jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License

Minor Issue with Makefile #211

Closed ForbiddenEra closed 7 months ago

ForbiddenEra commented 7 months ago

Current Behavior

root@freebsd:~/openvpn-auth-oauth2-1.19.1 # make build
make: "/root/openvpn-auth-oauth2-1.19.1/Makefile" line 40: Invalid line type
make: "/root/openvpn-auth-oauth2-1.19.1/Makefile" line 42: Invalid line type
make: "/root/openvpn-auth-oauth2-1.19.1/Makefile" line 44: Invalid line type
make: Fatal errors encountered -- cannot continue
make: stopped in /root/openvpn-auth-oauth2-1.19.1

Expected Behavior

Should build..

Steps To Reproduce

Try to build on FreeBSD 14.0

Environment

openvpn-auth-oauth2 logs

No response

openvpn server logs

No response

Anything else?

Just wrong line endings on those lines I guess? I was able to build removing the branch and just leaving the build statement in the else

Not really a huge issue, but I thought I'd point it out. Attempting to maybe try this out with pfSense.

jkroepke commented 7 months ago

> Just wrong line endings on those lines I guess?

Does dos2unix Makefile resolve your issue?

I'm far away from a BSD-based system. Even macOS - which uses a lot of BSD user space tools - is using GNU make.
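The thread raises two possible causes for the "Invalid line type" errors: CRLF line endings, and GNU make syntax being read by BSD make. As an added example (not part of the thread or the project), this sketch tells the two apart by flagging carriage returns and GNU-make-only conditional keywords, which BSD make expects in dot-prefixed form (`.if`, `.else`, `.endif`). The sample Makefile is constructed and does not reflect the project's actual Makefile.

```shell
#!/bin/sh
# Added example: classify Makefile lines that BSD make is likely to reject.
# Output is one "<line>:<reason>" entry per finding:
#   crlf             line ends in a carriage return (dos2unix would fix it)
#   gnu-conditional  GNU make conditional keyword (needs gmake or a rewrite)
diagnose_makefile() {
    awk '
        # Report and strip a trailing CR so the keyword check sees clean text.
        /\r$/ { print NR ":crlf"; sub(/\r$/, "") }
        # Recipe lines start with a tab; a shell "else" there is not a directive.
        !/^\t/ && $1 ~ /^(ifeq|ifneq|ifdef|ifndef|else|endif)$/ {
            print NR ":gnu-conditional"
        }
    ' "$1"
}

# Constructed sample input (assumption, not the project's Makefile):
# an ifeq/else/endif block plus one line with a CRLF ending.
make_sample() {
    printf 'build:\n\tgo build .\nifeq ($(OS),Windows_NT)\nEXT := .exe\r\nelse\nEXT :=\nendif\n' > "$1"
}

# Stand-alone run: pass a Makefile path to inspect it.
if [ -n "$1" ] && [ -f "$1" ]; then
    diagnose_makefile "$1"
fi
```

If only `gnu-conditional` lines are reported, building with `gmake` (GNU make) on FreeBSD avoids editing the Makefile.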

ForbiddenEra commented 7 months ago

> > Just wrong line endings on those lines I guess?
>
> Does dos2unix Makefile resolve your issue?
>
> I'm far away from a BSD-based system. Even macOS - which uses a lot of BSD user space tools - is using GNU make.

Not sure; was quicker to just drop the extra lines but yeah... and same goes for myself, only FreeBSD for TrueNAS and pfSense anymore which both usually require little messing with.

Seems you've fixed it, awesome, just wanted to let you know. Haven't finished testing this w/pfSense yet but I can report back if you're interested at all, my only concern is that pfSense itself also makes use of the socket but I think it might only use it for monitoring.

jkroepke commented 7 months ago

I'm interested if it works on pfSense.

I guess it makes sense to provide pre-built BSD artifacts?

ForbiddenEra commented 7 months ago

> I'm interested if it works on pfSense.
>
> I guess it makes sense to provide pre-built BSD artifacts?

Hopefully I'll be able to test sometime this week; if it does work, that would be great or even perhaps providing it as a pfSense module or at least a pkg or something, people on OPNsense might be interested as well but I haven't played with it much.

pfSense, while great for a lot of things, doesn't have a lot of options for OpenVPN auth stuff; you can only use an internal users database managed by the pfSense UI, a RADIUS server or an LDAP server and only when using its FreeRADIUS server are there any options for 2FA which is just TOTP like Google Authenticator.

Off topic a bit, but giving some background as to why I'm interested.. The closest I was able to get to a reasonable solution for now was using Keycloak to act as an LDAP provider with users created/sync'd into the LDAP from a SSO/OIDC/OAuth provider, but this is still far from ideal as it's still user/pass based and users would have to log in separately via Keycloak and either access the Keycloak user profile UI to set a password and/or set up Keycloak to require them to set a password on initial login.

But it still doesn't really solve the login process itself, still requires a user/pass on login and also doesn't allow revocation of active tokens. If I can get your module working that helps a lot, even if I continue using Keycloak for some of the peculiarities of our setup. I want to keep it easy for management to be able to manage access (devs mostly would SSO w/our dev system but occasional non-devs might need access) and having OIDC/OAuth2 would be a big step in the right direction, I'd still probably have to use Keycloak to forward devs to upstream SSO but allow for alternatives or set it up to auth through some page I set up myself providing multiple options.

I am also partly concerned about stuff related to #202 affecting part of what I'm trying to do but this whole thing is one of those weird setups where you kind of have to try everything in-situ to know if it'll be suitable. I did look into some of the docs for web auth and it's not as clear as I'd hoped, so good job on getting this far even.

Anyhow, I'll report back if I get your module up and running on pfSense regardless of whether it ends up being suitable for my setup as I definitely feel like it could be useful for many pfSense users; if anything, I feel like there's a large amount of people using pfSense w/OpenVPN or even mainly for OpenVPN and as I said the in-built stuff is definitely lacking.

Admittedly though, FreeBSD is less popular than it once was which was never that popular so outside of appliance/firewalls like pfSense/OPNsense I don't think it'd be worth your time to provide such artifacts; of course that's your choice but if it doesn't work with pfSense, I'm sure anyone who does need it on FreeBSD otherwise wouldn't have much issue compiling, other than the makefile issue I had zero problems compiling, just deployed a fresh FreeBSD 14 VM (since pfSense is limited in its packages and doesn't like having anything but their own pkg repos added for security/appliance reasons) and ran the make, easy - but definitely, if it works, then having it at least as a pkg if not available from pfSense's addons UI would be killer, plus would probably bring a lot of pfSense users if it was available there and worked/integrated well, though I'll see if it works and if so how much effort it takes.

Cheers and thanks for making and sharing the module either way!

jkroepke commented 7 months ago

Hi,

Thanks for your words. I'm a system administrator and I know firewalls such as pfSense, OPNsense and IPFire. I just didn't have them in mind, but in the meantime, I provide FreeBSD and OpenBSD artifacts directly. They are easy to build, just had to enable additional targets. The Go compiler handles the rest. With Go, I'm able to compile BSD builds from Linux systems. Feel free to test them.

I had the same situation as you where I had an OpenLDAP and had to move to an OIDC/SSO provider.

In terms of pkg addon support, I'm likely unable to handle this. The build tool supports only Linux packages + I had a deeper look into FreeBSD according to paths and more.

What might be helpful here would be a doc on how to integrate openvpn-auth-oauth2 into pfSense.

ForbiddenEra commented 7 months ago

> Thanks for your words.

No worries, thanks for sharing your hard work, even if it's perhaps a bit niche, it's the closest I've found to a potential solution without having to fully roll my own stuff or pay for OpenVPN's commercial offering (or pay for other solutions).

I did spend a bit looking into the #202 issue and was hoping I'd see a workaround but it's definitely a tricky one; hopefully it can get solved at some point.

> I had the same situation as you where I had an OpenLDAP and had to move to an OIDC/SSO provider.

Yeah; sorta does the job and Keycloak works to sync OIDC/SSO logins with OpenLDAP but it's not ideal.

> In terms of pkg addon support, I'm likely unable to handle this. The build tool supports only Linux packages + I had a deeper look into FreeBSD according to paths and more.

Yeah; I think you'd definitely need to spin up a FreeBSD instance to do the whole pkg part of things, let alone making it pfSense friendly.

> What might be helpful here would be a doc on how to integrate openvpn-auth-oauth2 into pfSense.

If I get it working, I can perhaps provide at least a simple summary of steps; I'm unlikely to provide a detailed write-up but we'll see.

Still haven't had a chance to dig into it yet; been a busy week trying to finish up some other stuff before I can get to it, hopefully I can find time over the long weekend here.

Cheers