jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle OIDC-based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License

Multiple OpenVPN services running on VM #276

Closed luk-kop closed 1 month ago

luk-kop commented 3 months ago

Problem Statement

Hi, I am wondering what is the best solution to use openvpn-auth-oauth2 plugin when running several OpenVPN services on the same VM. In my case, there are separate services for TCP and UDP mode (e.g. config files - /etc/openvpn/server/tcp.conf & /etc/openvpn/server/udp.conf). At this point, we are using openvpn-auth-ldap plugin for user authentication for both OpenVPN services and want to move to OIDC. Is it necessary to run two openvpn-auth-oauth2 daemons separately for both OpenVPN services in my situation?

openvpn-auth-oauth2 logs

Not related

Environment

jkroepke commented 3 months ago

Hi, yes.

For each VPN instance, openvpn-auth-oauth2 must run as a dedicated instance, too.

As far as I know, an OpenVPN server instance can also listen on UDP and TCP at the same time.

luk-kop commented 3 months ago

Correct, it is possible. I am currently running two OpenVPN server instances (TCP and UDP) on the same AWS EC2 instance. So, for every OpenVPN server, a dedicated openvpn-auth-oauth2 must run and expose a dedicated base URL for the /oauth2/callback endpoint? I plan to use the MS Entra ID provider; is it necessary to register two Azure applications in my case as well?

jkroepke commented 3 months ago

openvpn-auth-oauth2 supports running on a sub-path, e.g. vpn.example.com/tcp/oauth2/callback and vpn.example.com/udp/oauth2/callback

MS Entra ID applications support multiple callback URLs. You can have one Entra ID application for multiple openvpn-auth-oauth2 instances.

That's what we use (but just for another application).

luk-kop commented 3 months ago

Hi, I finally had a moment to test and some more questions/issues came up :):

  1. As a provider I use MS Entra ID. I noticed that when I run the openvpn-auth-oauth2 plugin it connects to the login.microsoftonline.com endpoint. In my case all traffic to the Internet will be proxied; does openvpn-auth-oauth2 support traffic proxying?
  2. Does openvpn-auth-oauth2 expose any health-check endpoint, e.g. /health or /healthz? In front of the OpenVPN server I have set up a Load Balancer and it performs some health-checks. At this point, I check the connection to TCP:9000 on the OpenVPN server, but this approach produces a lot of log warnings (openvpn-auth-oauth2 service):
    Jul 01 10:00:12 openvpn-server openvpn-auth-oauth2[4309]: {"time":"2024-07-01T10:00:12.167106597Z","level":"WARN","msg":"Bad Request: state is empty","error_id":"b440151e4729eb1a0865b36fd53196fa62104c9b98cb61c7827f69f5606d6ea4"}
    Jul 01 10:00:22 openvpn-server openvpn-auth-oauth2[4309]: {"time":"2024-07-01T10:00:22.167681427Z","level":"WARN","msg":"Bad Request: state is empty","error_id":"a01bd8aa43f46ce9cabdf0f7993b1ef041252b4dadb2d4bd71dabd6dc9e4be78"}
    Jul 01 10:00:32openvpn-server openvpn-auth-oauth2[4309]: {"time":"2024-07-01T10:00:32.167121857Z","level":"WARN","msg":"Bad Request: state is empty","error_id":"d49a3c89fe60661e13846d3e0264f041992048c319db5e99adc829063a8c7caf"}
    Jul 01 10:00:42 openvpn-server openvpn-auth-oauth2[4309]: {"time":"2024-07-01T10:00:42.167490337Z","level":"WARN","msg":"Bad Request: state is empty","error_id":"403237110bae1d56a7e340f66b670517ed79d8bf5e7db73d34e3358d4ed730ac"}
  3. I also noticed that after restarting the OpenVPN server service (management interface connection terminated), the openvpn-auth-oauth2 service (deb package) is deactivated and does not restart. Below you can find the systemd service status:
    
    openvpn-auth-oauth2.service - OpenVPN authenticator
     Loaded: loaded (/lib/systemd/system/openvpn-auth-oauth2.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Mon 2024-07-01 10:05:12 UTC; 25s ago
       Docs: https://github.com/jkroepke/openvpn-auth-oauth2
    Process: 4309 ExecStart=/usr/bin/openvpn-auth-oauth2 --config ${CONFIG_FILE} (code=exited, status=0/SUCCESS)
    Main PID: 4309 (code=exited, status=0/SUCCESS)
        CPU: 22.608s

    Jul 01 10:04:42 openvpn-server openvpn-auth-oauth2[4309]: {"time":"2024-07-01T10:04:42.168265638Z","level":"WARN","msg":"Bad Request: state is empty","error_id":"e52491584e133973d9f886dd6102cdccd433ed1cffb6be6f33f1ddb9a1a4862b"}
    Jul 01 10:04:52 openvpn-server openvpn-auth-oauth2[4309]: {"time":"2024-07-01T10:04:52.167513488Z","level":"WARN","msg":"Bad Request: state is empty","error_id":"cebcab0f16b46e8b5da69667d732d0305baf652b72e9bfd745a7a57fd8b57280"}
    Jul 01 10:05:02 openvpn-server openvpn-auth-oauth2[4309]: {"time":"2024-07-01T10:05:02.167547323Z","level":"WARN","msg":"Bad Request: state is empty","error_id":"0804f2d57c4b049a0981ff8db370731c5afb59f69b111947774ebf4622d81fcc"}
    Jul 01 10:05:12 openvpn-server openvpn-auth-oauth2[4309]: {"time":"2024-07-01T10:05:12.167068847Z","level":"WARN","msg":"Bad Request: state is empty","error_id":"0126aafc6a7e37f0428714658bc56fc0fbee0972ed90d80949c4315cc31f3450"}
    Jul 01 10:05:12 openvpn-server openvpn-auth-oauth2[4309]: {"time":"2024-07-01T10:05:12.323694455Z","level":"WARN","msg":"OpenVPN management interface connection terminated"}
    Jul 01 10:05:12 openvpn-server openvpn-auth-oauth2[4309]: {"time":"2024-07-01T10:05:12.323737076Z","level":"INFO","msg":"shutdown OpenVPN management connection"}
    Jul 01 10:05:12 openvpn-server openvpn-auth-oauth2[4309]: {"time":"2024-07-01T10:05:12.323793247Z","level":"INFO","msg":"start graceful shutdown of http server listener"}
    Jul 01 10:05:12 openvpn-server openvpn-auth-oauth2[4309]: {"time":"2024-07-01T10:05:12.324084821Z","level":"INFO","msg":"http server listener successfully terminated"}
    Jul 01 10:05:12 openvpn-server systemd[1]: openvpn-auth-oauth2.service: Deactivated successfully.
    Jul 01 10:05:12 openvpn-server systemd[1]: openvpn-auth-oauth2.service: Consumed 22.608s CPU time.

jkroepke commented 3 months ago

> In my case all traffic to the Internet will be proxied, does openvpn-auth-oauth2 support traffic proxying?

No, not yet. But it seems to be possible to implement an HTTP proxy via the HTTP_PROXY environment variable.

> Does openvpn-auth-oauth2 expose any health-check endpoint

No, not yet.

> I also noticed that after restarting OpenVPN server service (management interface connection terminated), the openvpn-auth-oauth2 service (deb package) is deactivated

I guess Restart=always should help here in the Service section of the unit file. Could you validate this?

Edit: https://github.com/jkroepke/openvpn-auth-oauth2/releases/tag/v1.21.4 now includes a /ready endpoint, and proxying is now supported via the HTTP_PROXY environment variable.
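The two answers above (one openvpn-auth-oauth2 instance per OpenVPN server on its own sub-path, and Restart=always plus HTTP_PROXY in the unit) can be put together as a systemd template unit with a per-instance config. This is an added example, not the project's packaged unit or config: the ExecStart path, the /tcp and /udp sub-paths, Restart=always, HTTP_PROXY and /ready come from the thread, while the YAML layout (http.baseurl, http.listen, openvpn.addr), the config directory, the proxy host and the ports are assumptions to adjust for your deployment.

```shell
#!/bin/sh
# Added example (not the project's own files): one openvpn-auth-oauth2
# instance per OpenVPN server via a systemd template unit, each with its
# own sub-path base URL, restarted automatically when OpenVPN restarts.
# Assumed: YAML config under /etc/openvpn-auth-oauth2/<name>.yaml and the
# keys http.baseurl / http.listen / openvpn.addr; proxy host is a placeholder.

# Template unit; enable with:
#   systemctl enable --now openvpn-auth-oauth2@tcp openvpn-auth-oauth2@udp
render_unit_template() {
  cat <<'EOF'
[Unit]
Description=OpenVPN authenticator (%i)
After=network-online.target openvpn-server@%i.service

[Service]
ExecStart=/usr/bin/openvpn-auth-oauth2 --config /etc/openvpn-auth-oauth2/%i.yaml
# The daemon exits 0 when the management connection drops, so "always"
# (not "on-failure") is needed to bring it back after an OpenVPN restart.
Restart=always
RestartSec=5s
# Outbound IdP traffic (login.microsoftonline.com) through the egress proxy.
Environment=HTTP_PROXY=http://proxy.example.internal:3128
Environment=HTTPS_PROXY=http://proxy.example.internal:3128
EOF
}

# Per-instance config: instance name, HTTP listen port, management port.
# Distinct listen ports let a load balancer probe each instance's /ready.
render_instance_config() {
  name=$1; http_port=$2; mgmt_port=$3
  cat <<EOF
http:
  baseurl: https://vpn.example.com/${name}
  listen: 127.0.0.1:${http_port}
openvpn:
  addr: tcp://127.0.0.1:${mgmt_port}
EOF
}

# Redirect URI to register on the (single, shared) Entra ID application.
callback_url() {
  render_instance_config "$1" 0 0 | awk '/baseurl:/ {print $2 "/oauth2/callback"}'
}

# Guard for a rendered unit: fails unless the restart policy is present.
has_restart_always() {
  grep -qx 'Restart=always'
}
```

Point the load balancer at each instance's /ready endpoint (v1.21.4+) instead of a bare TCP check on the HTTP port, which is what produced the "state is empty" warnings above.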

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.