
Comments (6)

jkroepke commented on May 26, 2024

@ncroese I guess there is an env mapping issue. Could you try --openvpn.auth-token-user?

Please note that this feature only works if the OpenVPN username is not empty at connect. See: OpenVPN/openvpn#296.

from openvpn-auth-oauth2.

ncroese commented on May 26, 2024

Thanks for your quick response!

I've updated to 1.11.0 and changed the property name in my configuration to CONFIG_OPENVPN_AUTH__TOKEN__USER. I also tried running without the property. This did not have any effect. Then I tried running with --openvpn.auth-token-user:

openvpn+  165390  0.0  1.5 1235716 14720 ?       Ssl  12:11   0:00 /usr/bin/openvpn-auth-oauth2 --openvpn.auth-token-user

This also did not seem to have any effect. Note that the OpenVPN username is not empty this time, as I provided that during auth.

Here are the logs of the session:

openvpn-auth-oauth2[165390]: time=2023-11-20T12:14:01.424Z level=INFO msg="new client connection" cid=2 kid=1 reason=CONNECT common_name="VPN Client v1" username=x
openvpn-auth-oauth2[165390]: time=2023-11-20T12:14:01.424Z level=INFO msg="start pending auth" cid=2 kid=1 reason=CONNECT common_name="VPN Client v1" username=x
openvpn-auth-oauth2[165390]: time=2023-11-20T12:14:01.561Z level=INFO msg="initialize authorization via oauth2" common_name="VPN Client v1" cid=0 kid=1 common_name="VPN Client v1" cid=1 kid=1 common_name="VPN Client v1" cid=2 kid=1
openvpn-auth-oauth2[165390]: time=2023-11-20T12:14:02.872Z level=INFO msg="successful authorization via oauth2" idtoken.subject=xxx idtoken.preferred_username=user.name@domain common_name="VPN Client v1" cid=1 kid=1 user.subject=xxx user.preferred_username=user.name@domain idtoken.subject=xxx idtoken.preferred_username=user.name@domain common_name="VPN Client v1" cid=2 kid=1 user.subject=xxx user.preferred_username=user.name@domain
openvpn-auth-oauth2[165390]: time=2023-11-20T12:14:03.678Z level=INFO msg="client established" cid=2 reason=ESTABLISHED common_name="VPN Client v1" username=x

This is my application config:

CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server.sock
CONFIG_OPENVPN_PASSWORD=xxx
#CONFIG_OPENVPN_AUTH__TOKEN__USER=true
CONFIG_OAUTH2_ISSUER=https://login.microsoftonline.com/xxx/v2.0
CONFIG_OAUTH2_CLIENT_ID=xxx
CONFIG_OAUTH2_CLIENT_SECRET=xxx
CONFIG_HTTP_LISTEN=:9000
CONFIG_HTTP_SECRET=xxx
CONFIG_HTTP_BASEURL=https://xxx:8443

Openvpn server config:

proto udp
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 6
mute 10
ca "ca.crt"
cert "server.crt"
key "server.key"
tls-crypt-v2 "server-tc2.key"
dh "dh.pem"
tls-version-min 1.2
data-ciphers AES-256-GCM
cipher AES-256-GCM
auth SHA256
remote-cert-tls client
port 1194
dev tun0
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:0:123::/64
management /run/openvpn/server.sock unix password.txt
management-hold
management-client-auth
auth-user-pass-optional
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1"

Openvpn client config:

dev tun
persist-tun
persist-key
auth SHA256
data-ciphers AES-256-GCM
tls-client
client
resolv-retry infinite
remote xxx 1194 udp4
setenv opt block-outside-dns
nobind
verify-x509-name "xxx" name
remote-cert-tls server
explicit-exit-notify
auth-user-pass
<ca>
</ca>
<cert>
</cert>
<key>
</key>
key-direction 1
<tls-crypt-v2>
</tls-crypt-v2>


jkroepke commented on May 26, 2024

If you see

openvpn[49636]: MANAGEMENT: CMD 'client-auth 0 1'

Then auth-token-user will be set:

_, err := c.SendCommandf("client-auth %d %d\npush \"auth-token-user %s\"\nEND", client.Cid, client.Kid, username)

Otherwise

openvpn[49636]: MANAGEMENT: CMD 'client-auth-nt 0 1'

is called.

Please note that the OpenVPN logs always show the Common Name, not the Username.

The Username is nearly invisible.


ncroese commented on May 26, 2024

Here is the log for the server:

openvpn[165384]: x.x.x.x:54249 peer info: IV_VER=2.5.9
openvpn[165384]: x.x.x.x:54249 peer info: IV_PLAT=mac
openvpn[165384]: x.x.x.x:54249 peer info: IV_PROTO=22
openvpn[165384]: x.x.x.x:54249 peer info: IV_CIPHERS=AES-256-GCM
openvpn[165384]: x.x.x.x:54249 peer info: IV_LZ4=1
openvpn[165384]: x.x.x.x:54249 peer info: IV_LZ4v2=1
openvpn[165384]: x.x.x.x:54249 peer info: IV_LZO=1
openvpn[165384]: x.x.x.x:54249 peer info: IV_COMP_STUB=1
openvpn[165384]: x.x.x.x:54249 peer info: IV_COMP_STUBv2=1
openvpn[165384]: x.x.x.x:54249 peer info: IV_TCPNL=1
openvpn[165384]: x.x.x.x:54249 peer info: IV_GUI_VER=Viscosity_1.10.8_1658
openvpn[165384]: x.x.x.x:54249 peer info: IV_SSO=webauth,openurl,crtext
openvpn[165384]: x.x.x.x:54249 TLS: Username/Password authentication deferred for username 'x'
openvpn[165384]: x.x.x.x:54249 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
openvpn[165384]: x.x.x.x:54249 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
openvpn[165384]: MANAGEMENT: CMD 'client-pending-auth 4 1 "WEB_AUTH::https://xxx/oauth2/start?state=xxx
openvpn[165384]: SENT CONTROL [VPN Client v1]: 'AUTH_PENDING,timeout 180' (status=1)
openvpn[165384]: SENT CONTROL [VPN Client v1]: 'INFO_PRE,WEB_AUTH::https://xxx/oauth2/start?state=xxx
openvpn[165384]: x.x.x.x:54249 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ED25519, signature: RSA-SHA256, peer temporary key: 253 bits X25519
openvpn[165384]: x.x.x.x:54249 [VPN Client v1] Peer Connection Initiated with [AF_INET]x.x.x.x:54249
openvpn[165384]: MANAGEMENT: CMD 'client-auth 4 1'
openvpn[165384]: VPN Client v1/x.x.x.x:54249 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=2001:db8:0:123::1000
openvpn[165384]: VPN Client v1/x.x.x.x:54249 MULTI: Learn: 10.8.0.2 -> VPN Client v1/x.x.x.x:54249
openvpn[165384]: VPN Client v1/x.x.x.x:54249 MULTI: primary virtual IP for VPN Client v1/x.x.x.x:54249: 10.8.0.2
openvpn[165384]: VPN Client v1/x.x.x.x:54249 MULTI: Learn: 2001:db8:0:123::1000 -> VPN Client v1/x.x.x.x:54249
openvpn[165384]: VPN Client v1/x.x.x.x:54249 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[165384]: VPN Client v1/x.x.x.x:54249 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[165384]: VPN Client v1/x.x.x.x:54249 SENT CONTROL [VPN Client v1]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1,tun-ipv6,route-gateway >
openvpn[165384]: VPN Client v1/x.x.x.x:54249 UDPv4 WRITE [442] to [AF_INET]x.x.x.x:54249: P_CONTROL_V1 kid=0 [ 4197 1535058125 1121767494 1732648937 3453201362 1666626655 2387595520 142645412>
openvpn[165384]: TLS Error: could not determine wrapping from [AF_INET]y.y.y.y:5834
openvpn[165384]: TLS Error: could not determine wrapping from [AF_INET]y.y.y.y:5834
openvpn[165384]: Float requested for peer 0 to y.y.y.y:5834
openvpn[165384]: UDPv4 READ [100] from [AF_INET]x.x.x.x:54249: P_DATA_V2 kid=0 DATA len=99
openvpn[165384]: peer 0 (VPN Client v1) floated from x.x.x.x:54249 to [AF_INET]y.y.y.y:5834
openvpn[165384]: VPN Client v1/y.y.y.y:5834 Data Channel: cipher 'AES-256-GCM', peer-id: 0
openvpn[165384]: VPN Client v1/y.y.y.y:5834 Timers: ping 10, ping-restart 240

As you can see, there is a CMD 'client-auth 0 1' there, so that seems good. According to what you say, the push auth-token-user part is sadly not visible in the logs, but there should be some way to see if openvpn actually uses the pushed username. I don't see it in the logs and also not in the status file.

I tried configuring username-as-common-name, but then it will simply keep using the username I sent from the client. It is not changed after the client-auth pushes the new username:

openvpn[172008]: x.x.x.x:21245 TLS: Username/Password authentication deferred for username 'x' [CN SET]
openvpn[172008]: MANAGEMENT: CMD 'client-pending-auth 0 1 "WEB_AUTH::https://xxx/oauth2/start?state=xxx
openvpn[172008]: SENT CONTROL [x]: 'AUTH_PENDING,timeout 180' (status=1)
openvpn[172008]: SENT CONTROL [x]: 'INFO_PRE,WEB_AUTH::https://xxx/oauth2/start?state=xxx
openvpn[172008]: x.x.x.x:21245 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ED25519, signature: RSA-SHA256, peer temporary key: 253 bits X25519
openvpn[172008]: x.x.x.x:21245 [x] Peer Connection Initiated with [AF_INET]x.x.x.x:21245
openvpn[172008]: MANAGEMENT: CMD 'client-auth 0 1'
openvpn[172008]: x/x.x.x.x:21245 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=2001:db8:0:123::1002
openvpn[172008]: x/x.x.x.x:21245 MULTI: Learn: 10.8.0.4 -> x/x.x.x.x:21245
openvpn[172008]: x/x.x.x.x:21245 MULTI: primary virtual IP for x/x.x.x.x:21245: 10.8.0.4
openvpn[172008]: x/x.x.x.x:21245 MULTI: Learn: 2001:db8:0:123::1002 -> x/x.x.x.x:21245
openvpn[172008]: x/x.x.x.x:21245 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[172008]: x/x.x.x.x:21245 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[172008]: x/x.x.x.x:21245 SENT CONTROL [x]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1,tun-ipv6,route-gateway 10.8.0.1,topology subn>
openvpn[172008]: x/x.x.x.x:21245 Data Channel: cipher 'AES-256-GCM', peer-id: 0
openvpn[172008]: x/x.x.x.x:21245 Timers: ping 10, ping-restart 240


jkroepke commented on May 26, 2024

but there should be some way to see if openvpn actually uses the pushed username.

It's visible in the client logs, because the client logs the push options.

Maybe it is part of the SENT CONTROL [x] line. There is a > at the end of the line which indicates more content, but the screen is not large enough. But you can navigate with the arrow keys.

username-as-common-name

Not sure if that works, because the Common Name will be locked on session init.

I feel that you want something that I already described here: OpenVPN/openvpn#299

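To make the two points above checkable from logs (client-auth is followed by push lines and END, client-auth-nt is not; and the PUSH_REPLY line in journalctl is cut off with a trailing >), here is a small Go checker added as an illustration. It is not code from openvpn-auth-oauth2; the log lines in it are constructed to match the format quoted in this thread, with vpn.example standing in for the real host.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines in the shape of the server log quoted in the thread (not real data).
var sampleLog = []string{
	`openvpn[165384]: MANAGEMENT: CMD 'client-pending-auth 4 1 "WEB_AUTH::https://vpn.example/oauth2/start?state=abc`,
	`openvpn[165384]: MANAGEMENT: CMD 'client-auth 4 1'`,
	`openvpn[165384]: MANAGEMENT: CMD 'client-pending-auth 5 1 "WEB_AUTH::https://vpn.example/oauth2/start?state=def`,
	`openvpn[165384]: MANAGEMENT: CMD 'client-auth-nt 5 1'`,
}

// Alternation order matters: client-auth-nt must be tried before client-auth.
var cmdRe = regexp.MustCompile(`MANAGEMENT: CMD '(client-pending-auth|client-auth-nt|client-auth) (\d+) (\d+)`)

// DeferredAuthResults maps "cid/kid" of each client that went through client-pending-auth to the
// command that completed it: "client-auth" (push lines + END follow, so auth-token-user can be
// pushed), "client-auth-nt" (no push lines), or "" if no completion was logged.
func DeferredAuthResults(lines []string) map[string]string {
	res := map[string]string{}
	for _, l := range lines {
		m := cmdRe.FindStringSubmatch(l)
		if m == nil { continue }
		key := m[2] + "/" + m[3]
		if m[1] == "client-pending-auth" {
			res[key] = ""
		} else if _, pending := res[key]; pending {
			res[key] = m[1]
		}
	}
	return res
}

// PushReplyHasTokenUser checks a SENT CONTROL PUSH_REPLY line for an auth-token-user option.
// truncated is set when the line ends in '>' (journalctl cut it), so "not found" is inconclusive.
func PushReplyHasTokenUser(line string) (found, truncated bool) {
	i := strings.Index(line, "'PUSH_REPLY,")
	if i < 0 { return false, false }
	opts := strings.TrimSuffix(line[i+len("'PUSH_REPLY,"):], "' (status=1)")
	truncated = strings.HasSuffix(opts, ">")
	for _, o := range strings.Split(opts, ",") {
		if strings.HasPrefix(o, "auth-token-user ") {
			return true, truncated
		}
	}
	return false, truncated
}

func main() { fmt.Println(DeferredAuthResults(sampleLog)) } // map[4/1:client-auth 5/1:client-auth-nt]
```

Feed it the full journal output (journalctl -o cat, or the -l / arrow-key view) rather than a truncated screen, otherwise every PUSH_REPLY result comes back as inconclusive.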

ncroese commented on May 26, 2024

Maybe it is part of the SENT CONTROL [x] line. There is a > at the end of the line which indicates more content, but the screen is not large enough. But you can navigate with the arrow keys.

Looks like it is there indeed, so the auth client is actually working as expected. I don't see it in my client logs for some reason, but I guess even if it was there it wouldn't solve my problem :).

username-as-common-name

Not sure if that works, because the Common Name will be locked on session init.

I feel that you want something that I already described here: OpenVPN/openvpn#299

Yes, that is indeed what I am looking for. Let's hope they make this possible in the future.

Thanks for your help!

