token-user command with the user.preferred_username value telling the server to use user.name@domain as client name.

Steps To Reproduce

No response

Environment

openvpn-auth-oauth2 Version: 1.10.1
OpenVPN Server Version: 2.6.7
Server OS: Ubuntu
OpenVPN Client (flavor, OS): Viscosity, MacOS

Anything else?

I think the issue could be with openvpn, but I'm not sure, so any suggestions would be appreciated.

Status of Keycloak Support?

Problem Statement

The README.md of the project mentioned keycloak as a supported Identity Provider (IdP). However, the Providers.md document has no mention of keycloak. This raises doubts about the current status of keycloak integration with openvpn-auth-oauth2.

I would like to seek clarification on the following points:

Is keycloak officially supported as an IdP?
If so, what is the recommended approach for configuring keycloak?
If keycloak support is not available or recommended, could you suggest any alternative self-hosted IdP, such as Hydra, that can be used with openvpn-auth-oauth2?

These clarifications will help me make an informed decision regarding the choice of IdP for openvpn-auth-oauth2. Thank you for your assistance.

Environment

openvpn-auth-oauth2 Version: latest
OpenVPN Server Version: 2.6.8
Server OS: FreeBSD
OpenVPN Client (flavor, OS): Tunnelblick 4.0.0beta13 / MacOS

Install & Configure Plugin On OpenVPN Access Server (OpenVPN-AS)

Problem Statement

Hi Team.
The latest version of OpenVPN Access Server now supports client authentication with Azure AD using the SAML protocol. However, for personal reasons, my OpenVPN Access Server is still using an older version that does not support client authentication with Azure AD. Therefore, I am currently looking for a way to authenticate OpenVPN-AS clients with Azure AD.
After reading:
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
https://medium.com/@jkroepke/openvpn-sso-via-oauth2-ab2583ee8477
I installed plugin successfully on my OpenVPN-AS server, configured configuration file and try to start openvpn-auth-oauth2 service but got the following error:
Failed to add match 'openvpn-auth-oauth2': Invalid argument
I wonder if the plugin works with OpenVPN Access Server or not. And if it does, has anyone successfully set it up and configured it?
Please provide me with the documentation or instructions for this configuration if possible.
I sincerely appreciate your help.

Proposed Solution

No response

Additional information

OpenVPN Access Server Version 2.5
Ubuntu Server 16.04 LTS

Acceptance Criteria

No response

service not start

I Follow the Medium guide at https://medium.com/@jkroepke/openvpn-sso-via-oauth2-ab2583ee8477

but when i try to run i got this Error for a missing Config parameter.

I don't know what and how i need to add it.

{"level":"error","ts":1695507354.3251116,"msg":"error validating config: openvpn.bypass is nil"}

Is there opportunity to use CCD with user groups?

Problem Statement

I have Zitadel or anyone other SSO with configured user groups. I want to split resources in my vpn network by access for groups of users. In most cases .ccd used for it. How can we do it with that plugin?

Proposed Solution

Add splitted configurations for groups with routes to resources

Additional information

No response

Acceptance Criteria

No response

oauth2.validate.common-name not working

Current Behavior

Using openvpn-auth-oauth2_1.13.5_linux_amd64.deb, I configured openvpn-auth to start with the command line option --oauth2.validate.common-name preferred_username.

On the server side, I have

username-as-common-name
verify-client-cert none

When connecting using openvpn3 with username "nobody" (authorizing via Nextcloud), I see

TLS: Username/Password authentication deferred for username 'nobody' [CN SET]
msg="successful authorization via oauth2" cid=15 kid=1 
  common_name=""
  idtoken.subject=MyName
  idtoken.preferred_username=MyName
  user.subject=MyName
  user.preferred_username=MyName

Obviously, cn "nobody" and preferred_username don't match.

Expected Behavior

Deny connection if cn and configured field from oauth2 userinfo endpoint don't match.

Steps To Reproduce

No response

Environment

No response

openvpn-auth-oauth2 logs

No response

openvpn server logs

No response

Anything else?

No response

v1.16.0-rc.2: openvpn-auth-oauth2.service: Failed with result 'core-dump'.

@jkroepke I was already trying that yesterday, while refactoring my installation script to incorporate the ownership changes. So I do expect my current setup to fail, but I no longer get any details why it's failing in the new setup. Journalcl output:

Feb 14 11:24:28 shared-hub-vpn-gateway systemd[1]: Started OpenVPN authenticator.
░░ Subject: A start job for unit openvpn-auth-oauth2.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit openvpn-auth-oauth2.service has finished successfully.
░░ 
░░ The job identifier is 871563.
Feb 14 11:24:28 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Main process exited, code=dumped, status=31/SYS
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStart= process belonging to unit openvpn-auth-oauth2.service has exited.
░░ 
░░ The process' exit code is 'dumped' and its exit status is 31.
Feb 14 11:24:28 shared-hub-vpn-gateway systemd[1]: openvpn-auth-oauth2.service: Failed with result 'core-dump'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit openvpn-auth-oauth2.service has entered the 'failed' state with result 'core-dump'.

I have to add: I also did try to change from the /etc/sysconfig/openvpn-auth-oauth2 file to /etc/openvpn-auth-oauth2/config.yaml

config.yaml

-rw-r-----   1 root openvpn-auth-oauth2  851 Feb 14 11:25 config.yaml

log:
  format: console
  level: INFO
http:
  baseurl: "https://xx:9000"
  cert: "/etc/openvpn-auth-oauth2/fullchain.pem"
  key: "/etc/openvpn-auth-oauth2/privkey.pem"
  listen: ":9000"
  secret: "xx"
  tls: true
openvpn:
  addr: "unix:///run/openvpn/server.sock"
  password: "xx"
oauth2:
  issuer: "https://accounts.google.com"
  client:
    id: "xx"
    secret: "xx"
  validate:
    groups:
      - xx-admin
      - xx-developer
  refresh:
    enabled: true
    expires: 8h0m0s
    secret: "xx"
provider:
  google:
    admin-email: "xx"
    service-account-config: "file:///etc/openvpn-auth-oauth2/sa.json"

/etc/sysconfig/openvpn-auth-oauth2

# This file is sourced by the openvpn-auth-oauth2.service

# CONFIG_FILE is the path to the configuration file and used in the systemd service file only.
CONFIG_FILE=/etc/openvpn-auth-oauth2/config.yaml

Please let me know how I can see errors/misconfigurations in your component again

Originally posted by @Pionerd in #168 (comment)

Error 400 returned for some clients connecting via IPv6

Current Behavior

I've configured openvpn-auth-oauth2 to use Azure as OAuth provider with the following config:

CONFIG_OAUTH2_ISSUER=https://login.microsoftonline.com/…/v2.0
CONFIG_OAUTH2_CLIENT_ID=…
CONFIG_OAUTH2_CLIENT_SECRET=…

CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server-udp-1194.sock
CONFIG_OPENVPN_PASSWORD=… # The same password as in /etc/openvpn/password.txt

CONFIG_HTTP_LISTEN=:9000
CONFIG_HTTP_SECRET=…
CONFIG_HTTP_BASEURL=https://vpn-test.$COMPANY.com/
CONFIG_HTTP_ENABLEPROXYHEADERS=true

CONFIG_LOG_LEVEL=debug

There's nginx to provide TLS:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name vpn-test.$COMPANY.com;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name vpn-test.$COMPANY.com;
    ssl_certificate /etc/ssl/private/star_$COMPANY_com_fullchain.pem;
    ssl_certificate_key /etc/ssl/private/star_$COMPANY_com.key;

    include /etc/nginx/include/well_known.conf;

    location / {
        proxy_pass http://localhost:9000;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-Port $server_port;
        proxy_set_header X-Real-Scheme $scheme;
    }
}

In my tests I have tried a few client and platform combination and got different results:

Viscosity on Windows. Pops up its own browser window where authentication works fine, I'm being redirected to Microsoft and so on.
OpenVPN GUI on Windows. Opens the default web browser Edge with a page showing error 400. The same error is in logged by nginx.
Viscosity on Mac. Pops ip its own window with blank page. Nginx log says it's a 400.

App's log:

2024-01-18T10:57:28+0000vpn-test.$COMPANY.local openvpn-auth-oauth2[423118]: time=2024-01-18T10:57:28.355Z level=INFO msg="new client connection" cid=0 kid=1 common_name="" reason=CONNECT username=""
2024-01-18T10:57:28+0000vpn-test.$COMPANY.local openvpn-auth-oauth2[423118]: time=2024-01-18T10:57:28.355Z level=INFO msg="start pending auth" cid=0 kid=1 common_name="" reason=CONNECT username=""
2024-01-18T10:57:28+0000vpn-test.$COMPANY.local openvpn-auth-oauth2[423118]: time=2024-01-18T10:57:28.355Z level=DEBUG msg="client-pending-auth 0 1 \"WEB_AUTH::https://vpn-test.$COMPANY.com/oauth2/start?state=A_LONG_RANDOM_STRING\" 180"
2024-01-18T10:57:28+0000vpn-test.$COMPANY.local openvpn-auth-oauth2[423118]: time=2024-01-18T10:57:28.415Z level=WARN msg="invalid state: decode: EOF"
2024-01-18T10:57:28+0000vpn-test.$COMPANY.local openvpn-auth-oauth2[423118]: time=2024-01-18T10:57:28.415Z level=DEBUG msg=A_LONG_RANDOM_STRING

The A_LONG_RANDOM_STRING is the same as in the URL opened in the pop-up browser window:

https://vpn-test.$COMPANY.com/oauth2/start?state=A_LONG_RANDOM_STRING

Expected Behavior

URL https://vpn-test.$COMPANY.com/oauth2/start?state=A_LONG_RANDOM_STRING opening and redirecting me to Microsoft for all clients on all platforms.

Steps To Reproduce

No response

Environment

openvpn-auth-oauth2 Version: 1.13.4
OpenVPN Server Version: 2.6.3-1+deb12u2~bpo11+1
Server OS: Debian 11.8
OpenVPN Client (flavor, OS): OpenVPN GUI on Windows, Viscosity on Mac and Windows

Anything else?

No response

Google oAuth not working

Problem Statement

The OpenVPN client doesn't open a website page to authenticate with Google,

OpenVPN Server Configuration:

port 59940
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#push "redirect-gateway autolocal def1"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_zq3V825Hxe1vNadT.crt
key server_zq3V825Hxe1vNadT.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
management /run/openvpn/server.sock unix /etc/openvpn/password.txt
#management-hold
management-client-auth
push "route 34.88.39.116 255.255.255.255"
push "route 34.170.254.234 255.255.255.255"
push "route 35.226.71.232 255.255.255.255"

OpenVPN Client Config:

client
proto udp
explicit-exit-notify
remote xxxxxxxx 59940
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_zq3V825Hxe1vNadT name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB1zCCAX2g
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB2jCCAYGg
sWu186wIL/
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIGHAg
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
50b3df6fc8d7246edd9e84156bc993f4

-----END OpenVPN Static key V1-----
</tls-crypt>

oAuth Configuration:

 GNU nano 5.4                                      /etc/sysconfig/openvpn-auth-oauth2                                                
CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server.sock
CONFIG_OPENVPN_PASSWORD=xxxxxxxxxxx
CONFIG_OAUTH2_PROVIDER=google
CONFIG_OAUTH2_ISSUER=https://accounts.google.com
CONFIG_OAUTH2_CLIENT_ID=44611xxxxxxxxxxxx.apps.googleusercontent.com
CONFIG_OAUTH2_CLIENT_SECRET=xxxxxxxxxxxxxxxx
CONFIG_HTTP_LISTEN=127.0.0.1:9000
# Define a random value with 16 or 24 characters
CONFIG_HTTP_SECRET=xxxxxxxxxxx
# Define the public http endpoint here.
CONFIG_HTTP_BASEURL=https://xxxxxxxx.com
CONFIG_PROVIDER_GOOGLE_SERVICE__ACCOUNT__CONFIG=file:///etc/openvpn-auth-oauth2/service.json

OpenVPN Server Logs:

2024-02-14 16:10:41 89.207.14.192:51579 VERIFY OK: depth=1, CN=cn_uG2Me9YlBKEZpZQ3
2024-02-14 16:10:41 89.207.14.192:51579 VERIFY OK: depth=0, CN=test-test
2024-02-14 16:10:41 89.207.14.192:51579 peer info: IV_VER=3.8.2connect3
2024-02-14 16:10:41 89.207.14.192:51579 peer info: IV_PLAT=mac
2024-02-14 16:10:41 89.207.14.192:51579 peer info: IV_NCP=2
2024-02-14 16:10:41 89.207.14.192:51579 peer info: IV_TCPNL=1
2024-02-14 16:10:41 89.207.14.192:51579 peer info: IV_PROTO=990
2024-02-14 16:10:41 89.207.14.192:51579 peer info: IV_MTU=1600
2024-02-14 16:10:41 89.207.14.192:51579 peer info: IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
2024-02-14 16:10:41 89.207.14.192:51579 peer info: IV_AUTO_SESS=1
2024-02-14 16:10:41 89.207.14.192:51579 peer info: IV_GUI_VER=OCmacOS_3.4.6-4699
2024-02-14 16:10:41 89.207.14.192:51579 peer info: IV_SSO=webauth,crtext
2024-02-14 16:10:41 89.207.14.192:51579 TLS Error: Auth Username/Password was not provided by peer
2024-02-14 16:10:41 89.207.14.192:51579 TLS Error: TLS handshake failed
2024-02-14 16:10:41 89.207.14.192:51579 SIGUSR1[soft,tls-error] received, client-instance restarting
2024-02-14 16:10:59 89.207.14.192:55947 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-02-14 16:10:59 89.207.14.192:55947 TLS Error: TLS handshake failed
2024-02-14 16:10:59 89.207.14.192:55947 SIGUSR1[soft,tls-error] received, client-instance restarting
2024-02-14 16:11:41 89.207.14.192:51579 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-02-14 16:11:41 89.207.14.192:51579 TLS Error: TLS handshake failed
2024-02-14 16:11:41 89.207.14.192:51579 SIGUSR1[soft,tls-error] received, client-instance restarting

OpenVPN Client Logs:


⏎[Feb 14, 2024, 19:08:13] Connecting to [xxxxxxxx]:59940 (xxxxxxxx) via UDP
⏎[Feb 14, 2024, 19:08:13] EVENT: CONNECTING ⏎[Feb 14, 2024, 19:08:13] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,key-method 2,tls-client
⏎[Feb 14, 2024, 19:08:13] Creds: UsernameEmpty/PasswordEmpty
⏎[Feb 14, 2024, 19:08:13] Sending Peer Info:
IV_VER=3.8.2connect3
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=OCmacOS_3.4.6-4699
IV_SSO=webauth,crtext

⏎[Feb 14, 2024, 19:08:29] EVENT: CONNECTION_TIMEOUT  BYTES_IN : 4367
 BYTES_OUT : 6280
 PACKETS_IN : 12
 PACKETS_OUT : 16
 KEEPALIVE_TIMEOUT : 1
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 1
⏎[Feb 14, 2024, 19:08:29] EVENT: DISCONNECTED ⏎[Feb 14, 2024, 19:09:57] Raw stats on disconnect:
 BYTES_IN : 4367
 BYTES_OUT : 6280
 PACKETS_IN : 12
 PACKETS_OUT : 16
 KEEPALIVE_TIMEOUT : 1
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 1

⏎[Feb 14, 2024, 19:09:57] Performance stats on disconnect:
  CPU usage (microseconds): 111055911
  Network bytes per CPU second: 95
  Tunnel bytes per CPU second: 0
⏎[Feb 14, 2024, 19:09:57] OpenVPN core 3.8.2connect3 mac arm64 64-bit built on Dec  1 2023 03:25:45
⏎[Feb 14, 2024, 19:09:57] Frame=512/2112/512 mssfix-ctrl=1250
⏎[Feb 14, 2024, 19:09:57] NOTE: This configuration contains options that were not used:
⏎[Feb 14, 2024, 19:09:57] Ignored by option 'ignore-unknown-option'
⏎[Feb 14, 2024, 19:09:57] 18 [block-outside-dns]
⏎[Feb 14, 2024, 19:09:57] Unsupported option (ignored)
⏎[Feb 14, 2024, 19:09:57] 2 [explicit-exit-notify]
⏎[Feb 14, 2024, 19:09:57] 5 [resolv-retry] [infinite]
⏎[Feb 14, 2024, 19:09:57] 7 [persist-key]
⏎[Feb 14, 2024, 19:09:57] 8 [persist-tun]
⏎[Feb 14, 2024, 19:09:57] 12 [auth-nocache]
⏎[Feb 14, 2024, 19:09:57] EVENT: RESOLVE ⏎[Feb 14, 2024, 19:09:57] Contacting xxxxx:59940 via UDP
⏎[Feb 14, 2024, 19:09:57] EVENT: WAIT ⏎[Feb 14, 2024, 19:09:57] UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
	"host" : "xxxxx",
	"ipv6" : false,
	"pid" : 9076
}

⏎[Feb 14, 2024, 19:09:57] Connecting to [xxxxx]:59940 (xxxxx) via UDP
⏎[Feb 14, 2024, 19:09:57] EVENT: CONNECTING ⏎[Feb 14, 2024, 19:09:57] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,key-method 2,tls-client
⏎[Feb 14, 2024, 19:09:57] Creds: UsernameEmpty/PasswordEmpty
⏎[Feb 14, 2024, 19:09:57] Sending Peer Info:
IV_VER=3.8.2connect3
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=OCmacOS_3.4.6-4699
IV_SSO=webauth,crtext

⏎[Feb 14, 2024, 19:10:39] Session invalidated: KEEPALIVE_TIMEOUT
⏎[Feb 14, 2024, 19:10:39] Client terminated, restarting in 2000 ms...
⏎[Feb 14, 2024, 19:10:41] EVENT: RECONNECTING ⏎[Feb 14, 2024, 19:10:41] EVENT: RESOLVE ⏎[Feb 14, 2024, 19:10:41] Contacting 35.232.197.149:59940 via UDP
⏎[Feb 14, 2024, 19:10:41] EVENT: WAIT ⏎[Feb 14, 2024, 19:10:41] UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
	"host" : "xxxxxxxxx",
	"ipv6" : false,
	"pid" : 9076
}

Environment

openvpn-auth-oauth2 Version: openvpn-auth-oauth2_1.15.0_linux_amd64.deb
OpenVPN Server Version: OpenVPN 2.6.6 x86_64-pc-linux-gnu
Server OS: Debian GNU/Linux 11 (bullseye)
OpenVPN Client (flavor, OS): MacOS, OpenVPN Connect Version 3.4.6 (4699)

20s delay for autorization after process restart

Current Behavior

When restarting the openvpn-auth-oauth2 service, the next authorization will take a 20s nap:

time=2024-02-07T13:19:27.701+01:00 level=INFO msg="initialize authorization via oauth2" cid=4 kid=1
time=2024-02-07T13:19:47.884+01:00 level=INFO msg="successful authorization via oauth2" cid=4 kid=1

The client side browser will get a timeout (504 from the reverse proxy in front of openvpn-auth-oauth2), while accessing oauth2/callback. Still, after 20+ seconds, the connection is established successfully.

With log.level=DEBUG, nothing is logged in between.

After the first delayed auth, all others will succeed within fractions of a second as expected.

Expected Behavior

No response

Steps To Reproduce

No response

Environment

No response

openvpn-auth-oauth2 logs

No response

openvpn server logs

No response

Anything else?

No response

Openvpn management interface passthrough (OpnSense compatibility)

Problem Statement

openvpn will serve only one manager connection, additional connections don't receive status or take commands.

Proposed Solution

Unless openvpn-auth-oauth2 is going to implement a state-of-the-art REST and/or websocket API to control the openvpn server :-), I propose that the program should serve an additional port, passing through all openvpn status messages, and commands issued on that port, to enable external openvpn managers to work again.
That Man-In-The-Middle would probably enable all existing solutions to work (I guess currently OpenVPN AS blocks the management port itself?).

Additional information

No response

Acceptance Criteria

No response

CONFIG_HTTP_BASE_URL is not working, but CONFIG_HTTP_BASEURL works

Current Behavior

Fix in documentation
--http.baseurl string listen addr for client listener. (env: CONFIG_HTTP_BASE_URL) (default "http://localhost:9000")

to CONFIG_HTTP_BASEURL

Expected Behavior

No response

Steps To Reproduce

No response

Environment

openvpn-auth-oauth2 Version:
OpenVPN Server Version:
Server OS:
OpenVPN Client (flavor, OS):

Anything else?

No response

Layout changed

Current Behavior

Current layout is less pretty than it used to be in previous releases

Expected Behavior

Please revert to the old lay out, options to make it configurable (css/own logo) would be awesome but not required.

Steps To Reproduce

No response

Environment

openvpn-auth-oauth2 Version:
OpenVPN Server Version:
Server OS:
OpenVPN Client (flavor, OS):
OIDC Provider:

openvpn-auth-oauth2 logs

No response

openvpn server logs

No response

Anything else?

No response

validate.common-name fails with "openvpn client is empty"

Current Behavior

Testing with V1.15.0 on openvpn 2.6.3 (Debian Bookworm):

msg="start pending auth" cid=1 kid=1 common_name="" reason=CONNECT username=myself
msg="initialize authorization via oauth2" cid=1 kid=1 common_name=""
msg="deny OpenVPN client cid 1, kid 1" cid=1 kid=1 common_name="" idtoken.preferred_username=MySelf (..) 
msg="user validation: common_name mismatch: openvpn client is empty" cid=1 kid=1 common_name="" (..)

My setup is with username-as-common-name; verify-client-cert none. When connecting, the management interface will receive

>CLIENT:CONNECT,3,1
>CLIENT:ENV,n_clients=0
>CLIENT:ENV,password=password,of_course
>CLIENT:ENV,untrusted_port=53732
>CLIENT:ENV,untrusted_ip=11.22.33.44
>CLIENT:ENV,username=myself
>CLIENT:ENV,IV_SSO=openurl,webauth,crtext
>CLIENT:ENV,IV_GUI_VER=OpenVPN3/Linux/v21
>CLIENT:ENV,IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
>CLIENT:ENV,IV_MTU=1600
>CLIENT:ENV,IV_PROTO=990
>CLIENT:ENV,IV_TCPNL=1
>CLIENT:ENV,IV_NCP=2
>CLIENT:ENV,IV_PLAT=linux
>CLIENT:ENV,IV_VER=v3.8.2
>CLIENT:ENV,remote_port_1=1194
>CLIENT:ENV,local_port_1=1194
>CLIENT:ENV,proto_1=udp
>CLIENT:ENV,daemon_pid=44361
>CLIENT:ENV,daemon_start_time=1707741604
>CLIENT:ENV,daemon_log_redirect=1
>CLIENT:ENV,daemon=1
>CLIENT:ENV,verb=4
>CLIENT:ENV,config=/etc/openvpn/server.conf
>CLIENT:ENV,ifconfig_local=192.168.1.1
>CLIENT:ENV,ifconfig_netmask=255.255.255.0
>CLIENT:ENV,script_context=init
>CLIENT:ENV,tun_mtu=1500
>CLIENT:ENV,dev=tun0
>CLIENT:ENV,dev_type=tun
>CLIENT:ENV,redirect_gateway=0
>CLIENT:ENV,END

So in case cn is empty (since no certs were used), the common_name should be obtained from CLIENT:ENV,username.
Please compare case-insensitive...

Expected Behavior

No response

Steps To Reproduce

No response

Environment

No response

openvpn-auth-oauth2 logs

No response

openvpn server logs

No response

Anything else?

No response

Openvpn Connect v.3

Hi,
I'm testing with Openvpn connect 3 as mac client, it not work.
it is supposed to work with Openvpn connect?

Google OIDC Groups claim

Problem Statement

Google natively does not support fetching groups, but a workaround is using a ServiceAccount including Domain Wide Delegation. Would be great if that were to be supported.

PS. What is the correct format of the oauth2.validate.groups parameter if I want to validate on multiple groups?

Proposed Solution

See for example:

Additional information

No response

Acceptance Criteria

No response

Implement OR-Based Group Validation

Problem Statement

While testing #150 I implemented group validation in my Azure setup first. I noticed that the group membership check is currently requiring a user to be a member of ALL mentioned groups (AND). I would expect (or at least would like to have the option) that a user would only need to be part of one of the mentioned groups (OR).

Proposed Solution

No response

Additional information

No response

Acceptance Criteria

No response

failed to exchange token: oauth2: "bad_verification_code" "The code passed is incorrect or expired." "https://docs.github.com/apps/managing-oauth-apps/troubleshooting-oauth-app-access-token-request-errors/#bad-verification-code"

Current Behavior

When logging in github, after accepting access for application, callback gives error
failed to exchange token: oauth2: "bad_verification_code" "The code passed is incorrect or expired." "https://docs.github.com/apps/managing-oauth-apps/troubleshooting-oauth-app-access-token-request-errors/#bad-verification-code"

Expected Behavior

When logging in github, after accepting access, openvpn connecting successfully

Steps To Reproduce

1. default configuration openvpn with script
2. updating openvpn to 2.6.6 version
3. installing plugin with Installing  page
4. configuration plugin with Configuration page
5. try to connect to vpn server
6. enter github credentials
7. give access for organsization on github
8. get error

Environment

openvpn-auth-oauth2 Version: 1.8.0
OpenVPN Server Version: 2.6.6
Server OS: Ubuntu Server 22.04
OpenVPN Client (flavor, OS): Tunnelblick 4.0.0, MacOS

Anything else?

No response

Client does not support SSO authentication

Current Behavior

Hello,

It's more a question than a bug. I would like to use openvpn without a client certificate and Azure authentication but I success.

Feb 01 15:27:28 ip-10-30-2-190 openvpn-auth-oauth2[198416]: time=2024-02-01T15:27:28.391Z level=INFO msg="new client connection" cid=0 kid=1 common_name="" reason=CONNECT username=<my mail>
Feb 01 15:27:28 ip-10-30-2-190 openvpn-auth-oauth2[198416]: time=2024-02-01T15:27:28.391Z level=WARN msg="OpenVPN Client does not support SSO authentication via webauth" cid=0 kid=1 common_name="" reason=CONNECT username=<mail>
Feb 01 15:27:28 ip-10-30-2-190 openvpn-auth-oauth2[198416]: time=2024-02-01T15:27:28.391Z level=INFO msg="deny OpenVPN client cid 0, kid 1" cid=0 kid=1 common_name="" reason=CONNECT username=<mail>

Expected Behavior

No response

Steps To Reproduce

My server conf

dev tun0
verb 3
server 10.200.200.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
topology subnet
dh /etc/ssl/private/dhparam-server.pem
proto udp
ca /etc/letsencrypt/live/xxx/chain.pem
key /etc/letsencrypt/live/xxx/privkey.pem
cert /etc/letsencrypt/live/xxx/cert.pem
allow-pull-fqdn
verify-client-cert none
port 1194
management /run/openvpn/server.sock unix /etc/openvpn/password/server.txt
management-client-auth
cipher AES-256-GCM

My client conf

 xxx 1194
auth-user-pass
dev tun0
allow-pull-fqdn
pull
tls-client
ca /etc/ssl/certs/ca-bundle.crt

Environment

openvpn-auth-oauth2 Version: 1.13.5
OpenVPN Server Version: 2.6.8
Server OS: ubuntu 22.04
OpenVPN Client (flavor, OS): 2.6.8-1 (Arch Linux)

Anything else?

The issue com from my client ? It's look like com from this function, but I don't understand why

Unwelcome reconnections

Hello,

I've tried your plugin and got it to work with Microsoft Entra ID, many thanks for all the work you put into this !!

I still have two problems with this, and I'm not sure if it's a feature request, a bug or a misconfiguration :

When the TLS soft reset occurs, it relaunch the web auth, popping a browser in the face of the user and sometimes during a presentation, or in the wrong browser session, causing all sort of troubles. Is there a way to prevent the web-auth durint TLS soft reset ? In other words, is there a way to prevent the server to REAUTH when reneg-sec has expired ? I know I can set reneg-sec to 0 to prevent TLS soft reset, but I don't want to create a security issue

2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 TLS: soft reset sec=3596/3596 bytes=11766644/-1 pkts=20362/0
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 VERIFY OK: depth=1, C=, ST=, L=, O=, OU=, CN= CA, name=, emailAddress=
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 VERIFY KU OK
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 Validating certificate extended key usage
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 VERIFY EKU OK
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 VERIFY OK: depth=0, C=, ST=, L=, O=, OU=, CN= CA, name=, emailAddress=
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 peer info: IV_VER=2.6.8
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 peer info: IV_PLAT=win
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 peer info: IV_TCPNL=1
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 peer info: IV_MTU=1600
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 peer info: IV_NCP=2
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 peer info: IV_PROTO=990
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 peer info: IV_LZO_STUB=1
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 peer info: IV_COMP_STUB=1
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 peer info: IV_COMP_STUBv2=1
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 peer info: IV_GUI_VER=OpenVPN_GUI_11.46.0.0
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 peer info: IV_SSO=openurl,webauth,crtext
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 TLS: Username/Password authentication deferred for username ''
2023-12-21 16:13:41 MANAGEMENT: CMD 'client-pending-auth 1 4 "WEB_AUTH::https://vpn.example.com/oauth2/start?state=XXXX" 180'
2023-12-21 16:13:41 SENT CONTROL [pc-xxxxxx]: 'AUTH_PENDING,timeout 180' (status=1)
2023-12-21 16:13:41 SENT CONTROL [pc-xxxxxx]: 'INFO_PRE,WEB_AUTH::https://vpn.example.com/oauth2/start?state=XXXX' (status=1)
2023-12-21 16:13:41 pc-xxxxxx/A.B.C.D:59833 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-12-21 16:13:42 MANAGEMENT: CMD 'client-auth 1 4'

When I restart the openvpn server with a .service file, the line management-hold hangs the service, waiting for the openvpn-auth-oauth2 service to restart. It breaks all kind of automation, not releasing the prompt. Is it the expected behavior ? If yes, how should we use tools like Ansible with that kind of behavior ? I feel like I'm missing a parameter such as "wait in the background" but I'm not finding it !

Thank you !

Implement OpenVPN management interface listener

Let OpenVPN allow to connect to this daemon which enables HA setup