jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle OIDC-based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License
153 stars 24 forks

Client does not support SSO authentication #136

Closed fe80 closed 7 months ago

fe80 commented 7 months ago

Current Behavior

Hello,

It's more a question than a bug. I would like to use OpenVPN without a client certificate and with Azure authentication, but without success.

Feb 01 15:27:28 ip-10-30-2-190 openvpn-auth-oauth2[198416]: time=2024-02-01T15:27:28.391Z level=INFO msg="new client connection" cid=0 kid=1 common_name="" reason=CONNECT username=<my mail>
Feb 01 15:27:28 ip-10-30-2-190 openvpn-auth-oauth2[198416]: time=2024-02-01T15:27:28.391Z level=WARN msg="OpenVPN Client does not support SSO authentication via webauth" cid=0 kid=1 common_name="" reason=CONNECT username=<mail>
Feb 01 15:27:28 ip-10-30-2-190 openvpn-auth-oauth2[198416]: time=2024-02-01T15:27:28.391Z level=INFO msg="deny OpenVPN client cid 0, kid 1" cid=0 kid=1 common_name="" reason=CONNECT username=<mail>

Expected Behavior

No response

Steps To Reproduce

My server conf

dev tun0
verb 3
server 10.200.200.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
topology subnet
dh /etc/ssl/private/dhparam-server.pem
proto udp
ca /etc/letsencrypt/live/xxx/chain.pem
key /etc/letsencrypt/live/xxx/privkey.pem
cert /etc/letsencrypt/live/xxx/cert.pem
allow-pull-fqdn
# no client certificate required; authentication is delegated entirely to the management client
verify-client-cert none
port 1194
# management socket that openvpn-auth-oauth2 connects to
management /run/openvpn/server.sock unix /etc/openvpn/password/server.txt
# let the management client (openvpn-auth-oauth2) accept or deny each connecting client
management-client-auth
cipher AES-256-GCM

My client conf

# directive keyword missing in the original post; assumed to be "remote"
remote xxx 1194
# prompts for username/password; does not by itself advertise webauth support (IV_SSO)
auth-user-pass
dev tun0
allow-pull-fqdn
pull
tls-client
ca /etc/ssl/certs/ca-bundle.crt

Environment

Anything else?

Does the issue come from my client? It looks like it comes from this function, but I don't understand why.

jkroepke commented 7 months ago

OpenVPN 2 does not have built-in capabilities for the OpenVPN web auth protocol. Additional OpenVPN clients like OpenVPN GUI for Windows and Tunnelblick (macOS OpenVPN client) can enrich the capabilities by setting IV_SSO to webauth, parsing the OpenVPN client logs and, if WEB_AUTH is detected, the client will take care of opening a browser. If IV_SSO is not set by an OpenVPN client, the connection is denied, as the reference recommends.

Ref: https://github.com/OpenVPN/openvpn/blob/e1f8c599aeb840909f5ea8e9ae0bc4dab5bc7deb/doc/management-notes.txt#L649-L661

The network-manager plugin for OpenVPN could also take care of this, but they are not interested in it.

For Linux, you can switch to OpenVPN3, which has the built-in capability for the web auth protocol. The OpenVPN 3 core library is sufficient; the proprietary client OpenVPN Connect is not required.
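How the IV_SSO check described above works on the management interface, as an added Go example (not the plugin's own code): it parses one CONNECT event, looks for webauth in the client's IV_SSO list and answers with client-deny or client-pending-auth. The sample event, the auth URL and the 180 s timeout are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of a management-interface CONNECT event from a client that sent no
// IV_SSO (so no webauth support), matching the "deny OpenVPN client cid 0, kid 1" log above.
const sampleEvent = ">CLIENT:CONNECT,0,1\n>CLIENT:ENV,common_name=\n" +
	">CLIENT:ENV,username=user@example.com\n>CLIENT:ENV,IV_VER=2.6.8\n>CLIENT:ENV,END\n"

// parseClientConnect reads ">CLIENT:CONNECT,cid,kid" plus the ">CLIENT:ENV,k=v" lines that
// follow it, up to ">CLIENT:ENV,END", and returns the ids and the peer-info environment.
func parseClientConnect(raw string) (cid, kid string, env map[string]string, err error) {
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, ">CLIENT:CONNECT,"):
			ids := strings.Split(strings.TrimPrefix(line, ">CLIENT:CONNECT,"), ",")
			if len(ids) != 2 {
				return "", "", nil, fmt.Errorf("malformed CONNECT line: %q", line)
			}
			cid, kid, env = ids[0], ids[1], map[string]string{}
		case env != nil && line == ">CLIENT:ENV,END":
			return cid, kid, env, nil
		case env != nil && strings.HasPrefix(line, ">CLIENT:ENV,"):
			if kv := strings.SplitN(strings.TrimPrefix(line, ">CLIENT:ENV,"), "=", 2); len(kv) == 2 {
				env[kv[0]] = kv[1]
			}
		}
	}
	return "", "", nil, fmt.Errorf("incomplete CONNECT event")
}

// decide returns the management command that answers the event. IV_SSO is a comma-separated
// list of SSO methods the client supports; only a client listing "webauth" can be handed a
// WEB_AUTH URL to open in a browser, every other client is denied (as the reference recommends).
// Command syntax follows the OpenVPN 2.6 management-notes; the 180 s timeout is an assumption.
func decide(cid, kid string, env map[string]string, authURL string) string {
	for _, method := range strings.Split(env["IV_SSO"], ",") {
		if strings.TrimSpace(method) == "webauth" {
			return fmt.Sprintf(`client-pending-auth %s %s "WEB_AUTH::%s" 180`, cid, kid, authURL)
		}
	}
	return fmt.Sprintf(`client-deny %s %s "OpenVPN Client does not support SSO authentication via webauth"`, cid, kid)
}
```

A client that sends no IV_SSO at all (the auth-user-pass client above) therefore always ends in client-deny, which is the WARN line in the log.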

fe80 commented 7 months ago

Ty for your reply

That's what I supposed, but I think I was confused by the README (which talks about > 2.6 and > 3.0).

Regards,