NHAS / wag

Simple Wireguard 2FA
BSD 3-Clause "New" or "Revised" License

Help needed with mfa #87

Closed Hans-kloss2 closed 5 months ago

Hans-kloss2 commented 5 months ago

Hello,

I am currently struggling with registering the OIDC client. I've set up Keycloak and followed the guide on how to set it up. Everything runs on localhost: https://nhas.github.io/wag-vpn.github.io/docs/guides/single_sign_on_with_keycloak/

It kind of works: when I connect via VPN and visit 10.8.0.1:82, I get redirected to Keycloak and log in with my credentials. Then Keycloak is set to redirect to the server's port 8080, which should be the MFA, but I get a 404 response? The wag logs then show the following: 2024/02/02 09:52:18 user 10.8.0.2 registering with oidc

Strangely, OIDC is shown in the wag management UI, but not shown as active when logging in with Keycloak.

I am very new to wag and maybe I have set something up incorrectly; for reference I added the config files and docker-compose:

NHAS commented 5 months ago

Just a heads up: you have leaked your Keycloak admin password and WireGuard private keys. So I am removing both files; unfortunately I can't remove the git revision of the comment, so you will have to change both of them.

As for your issue, I haven't used the OIDC connector myself in quite a while.

You need to post your Keycloak configuration, and also where your browser is getting redirected.

NHAS commented 5 months ago

It's also worth noting that I am trying to dial back on giving user support to folk unless there is a real bug involved, due to time constraints :)

Hans-kloss2 commented 5 months ago

Thanks for the fast reply,

Yes, indeed. This is only running on a local machine via a VM without port forwarding, only for development; for production there will be new keys set up and also a PostgreSQL for Keycloak. So I should be fine...

Browser redirection: http://10.143.94.68:8080/authorise/oidc?state=****

Keycloak logs: 2024-02-02 09:50:22,504 WARN [org.keycloak.events] (executor-thread-33) type=LOGIN_ERROR, realmId=***, clientId=wag, userId=null, ipAddress=10.0.2.2, error=invalid_redirect_uri, redirect_uri=http://10.143.94.68:8080/authorise/oidc

OK, that's understandable. I hope it's a quick fix; otherwise feel free to close this issue and I hope I get it working.

NHAS commented 5 months ago

invalid_redirect_uri from Keycloak indicates you haven't set up the instance correctly.

NHAS commented 5 months ago

I expect you've either got an additional trailing slash in Keycloak, or are missing one.
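
The comparison Keycloak makes when it raises invalid_redirect_uri, as an added example that is not part of this thread or of wag/Keycloak's own code: a registered "Valid redirect URI" matches only exactly, unless it ends in "*", in which case it matches as a prefix, so a trailing slash on one side and not the other is enough to fail. The query string (Keycloak appends state and code itself) is dropped before comparing; that simplification and the example URIs are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// stripQuery drops ?... and #... so "http://h/authorise/oidc?state=x" compares
// as "http://h/authorise/oidc". Simplification assumed by this example.
func stripQuery(u string) string {
	if i := strings.IndexAny(u, "?#"); i >= 0 {
		return u[:i]
	}
	return u
}

// RedirectAllowed reports whether candidate would be accepted by a client whose
// "Valid redirect URIs" are registered: exact match, or prefix match when the
// registered entry ends in "*".
func RedirectAllowed(registered []string, candidate string) bool {
	c := stripQuery(candidate)
	for _, r := range registered {
		if strings.HasSuffix(r, "*") {
			if strings.HasPrefix(c, strings.TrimSuffix(r, "*")) {
				return true
			}
		} else if r == c {
			return true
		}
	}
	return false
}

// Diagnose explains a rejection in the terms used in this thread: a
// trailing-slash mismatch, or no registered URI that matches at all.
func Diagnose(registered []string, candidate string) string {
	if RedirectAllowed(registered, candidate) {
		return "ok"
	}
	c := stripQuery(candidate)
	for _, r := range registered {
		if strings.TrimSuffix(r, "/") == strings.TrimSuffix(c, "/") {
			return "trailing slash mismatch: keycloak has " + r + ", wag sends " + c
		}
	}
	return "no registered redirect URI matches " + c
}

func main() {
	// Constructed inputs: Keycloak entry registered with a trailing slash,
	// wag sending the callback without one.
	registered := []string{"http://10.8.0.1:8080/authorise/oidc/"}
	sent := "http://10.8.0.1:8080/authorise/oidc?state=76c8b353f7fbc947b9d50519e485527c"
	fmt.Println(Diagnose(registered, sent))
}
```

Registering "http://10.8.0.1:8080/*" would also make the check pass, but a wildcard lets any page on that host receive the authorisation code, so prefer the exact callback path.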

Hans-kloss2 commented 5 months ago

My bad, this is an old one; now I run these settings: [screenshot]

This is how it looks inside the management UI; maybe it's already working? [screenshot]

Hans-kloss2 commented 5 months ago

They are just not registered with MFA: [screenshot]

NHAS commented 5 months ago

That means the registration process isn't marked as complete for some reason.

Are you able to log in with OIDC?

Hans-kloss2 commented 5 months ago

Yes, maybe I have set the endpoint wrong, because currently I am redirecting to 8080, which is the port for the API where users also get registered? And if I read it right there should be a VPN endpoint where 2FA is done?

Flow I get in the URL bar: http://10.143.94.68:8080/authorise/oidc?state=76c8b353f7fbc947b9d50519e485527c&session_state=7aacea19-a44f-492e-a1a4-f69d0a581389&iss=http%3A%2F%2F10.143.94.68%3A86%2Frealms%2Fvpn&code=f0028bc4-689d-449c-b49a-254a88a64297.7aacea19-a44f-492e-a1a4-f69d0a581389.19ad0cc1-9527-43ef-b645-8c0695596b07

Web response: 404 not found

Hans-kloss2 commented 5 months ago

I plan to address this issue throughout the week in the hope of resolving it. However, if it remains unresolved by Friday, I will close the issue...

Here's what's happening with the requests. Everything's fine until it tries to send the authenticated user flow to wag. Feel free to comment or not – I get that you're busy and your time is valuable.

[screenshot: browser requests up to the Keycloak login]

[screenshot: the final redirect to wag returning 404]

NHAS commented 5 months ago

Yeah, that looks vaguely right to me at the moment. I'm just gonna give it a test on the unstable branch, which is most certainly not ready for use.

However, it should roughly share the same code base as what you're running.

NHAS commented 5 months ago

Yeah I just got a new cluster up and running and followed my own instructions. Seems to work fine for me.

[screenshot: working OIDC registration in the management UI]

{"IssuerURL":"http://10.1.0.11:8080/realms/test","ClientSecret":"","ClientID":"account","GroupsClaimName":"groups"}

Can you give me your wag logs from startup until new user registration?

It's also worth noting you should add your user to at least one group in Keycloak.

NHAS commented 5 months ago

For completeness, here is my wag config:

{
    "Socket": "/tmp/wag.sock",
    "NumberProxies": 0,
    "Proxied": false,
    "NAT": true,
    "HelpMail": "help@example.com",
    "Lockout": 5,
    "MaxSessionLifetimeMinutes": 2,
    "SessionInactivityTimeoutMinutes": 1,
    "DownloadConfigFileName": "wg0.conf",
    "ManagementUI": {
        "ListenAddress": "127.0.0.1:4433",
        "Enabled": true,
        "Debug": true
    },
    "Webserver": {
        "Public": {
            "ListenAddress": ":8081"
        },
        "Tunnel": {
            "Port": "8080"
        }
    },
    "Authenticators": {
        "DefaultMethod": "oidc",
        "Issuer": "192.168.122.1:8080",
        "Methods": [
            "oidc"
        ],
        "DomainURL": "http://192.168.122.1:8080",
        "OIDC": {
            "IssuerURL": "http://10.1.0.11:8080/realms/test",
            "ClientSecret": "",
            "ClientID": "account", 
            "GroupsClaimName": "groups" 
        },
        "PAM": {
            "ServiceName": ""
        }
    },
    "Wireguard": {
        "DevName": "wg1",
        "ListenPort": 53230,
        "PrivateKey": "",
        "Address": "192.168.122.1/24",
        "ServerPersistentKeepAlive": 0
    },
    "DatabaseLocation": "devices.db",
    "Acls": {
        "Groups": {
            "group:administrators": [
                "toaster",
                "tester"
            ],
            "group:nerds": [
                "toaster",
                "tester",
                "abc"
            ]
        },
        "Policies": {
            "*": {
                "Mfa": [
                    "1.1.1.1",
                    "12.2.3.2",
                    "22.22.22.2",
                    "33.33.33.33",
                    "4.4.5.5",
                    "5.5.5.5"
                ],
                "Allow": [
                    "7.7.7.7",
                    "google.com"
                ]
            },
            "group:administrators": {
                "Mfa": [
                    "8.8.8.8"
                ]
            },
            "group:nerds": {
                "Mfa": [
                    "192.168.3.4/32"
                ],
                "Allow": [
                    "192.168.3.5/32"
                ]
            },
            "tester": {
                "Mfa": [
                    "192.168.3.0/24",
                    "192.168.5.0/24"
                ],
                "Allow": [
                    "4.3.3.3/32"
                ]
            },
            "toaster": {
                "Allow": [
                    "1.1.1.1/32"
                ]
            }
        }
    }
}

Hans-kloss2 commented 5 months ago

Hello, thank you very much! It's working now. I'll be back soon with a quick rundown of what I had configured incorrectly and then close this issue. Have a nice day :)

Hans-kloss2 commented 5 months ago

There was a configuration error in which I mistakenly set the IP address to my laptop's IP instead of the WireGuard server IP. The correct configuration should have been the IP address of the WireGuard server.

Here's the screenshot illustrating the incorrect configuration: [screenshot]

In the config.json, I only needed to set the IssuerURL to my laptop's IP address; all other settings should be directed to the internal WireGuard server.

Here's the screenshot demonstrating the necessary adjustments:

[screenshot: corrected configuration]

For completeness, here's my config.json:

{
    "Socket": "/tmp/wag.sock",
    "Proxied": false,
    "NAT": true,
    "HelpMail": "test@email.com",
    "Lockout": 5,
    "ExternalAddress": "10.8.0.1",
    "MaxSessionLifetimeMinutes": 1440,
    "SessionInactivityTimeoutMinutes": 60,
    "DownloadConfigFileName": "wg0.conf",
    "ManagementUI": {
        "ListenAddress": ":4433",
        "Enabled": true
    },
    "Webserver": {
        "Public": {
            "ListenAddress": ":80"
        },
        "Tunnel": {
            "Port": "8080"
        }
    },
    "Authenticators": {
        "DefaultMethod": "oidc",
        "Issuer": "wag",
        "Methods": [
            "oidc"
        ],
        "DomainURL": "http://10.8.0.1:8080",
        "OIDC": {
            "IssuerURL": "http://10.143.94.68:86/realms/vpn",
            "ClientSecret": "<redacted>",
            "ClientID": "wag",
            "GroupsClaimName": "groups"
        },
        "PAM": {
            "ServiceName": ""
        }
    },
    "Wireguard": {
        "DevName": "wg0",
        "ListenPort": 8009,
        "PrivateKey": "<redacted>",
        "Address": "10.8.0.1/24",
        "MTU": 1420
    },
    "DatabaseLocation": "/data/devices.db",
    "Acls": {
        "Groups": {
            "group:test": [
                "erik"
            ]
        },
        "Policies": {
            "*": {
                "Allow": [
                    "0.0.0.0/24",
                    "0.0.0.0/32",
                    "10.8.0.0/24",
                    "10.8.0.0/32",
                    "10.0.0.0/24",
                    "10.143.94.0/24"
                ]
            }
        }
    }
}

Now everything works and I can authenticate users via Keycloak. Thank you very much for your help :)
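
Two things this thread turned on, as an added example that is not part of the issue or of wag's own code: the maintainer's warning about pasting a config that still holds the WireGuard private key and client secret, and the final diagnosis that Authenticators.DomainURL must be the WireGuard server's tunnel address (where the MFA page is served) while only OIDC.IssuerURL points at the Keycloak host. The lint below reads the relevant subset of config.json, derives the callback to register in Keycloak, flags a DomainURL outside the tunnel subnet or on the wrong port, and emits a redacted copy safe to attach to an issue. Assumptions: the callback path /authorise/oidc is the one seen in the thread's redirect, that wag forms it as DomainURL plus that path is assumed; the two embedded configs are constructed from the ones posted above with placeholder secrets.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// WagConfig holds only the config.json fields this check needs.
type WagConfig struct {
	Webserver struct {
		Tunnel struct{ Port string }
	}
	Authenticators struct {
		DomainURL string
		OIDC      struct {
			IssuerURL    string
			ClientSecret string
			ClientID     string
		}
	}
	Wireguard struct {
		Address    string
		PrivateKey string
	}
}

func Parse(raw string) (WagConfig, error) {
	var c WagConfig
	err := json.Unmarshal([]byte(raw), &c)
	return c, err
}

// ExpectedRedirectURI is the callback to register as a Valid redirect URI in
// Keycloak. Path taken from the thread; composition is an assumption here.
func ExpectedRedirectURI(c WagConfig) string {
	return strings.TrimRight(c.Authenticators.DomainURL, "/") + "/authorise/oidc"
}

// Lint reports hard findings first (DomainURL host not in the tunnel subnet,
// DomainURL port not the tunnel webserver port), then a "warning:" for a plain
// http issuer, which is only acceptable in an isolated lab like this thread's.
func Lint(c WagConfig) []string {
	var out []string
	du, err := url.Parse(c.Authenticators.DomainURL)
	if err != nil || du.Host == "" {
		return []string{"DomainURL is not a valid URL: " + c.Authenticators.DomainURL}
	}
	_, tunnel, err := net.ParseCIDR(c.Wireguard.Address) // "10.8.0.1/24" -> 10.8.0.0/24
	if err != nil {
		return []string{"Wireguard.Address is not host/prefix: " + c.Wireguard.Address}
	}
	if ip := net.ParseIP(du.Hostname()); ip == nil || !tunnel.Contains(ip) {
		out = append(out, fmt.Sprintf("DomainURL host %s is outside the tunnel subnet %s; clients would be sent to a non-VPN address", du.Hostname(), tunnel))
	}
	if du.Port() != c.Webserver.Tunnel.Port {
		out = append(out, fmt.Sprintf("DomainURL port %q does not match Webserver.Tunnel.Port %q", du.Port(), c.Webserver.Tunnel.Port))
	}
	if iu, err := url.Parse(c.Authenticators.OIDC.IssuerURL); err == nil && iu.Scheme == "http" {
		out = append(out, "warning: OIDC.IssuerURL uses plain http; codes and tokens travel in clear, lab use only")
	}
	return out
}

// Redact blanks the two secrets that must never be pasted into an issue.
// The receiver is a value, so the caller's copy is left intact.
func Redact(c WagConfig) WagConfig {
	if c.Wireguard.PrivateKey != "" {
		c.Wireguard.PrivateKey = "<redacted>"
	}
	if c.Authenticators.OIDC.ClientSecret != "" {
		c.Authenticators.OIDC.ClientSecret = "<redacted>"
	}
	return c
}

// Constructed from the thread: DomainURL on the laptop IP (the mistake) and on
// the WireGuard server address (the fix). Secrets are placeholders.
const BrokenConfig = `{
  "Webserver": {"Public": {"ListenAddress": ":80"}, "Tunnel": {"Port": "8080"}},
  "Authenticators": {"DefaultMethod": "oidc", "DomainURL": "http://10.143.94.68:8080",
    "OIDC": {"IssuerURL": "http://10.143.94.68:86/realms/vpn", "ClientSecret": "PLACEHOLDER-SECRET", "ClientID": "wag"}},
  "Wireguard": {"DevName": "wg0", "Address": "10.8.0.1/24", "PrivateKey": "PLACEHOLDER-NOT-A-REAL-KEY"}
}`

const FixedConfig = `{
  "Webserver": {"Public": {"ListenAddress": ":80"}, "Tunnel": {"Port": "8080"}},
  "Authenticators": {"DefaultMethod": "oidc", "DomainURL": "http://10.8.0.1:8080",
    "OIDC": {"IssuerURL": "http://10.143.94.68:86/realms/vpn", "ClientSecret": "PLACEHOLDER-SECRET", "ClientID": "wag"}},
  "Wireguard": {"DevName": "wg0", "Address": "10.8.0.1/24", "PrivateKey": "PLACEHOLDER-NOT-A-REAL-KEY"}
}`

func main() {
	for name, raw := range map[string]string{"broken": BrokenConfig, "fixed": FixedConfig} {
		c, err := Parse(raw)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: register in Keycloak: %s\n", name, ExpectedRedirectURI(c))
		for _, f := range Lint(c) {
			fmt.Printf("  %s\n", f)
		}
		shareable, _ := json.MarshalIndent(Redact(c), "", "  ")
		fmt.Printf("  redacted copy:\n%s\n", shareable)
	}
}
```

Run it over the real config.json before opening an issue: the redacted output is what to paste, and a "DomainURL host ... outside the tunnel subnet" finding is exactly the laptop-IP mistake described above.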