
Comments (35)

ihipop commented on May 26, 2024

And I've tried the official https://openvpn.net/cloud-vpn/; it will disconnect after lock screen too,

but it will auto-reconnect in the background without any manual operation when I turn the screen on, which is acceptable.

from openvpn-auth-oauth2.

ihipop commented on May 26, 2024

The client log of the official OpenVPN Cloud when iOS wakes up:

[Feb 19, 2024, 12:45:53] OS Event: WAKEUP

[Feb 19, 2024, 12:45:56] RESUME TEST: Internet:ReachableViaWiFi/-R -------

[Feb 19, 2024, 12:45:56] STANDARD RESUME

[Feb 19, 2024, 12:45:56] EVENT: RESUME

[Feb 19, 2024, 12:45:56] EVENT: RECONNECTING

[Feb 19, 2024, 12:45:56] EVENT: RESOLVE

[Feb 19, 2024, 12:45:56] Contacting 67.220.180.197:1194 via UDP

[Feb 19, 2024, 12:45:56] EVENT: WAIT

[Feb 19, 2024, 12:45:57] Connecting to [us-lax.gw.openvpn.com]:1194 (67.220.180.197) via UDP

[Feb 19, 2024, 12:45:57] EVENT: CONNECTING

[Feb 19, 2024, 12:45:57] Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client

[Feb 19, 2024, 12:45:57] Creds: Username/SessionID

[Feb 19, 2024, 12:45:57] Sending Peer Info:
IV_VER=3.8.3connect1
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
UV_UUID=**********************************
UV_PLAT_REL=15.8.1
UV_ASCLI_VER=3.4.1-5463
IV_GUI_VER=net.openvpn.connect.ios_3.4.1-5463
IV_SSO=webauth,openurl,crtext
IV_HWADDR=**********************************
IV_SSL=OpenSSL 3.0.8 7 Feb 2023


[Feb 19, 2024, 12:45:57] VERIFY OK: depth=1, /CN=CloudVPN Prod CA, signature: RSA-SHA256

[Feb 19, 2024, 12:45:57] VERIFY OK: depth=0, /CN=us-lax-dc1-g1.cloud.openvpn.net, signature: RSA-SHA256

[Feb 19, 2024, 12:45:57] SSL Handshake: peer certificate: CN=us-lax-dc1-g1.cloud.openvpn.net, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD


[Feb 19, 2024, 12:45:57] Session is ACTIVE

[Feb 19, 2024, 12:45:57] EVENT: GET_CONFIG

[Feb 19, 2024, 12:45:57] Sending PUSH_REQUEST to server...

[Feb 19, 2024, 12:45:57] OPTIONS:
0 [route-gateway] [100.96.1.1]
1 [ifconfig] [100.96.1.4] [255.255.255.240]
2 [ifconfig-ipv6] [fd:0:0:8100::4/64] [fd:0:0:8100::1]
3 [client-ip] [*.*.*.*]
4 [ping] [8]
5 [ping-restart] [40]
6 [reneg-sec] [3600]
7 [cipher] [AES-256-GCM]
8 [peer-id] [14964]
9 [key-derivation] [tls-ekm]
10 [topology] [subnet]
11 [explicit-exit-notify]
12 [remote-cache-lifetime] [86400]
13 [block-outside-dns]
14 [route] [100.96.0.0] [255.224.0.0]
15 [route-ipv6] [fd:0:0:8000::/49]
16 [route] [100.80.0.0] [255.240.0.0]
17 [route-ipv6] [fd:0:0:4000::/50]
18 [dhcp-option] [DNS] [100.96.1.1]
19 [auth-token] ...
20 [auth-token-user] [aW********iNTdk]


[Feb 19, 2024, 12:45:57] Session user: ihipop/********/********

[Feb 19, 2024, 12:45:57] Session token: [redacted]

[Feb 19, 2024, 12:45:57] PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  key-derivation: TLS Keying Material Exporter [RFC5705]
  compress: NONE
  peer ID: 14964
  control channel: tls-auth enabled

[Feb 19, 2024, 12:45:57] EVENT: ASSIGN_IP

[Feb 19, 2024, 12:45:57] NIP: preparing TUN network settings

[Feb 19, 2024, 12:45:57] NIP: init TUN network settings with endpoint: 67.220.180.197

[Feb 19, 2024, 12:45:57] NIP: adding IPv4 address to network settings 100.96.1.4/255.255.255.240

[Feb 19, 2024, 12:45:57] NIP: adding (included) IPv4 route 100.96.1.0/28

[Feb 19, 2024, 12:45:57] NIP: adding IPv6 address to network settings fd:0:0:8100::4/64

[Feb 19, 2024, 12:45:57] NIP: adding (included) IPv6 route fd:0:0:8100::/64

[Feb 19, 2024, 12:45:57] NIP: adding (included) IPv4 route 100.96.0.0/11

[Feb 19, 2024, 12:45:57] NIP: adding (included) IPv4 route 100.80.0.0/12

[Feb 19, 2024, 12:45:57] NIP: adding (included) IPv6 route fd:0:0:8000::/49

[Feb 19, 2024, 12:45:57] NIP: adding (included) IPv6 route fd:0:0:4000::/50

[Feb 19, 2024, 12:45:57] NIP: adding DNS 100.96.1.1

[Feb 19, 2024, 12:45:57] NIP: allowFamily(AF_INET, 1)

[Feb 19, 2024, 12:45:57] NIP: allowFamily(AF_INET6, 1)

[Feb 19, 2024, 12:45:57] NIP: adding match domain ALL

[Feb 19, 2024, 12:45:57] NIP: adding DNS specific routes:

[Feb 19, 2024, 12:45:57] NIP: adding (included) IPv4 route 100.96.1.1/32

[Feb 19, 2024, 12:45:57] Connected via NetworkExtensionTUN

[Feb 19, 2024, 12:45:57] EVENT: CONNECTED ihipop/********/********@us-lax.gw.openvpn.com:1194 (67.220.180.197) via *.*.*.*/UDP on NetworkExtensionTUN/100.96.1.4/fd:0:0:8100::4 gw=[/] mtu=(default)

[Feb 19, 2024, 12:45:58] EVENT: INFO ACL_ID:1

Client log with openvpn-auth-oauth2:

[Feb 19, 2024, 12:39:52] OS Event: WAKEUP

[Feb 19, 2024, 12:39:55] RESUME TEST: Internet:ReachableViaWiFi/-R -------

[Feb 19, 2024, 12:39:55] STANDARD RESUME

[Feb 19, 2024, 12:39:55] EVENT: RESUME

[Feb 19, 2024, 12:39:55] EVENT: RECONNECTING

[Feb 19, 2024, 12:39:55] EVENT: RESOLVE

[Feb 19, 2024, 12:39:55] Contacting 172.18.0.88:1988 via UDP

[Feb 19, 2024, 12:39:55] EVENT: WAIT

[Feb 19, 2024, 12:39:55] Connecting to [172.18.0.88]:1988 (172.18.0.88) via UDP

[Feb 19, 2024, 12:39:55] EVENT: CONNECTING

[Feb 19, 2024, 12:39:55] Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client

[Feb 19, 2024, 12:39:55] Creds: UsernameEmpty/PasswordEmpty

[Feb 19, 2024, 12:39:55] Sending Peer Info:
IV_VER=3.8.3connect1
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.ios_3.4.1-5463
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1


[Feb 19, 2024, 12:39:55] VERIFY OK: depth=1, /CN=ACCESS SERVER CA, signature: ecdsa-with-SHA256

[Feb 19, 2024, 12:39:55] VERIFY OK: depth=0, /CN=server, signature: ecdsa-with-SHA256

[Feb 19, 2024, 12:39:55] SSL Handshake: peer certificate: CN=server, 384 bit EC, group:secp384r1, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD


[Feb 19, 2024, 12:39:55] Session is ACTIVE

[Feb 19, 2024, 12:39:55] EVENT: GET_CONFIG

[Feb 19, 2024, 12:39:55] Sending PUSH_REQUEST to server...

[Feb 19, 2024, 12:39:55] Extending connection timeout from 59 to 180 for pending authentification

[Feb 19, 2024, 12:39:55] EVENT: AUTH_PENDING timeout 180

[Feb 19, 2024, 12:39:55] EVENT: INFO WEB_AUTH::https://**************/oauth2/start?state=UqAi2aVZog48w0ovuYPo9MFB_zhn5tphrviSE3pf7sb72_qRhLpSOoZGJVMXejSeuBH1zjrMC_og5Ce5xJlJXf0

[Feb 19, 2024, 12:39:56] Sending PUSH_REQUEST to server...

[Feb 19, 2024, 12:39:56] OPTIONS:
0 [explicit-exit-notify] [3]
1 [persist-tun]
2 [route-gateway] [10.172.18.1]
3 [topology] [subnet]
4 [ping] [10]
5 [ping-restart] [30]
6 [auth-token-user] [b25fYTBjYjk1Y2MwYTc5ZDFkNzJkMTEwNTBkODU1YWMxYzU=]
7 [ifconfig] [10.172.18.2] [255.255.255.0]
8 [peer-id] [0]
9 [cipher] [CHACHA20-POLY1305]
10 [protocol-flags] [cc-exit] [tls-ekm] [dyn-tls-crypt]
11 [tun-mtu] [1500]


[Feb 19, 2024, 12:39:56] PROTOCOL OPTIONS:
  cipher: CHACHA20-POLY1305
  digest: NONE
  key-derivation: TLS Keying Material Exporter [RFC5705]
  compress: NONE
  peer ID: 0
  control channel: tls-crypt enabled

[Feb 19, 2024, 12:39:56] EVENT: ASSIGN_IP

[Feb 19, 2024, 12:39:56] NIP: preparing TUN network settings

[Feb 19, 2024, 12:39:56] NIP: init TUN network settings with endpoint: 172.18.0.88

[Feb 19, 2024, 12:39:56] NIP: adding IPv4 address to network settings 10.172.18.2/255.255.255.0

[Feb 19, 2024, 12:39:56] NIP: adding (included) IPv4 route 10.172.18.0/24

[Feb 19, 2024, 12:39:56] NIP: allowFamily(AF_INET, 1)

[Feb 19, 2024, 12:39:56] NIP: allowFamily(AF_INET6, 1)

[Feb 19, 2024, 12:39:56] NIP: setting MTU to 1500

[Feb 19, 2024, 12:39:56] Connected via NetworkExtensionTUN

[Feb 19, 2024, 12:39:56] EVENT: CONNECTED 172.18.0.88:1988 (172.18.0.88) via /UDP on NetworkExtensionTUN/10.172.18.2/ gw=[/] mtu=(default)

Note the difference in Creds.


ihipop commented on May 26, 2024

Related: OpenVPN/openvpn#296


jkroepke commented on May 26, 2024

If you are using the official OpenVPN Cloud, then OpenVPN will use username/password authentication, while openvpn-auth-oauth2 fully depends on WEBAUTH. WEBAUTH is required here to ensure that admins can add additional layers of authentication, e.g. MFA.

The openvpn.refresh.enabled=true works only if the client does not get disconnected. There is currently no way to detect a user between 2 connections.

A possible workaround could be that you define some dummy username/password in the OpenVPN client profile. openvpn-auth-oauth2 will not take care of them and will open the browser anyway.

Then, configure auth-token-gen on the OpenVPN server. Please note that there will be no re-authentication on the SSO provider, because OpenVPN will handle the REAUTH alone.

It could be possible that OpenVPN Cloud applies a non-public fix to solve that.


ihipop commented on May 26, 2024

@jkroepke

The official OpenVPN Cloud doesn't require any password authentication; they just use webauth too.
You can try it for free: https://openvpn.net/cloud-vpn/
And I can confirm that there is no PASSWORD in their config file.


ihipop commented on May 26, 2024

configure auth-token-gen on OpenVPN server.

I've already tried; it just fails directly when iOS wakes up.

The server log just says: TLS: Username/auth-token authentication failed for username ''
The client-side log: AUTH_FAILED

[Feb 19, 2024, 16:30:29] OS Event: SLEEP

[Feb 19, 2024, 16:30:29] EVENT: PAUSE

[Feb 19, 2024, 16:30:41] OS Event: WAKEUP

[Feb 19, 2024, 16:30:44] RESUME TEST: Internet:ReachableViaWiFi/-R -------

[Feb 19, 2024, 16:30:44] STANDARD RESUME

[Feb 19, 2024, 16:30:44] EVENT: RESUME

[Feb 19, 2024, 16:30:44] EVENT: RECONNECTING

[Feb 19, 2024, 16:30:44] EVENT: RESOLVE

[Feb 19, 2024, 16:30:44] Contacting 172.18.0.88:1988 via UDP

[Feb 19, 2024, 16:30:44] EVENT: WAIT

[Feb 19, 2024, 16:30:44] Connecting to [172.18.0.88]:1988 (172.18.0.88) via UDP

[Feb 19, 2024, 16:30:44] EVENT: CONNECTING

[Feb 19, 2024, 16:30:44] Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client

[Feb 19, 2024, 16:30:44] Creds: Username/SessionID

[Feb 19, 2024, 16:30:44] Sending Peer Info:
IV_VER=3.8.3connect1
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.ios_3.4.1-5463
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1


[Feb 19, 2024, 16:30:44] VERIFY OK: depth=1, /CN=ACCESS SERVER CA, signature: ecdsa-with-SHA256

[Feb 19, 2024, 16:30:44] VERIFY OK: depth=0, /CN=server, signature: ecdsa-with-SHA256

[Feb 19, 2024, 16:30:44] SSL Handshake: peer certificate: CN=server, 384 bit EC, group:secp384r1, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD


[Feb 19, 2024, 16:30:44] Session is ACTIVE

[Feb 19, 2024, 16:30:44] EVENT: GET_CONFIG

[Feb 19, 2024, 16:30:44] Sending PUSH_REQUEST to server...

[Feb 19, 2024, 16:30:44] AUTH_FAILED

[Feb 19, 2024, 16:30:44] EVENT: AUTH_FAILED [ERR]

[Feb 19, 2024, 16:30:44] EVENT: DISCONNECTED

[Feb 19, 2024, 16:31:19] Stop tunnel requested with reason: 1
[Feb 19, 2024, 16:31:19] EVENT: CORE_THREAD_DONE

[Feb 19, 2024, 16:31:19] EVENT: DISCONNECT_PENDING

[Feb 19, 2024, 16:31:19] Raw stats on disconnect:
  BYTES_IN : 5997
  BYTES_OUT : 6201
  PACKETS_IN : 20
  PACKETS_OUT : 23
  TUN_BYTES_OUT : 48
  TUN_PACKETS_OUT : 1
  AUTH_FAILED : 1
  N_PAUSE : 1
  N_RECONNECT : 1


[Feb 19, 2024, 16:31:19] Performance stats on disconnect:
  CPU usage (microseconds): 149797
  Tunnel compression ratio (uplink): inf
  Network bytes per CPU second: 81430
  Tunnel bytes per CPU second: 320
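The three reconnect patterns in the logs above (token accepted, a fresh WEB_AUTH round, token rejected) can be told apart mechanically. The Go program below is an added example, not code from the thread or from openvpn-auth-oauth2; it parses the OpenVPN Connect log format shown here and classifies each resume, using a constructed sample log (hostnames and state values are placeholders).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ResumeAttempt summarises one reconnect that follows an "OS Event: WAKEUP".
type ResumeAttempt struct {
	WakeTime string // timestamp of the WAKEUP line
	Creds    string // value of the "Creds:" line, e.g. Username/SessionID
	WebAuth  bool   // server answered AUTH_PENDING, i.e. a new WEB_AUTH round
	Outcome  string // "CONNECTED", "AUTH_FAILED", or "" if the log ends first
}

var (
	// "[Feb 19, 2024, 12:45:53] message", the OpenVPN Connect for iOS log format.
	lineRe  = regexp.MustCompile(`^\[([^\]]+)\] (.*)$`)
	credsRe = regexp.MustCompile(`^Creds: (\S+)$`)
)

// ParseResumes walks a client log and returns one entry per WAKEUP.
func ParseResumes(log string) []ResumeAttempt {
	var out []ResumeAttempt
	cur := -1 // index of the resume being filled; -1 before the first WAKEUP
	for _, raw := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(raw))
		if m == nil {
			continue
		}
		ts, msg := m[1], m[2]
		if msg == "OS Event: WAKEUP" {
			out = append(out, ResumeAttempt{WakeTime: ts})
			cur = len(out) - 1
			continue
		}
		if cur < 0 {
			continue
		}
		switch {
		case credsRe.MatchString(msg):
			out[cur].Creds = credsRe.FindStringSubmatch(msg)[1]
		case strings.HasPrefix(msg, "EVENT: AUTH_PENDING"):
			out[cur].WebAuth = true
		case strings.HasPrefix(msg, "EVENT: CONNECTED"):
			out[cur].Outcome = "CONNECTED"
		case strings.HasPrefix(msg, "EVENT: AUTH_FAILED"):
			out[cur].Outcome = "AUTH_FAILED"
		}
	}
	return out
}

// Diagnose maps one attempt to the situations seen in this thread.
func Diagnose(a ResumeAttempt) string {
	usedToken := strings.HasSuffix(a.Creds, "/SessionID")
	switch {
	case a.Outcome == "CONNECTED" && usedToken && !a.WebAuth:
		return "silent reconnect: server accepted the auth-token"
	case a.Outcome == "CONNECTED" && a.WebAuth:
		return "reconnected only after a new WEB_AUTH round (no usable auth-token)"
	case a.Outcome == "AUTH_FAILED" && usedToken:
		return "server rejected the auth-token (check auth-gen-token and the username the client sends)"
	case a.Outcome == "AUTH_FAILED":
		return "authentication failed without an auth-token"
	default:
		return "no terminal event for this resume"
	}
}

// SampleLog is a constructed excerpt modelled on the three logs in this thread.
const SampleLog = `[Feb 19, 2024, 12:39:52] OS Event: WAKEUP
[Feb 19, 2024, 12:39:55] Creds: UsernameEmpty/PasswordEmpty
[Feb 19, 2024, 12:39:55] EVENT: AUTH_PENDING timeout 180
[Feb 19, 2024, 12:39:56] EVENT: CONNECTED 172.18.0.88:1988 (172.18.0.88) via /UDP on NetworkExtensionTUN/10.172.18.2/ gw=[/] mtu=(default)
[Feb 19, 2024, 12:45:53] OS Event: WAKEUP
[Feb 19, 2024, 12:45:57] Creds: Username/SessionID
[Feb 19, 2024, 12:45:57] EVENT: CONNECTED user@vpn.example.invalid:1194 via UDP
[Feb 19, 2024, 16:30:41] OS Event: WAKEUP
[Feb 19, 2024, 16:30:44] Creds: Username/SessionID
[Feb 19, 2024, 16:30:44] AUTH_FAILED
[Feb 19, 2024, 16:30:44] EVENT: AUTH_FAILED [ERR]
[Feb 19, 2024, 16:30:44] EVENT: DISCONNECTED`

func main() {
	for _, a := range ParseResumes(SampleLog) {
		fmt.Printf("%s  creds=%-28s %s\n", a.WakeTime, a.Creds, Diagnose(a))
	}
}
```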



jkroepke commented on May 26, 2024

Then we may have to expect that OpenVPN Cloud is running a non-public OpenVPN server version with additional patches.

As you already mentioned, auth-token requires a username to be set first.

And there is currently no implementation to set/override the username from the server side:

You can upvote them, maybe it helps.

If auth-token-gen is configured, remove auth-user-pass-optional to ensure that each client has defined a username via auth-user-pass.


ihipop commented on May 26, 2024

Removing auth-user-pass-optional will make WEBAUTH hang and then fail:
https://forums.openvpn.net/viewtopic.php?t=31835
This bug was reported in 2021.

I've dived into the OpenVPN code base and found out that

https://github.com/OpenVPN/openvpn/blob/54475711eb119f6fbb263880fca08d4b10df752a/src/openvpn/ssl_verify.c#L1655

if there is any error when verifying the auth token, an error message should be reported

https://github.com/OpenVPN/openvpn/blob/6640a10bf6d84eeecc874b97e7c766bf84eef23f/src/openvpn/auth_token.c#L304-L400

but actually it is not,

and I can see in the code that an empty username is also OK when verifying the auth token

https://github.com/OpenVPN/openvpn/blob/6640a10bf6d84eeecc874b97e7c766bf84eef23f/src/openvpn/auth_token.c#L339-L346

so this is weird!


jkroepke commented on May 26, 2024

Removing auth-user-pass-optional will make WEBAUTH hang and then fail
forums.openvpn.net/viewtopic.php?t=31835
This bug was reported in 2021.

But the bug was fixed?


ihipop commented on May 26, 2024

After diving into the OpenVPN codebase
I made a guess about how they've made this work.
I will test it, and if it works, I will open a PR against DOC/CODE to "fix/archive" this mode.

I can confirm that even if the username is empty, the session id is still sent.


jkroepke commented on May 26, 2024

@ihipop are you using client certificates for OpenVPN Cloud/openvpn-auth-oauth2?


jkroepke commented on May 26, 2024

https://www.mail-archive.com/[email protected]/msg18819.html

Seems like

auth-token-gen 3600 external-auth

enables this behavior.


ihipop commented on May 26, 2024

https://www.mail-archive.com/[email protected]/msg18819.html

Seems like

auth-token-gen 3600 external-auth

enables this behavior.

Yes, it is, and external-auth still needs some work on the openvpn-auth-oauth2 side, which I'm working on.


ihipop commented on May 26, 2024

https://www.mail-archive.com/[email protected]/msg18819.html

Seems like

auth-token-gen 3600 external-auth

enables this behavior.

The actual situation is that even if I enable external-auth, the OpenVPN server still returns an AUTH failure to the client.
This is weird; I think it might be a bug.
And we can't control how to generate the session-id or validate it,
so we must do it on the openvpn-auth-oauth2 side.

I have roughly done it and confirmed this works without enabling auth-token-gen.
I will submit a PR when the polish is done.


jkroepke commented on May 26, 2024

And we can't control how to generate the session-id or validate it, so we must do it on the openvpn-auth-oauth2 side

I would disagree here.

Reading https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/#server-options

When the external-auth keyword is present the normal authentication method will always be called even if auth-token succeeds. Normally other authentications method are skipped if auth-token verification succeeds or fails.

This option postpones this decision to the external authentication methods and checks the validity of the account and do other checks.

In this mode the environment will have a session_id variable that holds the session id from auth-gen-token. Also an environment variable session_state is present. This variable indicates whether the auth-token has succeeded or not. It can have the following values:

  • Initial
    No token from client.
  • Authenticated
    Token is valid and not expired.
  • Expired
    Token is valid but has expired.
  • Invalid
    Token is invalid (failed HMAC or wrong length)
  • AuthenticatedEmptyUser / ExpiredEmptyUser
    The token is not valid with the username sent from the client but would be valid (or expired) if we assume an empty username was used instead. These two cases are a workaround for behaviour in OpenVPN 3. If this workaround is not needed these two cases should be handled in the same way as Invalid.

session_id and auth-token will still be validated by the OpenVPN server, but the validation result will be stored in the session_state environment variable. Then OpenVPN calls openvpn-auth-oauth2.

There is also a special AuthenticatedEmptyUser state which works if the client has an empty username.

Instead of generating our own auth-token, I would prefer that OpenVPN does this for me, and I would like to focus on session_state exclusively.

What do you think about #189?

I added an additional flag which enables the Session ID handling. If enabled, the refresh token will be bound to the user's session_id.

This has the benefit that if a user gets validated via auth-token, openvpn-auth-oauth2 will ask the OAuth2 provider if the user is still enabled.
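To make the session_state semantics quoted above concrete, here is an added Go example (not code from openvpn-auth-oauth2 or from the thread). It parses the CLIENT:CONNECT ... CLIENT:ENV,END block that the management interface delivers with management-client-auth and maps session_state to an action; the sample block, the allowEmptyUser switch and the hasRefreshToken hook are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is the reply an external-auth helper gives for one client connect.
type Action int

const (
	ActionWebAuth Action = iota // interactive SSO round (client-pending-auth)
	ActionRefresh               // silent OAuth2 refresh keyed by session_id
	ActionAccept                // client-auth-nt: the OpenVPN auth-token proves identity
	ActionDeny                  // client-deny
)

type ClientConnect struct {
	CID, KID string
	Env      map[string]string
}

// ParseClientConnect parses one ">CLIENT:CONNECT" ... ">CLIENT:ENV,END" block.
func ParseClientConnect(lines []string) (ClientConnect, error) {
	cc := ClientConnect{Env: map[string]string{}}
	seenEnd := false
	for _, l := range lines {
		l = strings.TrimSpace(l)
		switch {
		case strings.HasPrefix(l, ">CLIENT:CONNECT,"):
			parts := strings.Split(strings.TrimPrefix(l, ">CLIENT:CONNECT,"), ",")
			if len(parts) != 2 {
				return cc, fmt.Errorf("malformed CONNECT line: %q", l)
			}
			cc.CID, cc.KID = parts[0], parts[1]
		case l == ">CLIENT:ENV,END":
			seenEnd = true
		case strings.HasPrefix(l, ">CLIENT:ENV,"):
			if kv := strings.SplitN(strings.TrimPrefix(l, ">CLIENT:ENV,"), "=", 2); len(kv) == 2 {
				cc.Env[kv[0]] = kv[1]
			}
		}
	}
	if cc.CID == "" || !seenEnd {
		return cc, fmt.Errorf("incomplete CLIENT:CONNECT block")
	}
	return cc, nil
}

// Decide applies the session_state semantics from the 2.6 manual. allowEmptyUser
// enables the OpenVPN 3 empty-username workaround; otherwise the *EmptyUser states
// are treated like Invalid. hasRefreshToken says whether a token is cached for a session_id.
func Decide(cc ClientConnect, allowEmptyUser bool, hasRefreshToken func(string) bool) Action {
	state, sid := cc.Env["session_state"], cc.Env["session_id"]
	switch state {
	case "Authenticated":
		return ActionAccept
	case "AuthenticatedEmptyUser":
		if allowEmptyUser {
			return ActionAccept
		}
		return ActionWebAuth
	case "Expired", "ExpiredEmptyUser":
		if (state == "Expired" || allowEmptyUser) && sid != "" && hasRefreshToken(sid) {
			return ActionRefresh
		}
		return ActionWebAuth
	case "Initial", "Invalid", "":
		return ActionWebAuth // no token or a failed HMAC/length: re-prove identity interactively
	default:
		return ActionDeny // unknown state: fail closed
	}
}

// SampleBlock is a constructed management-interface excerpt, not from the thread.
var SampleBlock = []string{
	">CLIENT:CONNECT,7,2",
	">CLIENT:ENV,session_id=CONSTRUCTED_SESSION_ID",
	">CLIENT:ENV,session_state=AuthenticatedEmptyUser",
	">CLIENT:ENV,END",
}

func main() {
	cc, err := ParseClientConnect(SampleBlock)
	if err != nil {
		panic(err)
	}
	fmt.Println("action:", Decide(cc, true, func(string) bool { return false }))
}
```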


ihipop commented on May 26, 2024

Just try it:
when the username is empty and auth-token-gen is enabled, even with external-auth, the server will give the client an "AUTH_FAIL" directly and does not talk to the management interface.


jkroepke commented on May 26, 2024

the server will give the client an "AUTH_FAIL" directly and does not talk to the management interface

I tested this locally with an OpenVPN 3 client and I did not have that behavior.


ihipop commented on May 26, 2024

the server will give the client an "AUTH_FAIL" directly and does not talk to the management interface

I tested this locally with an OpenVPN 3 client and I did not have that behavior.

What's your OpenVPN server version?


ihipop commented on May 26, 2024

The error message occurs on the second auto-reconnect when waking up from sleep,
which is described in the first post.
The first connect works;
that's what auth-token is used for (not for the first connection).


jkroepke commented on May 26, 2024

What's your OpenVPN server version?

2.6.9

that's what auth-token is used for (not for the first connection)

I read the log from

#184 (comment)

and it uses SessionID/Auth-token after wake-up to authenticate here.


ihipop commented on May 26, 2024

What's your OpenVPN server version?

2.6.9

that's what auth-token is used for (not for the first connection)

I read the log from

#184 (comment)

and it uses SessionID/Auth-token after wake-up to authenticate here.

Yes, this is a second re-connect log to OpenVPN Cloud; they send an auth-token to the client after webauth succeeds,
and the second auto re-connect will use the auth-token instead of webauth.

On my own OpenVPN server, if I enable auth-token-gen, it will fail when auto re-connecting from wakeup.

Instead of generating our own auth-token, I would prefer that OpenVPN does this for me, and I would like to focus on session_state exclusively.

If this is working, there is no need for us to care about the session-state; the OpenVPN server will auto-auth the auto re-connect / re-auth with the auth-token.

But unfortunately, this doesn't work on my server when auto re-connecting from wakeup; the management interface got nothing,
only an error log like this:

TLS: Username/Password authentication failed for username ''

external-auth or not changes nothing.


jkroepke commented on May 26, 2024

if this is working, there is no need for us to care about the session-state

While I was testing, OpenVPN also passes session_state with Expired. I thought OpenVPN is calling external-auth even on token failure.

Please note that restarting the OpenVPN server makes all tokens invalid.


ihipop commented on May 26, 2024

Please note that restarting the OpenVPN server makes all tokens invalid.

I know about that, and there is an option to make the auth-token persistent after an OpenVPN restart.

While I was testing, OpenVPN also passes session_state with Expired. I thought OpenVPN is calling external-auth even on token failure.

IMO, if the server itself can verify the auth-token, I don't think it's a good idea to have external-auth interpose.

I will try again to test why auth-gen-token is not working on my machine.


jkroepke commented on May 26, 2024

I don't think it's a good idea to have external-auth interpose

I feel it is. openvpn-auth-oauth2 has the capability to ask the OIDC provider if the user is still enabled or expired. So it can perform additional checks without user interaction.


ihipop commented on May 26, 2024

I tried again, still this error.

Without external-auth:

TLS: Username/Password authentication failed for username ''

With external-auth:

>CLIENT:ENV,session_state=Initial

This value is always Initial, where AuthenticatedEmptyUser or another value is expected instead on re-auth/auto-reconnect,
and the session-id keeps changing.

[Feb 20, 2024, 17:49:40] OS Event: SLEEP

[Feb 20, 2024, 17:49:40] EVENT: PAUSE

[Feb 20, 2024, 17:49:46] OS Event: WAKEUP

[Feb 20, 2024, 17:49:49] RESUME TEST: Internet:ReachableViaWiFi/-R -------

[Feb 20, 2024, 17:49:49] STANDARD RESUME

[Feb 20, 2024, 17:49:49] EVENT: RESUME

[Feb 20, 2024, 17:49:49] EVENT: RECONNECTING

[Feb 20, 2024, 17:49:49] Contacting 172.18.0.88:1988 via UDP

[Feb 20, 2024, 17:49:49] EVENT: WAIT

[Feb 20, 2024, 17:49:49] Connecting to [172.18.0.88]:1988 (172.18.0.88) via UDP

[Feb 20, 2024, 17:49:49] EVENT: CONNECTING

[Feb 20, 2024, 17:49:49] Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client

[Feb 20, 2024, 17:49:49] Creds: UsernameEmpty/SessionID

[Feb 20, 2024, 17:49:49] Sending Peer Info:
IV_VER=3.8.3connect1
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
UV_UUID=2BB779C3-7765-46AA-9EB2-8E9BFC0500D8
UV_PLAT_REL=15.8.1
UV_ASCLI_VER=3.4.1-5463
IV_GUI_VER=net.openvpn.connect.ios_3.4.1-5463
IV_SSO=webauth,openurl,crtext
IV_HWADDR=2BB779C3-7765-46AA-9EB2-8E9BFC0500D8
IV_SSL=OpenSSL 3.0.8 7 Feb 2023
IV_BS64DL=1


[Feb 20, 2024, 17:49:49] VERIFY OK: depth=1, /CN=ACCESS SERVER CA, signature: ecdsa-with-SHA256

[Feb 20, 2024, 17:49:49] VERIFY OK: depth=0, /CN=server, signature: ecdsa-with-SHA256

[Feb 20, 2024, 17:49:49] SSL Handshake: peer certificate: CN=server, 384 bit EC, group:secp384r1, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD


[Feb 20, 2024, 17:49:49] Session is ACTIVE

[Feb 20, 2024, 17:49:49] EVENT: GET_CONFIG

[Feb 20, 2024, 17:49:49] Sending PUSH_REQUEST to server...

[Feb 20, 2024, 17:49:50] Sending PUSH_REQUEST to server...

[Feb 20, 2024, 17:49:52] Sending PUSH_REQUEST to server...

[Feb 20, 2024, 17:49:55] Sending PUSH_REQUEST to server...

[Feb 20, 2024, 17:49:58] Sending PUSH_REQUEST to server...

[Feb 20, 2024, 17:50:01] Sending PUSH_REQUEST to server...

[Feb 20, 2024, 17:50:01] OPTIONS:
0 [explicit-exit-notify] [3]
1 [persist-tun]
2 [route-gateway] [10.172.18.1]
3 [topology] [subnet]
4 [ping] [10]
5 [ping-restart] [30]
6 [ifconfig] [10.172.18.2] [255.255.255.0]
7 [peer-id] [0]
8 [auth-token] ...
9 [cipher] [CHACHA20-POLY1305]
10 [protocol-flags] [cc-exit] [tls-ekm] [dyn-tls-crypt]
11 [tun-mtu] [1500]


[Feb 20, 2024, 17:50:01] Session token: [redacted]

[Feb 20, 2024, 17:50:01] PROTOCOL OPTIONS:
  cipher: CHACHA20-POLY1305
  digest: NONE
  key-derivation: TLS Keying Material Exporter [RFC5705]
  compress: NONE
  peer ID: 0
  control channel: tls-crypt enabled

[Feb 20, 2024, 17:50:01] EVENT: ASSIGN_IP

[Feb 20, 2024, 17:50:01] NIP: preparing TUN network settings

[Feb 20, 2024, 17:50:01] NIP: init TUN network settings with endpoint: 172.18.0.88

[Feb 20, 2024, 17:50:01] NIP: adding IPv4 address to network settings 10.172.18.2/255.255.255.0

[Feb 20, 2024, 17:50:01] NIP: adding (included) IPv4 route 10.172.18.0/24

[Feb 20, 2024, 17:50:01] NIP: allowFamily(AF_INET, 1)

[Feb 20, 2024, 17:50:01] NIP: allowFamily(AF_INET6, 1)

[Feb 20, 2024, 17:50:01] NIP: setting MTU to 1500

[Feb 20, 2024, 17:50:01] Connected via NetworkExtensionTUN

[Feb 20, 2024, 17:50:01] EVENT: CONNECTED 172.18.0.88:1988 (172.18.0.88) via /UDP on NetworkExtensionTUN/10.172.18.2/ gw=[/] mtu=(default)




ihipop commented on May 26, 2024

I found out why.

The client will not send the auth-token when the username is empty; we need a username hint in the client config:

setenv USERNAME "[email protected]"

Then the server will get the correct session-state.
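The server and client settings this thread converges on, written out as an added example (not a profile from the thread or from openvpn-auth-oauth2): OpenVPN 2.6 spells the server directive auth-gen-token (the mail-archive quote above writes auth-token-gen); the management socket path and the username value are placeholders.

```conf
# server.conf (OpenVPN 2.6): the server issues and verifies the auth-token itself,
# but still calls the external helper, which sees session_id and session_state.
auth-gen-token 3600 external-auth
# keep auth-user-pass-optional: the thread reports that WEBAUTH hangs without it
auth-user-pass-optional
# assumed socket path; management-client-auth hands CLIENT:CONNECT to the helper
management /run/openvpn/server.sock unix
management-client-auth

# client.ovpn: username hint so that OpenVPN Connect sends the auth-token on
# reconnect; with an empty username it sends none and the server sees Initial.
# placeholder value, replace with the hint used by your deployment
setenv USERNAME "vpn-user@example.invalid"
```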



jkroepke commented on May 26, 2024

setenv USERNAME "[email protected]"

That's a funny hack.


ihipop commented on May 26, 2024

setenv USERNAME "[email protected]"

That's a funny hack.

Picked from OpenVPN Cloud.
You really should try it,
it's free.


ihipop commented on May 26, 2024

Closing since we've found a solution.


jkroepke commented on May 26, 2024

@ihipop

Sorry, for me it isn't clear now. I may need a summary here.

Does the PR #189 work or not?

I guess

setenv USERNAME "[email protected]"

is mandatory then here. Is OpenVPN Cloud also using [email protected]?


ihipop commented on May 26, 2024


jkroepke commented on May 26, 2024

I installed OVPN on my iPhone and it works. But it seems like auth-tokens are not getting refreshed.


ihipop commented on May 26, 2024


jkroepke commented on May 26, 2024

Why am I doing this?
Because CID always changes between re-connects; it only keeps the same
during re-auth, which will obviously miss the token cache

I do it, too. If oauth2.refresh.use-session-id is set to true, then session_id will be used instead of CID.

  1. I set the life-time of auth-token to 0

That's the difference. I may raise a question on OpenVPN.


ihipop commented on May 26, 2024

I do it, too. If oauth2.refresh.use-session-id is set to true, then session_id will be used instead of CID.

That's different: in your #189, when session-state is valid you still initiate a non-interactive oauth2 refresh, just as I commented in the code review.

In my fork with forced session-ID, if the auth-token is valid I will skip the non-interactive oauth2 refresh.

  1. I set the life-time of auth-token to 0

That's the difference. I may raise a question on OpenVPN.

This is explained in the documentation: the lifetime of the auth-token is the minimum of life-time and 2*reneg-sec, and it can only be renewed during the renew interval. This means that if you set the life-time parameter to zero, the lifetime of the auth-token is only related to token renewal.

