jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License
178 stars 27 forks source link

Deny OpenVPN client Log #322

Closed KodakMaciel closed 2 weeks ago

KodakMaciel commented 1 month ago

Problem Statement

Hello! I'm getting "deny OpenVPN client cid", what could it be?

Below are my settings.

Ubuntu

root@openvpn:/etc/openvpn# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

log oauth(syslog)

Sep 24 08:52:36 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:52:36.923-03:00 level=INFO msg="start pending auth" ip=xxx.xx.xxxx.x:63564 cid=0 kid=1 common_name=dvasconcelos reason=CONNECT session_id="" session_state=""
Sep 24 08:52:36 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:52:36.923-03:00 level=DEBUG msg="client-pending-auth 0 1 \"WEB_AUTH::https://xxxx.xxxx.com.br:9000/oauth2/start?state=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxUr6m\" 180"
Sep 24 08:52:37 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:52:37.297-03:00 level=INFO msg="initialize authorization via oauth2" ip=xxx.xx.xxx.x:63564 cid=0 kid=1 common_name=dvasconcelos
Sep 24 08:52:40 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:52:40.562-03:00 level=INFO msg="initialize authorization via oauth2" ip=xxx.xx.xxx.x:63564 cid=0 kid=1 common_name=dvasconcelos

Sep 24 08:53:17 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:53:17.341-03:00 level=INFO msg="deny OpenVPN client cid 0, kid 1" ip=201.47.211.5:63564 cid=0 kid=1 common_name=dvasconcelos
Sep 24 08:53:17 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:53:17.342-03:00 level=DEBUG msg="client-deny 0 1 \"client rejected\""
Sep 24 08:53:17 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:53:17.343-03:00 level=WARN msg="Unauthorized: failed to exchange token: oauth2: \"Not found\"" ip=xxxx.xx.xxxx.5:63564 cid=0 kid=1 common_name=dvasconcelos error_id=exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx52d8
Sep 24 08:53:17 openvpn kernel: [409929.993932] audit: type=1400 audit(1727178797.430:73): apparmor="DENIED" operation="open" profile="/usr/bin/openvpn-auth-oauth2" name="/usr/share/mime/globs2" pid=378859 comm="openvpn-auth-oa" requested_mask="r" denied_mask="r" fsuid=64428 ouid=0
Sep 24 08:53:17 openvpn kernel: [409929.994214] audit: type=1400 audit(1727178797.430:74): apparmor="DENIED" operation="open" profile="/usr/bin/openvpn-auth-oauth2" name="/etc/mime.types" pid=378859 comm="openvpn-auth-oa" requested_mask="r" denied_mask="r" fsuid=64428 ouid=0

Server Config

port 1195
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
auth SHA512
tls-crypt /etc/openvpn/server/tc.key
topology subnet
server 10.x.x.x 255.xxx.xxx.0
#push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS Xxxxxxxxxx"
push "dhcp-option DOMAIN xxxxxx"
push "dhcp-option DOMAIN xxxxxx"
push "dhcp-option DOMAIN xxxxxx"
push "dhcp-option DOMAIN xxxxxx"
client-config-dir /etc/openvpn/ccd
push "block-outside-dns"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/server/crl.pem
explicit-exit-notify
mute-replay-warnings
management localhost 7505
status-version 2
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3
#plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
auth-user-pass-optional
#OAuth2.0
management-client-auth
management /run/openvpn-server/server.sock unix /etc/openvpn/password.txt

Client Config

client
dev tun
proto udp
remote xxxxxx.com.br 1195
resolv-retry infinite
nobind
persist-key
persist-tun
#auth-user-pass
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
#ignore-unknown-option block-outside-dns
#pull-filter ignore 'block-outside-dns'
verb 3
<ca>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
</tls-crypt>

OpenVPN Version

root@openvpn:~# openvpn --version
OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=auto enable_dco_arg=auto enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no```

### openvpn-auth-oauth2 logs

```shell
Sep 24 08:52:36 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:52:36.923-03:00 level=INFO msg="new client connection" ip=201.47.211.5:63564 cid=0 kid=1 common_name=dvasconcelos reason=CONNECT session_id="" session_state=""
Sep 24 08:52:36 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:52:36.923-03:00 level=INFO msg="start pending auth" ip=201.47.211.5:63564 cid=0 kid=1 common_name=dvasconcelos reason=CONNECT session_id="" session_state=""
Sep 24 08:52:36 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:52:36.923-03:00 level=DEBUG msg="client-pending-auth 0 1 \"WEB_AUTH::https://vpnmga.objective.com.br:9000/oauth2/start?state=rHkZ39gcYdMp8jrO_D8MtlCVb-NB4tKIqOe4Z6Om2H1UYG6tlFclt73i6x7Cz0h2ubUhF8uVou26V0DhnTOIp9rG-APVUr6m\" 180"
Sep 24 08:52:37 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:52:37.297-03:00 level=INFO msg="initialize authorization via oauth2" ip=201.47.211.5:63564 cid=0 kid=1 common_name=dvasconcelos
Sep 24 08:52:40 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:52:40.562-03:00 level=INFO msg="initialize authorization via oauth2" ip=201.47.211.5:63564 cid=0 kid=1 common_name=dvasconcelos

Sep 24 08:53:17 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:53:17.341-03:00 level=INFO msg="deny OpenVPN client cid 0, kid 1" ip=201.47.211.5:63564 cid=0 kid=1 common_name=dvasconcelos
Sep 24 08:53:17 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:53:17.342-03:00 level=DEBUG msg="client-deny 0 1 \"client rejected\""
Sep 24 08:53:17 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:53:17.343-03:00 level=WARN msg="Unauthorized: failed to exchange token: oauth2: \"Not found\"" ip=201.47.211.5:63564 cid=0 kid=1 common_name=dvasconcelos error_id=ec49aeac0f5d3800f2648ae9e3c80d282c8e3409f99c40e8bef727623e2c52d8
Sep 24 08:53:17 openvpn kernel: [409929.993932] audit: type=1400 audit(1727178797.430:73): apparmor="DENIED" operation="open" profile="/usr/bin/openvpn-auth-oauth2" name="/usr/share/mime/globs2" pid=378859 comm="openvpn-auth-oa" requested_mask="r" denied_mask="r" fsuid=64428 ouid=0
Sep 24 08:53:17 openvpn kernel: [409929.994214] audit: type=1400 audit(1727178797.430:74): apparmor="DENIED" operation="open" profile="/usr/bin/openvpn-auth-oauth2" name="/etc/mime.types" pid=378859 comm="openvpn-auth-oa" requested_mask="r" denied_mask="r" fsuid=64428 ouid=0

Environment

jkroepke commented 1 month ago

Sounds like the token exchange URL of your IDP returns 404 not found.

KodakMaciel commented 1 month ago

Sep 24 08:53:17 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:53:17.343-03:00 level=WARN msg="Unauthorized: failed to exchange token: oauth2: \"Not found\"" ip=201.47.211.5:63564 cid=0 kid=1 common_name=dvasconcelos error_id=ec49aeac0f5d3800f2648ae9e3c80d282c8e3409f99c40e8bef727623e2c52d8

how can i resolve the log below?

Sep 24 08:53:17 openvpn openvpn-auth-oauth2[378859]: time=2024-09-24T08:53:17.343-03:00 level=WARN msg="Unauthorized: failed to exchange token: oauth2: \"Not found\"" ip=201.47.211.5:63564 cid=0 kid=1 common_name=dvasconcelos error_id=ec49aeac0f5d3800f2648ae9e3c80d282c8e3409f99c40e8bef727623e2c52d8

jkroepke commented 1 month ago

Unauthorized: failed to exchange token: oauth2: \"Not found\""

After you logged into into IDP, openvpn-auth-oauth2 do a token exchange. It using the auth code returned by the user login and calls the OIDC compatible token endpoint and exchange the auth code with an access token.

oauth2: \"Not found\" mean that the error is coming from golang standard library oauth2 which simply returns Not found.

Since a HTTP call is done in that context, the error "Not found" returns, because the HTTP call return 404 not found.

This error can happen, if you configure a wrong oauth2.endpoint.token OR the auto discovery returns a incorrect endpoint.

github-actions[bot] commented 3 weeks ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.