
Comments (15)

Pionerd commented on May 26, 2024

Forget about my last post. Just tested your latest release and it works without credentials, in Safari! I'm really happy, thanks again!

from openvpn-auth-oauth2.

RichardSufliarsky commented on May 26, 2024

@jkroepke thank you very much, 1.13.3 works for me.


jkroepke commented on May 26, 2024

Could it be possible that your browser does not accept cookies?

I got an error that this value was missing, could not find it in the docs

Thanks, fixed in #108


Pionerd commented on May 26, 2024

Thanks for your quick response. I wouldn't think my browser is the issue. I work with all kinds of OAuth/SAML/OIDC apps all day and they work fine. Anything I can do to further debug this issue? Or do you have a full reference config (server and client) for Azure that works on your end?


jkroepke commented on May 26, 2024

Or do you have a full reference config

The OpenVPN configuration is not related to this error. The openvpn-auth-oauth2 configuration is close to mine, including TLS, except that I'm running with debug log level on my local machine.

The error message says that a specific cookie is missing. The cookie is set on /oauth2/start, then there is a redirect to Azure, and on the callback URL the cookie is requested again.

One cause could be that the hostname of /oauth2/start is different after the redirect from Azure.

Ref: zitadel/oidc#331


jkroepke commented on May 26, 2024

Debugging this issue is a bit hard. At least, here is a step-by-step guide to debug the cookie handling in the browser.

I assume you are using a Chrome-based browser.

  • Before connecting to the OpenVPN server, open a browser locally. On the new tab page, right-click and choose Inspect. The browser console appears. Important: click on the Network tab and ensure that "Preserve log" is enabled.
    [screenshot]

  • Ideally, you are not logged on to Azure with your main browser; otherwise you cannot intercept the flow.

  • Ensure you have real-time access to the OpenVPN server logs. Tip: if you are using journalctl, use the option --no-pager. This prevents long links from being truncated.


  1. Initiate the connection to the OpenVPN server, then close the browser opened by the OpenVPN client.

  2. Go to the OpenVPN server logs, grab the line with INFO_PRE,WEB_AUTH and copy the link with the full state.

  3. Paste the link into the tab where the browser console is opened.

  4. Continue the auth flow.

  5. On the access denied screen, check the browser console for any errors.

  6. Then go to the Network tab again. There is a request with /oauth2/start. Click on Cookies and check if response cookies are present.
     Example screenshot: [Bildschirmfoto 2024-01-03 um 23 10 09]

  7. Then go to the Network tab again. There is a request with /oauth2/callback. Click on Cookies and check if request cookies are present.
     Example screenshot: [Bildschirmfoto 2024-01-03 um 23 10 21]


Pionerd commented on May 26, 2024

So the weirdest thing happened. I followed your procedure using Safari, but in step 6 I could not find the /oauth2/start request, even though that was the original request. So I tried Chrome, which worked straight away. Not a single issue.

I tried again in Safari multiple times, logging out from the single Azure account, in incognito mode: Access Denied every single time. Copying the same URL from the logs and using it in Safari first: Access Denied; the same URL in Chrome: Access granted.

As it turned out, in Safari the request is hidden under authorize. These are the cookies I see:
[screenshot]

As for step 7: here there are no cookies at all...

==

Unrelated question: can you confirm auth-user-pass is necessary? The credentials I enter there are not used (if I enter test:test and use Chrome, the VPN connection gets created). But if I remove auth-user-pass the browser screen is not coming up. I see you use auth-user-pass-optional on the server side in one of your tests, is that related?


jkroepke commented on May 26, 2024

As it turned out in Safari the request is hidden under authorize. These are the cookies I see:

That's not correct. authorize is the OIDC endpoint of Azure and, of course, the openvpn-auth-oauth2 cookies will not be sent to Azure.

And I'm able to reproduce the issue with the Safari browser.


Unrelated question

In my tests, I used auth-user-pass and auth-user-pass-optional to play with the auth-token features of OpenVPN, which are replaced by the built-in session refresh mechanism.

No, it's not necessary and can be omitted. Only

management /run/openvpn/server.sock unix /etc/openvpn/password.txt
management-client-auth

is mandatory and relates to openvpn-auth-oauth2.


Pionerd commented on May 26, 2024

And I'm able reproduce the issue with Safari browser.

Do you expect this can be fixed in your module?

Unrelated question

What about the auth-user-pass in the client config? Without it, my browser does not open. With it, OpenVPN Connect on Mac shows a popup to enter the (required) credentials, but they are not actually used (anything works).

Time for bed :)


jkroepke commented on May 26, 2024

Do you expect this can be fixed in your module?

Yeah, turns out that I set an invalid path on the cookies. Instead of /oauth2, I set oauth2, which is not conformant, but is interpreted correctly by Chrome browsers.

This is my client config connecting to a local OpenVPN server running inside docker:

client
dev tun
nobind
remote 127.0.0.1 1194 udp4
remote-cert-tls server
resolv-retry infinite
tls-cert-profile preferred
persist-tun
verb 9
reneg-sec 0
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

server

dev tun0
server 100.64.0.0 255.255.255.0
verb 3
ca /etc/openvpn/pki/ca.crt
key /etc/openvpn/pki/private/server.key
cert /etc/openvpn/pki/issued/server.crt
dh none
keepalive 10 60
persist-key
persist-tun
explicit-exit-notify

tls-cert-profile preferred

topology subnet
proto udp
port 1194

fast-io
user nobody
group nogroup

#auth-gen-token
management 0.0.0.0 8081 /etc/openvpn/password.txt
#management 0.0.0.0 8081
management-hold
management-client-auth

#plugin /plugin/openvpn-auth-oauth2.so /plugin/config.yaml

reneg-sec 30
auth-user-pass-optional

That is what I use for local testing. It works with OpenVPN 2 based clients and OpenVPN 3 Connect. If you have auth-user-pass-optional or omit auth-user-pass on the server, then nothing should ask for credentials.
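A small checker in the spirit of step 6 of the debugging guide above and of the cookie Path bug described in this comment (an added example, not code from openvpn-auth-oauth2): it applies the RFC 6265 default-path and path-match rules to the Set-Cookie headers of the /oauth2/start response and lists reasons the state cookie would not be sent back on /oauth2/callback. The header values are constructed; /oauth2/start and /oauth2/callback are the endpoint paths named in this thread, and the cookie name state is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// defaultPath is RFC 6265 5.1.4: the request path up to, but excluding, its last "/".
func defaultPath(requestPath string) string {
	if i := strings.LastIndex(requestPath, "/"); i > 0 && requestPath[0] == '/' {
		return requestPath[:i]
	}
	return "/"
}

// effectivePath is RFC 6265 5.2.4: a Path attribute that is empty or does not start with "/" is ignored; the default-path applies.
func effectivePath(attr, requestPath string) string {
	if attr == "" || attr[0] != '/' {
		return defaultPath(requestPath)
	}
	return attr
}

// pathMatches is RFC 6265 5.1.4 path-match of a cookie path against a request path.
func pathMatches(cookiePath, requestPath string) bool {
	return cookiePath == requestPath || (strings.HasPrefix(requestPath, cookiePath) &&
		(strings.HasSuffix(cookiePath, "/") || requestPath[len(cookiePath)] == '/'))
}

// LintStateCookie reads the Set-Cookie headers of the /oauth2/start response and reports why the state cookie might not return on /oauth2/callback.
func LintStateCookie(h http.Header, startPath, callbackPath string) []string {
	var out []string
	for _, c := range (&http.Response{Header: h}).Cookies() {
		if c.Path != "" && c.Path[0] != '/' {
			out = append(out, fmt.Sprintf("%s: Path=%q lacks a leading '/'; RFC 6265 clients fall back to %q, other browsers differ", c.Name, c.Path, defaultPath(startPath)))
		}
		if p := effectivePath(c.Path, startPath); !pathMatches(p, callbackPath) {
			out = append(out, fmt.Sprintf("%s: effective path %q does not cover %q", c.Name, p, callbackPath))
		}
		if !c.Secure || !c.HttpOnly {
			out = append(out, c.Name+": state cookie should carry Secure and HttpOnly")
		}
		if c.SameSite == http.SameSiteStrictMode {
			out = append(out, c.Name+": SameSite=Strict is not sent on the top-level redirect back from the IdP; use Lax")
		}
	}
	return out
}
```

Run it against the Set-Cookie header copied from the /oauth2/start response in the Network tab; an empty result means the cookie attributes themselves are not the reason the callback arrives without it.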

Pionerd commented on May 26, 2024

Thanks a lot for your quick action!

If you have auth-user-pass-optional or omit auth-user-pass on server, then nothing should ask for credentials.

Both those options lead to a spinning connection wheel, but no browser being opened. Nothing seems wrong on the server side, except that the MANAGEMENT and SENT CONTROL logs are not there anymore.

Client logs:

[Jan 4, 2024, 02:16:30] OpenVPN core 3.8.1 mac arm64 64-bit built on Aug 23 2023 04:35:28
[Jan 4, 2024, 02:16:30] Frame=512/2112/512 mssfix-ctrl=1250
[Jan 4, 2024, 02:16:30] NOTE: This configuration contains options that were not used:
[Jan 4, 2024, 02:16:30] Ignored by option 'ignore-unknown-option'
[Jan 4, 2024, 02:16:30] 18 [block-outside-dns]
[Jan 4, 2024, 02:16:30] Unsupported option (ignored)
[Jan 4, 2024, 02:16:30] 2 [explicit-exit-notify]
[Jan 4, 2024, 02:16:30] 5 [resolv-retry] [infinite]
[Jan 4, 2024, 02:16:30] 7 [persist-key]
[Jan 4, 2024, 02:16:30] 8 [persist-tun]
[Jan 4, 2024, 02:16:30] 12 [auth-nocache]
[Jan 4, 2024, 02:16:30] EVENT: RESOLVE 
[Jan 4, 2024, 02:16:30] Contacting <server_ip>:1194 via UDP
[Jan 4, 2024, 02:16:30] EVENT: WAIT 
[Jan 4, 2024, 02:16:30] UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
	"host" : "<server_ip>",
	"ipv6" : false,
	"pid" : 95527
}

[Jan 4, 2024, 02:16:30] Connecting to [<domain>]:1194 (<server_ip>) via UDP
[Jan 4, 2024, 02:16:30] EVENT: CONNECTING 
[Jan 4, 2024, 02:16:30] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,key-method 2,tls-client
[Jan 4, 2024, 02:16:30] Creds: UsernameEmpty/PasswordEmpty
[Jan 4, 2024, 02:16:30] Peer Info:
IV_VER=3.8.1
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=OCmacOS_3.4.4-4629
IV_SSO=webauth,openurl,crtext

[Jan 4, 2024, 02:16:31] SSL Handshake: peer certificate: CN=server_2gxU7CObCpLBg6IL, 256 bit EC, group:prime256v1, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD

[Jan 4, 2024, 02:16:31] Session is ACTIVE
[Jan 4, 2024, 02:16:31] EVENT: GET_CONFIG 
[Jan 4, 2024, 02:16:31] Sending PUSH_REQUEST to server...
[Jan 4, 2024, 02:16:32] Sending PUSH_REQUEST to server...
[Jan 4, 2024, 02:16:34] Sending PUSH_REQUEST to server...
[Jan 4, 2024, 02:16:35] Raw stats on disconnect:
 BYTES_IN : 2449
 BYTES_OUT : 3059
 PACKETS_IN : 8
 PACKETS_OUT : 11

[Jan 4, 2024, 02:16:35] Performance stats on disconnect:
  CPU usage (microseconds): 65867289
  Network bytes per CPU second: 83
  Tunnel bytes per CPU second: 0
[Jan 4, 2024, 02:16:35] EVENT: DISCONNECTED


RichardSufliarsky commented on May 26, 2024

Sorry that I comment on the closed issue, but I am experiencing the same with the Chrome browser.
Logs from openvpn-auth-oauth2 (version 1.13.2, binary used, no package install) and OpenVPN 2.6.5 server:

time=2024-01-05T23:15:28.522Z level=INFO msg="new client connection" cid=3 kid=1 common_name="" reason=CONNECT username=""
time=2024-01-05T23:15:28.523Z level=INFO msg="start pending auth" cid=3 kid=1 common_name="" reason=CONNECT username=""
time=2024-01-05T23:15:28.744Z level=INFO msg="initialize authorization via oauth2" cid=3 kid=1 common_name=""
time=2024-01-05T23:15:28.980Z level=WARN msg="Unauthorized: failed to get state: http: named cookie not present"
time=2024-01-05T23:15:28.980Z level=ERROR msg="http: superfluous response.WriteHeader call from github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2.writeError (handler.go:244)"


2024-01-05 23:15:28 us=512342 Connection Attempt MULTI: multi_create_instance called
2024-01-05 23:15:28 us=513065 192.168.21.1:52369 Re-using SSL/TLS context
2024-01-05 23:15:28 us=513141 192.168.21.1:52369 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-01-05 23:15:28 us=513157 192.168.21.1:52369 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-01-05 23:15:28 us=513458 192.168.21.1:52369 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2024-01-05 23:15:28 us=513474 192.168.21.1:52369 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2024-01-05 23:15:28 us=521467 192.168.21.1:52369 peer info: IV_VER=3.git::d3f8b18b
2024-01-05 23:15:28 us=521491 192.168.21.1:52369 peer info: IV_PLAT=win
2024-01-05 23:15:28 us=521517 192.168.21.1:52369 peer info: IV_NCP=2
2024-01-05 23:15:28 us=521524 192.168.21.1:52369 peer info: IV_TCPNL=1
2024-01-05 23:15:28 us=521531 192.168.21.1:52369 peer info: IV_PROTO=30
2024-01-05 23:15:28 us=521544 192.168.21.1:52369 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
2024-01-05 23:15:28 us=521551 192.168.21.1:52369 peer info: IV_IPv6=0
2024-01-05 23:15:28 us=521558 192.168.21.1:52369 peer info: IV_AUTO_SESS=1
2024-01-05 23:15:28 us=521566 192.168.21.1:52369 peer info: IV_GUI_VER=OCWindows_3.3.6-2752
2024-01-05 23:15:28 us=521574 192.168.21.1:52369 peer info: IV_SSO=webauth,openurl,crtext
2024-01-05 23:15:28 us=521605 192.168.21.1:52369 peer info: IV_BS64DL=1
2024-01-05 23:15:28 us=521677 192.168.21.1:52369 TLS: Username/Password authentication deferred for username '' 
2024-01-05 23:15:28 us=521769 192.168.21.1:52369 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-01-05 23:15:28 us=521824 192.168.21.1:52369 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
2024-01-05 23:15:28 us=523273 MANAGEMENT: CMD 'client-pending-auth 3 1 "WEB_AUTH::https://ovpn-auth.company.io/oauth2/start?state=MeVQ3HXRlmhx51g0T8hZVPrj7OvBGk1UPEWEnmQdZ8H0rhDuLv9BGi9ZFLZEeCnJ" 180'
2024-01-05 23:15:28 us=523428 SENT CONTROL []: 'AUTH_PENDING,timeout 180' (status=1)
2024-01-05 23:15:28 us=523443 SENT CONTROL []: 'INFO_PRE,WEB_AUTH::https://ovpn-auth.company.io/oauth2/start?state=MeVQ3HXRlmhx51g0T8hZVPrj7OvBGk1UPEWEnmQdZ8H0rhDuLv9BGi9ZFLZEeCnJ' (status=1)
2024-01-05 23:15:28 us=527422 192.168.21.1:52369 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
2024-01-05 23:15:28 us=527493 192.168.21.1:52369 [] Peer Connection Initiated with [AF_INET]192.168.21.1:52369
2024-01-05 23:15:28 us=527806 192.168.21.1:52369 PUSH: Received control message: 'PUSH_REQUEST'

Related lines from server config:

verify-client-cert none
auth-user-pass-optional
management 127.0.0.1 5000 /etc/openvpn/password.txt
management-client-auth

These env variables are set:

  CONFIG_HTTP_BASEURL
  CONFIG_HTTP_LISTEN
  CONFIG_HTTP_SECRET
  CONFIG_OPENVPN_ADDR
  CONFIG_OPENVPN_PASSWORD
  CONFIG_OAUTH2_ISSUER
  CONFIG_OAUTH2_SCOPES
  CONFIG_OAUTH2_CLIENT_ID
  CONFIG_OAUTH2_CLIENT_SECRET
  CONFIG_OAUTH2_REFRESH_ENABLED
  CONFIG_OAUTH2_REFRESH_EXPIRES
  CONFIG_OAUTH2_REFRESH_SECRET

Screenshots from the browser:
[screenshot]

RichardSufliarsky commented on May 26, 2024

Could it be caused by a wrong cookie path?
[screenshot]

RichardSufliarsky commented on May 26, 2024

Tried with 1.13.1 and it works :)


jkroepke commented on May 26, 2024

@RichardSufliarsky the error you mention should be fixed in #112. I implemented some tests for cookie behavior and saw some additional errors. 1.13.3 should also work for you.
