jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License

OpenVPN-client doesn't open browser for auth with SSO via keycloak #331

Open Elshirak opened 4 hours ago

Elshirak commented 4 hours ago

Problem Statement

Now I'm facing another issue: OpenVPN-client doesn't open a browser for auth, and the URL generated by the plugin (correct) differs from the URL I see in the server's logs. However, the logs of the client contain:

2024-10-14 11:15:30.840762 [LOG] [Core] Session is ACTIVE
2024-10-14 11:15:30.840866 [LOG] Retrieving configuration from server
2024-10-14 11:15:30.840937 [LOG] [Core] Sending PUSH_REQUEST to server...
2024-10-14 11:15:30.986467 [LOG] Auth pending request received, timeout: 120
  ########################
  ## WEB AUTHENTICATION ##
  ########################

  Web based authentication is required to establish the connection.
  A browser window should have been opened on your system.

2024-10-14 11:15:31.840627 [LOG] [Core] Sending PUSH_REQUEST to server...

The link to Keycloak is being created on the openvpn-auth-oauth2 side; I can see it in the logs, and it's correct. However, in the OpenVPN-server logs there is a different URL, similar to the base URL in the plugin config. Maybe I need to specify client-pending-auth in the server config? Can you give an example of using this parameter, please? I don't understand from the documentation which variables I should use.

Another possible reason: a misconfigured openvpn-auth-oauth2 plugin. Have a look at my configs:

cat /etc/openvpn/server/server.conf

keepalive 10 120
user openvpn
group openvpn
status openvpn-status.log
verb 6
mute 10
topology subnet
server 10.8.0.0 255.255.255.0
auth-token-user b3BlbnZwbi1wYXNzCg==
log /var/log/openvpn-server.log
ca "ca.crt"
cert "server.crt"
key "server.key"
dh none 
data-ciphers AES-256-GCM
cipher AES-256-GCM
auth SHA256
port 1194
dev tun
proto udp4
verify-client-cert none
username-as-common-name
auth-user-pass-optional

# client-pending-auth WEB_AUTH:external:url 120

auth-user-pass-verify "/usr/bin/echo" via-env
script-security 2

management /run/ovpn-server.sock unix
management-client-auth

cat /etc/openvpn-auth-oauth2/config.yaml

debug:
  listen: ":9001"
http:
  baseurl: "http://myhost.com:9000"
  listen: ":9000"
  secret: "8888888888888888"
log:
  format: console
  level: DEBUG
oauth2:
  auth-style: "AuthStyleInParams"
  validate:
    roles:
      - "admin"
    ipaddr: false
    issuer: true
  client:
    id: "openvpn-auth-oauth2"
    secret: "my-secret"
  issuer: "https://keycloak/realms/my-realm"
openvpn:
  addr: "unix:///run/ovpn-server.sock"
  auth-token-user: true
  auth-pending-timeout: 2m
  common-name:
    environment-variable-name: "username"
    mode: plain

cat /etc/openvpn/client.conf

remote IP 1194 udp4
verb 6
client
dev tun
persist-tun
proto udp
nobind
resolv-retry infinite
auth-nocache

setenv IV_SSO webauth

<auth-user-pass>
openvpn-login
openvpn-pass
</auth-user-pass>

<ca>
-----BEGIN CERTIFICATE-----
--------------------------
-----END CERTIFICATE-----
</ca>
data-ciphers AES-256-GCM
cipher AES-256-GCM
auth SHA256

openvpn-auth-oauth2 logs

Oct 14 10:49:04 openvpn-auth-oauth2[1047867]: time=2024-10-14T10:49:04.235Z level=INFO msg="start HTTP server listener on [::]:9000"
Oct 14 10:49:04 openvpn-auth-oauth2[1047867]: time=2024-10-14T10:49:04.235Z level=INFO msg="connect to openvpn management interface unix:///run/ovpn-server.sock"
Oct 14 10:49:04 openvpn-auth-oauth2[1047867]: time=2024-10-14T10:49:04.237Z level=INFO msg="openvpn-auth-oauth2 started with base url http://IP:9000"
Oct 14 10:49:04 openvpn-auth-oauth2[1047867]: time=2024-10-14T10:49:04.237Z level=DEBUG msg="password probe: >INFO:OpenVPN M"
Oct 14 10:49:04 openvpn-auth-oauth2[1047867]: time=2024-10-14T10:49:04.237Z level=INFO msg="connection to OpenVPN management interface established."
Oct 14 10:49:04 openvpn-auth-oauth2[1047867]: time=2024-10-14T10:49:04.237Z level=DEBUG msg=version
Oct 14 10:49:04 openvpn-auth-oauth2[1047867]: time=2024-10-14T10:49:04.237Z level=INFO msg="OpenVPN Version: OpenVPN 2.6.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO] - Management Version: 5"
Oct 14 10:49:16 openvpn-auth-oauth2[1047867]: time=2024-10-14T10:49:16.884Z level=DEBUG msg=">CLIENT:CONNECT,0,1\r\n>CLIENT:ENV,n_clients=0\r\n>CLIENT:ENV,password=openvpn-pass\r\n>CLIENT:ENV,untrusted_port=45157\r\n>CLIENT:ENV,untrusted_ip=10.109.8.218\r\n>CLIENT:ENV,username=openvpn-login\r\n>CLIENT:ENV,IV_SSO=openurl,webauth,crtext\r\n>CLIENT:ENV,IV_GUI_VER=OpenVPN3/Linux/v23\r\n>CLIENT:ENV,IV_AUTO_SESS=1\r\n>CLIENT:ENV,IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305\r\n>CLIENT:ENV,IV_MTU=1600\r\n>CLIENT:ENV,IV_PROTO=2974\r\n>CLIENT:ENV,IV_TCPNL=1\r\n>CLIENT:ENV,IV_NCP=2\r\n>CLIENT:ENV,IV_PLAT=linux\r\n>CLIENT:ENV,IV_VER=v3.10.1\r\n>CLIENT:ENV,remote_port_1=1194\r\n>CLIENT:ENV,local_port_1=1194\r\n>CLIENT:ENV,proto_1=udp4\r\n>CLIENT:ENV,daemon_pid=1047872\r\n>CLIENT:ENV,daemon_start_time=1728902944\r\n>CLIENT:ENV,daemon_log_redirect=1\r\n>CLIENT:ENV,daemon=0\r\n>CLIENT:ENV,verb=6\r\n>CLIENT:ENV,config=server.conf\r\n>CLIENT:ENV,ifconfig_local=10.8.0.1\r\n>CLIENT:ENV,ifconfig_netmask=255.255.255.0\r\n>CLIENT:ENV,script_context=init\r\n>CLIENT:ENV,tun_mtu=1500\r\n>CLIENT:ENV,dev=tun0\r\n>CLIENT:ENV,dev_type=tun\r\n>CLIENT:ENV,redirect_gateway=0\r\n>CLIENT:ENV,END\r\n"
Oct 14 10:49:16 openvpn-auth-oauth2[1047867]: time=2024-10-14T10:49:16.884Z level=INFO msg="new client connection" ip=IP:PORT cid=0 kid=1 common_name=openvpn-login reason=CONNECT session_id="" session_state=""
Oct 14 10:49:16 openvpn-auth-oauth2[1047867]: time=2024-10-14T10:49:16.884Z level=INFO msg="start pending auth" ip=IP:PORT cid=0 kid=1 common_name=openvpn-login reason=CONNECT session_id="" session_state=""
Oct 14 10:49:16 openvpn-auth-oauth2[1047867]: time=2024-10-14T10:49:16.884Z level=DEBUG msg="client-pending-auth 0 1 \"WEB_AUTH::http://IP:9000/oauth2/start?state=aJw5kNMvZWnbMHosmxVjetQOWiQ7vPqoqkySBU3YWsVLBu-5DXncpwQawRkC9ZLNr4zxJnaJzpdQ6zchj-eWL2_fn-1eNhBcMg\" 120"

Environment

openvpn3 version
OpenVPN3/Linux v23 (openvpn3)
OpenVPN core v3.10.1 linux x86_64 64-bit
Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved.

jkroepke commented 3 hours ago

Everything looks good at openvpn-auth-oauth2 side.

Just OpenVPN3 has issues to open a browser.

How do you start OpenVPN3? Via the command line? Could you also try to run this command on your command line?

python -m webbrowser "https://example.com"

Please note that the issue must be somewhere in OpenVPN3, and I would recommend using the official OpenVPN Connect client rather than the open source CLI client.


However, in the OpenVPN-server logs there is a different URL, similar to the base URL in the plugin config.

openvpn-auth-oauth2 will always generate a URL to openvpn-auth-oauth2 itself for some pre-flight checks. Additionally, openvpn-auth-oauth2 initiates the session login flow and then redirects to Keycloak. But openvpn-auth-oauth2 must be reachable from outside of the VPN.
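To make the management-interface exchange behind the log lines above concrete, here is an added example (not code from this thread and not openvpn-auth-oauth2's own implementation). It parses a `>CLIENT:CONNECT` / `>CLIENT:ENV` block like the one in the DEBUG log, checks that the client announced `IV_SSO=webauth`, and builds the `client-pending-auth CID KID "WEB_AUTH::<url>" TIMEOUT` command that OpenVPN relays to the client. The `/oauth2/start?state=` path is taken from the logged command; the HMAC-based state encoding and the "baseurl must not sit inside the VPN subnet" check are assumptions added for illustration, since the client has to reach that URL before the tunnel exists.

```python
"""OpenVPN management-interface pending-auth walkthrough (illustrative, not the project's code)."""
import base64
import hashlib
import hmac
import ipaddress
import os
from urllib.parse import urlencode, urlsplit

# Constructed sample, modelled on the >CLIENT:CONNECT block in the DEBUG log above.
SAMPLE_CONNECT = (
    ">CLIENT:CONNECT,0,1\r\n"
    ">CLIENT:ENV,n_clients=0\r\n"
    ">CLIENT:ENV,password=openvpn-pass\r\n"
    ">CLIENT:ENV,untrusted_ip=10.109.8.218\r\n"
    ">CLIENT:ENV,username=openvpn-login\r\n"
    ">CLIENT:ENV,IV_SSO=openurl,webauth,crtext\r\n"
    ">CLIENT:ENV,IV_GUI_VER=OpenVPN3/Linux/v23\r\n"
    ">CLIENT:ENV,END\r\n"
)


def parse_client_connect(block):
    """Return (cid, kid, env) from a '>CLIENT:CONNECT,CID,KID' notification followed by ENV lines."""
    lines = block.strip().split("\r\n")
    head = lines[0]
    prefix = ">CLIENT:CONNECT,"
    if not head.startswith(prefix):
        raise ValueError("not a CLIENT:CONNECT notification")
    cid, kid = (int(x) for x in head[len(prefix):].split(","))
    env = {}
    for line in lines[1:]:
        if not line.startswith(">CLIENT:ENV,"):
            raise ValueError("unexpected line inside ENV block: %r" % line)
        body = line[len(">CLIENT:ENV,"):]
        if body == "END":
            break
        key, _, value = body.partition("=")
        env[key] = value
    else:
        raise ValueError("ENV block not terminated with >CLIENT:ENV,END")
    return cid, kid, env


def client_supports_webauth(env):
    """IV_SSO is a comma-separated capability list; 'webauth' means the client can open a URL."""
    return "webauth" in env.get("IV_SSO", "").split(",")


def make_state(secret, cid, kid, username):
    """Opaque, HMAC-bound state parameter (assumed scheme; the real one differs)."""
    nonce = os.urandom(16)
    payload = f"{cid}:{kid}:{username}".encode()
    tag = hmac.new(secret, nonce + payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + tag).rstrip(b"=").decode()


def base_url_reachable_before_tunnel(base_url, vpn_subnet="10.8.0.0/24"):
    """A baseurl whose host is an IP inside the VPN subnet cannot be reached before auth completes."""
    host = urlsplit(base_url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname: cannot decide offline, assume routable
    return addr not in ipaddress.ip_network(vpn_subnet)


def pending_auth_command(base_url, cid, kid, state, timeout=120):
    """Build the command OpenVPN expects; the client receives 'WEB_AUTH::<url>' as AUTH_PENDING extra."""
    url = f"{base_url.rstrip('/')}/oauth2/start?{urlencode({'state': state})}"
    return f'client-pending-auth {cid} {kid} "WEB_AUTH::{url}" {timeout}'


def deny_command(cid, kid, reason):
    return f'client-deny {cid} {kid} "{reason}"'


def handle_connect(block, base_url, secret):
    """Decide what to send back on the management socket for one CLIENT:CONNECT event."""
    cid, kid, env = parse_client_connect(block)
    if not client_supports_webauth(env):
        return deny_command(cid, kid, "client does not announce IV_SSO=webauth")
    if not base_url_reachable_before_tunnel(base_url):
        return deny_command(cid, kid, "baseurl is inside the VPN subnet")
    state = make_state(secret, cid, kid, env.get("username", ""))
    return pending_auth_command(base_url, cid, kid, state)


if __name__ == "__main__":
    print(handle_connect(SAMPLE_CONNECT, "http://myhost.com:9000", b"8888888888888888"))
```

The returned string is what the plugin writes to the management socket; OpenVPN turns it into the `Auth pending request received, timeout: 120` message the client logged, and the client is then expected to open the `WEB_AUTH` URL itself, which is the step that fails in this report.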