Closed. D0wn3r closed this issue 2 days ago.
For this use case, there is the option `--openvpn.bypass.common-names`. You can add the common names of your services; in that case, openvpn-auth-oauth2 will always return authenticated for those common names. Authentication can be done via OpenVPN client certificates.
With the same client certificate, authenticating with username/password is not possible?
If you enable `username-as-common-name` in OpenVPN, it should be possible, together with `auth-user-pass-verify`.
I will share my config with you; maybe it will be easier, and it could help the community too.
```
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server ********
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC # AES
auth SHA256
comp-lzo
user root
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 9
crl-verify /etc/openvpn/server/crl.pem
# Script part
auth-user-pass-verify "/etc/openvpn/server/auth.sh" via-file
script-security 2
duplicate-cn
username-as-common-name
# Microsoft Entra ID part
management /run/openvpn/server.sock unix /etc/openvpn/server/password.txt
management-client-auth
auth-user-pass-optional
auth-gen-token 28800 external-auth
```
Here is the log of openvpn-auth-oauth2:
```
Sep 26 07:44:30 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:30.592Z level=INFO msg="new client connection" ip=ip:19358 cid=15 kid=1 common_name="" reason=CONNECT session_id=7FfB9fPfDXkllfiX session_state=Initial
Sep 26 07:44:30 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:30.593Z level=INFO msg="start pending auth" ip=ip:19358 cid=15 kid=1 common_name="" reason=CONNECT session_id=7FfB9fPfDXkllfiX session_state=Initial
Sep 26 07:44:31 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:31.746Z level=INFO msg="client disconnected" ip=: cid=13 common_name="" reason=DISCONNECT session_id="" session_state=""
Sep 26 07:44:31 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:31.746Z level=WARN msg="error from token store: value does not exist" ip=: cid=13 common_name="" reason=DISCONNECT session_id="" session_state=""
Sep 26 07:44:32 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:32.482Z level=INFO msg="new client connection" ip=ip:19380 cid=16 kid=1 common_name="" reason=CONNECT session_id=z+VgcwDkuugqV04C session_state=Initial
Sep 26 07:44:32 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:32.482Z level=INFO msg="start pending auth" ip=ip:19380 cid=16 kid=1 common_name="" reason=CONNECT session_id=z+VgcwDkuugqV04C session_state=Initial
Sep 26 07:44:33 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:33.800Z level=INFO msg="client disconnected" ip=: cid=14 common_name="" reason=DISCONNECT session_id="" session_state=""
Sep 26 07:44:33 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:33.800Z level=WARN msg="error from token store: value does not exist" ip=: cid=14 common_name="" reason=DISCONNECT session_id="" session_state=""
Sep 26 07:44:34 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:34.370Z level=INFO msg="new client connection" ip=ip:19477 cid=17 kid=1 common_name="" reason=CONNECT session_id=bUlUINGj4WnMqiOR session_state=Initial
Sep 26 07:44:34 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:34.370Z level=INFO msg="start pending auth" ip=ip:19477 cid=17 kid=1 common_name="" reason=CONNECT session_id=bUlUINGj4WnMqiOR session_state=Initial
Sep 26 07:44:35 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:35.834Z level=INFO msg="client disconnected" ip=: cid=15 common_name="" reason=DISCONNECT session_id="" session_state=""
```
Thanks for your help
I guess I forgot to mention this:

```
--openvpn.common-name.environment-variable-name string   Name of the environment variable in the OpenVPN management interface which contains the common name. If username-as-common-name is enabled, this should be set to 'username' to use the username as common name. Other values like 'X509_0_emailAddress' are supported. See https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/#environmental-variables for more information. (env: CONFIG_OPENVPN_COMMON__NAME_ENVIRONMENTVARIABLENAME) (default "common_name")
```
Thanks! OK, I think we are very near. My server is able to connect with the script (bypassing openvpn-auth-oauth2), but my human client (Microsoft Entra ID) doesn't work, with the same log mentioned before in openvpn-auth-oauth2.

```
auth-user-pass-verify "/etc/openvpn/server/auth.sh" via-file
```
I guess you have to implement a bypass for human clients as well, because all authentication methods must return OK.
Hmm, how to do that? Because if I use `--openvpn.bypass.common-names`, I don't have common names with Microsoft Entra ID.
> auth-user-pass-verify "/etc/openvpn/server/auth.sh" via-file
>
> I guess you have to implement a bypass for human clients as well, because all authentication methods must return OK.
Oh, you mean I must implement a bypass in my script. Like excluding servers in openvpn-auth-oauth2 and excluding humans in auth.sh?

Hmmm, let's think how to do that.
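One way to realise the split discussed above (services bypassed in openvpn-auth-oauth2 via `--openvpn.bypass.common-names`, humans passed through by `auth.sh` so that the Entra ID step remains the deciding one) is the following `auth-user-pass-verify` script in `via-file` mode. It is an added example written for this page, not the poster's `auth.sh` and not part of the openvpn-auth-oauth2 project; the service-account file path, its `name:salt:sha256hex` record format, the function names `hash_password`, `check_user` and `auth_main`, and the account names used in comments are assumptions, and it relies on GNU/busybox `sha256sum` being installed. Because the config above runs OpenVPN with `user root` and `script-security 2`, this script executes as root, so keep it minimal and make the account file readable by root only.

```shell
#!/bin/sh
# auth.sh: OpenVPN auth-user-pass-verify script in via-file mode.
# Added example for this thread; not the poster's script and not part of
# openvpn-auth-oauth2. OpenVPN writes the username on line 1 and the
# password on line 2 of a temporary file and passes its path as $1.
# Exit status 0 = accept, 1 = reject.
#
# Policy implemented here:
#  - service accounts (listed in SERVICE_ACCOUNTS_FILE; assumed path and
#    assumed record format "name:salt:sha256hex") must present a valid
#    password, because openvpn-auth-oauth2 bypasses them by common name;
#  - every other username is treated as a human: this script answers OK
#    and openvpn-auth-oauth2 (Entra ID) still has to approve the session,
#    since OpenVPN only admits a client when all auth methods succeed.

SERVICE_ACCOUNTS_FILE="${SERVICE_ACCOUNTS_FILE:-/etc/openvpn/server/service-accounts}"

# hash_password SALT PASSWORD -> salted SHA-256 hex digest on stdout
# (uses sha256sum from coreutils/busybox; on macOS use "shasum -a 256")
hash_password() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d ' ' -f 1
}

# check_user NAME PASSWORD
# returns 0 = valid service account
#         1 = service account with wrong password (or a malformed name)
#         2 = unknown name: a human, defer to openvpn-auth-oauth2
check_user() {
    name=$1
    pw=$2
    # refuse empty names and names that would break the colon-separated records
    case $name in
        ''|*:*) return 1 ;;
    esac
    # exact match on the first field; $name is never interpreted as a regex
    record=$(awk -F: -v n="$name" '$1 == n { print; exit }' "$SERVICE_ACCOUNTS_FILE" 2>/dev/null)
    [ -n "$record" ] || return 2
    salt=$(printf '%s' "$record" | cut -d: -f2)
    expected=$(printf '%s' "$record" | cut -d: -f3)
    actual=$(hash_password "$salt" "$pw")
    [ "$actual" = "$expected" ] && return 0
    return 1
}

# auth_main CREDFILE: the entry point OpenVPN invokes; its return value is
# the exit status handed back to OpenVPN
auth_main() {
    credfile=$1
    [ -r "$credfile" ] || return 1
    username=$(sed -n '1p' "$credfile")
    password=$(sed -n '2p' "$credfile")
    check_user "$username" "$password" && rc=0 || rc=$?
    case $rc in
        0) echo "auth.sh: service account '$username' accepted" >&2; return 0 ;;
        2) echo "auth.sh: '$username' is not a service account, deferring to openvpn-auth-oauth2" >&2; return 0 ;;
        *) echo "auth.sh: rejected '$username'" >&2; return 1 ;;
    esac
}

# OpenVPN passes exactly one argument (the credential file) when it runs us.
if [ $# -eq 1 ]; then
    auth_main "$1"
    exit $?
fi
```

To add a service account, generate a random salt, store `name:salt:$(hash_password salt password)` as one line of the account file, and list the same name in `--openvpn.bypass.common-names`. The script can be exercised outside OpenVPN by writing a two-line username/password file and running `sh auth.sh /path/to/file; echo $?`. The deferral path (exit 0 for unknown names) is only safe because `auth-user-pass-optional` plus `management-client-auth` in the config above means openvpn-auth-oauth2 must still approve every such session; without that second check, an unknown username would be accepted outright.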
OK, it works! Thank you! I have another question (a simpler one), but I will open a new issue to make it clearer.
Problem Statement
Hi again!
Is it possible to have two authentication systems? In my case, they would be:
Can I achieve this with OpenVPN and the openvpn-auth-oauth2 plugin?