Comments (15)
Forget about my last post. Just tested your latest release and it works without credentials, in Safari! I'm really happy, thanks again!
from openvpn-auth-oauth2.
@jkroepke thank you very much, 1.13.3 works for me.
from openvpn-auth-oauth2.
Could it be possible that your browser does not accept cookies?
I got an error that this value was missing, could not find it in the docs
Thanks, fixed in #108
from openvpn-auth-oauth2.
Thanks for your quick response. I wouldn't think my browser is the issue. I work with all kinds of OAuth/SAML/OIDC apps all day and they work fine. Anything I can do to further debug this issue? Or do you have a full reference config (server and client) for Azure that works on your end?
from openvpn-auth-oauth2.
Or do you have a full reference config
The OpenVPN configuration is not related to this error. The openvpn-auth-oauth2 configuration is close to mine including TLS, except I'm running with debug log level on my local machine.
The error message says that a specific cookie is missing. The cookie is set on /oauth2/start, then the browser is redirected to Azure, and on the callback URL the cookie is requested again.
One error could be if the hostname of /oauth2/start is different after the redirect from Azure.
Ref: zitadel/oidc#331
from openvpn-auth-oauth2.
Debugging this issue is a bit hard. At least here is a step-by-step guide to debug the cookie handling in the browser.
I assume you are using a Chrome-based browser.
- Before connecting to the OpenVPN server, open a browser locally. On the new tab page, right click, Inspect. The browser console appears. Important: click on the Network tab and ensure that "Preserve log" is enabled.
- Ideally, you are not logged in to Azure with your main browser, otherwise you cannot intercept the flow.
- Ensure you have access to the OpenVPN server logs in real time. Tip: If you are using journalctl, use the option --no-pager. This prevents large links from being truncated.
1. Initiate the connection to the OpenVPN server, then close the browser opened by the OpenVPN client.
2. Go to the OpenVPN server logs, grab the line with INFO_PRE,WEB_AUTH and copy the link with the full state.
3. Paste the link in the tab where the browser console is opened.
4. Continue the auth flow.
5. On the access denied screen, check the browser console for any errors.
6. Then go to the Network tab again. There is a request with /oauth2/start. Click on Cookies and check if response cookies are present. Example screenshot:
7. Then go to the Network tab again. There is a request with /oauth2/callback. Click on Cookies and check if request cookies are present. Example screenshot:
from openvpn-auth-oauth2.
So the weirdest thing happened. I followed your procedure using Safari, but in step 6, I could not find the /oauth2/start request, even though that was the original request. So, I tried Chrome. Which worked, straight away. Not a single issue.
I tried again in Safari multiple times, logging out from the single Azure account, in incognito mode: Access Denied every single time. Copying the same URL from the logs, using it in Safari first: Access Denied, same URL in Chrome: Access granted.
As it turned out, in Safari the request is hidden under authorize. These are the cookies I see:
As for step 7: here there are no cookies at all...
==
Unrelated question: can you confirm auth-user-pass is necessary? The credentials I enter there are not used (if I enter test:test and use Chrome, the VPN connection gets created). But if I remove auth-user-pass the browser screen is not coming up. I see you use auth-user-pass-optional on the server side in one of your tests, is that related?
from openvpn-auth-oauth2.
As it turned out in Safari the request is hidden under authorize. These are the cookies I see:
It's not correct. authorize is the OIDC endpoint of Azure and of course the openvpn-auth-oauth2 cookies will not be sent to Azure.
And I'm able to reproduce the issue with the Safari browser.
Unrelated question
In my tests, I used auth-user-pass and auth-user-pass-optional to play with the auth-token features of OpenVPN, which are replaced by the builtin session refresh mechanism.
No, it's not necessary and can be omitted. Only
management /run/openvpn/server.sock unix /etc/openvpn/password.txt
management-client-auth
are mandatory and relate to openvpn-auth-oauth2.
from openvpn-auth-oauth2.
And I'm able reproduce the issue with Safari browser.
Do you expect this can be fixed in your module?
Unrelated question
What about the auth-user-pass in the client config? Without it, my browser does not open. With it, OpenVPN Connect on Mac shows a popup to enter the (required) credentials, but they are not actually used (anything works).
Time for bed :)
from openvpn-auth-oauth2.
Do you expect this can be fixed in your module?
Yeah, turns out that I set an invalid path on the cookies. Instead of /oauth2, I set oauth2, which is not conformant but is interpreted correctly by Chrome browsers.
This is my client config connecting to a local OpenVPN server running inside docker:
client
dev tun
nobind
remote 127.0.0.1 1194 udp4
remote-cert-tls server
resolv-retry infinite
tls-cert-profile preferred
persist-tun
verb 9
reneg-sec 0
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
server
dev tun0
server 100.64.0.0 255.255.255.0
verb 3
ca /etc/openvpn/pki/ca.crt
key /etc/openvpn/pki/private/server.key
cert /etc/openvpn/pki/issued/server.crt
dh none
keepalive 10 60
persist-key
persist-tun
explicit-exit-notify
tls-cert-profile preferred
topology subnet
proto udp
port 1194
fast-io
user nobody
group nogroup
#auth-gen-token
management 0.0.0.0 8081 /etc/openvpn/password.txt
#management 0.0.0.0 8081
management-hold
management-client-auth
#plugin /plugin/openvpn-auth-oauth2.so /plugin/config.yaml
reneg-sec 30
auth-user-pass-optional
That is what I use for local testing. It works with OpenVPN 2 based clients and OpenVPN 3 Connect. If you have auth-user-pass-optional or omit auth-user-pass on the server, then nothing should ask for credentials.
from openvpn-auth-oauth2.
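The cookie round trip described in this thread (cookie set on /oauth2/start, required again on /oauth2/callback; a hostname that differs after the redirect from Azure; a Path attribute of oauth2 instead of /oauth2) can be checked offline before stepping through a browser. The script below is an added example for this page, not code from openvpn-auth-oauth2: it pulls the WEB_AUTH link out of a server log line the way step 2 of the debugging guide does, parses the Set-Cookie header you would read off the /oauth2/start response in step 6, and applies the RFC 6265 default-path and path-match rules to decide whether that cookie should be presented on the callback in step 7. The log line, the cookie name state, the host vpn-auth.example.test and the state value are constructed for the example and are not the project's real cookie name or a real deployment.

```python
"""Offline checks for the state-cookie round trip of a WEB_AUTH login.

Added example for this thread, not openvpn-auth-oauth2 code.  All inputs
below are constructed; the cookie name "state" and the hosts are assumptions.
"""
import re
from urllib.parse import urlsplit

# Matches the link OpenVPN hands to the client, e.g. the server log line
#   SENT CONTROL []: 'INFO_PRE,WEB_AUTH::https://host/oauth2/start?state=...' (status=1)
# and the quoted form inside the management "client-pending-auth" command.
WEB_AUTH_RE = re.compile(r"""WEB_AUTH::(https?://[^'"\s]+)""")


def extract_web_auth_url(log_line):
    """Return the WEB_AUTH URL from an OpenVPN server log line, or None."""
    m = WEB_AUTH_RE.search(log_line)
    return m.group(1) if m else None


def default_path(request_path):
    """RFC 6265 section 5.1.4: default-path for a cookie without a usable Path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does request_path path-match cookie_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(header, request_url):
    """Parse one Set-Cookie header as a browser would (RFC 6265 section 5.2).

    A Path attribute that does not start with "/" is flagged as non-conformant;
    the RFC tells the user agent to ignore it and use the default-path instead.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    req = urlsplit(request_url)
    raw_path = attrs.get("path", "")
    path_ok = raw_path.startswith("/")
    return {
        "name": name.strip(),
        "value": value.strip(),
        "host": req.hostname,
        "raw_path": raw_path,
        "path_conformant": path_ok,
        "effective_path": raw_path if path_ok else default_path(req.path),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite", "").lower() or None,
    }


def cookie_sent_on(cookie, request_url):
    """Reasons the cookie would NOT accompany request_url; an empty list means it is sent."""
    u = urlsplit(request_url)
    problems = []
    if u.hostname != cookie["host"]:
        # The "hostname differs after the redirect from Azure" case from the thread.
        problems.append(f"host mismatch: cookie set on {cookie['host']}, callback on {u.hostname}")
    if cookie["secure"] and u.scheme != "https":
        problems.append("Secure cookie but the callback is not https")
    if not path_match(u.path, cookie["effective_path"]):
        problems.append(f"path {u.path} does not match cookie path {cookie['effective_path']}")
    if cookie["samesite"] == "strict":
        # The callback is a top-level navigation arriving from the IdP's site.
        problems.append("SameSite=Strict cookies are withheld on a cross-site redirect")
    return problems


def check_state_cookie_flow(log_line, set_cookie_header, callback_url):
    """Run the whole round trip: log line -> start URL -> cookie -> callback."""
    start_url = extract_web_auth_url(log_line)
    if start_url is None:
        raise ValueError("no INFO_PRE,WEB_AUTH link in log line")
    cookie = parse_set_cookie(set_cookie_header, start_url)
    findings = []
    if not cookie["path_conformant"]:
        findings.append(
            f'Path="{cookie["raw_path"]}" does not start with "/"; RFC 6265 ignores it '
            f'(default-path {cookie["effective_path"]}), but browsers differ'
        )
    findings.extend(cookie_sent_on(cookie, callback_url))
    return start_url, cookie, findings


# --- constructed sample data (not from a real deployment) -------------------
SAMPLE_LOG = (
    "2024-01-05 23:15:28 us=523443 SENT CONTROL []: "
    "'INFO_PRE,WEB_AUTH::https://vpn-auth.example.test/oauth2/start?state=EXAMPLESTATE' (status=1)"
)
BAD_COOKIE = "state=EXAMPLESTATE; Path=oauth2; HttpOnly; Secure; SameSite=Lax"    # the Path mistake from the thread
GOOD_COOKIE = "state=EXAMPLESTATE; Path=/oauth2; HttpOnly; Secure; SameSite=Lax"  # conformant
CALLBACK = "https://vpn-auth.example.test/oauth2/callback?code=abc&state=EXAMPLESTATE"

if __name__ == "__main__":
    for label, hdr in (("bad", BAD_COOKIE), ("good", GOOD_COOKIE)):
        start, cookie, findings = check_state_cookie_flow(SAMPLE_LOG, hdr, CALLBACK)
        print(label, start, cookie["effective_path"], findings or "ok")
```

A Path that does not start with "/" is reported even though RFC 6265 tells a user agent to fall back to the default-path (/oauth2 here, which would still path-match the callback), because, as this thread shows, browsers do not agree on that fallback: Chrome accepted the cookie and Safari did not. The host check covers the other failure mode the maintainer mentions, a base URL whose hostname differs from the one the IdP redirects back to.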
Thanks a lot for your quick action!
If you have auth-user-pass-optional or omit auth-user-pass on server, then nothing should ask for credentials.
Both of those options lead to a spinning connection wheel, but no browser being opened. Nothing seems wrong on the server side, except that the MANAGEMENT and SENT CONTROL logs are not there anymore.
Client logs:
[Jan 4, 2024, 02:16:30] OpenVPN core 3.8.1 mac arm64 64-bit built on Aug 23 2023 04:35:28
[Jan 4, 2024, 02:16:30] Frame=512/2112/512 mssfix-ctrl=1250
[Jan 4, 2024, 02:16:30] NOTE: This configuration contains options that were not used:
[Jan 4, 2024, 02:16:30] Ignored by option 'ignore-unknown-option'
[Jan 4, 2024, 02:16:30] 18 [block-outside-dns]
[Jan 4, 2024, 02:16:30] Unsupported option (ignored)
[Jan 4, 2024, 02:16:30] 2 [explicit-exit-notify]
[Jan 4, 2024, 02:16:30] 5 [resolv-retry] [infinite]
[Jan 4, 2024, 02:16:30] 7 [persist-key]
[Jan 4, 2024, 02:16:30] 8 [persist-tun]
[Jan 4, 2024, 02:16:30] 12 [auth-nocache]
[Jan 4, 2024, 02:16:30] EVENT: RESOLVE
[Jan 4, 2024, 02:16:30] Contacting <server_ip>:1194 via UDP
[Jan 4, 2024, 02:16:30] EVENT: WAIT
[Jan 4, 2024, 02:16:30] UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
"host" : "<server_ip>",
"ipv6" : false,
"pid" : 95527
}
[Jan 4, 2024, 02:16:30] Connecting to [<domain>]:1194 (<server_ip>) via UDP
[Jan 4, 2024, 02:16:30] EVENT: CONNECTING
[Jan 4, 2024, 02:16:30] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,key-method 2,tls-client
[Jan 4, 2024, 02:16:30] Creds: UsernameEmpty/PasswordEmpty
[Jan 4, 2024, 02:16:30] Peer Info:
IV_VER=3.8.1
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=OCmacOS_3.4.4-4629
IV_SSO=webauth,openurl,crtext
[Jan 4, 2024, 02:16:31] SSL Handshake: peer certificate: CN=server_2gxU7CObCpLBg6IL, 256 bit EC, group:prime256v1, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
[Jan 4, 2024, 02:16:31] Session is ACTIVE
[Jan 4, 2024, 02:16:31] EVENT: GET_CONFIG
[Jan 4, 2024, 02:16:31] Sending PUSH_REQUEST to server...
[Jan 4, 2024, 02:16:32] Sending PUSH_REQUEST to server...
[Jan 4, 2024, 02:16:34] Sending PUSH_REQUEST to server...
[Jan 4, 2024, 02:16:35] Raw stats on disconnect:
BYTES_IN : 2449
BYTES_OUT : 3059
PACKETS_IN : 8
PACKETS_OUT : 11
[Jan 4, 2024, 02:16:35] Performance stats on disconnect:
CPU usage (microseconds): 65867289
Network bytes per CPU second: 83
Tunnel bytes per CPU second: 0
[Jan 4, 2024, 02:16:35] EVENT: DISCONNECTED
from openvpn-auth-oauth2.
Sorry that I comment on the closed issue, but I am experiencing the same with the Chrome browser.
Logs from openvpn-auth-oauth2 (version 1.13.2, binary used, no package install) and OpenVPN 2.6.5 server:
time=2024-01-05T23:15:28.522Z level=INFO msg="new client connection" cid=3 kid=1 common_name="" reason=CONNECT username=""
time=2024-01-05T23:15:28.523Z level=INFO msg="start pending auth" cid=3 kid=1 common_name="" reason=CONNECT username=""
time=2024-01-05T23:15:28.744Z level=INFO msg="initialize authorization via oauth2" cid=3 kid=1 common_name=""
time=2024-01-05T23:15:28.980Z level=WARN msg="Unauthorized: failed to get state: http: named cookie not present"
time=2024-01-05T23:15:28.980Z level=ERROR msg="http: superfluous response.WriteHeader call from github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2.writeError (handler.go:244)"
2024-01-05 23:15:28 us=512342 Connection Attempt MULTI: multi_create_instance called
2024-01-05 23:15:28 us=513065 192.168.21.1:52369 Re-using SSL/TLS context
2024-01-05 23:15:28 us=513141 192.168.21.1:52369 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-01-05 23:15:28 us=513157 192.168.21.1:52369 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2024-01-05 23:15:28 us=513458 192.168.21.1:52369 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2024-01-05 23:15:28 us=513474 192.168.21.1:52369 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2024-01-05 23:15:28 us=521467 192.168.21.1:52369 peer info: IV_VER=3.git::d3f8b18b
2024-01-05 23:15:28 us=521491 192.168.21.1:52369 peer info: IV_PLAT=win
2024-01-05 23:15:28 us=521517 192.168.21.1:52369 peer info: IV_NCP=2
2024-01-05 23:15:28 us=521524 192.168.21.1:52369 peer info: IV_TCPNL=1
2024-01-05 23:15:28 us=521531 192.168.21.1:52369 peer info: IV_PROTO=30
2024-01-05 23:15:28 us=521544 192.168.21.1:52369 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
2024-01-05 23:15:28 us=521551 192.168.21.1:52369 peer info: IV_IPv6=0
2024-01-05 23:15:28 us=521558 192.168.21.1:52369 peer info: IV_AUTO_SESS=1
2024-01-05 23:15:28 us=521566 192.168.21.1:52369 peer info: IV_GUI_VER=OCWindows_3.3.6-2752
2024-01-05 23:15:28 us=521574 192.168.21.1:52369 peer info: IV_SSO=webauth,openurl,crtext
2024-01-05 23:15:28 us=521605 192.168.21.1:52369 peer info: IV_BS64DL=1
2024-01-05 23:15:28 us=521677 192.168.21.1:52369 TLS: Username/Password authentication deferred for username ''
2024-01-05 23:15:28 us=521769 192.168.21.1:52369 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-01-05 23:15:28 us=521824 192.168.21.1:52369 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
2024-01-05 23:15:28 us=523273 MANAGEMENT: CMD 'client-pending-auth 3 1 "WEB_AUTH::https://ovpn-auth.company.io/oauth2/start?state=MeVQ3HXRlmhx51g0T8hZVPrj7OvBGk1UPEWEnmQdZ8H0rhDuLv9BGi9ZFLZEeCnJ" 180'
2024-01-05 23:15:28 us=523428 SENT CONTROL []: 'AUTH_PENDING,timeout 180' (status=1)
2024-01-05 23:15:28 us=523443 SENT CONTROL []: 'INFO_PRE,WEB_AUTH::https://ovpn-auth.company.io/oauth2/start?state=MeVQ3HXRlmhx51g0T8hZVPrj7OvBGk1UPEWEnmQdZ8H0rhDuLv9BGi9ZFLZEeCnJ' (status=1)
2024-01-05 23:15:28 us=527422 192.168.21.1:52369 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
2024-01-05 23:15:28 us=527493 192.168.21.1:52369 [] Peer Connection Initiated with [AF_INET]192.168.21.1:52369
2024-01-05 23:15:28 us=527806 192.168.21.1:52369 PUSH: Received control message: 'PUSH_REQUEST'
Related lines from server config:
verify-client-cert none
auth-user-pass-optional
management 127.0.0.1 5000 /etc/openvpn/password.txt
management-client-auth
These env variables are set:
CONFIG_HTTP_BASEURL
CONFIG_HTTP_LISTEN
CONFIG_HTTP_SECRET
CONFIG_OPENVPN_ADDR
CONFIG_OPENVPN_PASSWORD
CONFIG_OAUTH2_ISSUER
CONFIG_OAUTH2_SCOPES
CONFIG_OAUTH2_CLIENT_ID
CONFIG_OAUTH2_CLIENT_SECRET
CONFIG_OAUTH2_REFRESH_ENABLED
CONFIG_OAUTH2_REFRESH_EXPIRES
CONFIG_OAUTH2_REFRESH_SECRET
from openvpn-auth-oauth2.
Could it be caused by wrong cookie path?
from openvpn-auth-oauth2.
Tried with 1.13.1 and it works :)
from openvpn-auth-oauth2.
@RichardSufliarsky the error you mention should be fixed in #112. I implemented some tests for cookie behavior and saw some additional errors. 1.13.3 should also work for you.
from openvpn-auth-oauth2.