jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License
158 stars, 24 forks

OpenVPN Server Two Connection Links #318

Open KodakMaciel opened 4 days ago

KodakMaciel commented 4 days ago

Problem Statement

I currently have an OpenVPN server with two integrated links and different IPs for the connection. How do I configure OpenVPN with other links?

Could you give an example?

NAME="AlmaLinux"
VERSION="9.4 (Seafoam Ocelot)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.4 (Seafoam Ocelot)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.4"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"
SUPPORT_END=2032-06-01

openvpn-auth-oauth2 logs

None.

Environment

jkroepke commented 4 days ago

Is it one OpenVPN server instance?

KodakMaciel commented 4 days ago

> Is it one OpenVPN server instance?

Yes! It's one server published to the internet, using two ISPs.

jkroepke commented 4 days ago

If I understand it correctly, nothing special must be considered. Just follow the normal docs.

KodakMaciel commented 4 days ago

> If I understand it correctly, nothing special must be considered. Just follow the normal docs.

There are two .ovpn configuration files pointing at the two ISPs, but the same server. What would the openvpn-auth-oauth2 configuration file look like?


Client Config_1

```
# "client" was missing from Config_1 as posted (Config_2 has it); without it
# OpenVPN neither acts as a TLS client nor pulls options from the server
client
dev tun
proto udp
remote 192.168.xxx.90 1194
resolv-retry 60
ca caT.crt
cert clientT.crt
key clientT.key
verb 5
remote-cert-tls server
auth-nocache
# "cipher" is deprecated for the data channel since OpenVPN 2.5; prefer data-ciphers
cipher AES-256-CBC
```

Client Config_2

```
client
dev tun
proto udp
remote 192.168.xxx.60 1194
resolv-retry 60
ca caT.crt
cert clientT.crt
key clientT.key
verb 5
remote-cert-tls server
auth-nocache
# "cipher" is deprecated for the data channel since OpenVPN 2.5; prefer data-ciphers
cipher AES-256-CBC
```

jkroepke commented 3 days ago

openvpn-auth-oauth2 only works on the server. The management interface on the server must be enabled. openvpn-auth-oauth2 will connect to the server instance.

KodakMaciel commented 3 days ago

> openvpn-auth-oauth2 only works on the server. The management interface on the server must be enabled. openvpn-auth-oauth2 will connect to the server instance.

I use two connection links for different ISPs. How do I specify this in the openvpn-auth-oauth2 configuration file?

```
CONFIG_HTTP_BASEURL="https://ISP_1:9000"

CONFIG_HTTP_BASEURL="https://ISP_2:9000"
```

jkroepke commented 3 days ago

Would a single domain with both ISP IPs (2 A records) be a solution?

KodakMaciel commented 3 days ago

> Would a single domain with both ISP IPs (2 A records) be a solution?

It’s not ideal because it will attempt to send information to both ISPs, and if one is down, it may send to the ISP that is unavailable.

Is it possible to configure two services of openvpn-auth-oauth2? For example, indicating openvpn-auth-oauth2_config_1 and openvpn-auth-oauth2_config_2?

jkroepke commented 3 days ago

The underlying library requires the redirect URL (which is based on the base URL) at initialization, and the initialization step is done at program start.

> It's not ideal because it will attempt to send information to both ISPs, and if one is down, it may send to the ISP that is unavailable.

At least browsers retry a different IP if one is down.

https://serverfault.com/questions/101053/is-round-robin-dns-good-enough-for-load-balancing-static-content/868535#868535

The current workaround would be 2 distinct OpenVPN servers.
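The two-server workaround from the last reply, together with the management-interface requirement stated earlier in the thread, spelled out as an added example that is not part of the issue or of the project's own documentation: one OpenVPN server instance per ISP, each bound to the local address that is routed via that ISP and each with its own management socket, plus one openvpn-auth-oauth2 instance per server, each with a base URL that only ever resolves to that ISP's public address. The addresses reuse the placeholders from the issue; the socket paths, tunnel subnets and the issuer are assumptions; CONFIG_HTTP_BASEURL is from the thread, while CONFIG_OPENVPN_ADDR, CONFIG_HTTP_LISTEN and CONFIG_OAUTH2_* are the variable names as I recall them from the project wiki, so verify them (and the callback path you register at the IdP) against the current wiki before use. Only the directives relevant to the question are shown; certificates, DH parameters and cipher settings are the usual ones and are omitted.

```ini
# /etc/openvpn/server/isp1.conf  (isp2.conf is identical with the ISP 2 values)
# Bind only the local address that leaves via ISP 1, so this instance
# is only reachable through ISP 1's public IP.
local 192.168.xxx.90
port 1194
proto udp
dev tun
# Each instance needs its own tunnel subnet (use 10.8.2.0/24 in isp2.conf).
server 10.8.1.0 255.255.255.0
# One management socket per instance; the matching openvpn-auth-oauth2
# instance connects here. OpenVPN comments must be on their own line.
management /run/openvpn/isp1.sock unix
# Hand the authentication decision to the management client (openvpn-auth-oauth2).
management-client-auth

# /etc/openvpn-auth-oauth2/isp1.env  (isp2.env: isp2.sock, 192.168.xxx.60, https://ISP_2:9000)
# Which OpenVPN instance to attach to.
CONFIG_OPENVPN_ADDR=unix:///run/openvpn/isp1.sock
# Bind the HTTP listener to the ISP 1 local address so both instances can
# use port 9000 without colliding, matching their respective base URLs.
CONFIG_HTTP_LISTEN=192.168.xxx.90:9000
# Fixed at start-up; this is what the redirect URL is derived from, so it must
# be the address clients of *this* server can reach, and its callback URL must
# be registered at the IdP (register ISP_2's as well for the second instance).
CONFIG_HTTP_BASEURL=https://ISP_1:9000
CONFIG_OAUTH2_ISSUER=https://idp.example.com
CONFIG_OAUTH2_CLIENT_ID=openvpn-isp1
CONFIG_OAUTH2_CLIENT_SECRET=replace-me
```

With this layout the two client profiles from the issue stay as they are: Config_1 connects to the ISP 1 instance and is handled by the openvpn-auth-oauth2 process whose base URL is https://ISP_1:9000, Config_2 to the ISP 2 instance and its own process. Run the two openvpn-auth-oauth2 processes as separate service instances, one per env file, and keep the systemd-style env files free of inline comments, since an EnvironmentFile treats everything after `=` as the value.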