OpenVPN / openvpn-gui

OpenVPN GUI is a graphical frontend for OpenVPN running on Windows 7 / 8 / 10. It creates an icon in the notification area from which you can control OpenVPN to start/stop your VPN tunnels, view the log and do other useful things.

Does SAML work with using SBL/PLAP with OpenVPN GUI? #687

Closed bgironx15 closed 1 month ago

bgironx15 commented 2 months ago

Hello @selvanair @lstipakov ,

I tested OpenVPN GUI with SBL/PLAP using PAM, LOCAL, LDAP, and RADIUS as Authentication Methods, and it worked fine; however, this didn't work with SAML.

This is what I noticed:

2024-05-07T13:45:36-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:45:36 181.236.101.224:49953 PUSH: Received control message: 'PUSH_REQUEST'"
2024-05-07T13:45:44-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:45:44 181.236.101.224:49953 PUSH: Received control message: 'PUSH_REQUEST'"
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_VER=2.6.10'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_PLAT=win'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_TCPNL=1'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_MTU=1600'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_NCP=2'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_PROTO=990'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_LZO_STUB=1'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_COMP_STUB=1'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_COMP_STUBv2=1'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_HWADDR=c0:3c:59:8d:ba:5d'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_SSL=OpenSSL_3.2.1_30_Jan_2024'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_PLAT_VER=10.0,_amd64_executable'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_GUI_VER=OpenVPN_GUI_11.48.0.0'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_SSO=openurl,webauth,crtext'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:45:47 181.236.101.224:51189 TLS: Username/Password authentication deferred for username 'brandon@test.net' "

management 127.0.0.1 12345
management-hold
management-query-passwords

I see that the OpenVPN GUI does not send IV_SSO=openurl,webauth,crtext to my VPN Server:

2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 VERIFY OK: depth=0, CN=test1'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_VER=2.6.10'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_PLAT=win'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_TCPNL=1'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_MTU=1600'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_NCP=2'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_PROTO=990'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_HWADDR=c0:3c:59:8d:ba:5d'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_SSL=OpenSSL_3.2.1_30_Jan_2024'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_PLAT_VER=10.0,_amd64_executable'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:46:09 181.236.101.224:52634 TLS: Username/Password authentication deferred for username 'brandon@test.net' "
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted'
2024-05-07T13:46:09-0500 [stdout#info] VPN Auth Failed: 'websso' ['This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)']
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 MANAGEMENT: CMD \'client-deny 16 1 "AS auth failed" "This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)"\''
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 MULTI: connection rejected: AS auth failed, CLI:This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 Delayed exit in 5 seconds'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:46:09 181.236.101.224:52634 SENT CONTROL [UNDEF]: 'AUTH_FAILED,This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)' (status=1)"
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:46:09 181.236.101.224:52634 SENT CONTROL [test1]: 'AUTH_FAILED,This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)' (status=1)"

Is this a bug?

schwabe commented 2 months ago

Apart from the fact that I am not sure if webauth/launching a browser works with PLAP/SBL, the UI normally starts OpenVPN with all the management-* options but also with --setenv IV_SSO openurl,webauth,crtext. If you start OpenVPN just with the management commands but not the setenv command, OpenVPN will not send that IV_SSO.

bgironx15 commented 2 months ago

I added the "setenv" directive to the Client Profile along with the management commands, and same situation (OpenVPN GUI is not sending IV_SSO=openurl,webauth,crtext):

management 127.0.0.1 12345
management-hold
management-query-passwords
setenv IV_SSO openurl,webauth,crtext

selvanair commented 2 months ago

> I added the "setenv" directive to the Client Profile along with the management commands, and same situation (OpenVPN GUI is not sending IV_SSO=openurl,webauth,crtext)

I think what you are missing is restarting the process after the config has been edited with IV_SSO. To do this, restart the OpenVPNService.

sc stop OpenVPNService
sc start OpenVPNService

Here is why: PLAP instances are launched by OpenVPNService at boot, not by OpenVPN-GUI. The UI at the PLAP screen or the GUI only allows you to control the already running openvpn.exe to put the tunnel on hold, reconnect, etc. All required options should be in the config file when openvpn.exe is launched by the service. Currently there is no way for the GUI to amend setenv options of an already running process.
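The two checks a practitioner would want after reading the explanation above, as an added example that is not part of the openvpn-gui project: (1) parse the client profile that OpenVPNService will launch at boot and report which of the thread's required options (`management`, `management-hold`, `management-query-passwords`, `setenv IV_SSO ... webauth`) are missing, since nothing can be added to the running process later; and (2) scan server-side log lines in the format quoted in this thread and list the client sessions whose peer info lacks `webauth`, which is exactly the condition the server rejected with AUTH_FAILED. The sample profile, the placeholder certificate body and the log lines (using RFC 5737 test addresses) are constructed for the example; the option names and log format come from the thread.

```python
"""Added example (not openvpn-gui project code): check a prestarted (PLAP/SBL)
OpenVPN profile for the options it must carry at launch, and detect from
server log lines which client sessions did not announce webauth in IV_SSO."""
import re
from collections import defaultdict

# Capabilities OpenVPN GUI normally announces via --setenv IV_SSO (from the thread).
GUI_SSO_CAPS = {"openurl", "webauth", "crtext"}

# Constructed sample profile; host, port and certificate body are placeholders.
SAMPLE_CONFIG = """\
client
remote vpn.example.test 1194
management 127.0.0.1 12345
management-hold
management-query-passwords
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
"""

# Constructed server log lines in the thread's format (addresses from RFC 5737).
SAMPLE_LOG = [
    "2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 192.0.2.10:51189 peer info: IV_VER=2.6.10'",
    "2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 192.0.2.10:51189 peer info: IV_GUI_VER=OpenVPN_GUI_11.48.0.0'",
    "2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 192.0.2.10:51189 peer info: IV_SSO=openurl,webauth,crtext'",
    "2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 192.0.2.10:52634 peer info: IV_VER=2.6.10'",
    "2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 192.0.2.10:52634 peer info: IV_PLAT=win'",
]


def parse_client_config(text):
    """Parse an OpenVPN client profile into the pieces relevant here.
    Comments and inline blocks such as <ca>...</ca> are skipped; only
    'management', 'management-hold', 'management-query-passwords' and
    'setenv' are interpreted, every other option is ignored."""
    cfg = {"setenv": {}, "flags": set(), "management": None}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):          # end of an inline block
            in_block = False
            continue
        if line.startswith("<"):           # start of an inline block
            in_block = True
            continue
        if in_block:
            continue
        opt, *args = line.split()
        if opt == "setenv" and len(args) >= 2:
            cfg["setenv"][args[0]] = " ".join(args[1:])
        elif opt == "management" and len(args) >= 2:
            cfg["management"] = (args[0], args[1])
        elif opt in ("management-hold", "management-query-passwords"):
            cfg["flags"].add(opt)
    return cfg


def announced_sso(cfg):
    """IV_SSO capabilities the client will send, taken only from the file:
    a service-started process cannot have setenv options added later."""
    return {c for c in cfg["setenv"].get("IV_SSO", "").split(",") if c}


def profile_missing_options(cfg):
    """List what a prestarted profile still lacks before a webauth-only
    server will accept it."""
    missing = []
    if cfg["management"] is None:
        missing.append("management")
    for flag in ("management-hold", "management-query-passwords"):
        if flag not in cfg["flags"]:
            missing.append(flag)
    if "webauth" not in announced_sso(cfg):
        missing.append("setenv IV_SSO ... webauth")
    return missing


# Matches "<addr>:<port> peer info: IV_KEY=value" inside the quoted log payload.
PEER_INFO_RE = re.compile(
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}:\d+) peer info: "
    r"(?P<key>IV_[A-Za-z0-9_]+)=(?P<val>[^'\"]*)")


def peer_info_by_session(log_lines):
    """Group IV_* peer-info values by client address:port."""
    sessions = defaultdict(dict)
    for line in log_lines:
        m = PEER_INFO_RE.search(line)
        if m:
            sessions[m.group("addr")][m.group("key")] = m.group("val").strip()
    return dict(sessions)


def sessions_without_webauth(sessions):
    """Sessions whose IV_SSO lacks 'webauth'; a SAML-only profile denies these."""
    return sorted(addr for addr, info in sessions.items()
                  if "webauth" not in info.get("IV_SSO", "").split(","))


if __name__ == "__main__":
    print("profile missing:", profile_missing_options(parse_client_config(SAMPLE_CONFIG)))
    fixed = parse_client_config(SAMPLE_CONFIG + "setenv IV_SSO openurl,webauth,crtext\n")
    print("after adding setenv:", profile_missing_options(fixed))
    print("sessions without webauth:", sessions_without_webauth(peer_info_by_session(SAMPLE_LOG)))
```

Run the profile check against the config file the service actually launches (not the copy the GUI shows), and remember that, per the comment above, the new `setenv` line only takes effect once the service has been restarted and a fresh openvpn.exe has read the file.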

bgironx15 commented 2 months ago

Hey @selvanair thanks. Now, I'm not getting that error but the SAML Authentication gets stuck here because there is no External Web Browser redirection so we can continue the SAML Authentication via IdP Login Page:

[screenshot]

How will that work if we're still before the Windows Login?

selvanair commented 2 months ago

Launching a browser is not supported from PLAP screen. CR_TEXT should work.

For prestarted connections, OPEN_URL will work only after the user logs in and the GUI attaches to the running process.

Edit: I started responding to this thread without reading the title or the initial question: No, SAML does not currently work from PLAP.

bgironx15 commented 2 months ago

@selvanair thanks for the clarification

Is there any plan to add SAML working with SBL/PLAP? Or is it not possible at all?

selvanair commented 2 months ago

No plans at my end. Opening a web browser should be possible, but doesn't look safe to me as everything runs as SYSTEM on logon screen.