jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License

Viscosity WebAuth connection failed #271

Open heycarl opened 1 month ago

heycarl commented 1 month ago

### Current Behavior

When I try to connect to the OpenVPN server using openvpn-auth-oauth2 on macOS using the Viscosity client, the OAuth prompt is not displayed, but an error appears:

2024-05-19 00:11:54: Viscosity Mac 1.10.3 (1600)
2024-05-19 00:11:54: Viscosity OpenVPN Engine Started
2024-05-19 00:11:54: Running on macOS 14.4.1
2024-05-19 00:11:54: OpenVPN 2.5.7 arm-apple-darwin20.1.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jun 22 2022
2024-05-19 00:11:54: library versions: OpenSSL 1.1.1p  21 Jun 2022, LZO 2.10
2024-05-19 00:11:54: Resolving address: xxx.xxx
2024-05-19 00:11:55: Valid endpoint found: xxx.xxx.xxx.xxx:1194:udp
2024-05-19 00:11:55: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2024-05-19 00:11:55: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-05-19 00:11:55: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2024-05-19 00:11:55: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-05-19 00:11:55: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
2024-05-19 00:11:55: Socket Buffers: R=[786896->786896] S=[9216->9216]
2024-05-19 00:11:55: UDP link local: (not bound)
2024-05-19 00:11:55: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
2024-05-19 00:11:55: State changed to Authenticating
2024-05-19 00:11:55: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=af76b25e b1f7731a
2024-05-19 00:11:55: VERIFY OK: depth=1, CN=Mutex CA
2024-05-19 00:11:55: VERIFY KU OK
2024-05-19 00:11:55: Validating certificate extended key usage
2024-05-19 00:11:55: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-05-19 00:11:55: VERIFY EKU OK
2024-05-19 00:11:55: VERIFY OK: depth=0, CN=Mutex OpenVPN Server
2024-05-19 00:11:55: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2024-05-19 00:11:55: [Mutex OpenVPN Server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
2024-05-19 00:11:55: SENT CONTROL [Mutex OpenVPN Server]: 'PUSH_REQUEST' (status=1)
2024-05-19 00:11:55: AUTH: Received control message: AUTH_FAILED
2024-05-19 00:11:59: SIGUSR1[soft,auth-failure] received, process restarting

### Expected Behavior

Authentication prompt.

### Steps To Reproduce

No response

### Environment

### openvpn-auth-oauth2 logs

May 18 21:11:55 gate-grvt-cloud openvpn-auth-oauth2[1188432]: time=2024-05-18T21:11:55.275Z level=INFO msg="new client connection" ip=yyy.yyy.yyy.yyy:50331 cid=58 kid=1 common_name="Mutex OpenVPN Client" reason=CONNECT session_id=RHq1L9DD3Ky7wqJS session_state=Initial
May 18 21:11:55 gate-grvt-cloud openvpn-auth-oauth2[1188432]: time=2024-05-18T21:11:55.277Z level=WARN msg="OpenVPN Client does not support SSO authentication via webauth" ip=yyy.yyy.yyy.yyy:50331 cid=58 kid=1 common_name="Mutex OpenVPN Client" reason=CONNECT session_id=RHq1L9DD3Ky7wqJS session_state=Initial
May 18 21:11:55 gate-grvt-cloud openvpn-auth-oauth2[1188432]: time=2024-05-18T21:11:55.277Z level=INFO msg="deny OpenVPN client cid 58, kid 1" ip=yyy.yyy.yyy.yyy:50331 cid=58 kid=1 common_name="Mutex OpenVPN Client" reason=CONNECT session_id=RHq1L9DD3Ky7wqJS session_state=Initial
May 18 21:12:00 gate-grvt-cloud openvpn-auth-oauth2[1188432]: time=2024-05-18T21:12:00.257Z level=INFO msg="client disconnected" ip=: cid=58 common_name="" reason=DISCONNECT session_id="" session_state=""
### openvpn server logs

_No response_

### Anything else?

_No response_

jkroepke commented 1 month ago

May 18 21:11:55 gate-grvt-cloud openvpn-auth-oauth2[1188432]: time=2024-05-18T21:11:55.277Z level=WARN msg="OpenVPN Client does not support SSO authentication via webauth" ip=yyy.yyy.yyy.yyy:50331 cid=58 kid=1 common_name="Mutex OpenVPN Client" reason=CONNECT session_id=RHq1L9DD3Ky7wqJS session_state=Initial

The error is: OpenVPN Client does not support SSO authentication via webauth. OpenVPN clients must advertise that they support web authentication. If the flag IV_SSO is not present, the connection is denied.

Normally Viscosity fully supports WebAuth, no clue what's going wrong here.

You could try to set verb 3 on your OpenVPN server config.

If you observe a line with peer info: IV_SSO=openurl,webauth, then the error is inside openvpn-auth-oauth2. If the line is not present, there is an issue with that client.

heycarl commented 1 month ago

Hi! I updated my Viscosity client to 1.11.1 (1683) and got a new error message:

2024-05-28 03:00:52: SENT CONTROL [Mutex OpenVPN Server]: 'PUSH_REQUEST' (status=1)
2024-05-28 03:00:52: AUTH_PENDING received, extending handshake timeout from 60s to 180s
2024-05-28 03:00:52: Info command was pushed by server ('WEB_AUTH::http://my_idm')
2024-05-28 03:00:52: Error: Invalid URL in information request received from server.
2024-05-28 03:00:52: State changed to Disconnecting (Web Auth URL Error)

I'm a bit disappointed about this error, maybe someone has fixed this issue?

jkroepke commented 1 month ago

Sure, just share your settings.

sergiogiuffrida commented 1 month ago

Hi, I tested with: Viscosity 1.11.1 (1683) and it works fine.

Environment

jbekkema commented 4 weeks ago

2024-05-28 03:00:52: Info command was pushed by server ('WEB_AUTH::http://my_idm')

Viscosity only accepts HTTPS URLs, a plain HTTP URL will be rejected, which is likely what is going on here. Keep in mind the Web Auth traffic takes place outside of the VPN connection, so plain HTTP traffic could be intercepted.
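
An added example in Go (the project's language), not code from openvpn-auth-oauth2, covering the two checks this thread turns on: reading the peer-info a client sends in a management-interface CLIENT:CONNECT event to see whether IV_SSO advertises webauth (the WARN line above), and accepting a WEB_AUTH URL only when it is https (jbekkema's point). The event text and the function names are constructed for this example.

```go
package main

import (
	"net/url"
	"strings"
)

// Constructed CLIENT:CONNECT event in OpenVPN management-interface format; the
// IV_SSO value is a constructed example, not taken from the issue's logs.
const sampleConnectEvent = `>CLIENT:CONNECT,58,1
>CLIENT:ENV,common_name=Mutex OpenVPN Client
>CLIENT:ENV,IV_SSO=openurl,webauth
>CLIENT:ENV,END
`

// peerEnv collects the key=value pairs from the >CLIENT:ENV lines of one event.
func peerEnv(event string) map[string]string {
	env := make(map[string]string)
	for _, raw := range strings.Split(event, "\n") {
		line := strings.TrimPrefix(raw, ">CLIENT:ENV,")
		if line == raw || line == "END" {
			continue // not a peer-info line, or the END terminator
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			env[k] = v
		}
	}
	return env
}

// supportsWebAuth reports whether the client advertised "webauth" in IV_SSO;
// a client that did not is the case behind the WARN line quoted in the issue.
func supportsWebAuth(env map[string]string) bool {
	for _, method := range strings.Split(env["IV_SSO"], ",") {
		if method == "webauth" {
			return true
		}
	}
	return false
}

// acceptableWebAuthURL applies what jbekkema describes: Viscosity rejects a
// WEB_AUTH URL that is not https, so only https URLs with a host may be pushed.
func acceptableWebAuthURL(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == "https" && u.Host != ""
}
```

A client whose peer-info lacks IV_SSO, or lists only openurl, is denied before any URL is pushed; the http://my_idm URL from the later log is rejected by the URL check.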

jkroepke commented 4 weeks ago

Thanks for the info, I added this to the notes.

heycarl commented 4 weeks ago

Thank you! I will try to make the connection secured.