NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

OpenVPN3 oauth2: failed to disconnect tunnel #348274

Open jestro opened 2 weeks ago

jestro commented 2 weeks ago

Describe the bug

Whenever running a config with oauth2 (microsoft) web-authentication:

openvpn3 session-start --config ~/VPN/some.ovpn && openvpn3 session-auth
Using configuration profile from file: /home/jestro/VPN/some.ovpn
Session path: /net/openvpn/v3/sessions/2581d7f4s1246s412esb9a0s8e2181ff3630
Auth User name: correctuser
Auth Password: correctpass
** Aborted **
** ERROR ** Failed to disconnect tunnel (object does not exist)

Steps To Reproduce

  1. Have openvpn3 enabled as a program within your NixOS build.
    programs.openvpn3.enable = true;
  2. Have openvpn3 as a package in systemPackages.
  3. session-start a .ovpn config with oauth2 web authentication

Expected behavior

Normally running this command should give:

Using configuration profile from file: /home/debian/VPN/some.ovpn
Session path: /net/openvpn/v3/sessions/1be6f596sd7bas47e0saa43sb1b4f0245abc
Auth User name: correctuser
Auth Password: correctpass
Web based authentication required.
Could not open the URL automatically.
Open this URL to complete the connection: 
     auth url

Further manage this session using 'openvpn3 session-auth'
...

Note: this was done in a Debian VM.

Additional context

Notify maintainers

Metadata

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.6.44, NixOS, 24.11 (Vicuna), 24.11.20240809.5e0ca22`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.5`
 - nixpkgs: `/nix/store/0jr2kk95c34c0b6yxi75q4fqgb43kqkm-source`


KFearsoff commented 2 weeks ago

I'd like to be able to help, but the error message... is weird. And what's more unfortunate is that Nixpkgs uses openvpn3 version v20, which is quite outdated. The modern version is v23 with v24 landing soon-ish?

That makes it a little hard to diagnose what the issue is and if we can fix it. I've looked through the issues and changes between openvpn3 releases, but I found nothing related. The error message makes me think that the version is just too old to support OAuth, but I can't confirm it.

The PR that bumps the version is: #326623

Sorry for not being of much help!

jestro commented 2 weeks ago

No problem, I was aware that it is likely a version issue seeing as people with other distros had no issues. Do you think this could be fixed soon or do you have suggestions on how to run this .ovpn file through my host? I mostly want to avoid having to use a VM to VPN for my school project as it is quite a long way around. ^^"

KFearsoff commented 1 week ago

> Do you think this could be fixed soon

I'm not sure. I try to help out with reviewing it, but we still need someone with commit access to merge the PR.

> or do you have suggestions on how to run this .ovpn file through my host?

Hmm. You could patch your copy of Nixpkgs to include the PR changes, but it's a little tough. There are several options how to do it:

  1. Overlays aren't a great idea in this case, because there are several pretty big changes made.
  2. If you run Flakes, you could make a local git clone of Nixpkgs, `git switch` to the branch you prefer, and `git cherry-pick` the PR commits; you would then change the Nixpkgs input in your Flake to point to this local copy. It is terribly inconvenient to update, though.
  3. Use IFD to patch Nixpkgs. This is an advanced and not well-documented technique, so I advise you to ask for help in the Matrix space if you run into issues, but the basic idea is that you can use `patchedNixpkgs = (import inputs.nixpkgs { system = "x86_64-linux"; }).applyPatches { .. };` and then `import "${patchedNixpkgs}/nixos/lib/eval-config.nix" { .. };` to build a nixosSystem that works for flakes. My personal config uses this trick with some conveniences on top (one, two)

Hope that helps, at least a little!
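
The third option above, written out as a minimal `flake.nix` (an added example, not KFearsoff's configuration and not code from the PR). The host name `myhost`, the `./configuration.nix` module and the `nixos-unstable` input are assumptions, and the hash is a placeholder to replace with the value Nix reports on the first build.

```nix
{
  # Assumption: the channel to patch; use whichever branch you already track.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs, ... }:
    let
      system = "x86_64-linux";

      # Unpatched package set, used only to obtain applyPatches and fetchpatch.
      bootstrap = import nixpkgs { inherit system; };

      # Copy of the Nixpkgs source tree with the PR applied on top.
      # Evaluating anything from it requires building this derivation first
      # (import from derivation).
      patchedNixpkgs = bootstrap.applyPatches {
        name = "nixpkgs-with-pr-326623";
        src = nixpkgs;
        patches = [
          (bootstrap.fetchpatch {
            # GitHub serves the commits of a pull request as a patch series.
            url = "https://github.com/NixOS/nixpkgs/pull/326623.patch";
            # Placeholder: the first build fails and prints the real hash.
            # Paste that value here so the patch content is pinned.
            hash = bootstrap.lib.fakeHash;
          })
        ];
      };
    in
    {
      # Hypothetical host name; evaluate the system from the patched tree
      # instead of calling nixpkgs.lib.nixosSystem on the unpatched input.
      nixosConfigurations.myhost =
        import "${patchedNixpkgs}/nixos/lib/eval-config.nix" {
          inherit system;
          modules = [
            ./configuration.nix # assumption: your existing system module
            { programs.openvpn3.enable = true; }
          ];
        };
    };
}
```

Because the patch is a fixed-output fetch, a later force-push to the PR makes the hash check fail instead of changing what gets built; if the patch stops applying after a `nixpkgs` input update, the `applyPatches` build fails at that step.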