jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management-interface client for the OpenVPN server that handles OIDC-based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License

unable to make it work for google oauth #95

Closed vadirajks closed 10 months ago

vadirajks commented 10 months ago

Current Behavior

Getting the error below:

Dec 23 14:02:16 vaditest-openvpn-google systemd[1]: openvpn-auth-oauth2.service: Service RestartSec=5s expired, scheduling restart.
Dec 23 14:02:16 vaditest-openvpn-google systemd[1]: openvpn-auth-oauth2.service: Scheduled restart job, restart counter is at 321.
Dec 23 14:02:16 vaditest-openvpn-google systemd[1]: Stopped OpenVPN authenticator.
Dec 23 14:02:16 vaditest-openvpn-google systemd[1]: Started OpenVPN authenticator.
Dec 23 14:02:16 vaditest-openvpn-google openvpn-auth-oauth2[324571]: time=2023-12-23T14:02:16.037Z level=INFO msg="discover oidc auto configuration with provider generic for issuer https://accounts.google.com/.well-known/openid-configuration"
Dec 23 14:02:16 vaditest-openvpn-google openvpn-auth-oauth2[324571]: time=2023-12-23T14:02:16.171Z level=ERROR msg="newProviderWithDiscovery: http status not ok: 404 Not Found <html lang=en><meta charset=utf-8><meta name=viewport content=\"initial-scale=1, minimum-scale=1, width=device-width\"><title>Error 404 (Not Found)!!1</title><style nonce=\"c7w3kzaxeA31SLc-q1Va-w\">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}</style><main id=\"af-error-container\" role=\"main\"><a href=//www.google.com><span id=logo aria-label=Google role=img></span></a><p><b>404.</b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>"
Dec 23 14:02:16 vaditest-openvpn-google systemd[1]: openvpn-auth-oauth2.service: Main process exited, code=exited, status=1/FAILURE
Dec 23 14:02:16 vaditest-openvpn-google systemd[1]: openvpn-auth-oauth2.service: Failed with result 'exit-code'.

Expected Behavior

No response

Steps To Reproduce

The configuration below is from /etc/sysconfig/openvpn-auth-oauth2:
CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server.sock
CONFIG_OPENVPN_PASSWORD=XXXXXX
CONFIG_OAUTH2_ISSUER=https://accounts.google.com/.well-known/openid-configuration
CONFIG_OAUTH2_CLIENT_ID=162738495-xxxxx.apps.googleusercontent.com (not the real ID)
CONFIG_OAUTH2_CLIENT_SECRET=GOCSPX-xxxxxxxx (not the real secret)
# Define a random value with 16 or 24 characters
CONFIG_HTTP_SECRET=cFL3QzfPJUqdsdsdsds
# Define the public http endpoint here.
CONFIG_HTTP_LISTEN=:9000
CONFIG_HTTP_BASE_URL=https://login.example.com (not the real domain name)

1. Referring to the documentation, it mentions either of these two in different places:
   CONFIG_HTTP_BASEURL
   CONFIG_HTTP_BASE_URL
   I am not sure which one is correct.
2. I have set up a reverse proxy to use TLS for port 9000, and I am not sure what port I need to use in CONFIG_HTTP_LISTEN.

upstream app {
    server 127.0.0.1:9000;
}

server {
    if ($host = login.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 default_server;
    server_name login.example.com;
    return 404; # managed by Certbot

}

server {
    listen 443 ssl; # managed by Certbot
    server_name login.example.com;
    ssl_certificate /etc/letsencrypt/live/login.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/login.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    location / {
      proxy_pass http://app;
      proxy_set_header X-Real-IP  $remote_addr;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Real-Port $server_port;
      proxy_set_header X-Real-Scheme $scheme;
    }
}


### Environment

- openvpn-auth-oauth2 Version: openvpn-auth-oauth2-1.12.2-1.x86_64
- OpenVPN Server Version: openvpn-2.6.8-1.el8.x86_64
- Server OS: Rocky Linux release 8.9 (Green Obsidian)
- OpenVPN Client (flavor, OS): openvpn3 21-1+jammy amd64 (OpenVPN 3 Linux client)

### Anything else?

Please help me to fix this. Thanks

jkroepke commented 10 months ago

Hi,

CONFIG_HTTP_BASEURL is correct.

CONFIG_OAUTH2_ISSUER=https://accounts.google.com/.well-known/openid-configuration

I guess there is an issue in the documentation. Sorry for this. Could you please try this?

CONFIG_OAUTH2_ISSUER=https://accounts.google.com

vadirajks commented 10 months ago

That's great! Thank you very much for the pretty fast response and for helping us :). It's fixed, and now I have different errors:

Dec 23 18:16:10 vaditest-openvpn-google systemd[1]: openvpn-auth-oauth2.service: Service RestartSec=5s expired, scheduling restart.
Dec 23 18:16:10 vaditest-openvpn-google systemd[1]: openvpn-auth-oauth2.service: Scheduled restart job, restart counter is at 33.
Dec 23 18:16:10 vaditest-openvpn-google systemd[1]: Stopped OpenVPN authenticator.
Dec 23 18:16:10 vaditest-openvpn-google systemd[1]: Started OpenVPN authenticator.
Dec 23 18:16:10 vaditest-openvpn-google openvpn-auth-oauth2[343955]: time=2023-12-23T18:16:10.787Z level=INFO msg="discover oidc auto configuration with provider generic for issuer https://accounts.google.com"
Dec 23 18:16:10 vaditest-openvpn-google openvpn-auth-oauth2[343955]: time=2023-12-23T18:16:10.812Z level=INFO msg="start HTTP server listener on 9000 with base url https://openvpnvadi.atomex.net"
Dec 23 18:16:10 vaditest-openvpn-google openvpn-auth-oauth2[343955]: time=2023-12-23T18:16:10.812Z level=ERROR msg="error http listener: ListenAndServeTLS: listen tcp: address 9000: missing port in address"
Dec 23 18:16:10 vaditest-openvpn-google openvpn-auth-oauth2[343955]: time=2023-12-23T18:16:10.812Z level=INFO msg="connect to openvpn management interface unix:///run/openvpn/server.sock"
Dec 23 18:16:10 vaditest-openvpn-google openvpn[322404]: MANAGEMENT: Client connected from /run/openvpn/server.sock
Dec 23 18:16:10 vaditest-openvpn-google openvpn-auth-oauth2[343955]: time=2023-12-23T18:16:10.813Z level=INFO msg="shutdown OpenVPN management connection"
Dec 23 18:16:10 vaditest-openvpn-google openvpn-auth-oauth2[343955]: time=2023-12-23T18:16:10.813Z level=INFO msg="start graceful shutdown of http listener"
Dec 23 18:16:10 vaditest-openvpn-google openvpn-auth-oauth2[343955]: time=2023-12-23T18:16:10.813Z level=INFO msg="http listener successfully terminated"
Dec 23 18:16:10 vaditest-openvpn-google openvpn[322404]: MANAGEMENT: TCP recv error: Connection reset by peer
Dec 23 18:16:10 vaditest-openvpn-google openvpn[322404]: MANAGEMENT: Client disconnected
Dec 23 18:16:10 vaditest-openvpn-google systemd[1]: openvpn-auth-oauth2.service: Main process exited, code=exited, status=1/FAILURE
Dec 23 18:16:10 vaditest-openvpn-google systemd[1]: openvpn-auth-oauth2.service: Failed with result 'exit-code'.

/etc/openvpn/server/server.conf:

management /run/openvpn/server.sock unix /etc/openvpn/password.txt
#management /run/openvpn/server.sock unix
#management 127.0.0.1 8081 /etc/openvpn/password.txt
#management-hold
management-client-auth

If I enable management-hold, systemctl restart openvpn-server@server does not return. Thanks,

jkroepke commented 10 months ago

Could you please double-check whether you set CONFIG_HTTP_LISTEN=:9000 and not CONFIG_HTTP_LISTEN=9000? You can also try CONFIG_HTTP_LISTEN=127.0.0.1:9000 to keep the listener local.
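
The two misconfigurations diagnosed so far (an issuer that already carries the discovery path, and a listener given as a bare port) are easy to catch before the service restarts in a loop. The following pre-flight validator is an added example and not part of openvpn-auth-oauth2; it parses a sysconfig file, applies the checks from this thread plus the secret-length rule from the template comment, and uses Go's net.SplitHostPort, whose error text is the one in the log. The sample config, placeholder credentials, and the key names it recognises beyond those on this page are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// wellKnown is the discovery suffix an OIDC client appends to the issuer on its own;
// an issuer that already ends in it makes the client fetch the path twice (the 404 above).
const wellKnown = "/.well-known/openid-configuration"

type Finding struct {
	Key, Problem, Suggest string
}

// ParseEnv reads sysconfig-style KEY=VALUE lines, skipping blanks and comments.
func ParseEnv(text string) map[string]string {
	cfg := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			cfg[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return cfg
}

// Validate applies the checks this thread converged on and returns findings.
func Validate(cfg map[string]string) []Finding {
	var out []Finding
	// 1. Issuer: an https URL without the discovery path.
	if iss, ok := cfg["CONFIG_OAUTH2_ISSUER"]; ok {
		u, err := url.Parse(iss)
		switch {
		case err != nil || u.Scheme != "https" || u.Host == "":
			out = append(out, Finding{"CONFIG_OAUTH2_ISSUER", "not an https URL", ""})
		case strings.HasSuffix(strings.TrimSuffix(u.Path, "/"), wellKnown):
			fixed := strings.TrimSuffix(strings.TrimSuffix(iss, "/"), wellKnown)
			out = append(out, Finding{"CONFIG_OAUTH2_ISSUER",
				"discovery path included; the client appends it itself", fixed})
		}
	}
	// 2. Listener: host:port with an optional host; a bare "9000" is rejected by net.
	if l, ok := cfg["CONFIG_HTTP_LISTEN"]; ok {
		if _, _, err := net.SplitHostPort(l); err != nil {
			suggest := ""
			if l != "" && strings.Trim(l, "0123456789") == "" {
				suggest = ":" + l
			}
			out = append(out, Finding{"CONFIG_HTTP_LISTEN", err.Error(), suggest})
		}
	}
	// 3. Key spelling: the wiki showed both names; only CONFIG_HTTP_BASEURL is read.
	if v, ok := cfg["CONFIG_HTTP_BASE_URL"]; ok {
		if _, read := cfg["CONFIG_HTTP_BASEURL"]; !read {
			out = append(out, Finding{"CONFIG_HTTP_BASE_URL",
				"unknown key, value is ignored", "CONFIG_HTTP_BASEURL=" + v})
		}
	}
	// 4. Secret length, per the comment in the sysconfig template above.
	if s, ok := cfg["CONFIG_HTTP_SECRET"]; ok && len(s) != 16 && len(s) != 24 {
		out = append(out, Finding{"CONFIG_HTTP_SECRET",
			fmt.Sprintf("length %d, expected 16 or 24 characters", len(s)), ""})
	}
	return out
}

// sampleSysconfig is a constructed copy of the thread's config with the suspected
// bare "9000" listener and placeholder credentials.
const sampleSysconfig = `CONFIG_OAUTH2_ISSUER=https://accounts.google.com/.well-known/openid-configuration
CONFIG_OAUTH2_CLIENT_ID=PLACEHOLDER_CLIENT_ID
CONFIG_HTTP_SECRET=cFL3QzfPJUqdsdsdsds
CONFIG_HTTP_LISTEN=9000
CONFIG_HTTP_BASE_URL=https://login.example.com
`

func main() {
	for _, f := range Validate(ParseEnv(sampleSysconfig)) {
		fmt.Printf("%s: %s -> %s\n", f.Key, f.Problem, f.Suggest)
	}
}
```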

vadirajks commented 10 months ago

Thanks, it worked. What is my client configuration (*.ovpn) supposed to look like [where does it need to point]? Can you please provide me a sample configuration file for both the OpenVPN server (/etc/openvpn/server/server.conf) and the corresponding client configuration, if you don't mind? I am a bit confused about what to do next. Here is my server configuration for testing:

[root@vaditest-openvpn-google ~]# cat  /etc/openvpn/server/server.conf 
#local openvpnvadi.atomex.net
local x.x.x.x
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
tls-crypt tc.key
topology subnet
server x.x.x.x x.x.x.x
push "block-ipv6"
#push "ifconfig-ipv6 fddd:1194:1194:1194::2/64 fddd:1194:1194:1194::1"
#push "redirect-gateway def1 ipv6 bypass-dhcp"
push "route x.x.x.x x.x.x.x"
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "block-outside-dns"
keepalive 10 120
cipher AES-128-GCM
tun-mtu 1200
#mssfix 1200
user nobody
group nobody
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
status /var/log/openvpn-status.log
management /run/openvpn/server.sock unix /etc/openvpn/password.txt
#management /run/openvpn/server.sock unix
#management 127.0.0.1 8081 /etc/openvpn/password.txt
#management-hold
management-client-auth
[root@vaditest-openvpn-google ~]# 

My client configuration:

> cat  vadi1.ovpn
client
dev tun
proto udp
remote openvpnvadi.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-128-GCM
ignore-unknown-option block-outside-dns block-ipv6
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIUGIvP2R0f1Pwy059WbLdDz5veKEIwDQYJKoZIhvcNAQEL
ruUw3K0IebXB7eZFRIKbX9p1z8xODqViEWHlwvxjSw==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDUjCCAjqgAwIBAgIQBqCtBsuloFqeuPiZGLdwbTANBgkqhkiG9w0BAQsFADAW
+IdcFU5IHMKgpUFmmLgu1R9WBowgEKp4kSSuPTLYJkbj+h+KymU=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDGy0dxoOwIZaBl
9FEEvbMtbN/xEQI5Mr1SZA==
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
bbbbe6d946248e629837b2c5f5cefb32
1d42ddd4ce88a11722a7eec378f4a83e
-----END OpenVPN Static key V1-----
</tls-crypt>

Unable to connect, and the Google OAuth flow is not happening:

> openvpn3 session-start --config /custom-scripts/vpn_test/vadi.ovpn

Using configuration profile from file: /custom-scripts/vpn_test/vadi.ovpn
Session path: /net/openvpn/v3/sessions/bf968ed2s4c22s4a52s99dfsff5eed05b64e
^C!!

session-start: ** ERROR ** Session stopped

vadirajks commented 10 months ago

Even from the Windows client I am not able to connect. Browser error:

https://openvpnvadi.example.com/oauth2/start?state=muz66ZCeYrzHSKz8-H-nWyxAcHWsmhHS-aDsUs5IKWrZJhIMVquLHKmlPOkijAcwsENgsUcY
502 Bad Gateway
nginx/1.14.1

Logs:

2023/12/25 10:46:03 [crit] 427176#0: *18 connect() to 127.0.0.1:9000 failed (13: Permission denied) while connecting to upstream, client: 18.234.55.242, server: openvpnvadi.example.com, request: "GET /oauth2/start?state=mE-2pvEUHSrl9-9OwMxcwKBEGfgc02tuX4B7nZ2dieSgxlVa7wj-9lFFUbHBAhm0-AbQxB4B HTTP/1.1", upstream: "http://127.0.0.1:9000/oauth2/start?state=mE-2pvEUHSrl9-9OwMxcwKBEGfgc02tuX4B7nZ2dieSgxlVa7wj-9lFFUbHBAhm0-AbQxB4B", host: "openvpnvadi.example.com"

==> /var/log/nginx/access.log <==
18.234.55.242 - - [25/Dec/2023:10:46:03 +0000] "GET /oauth2/start?state=mE-2pvEUHSrl9-9OwMxcwKBEGfgc02tuX4B7nZ2dieSgxlVa7wj-9lFFUbHBAhm0-AbQxB4B HTTP/1.1" 502 575 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"

==> /var/log/messages <==
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 VERIFY OK: depth=1, CN=Easy-RSA CA
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 VERIFY OK: depth=0, CN=vadi
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 peer info: IV_VER=3.8.2connect3
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 peer info: IV_PLAT=win
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 peer info: IV_NCP=2
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 peer info: IV_TCPNL=1
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 peer info: IV_PROTO=990
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 peer info: IV_MTU=1600
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 peer info: IV_AUTO_SESS=1
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 peer info: IV_GUI_VER=OCWindows_3.4.3-3337
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 peer info: IV_SSO=webauth,crtext
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 TLS: Username/Password authentication deferred for username ''
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
Dec 25 10:46:03 vaditest-openvpn-google openvpn-auth-oauth2[427100]: {"time":"2023-12-25T10:46:03.242234774Z","level":"DEBUG","msg":">CLIENT:CONNECT,7,1\n>CLIENT:ENV,n_clients=0\n>CLIENT:ENV,password=\n>CLIENT:ENV,untrusted_port=52590\n>CLIENT:ENV,untrusted_ip=18.234.55.242\n>CLIENT:ENV,common_name=vadi\n>CLIENT:ENV,username=\n>CLIENT:ENV,IV_SSO=webauth,crtext\n>CLIENT:ENV,IV_GUI_VER=OCWindows_3.4.3-3337\n>CLIENT:ENV,IV_AUTO_SESS=1\n>CLIENT:ENV,IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305\n>CLIENT:ENV,IV_MTU=1600\n>CLIENT:ENV,IV_PROTO=990\n>CLIENT:ENV,IV_TCPNL=1\n>CLIENT:ENV,IV_NCP=2\n>CLIENT:ENV,IV_PLAT=win\n>CLIENT:ENV,IV_VER=3.8.2connect3\n>CLIENT:ENV,tls_serial_hex_0=06:a0:ad:06:cb:a5:a0:5a:9e:b8:f8:99:18:b7:70:6d\n>CLIENT:ENV,tls_serial_0=8809644867331161486807943342280110189\n>CLIENT:ENV,tls_digest_sha256_0=47:37:b3:f3:bd:45:db:7b:62:87:10:c2:79:5a:9c:d3:c8:b0:6f:b5:d9:af:20:a0:82:02:0b:09:90:a3:91:0d\n>CLIENT:ENV,tls_digest_0=d2:93:86:6f:f4:90:63:f8:00:f2:39:fd:44:1b:59:12:92:7c:79:3e\n>CLIENT:ENV,tls_id_0=CN=vadi\n>CLIENT:ENV,X509_0_CN=vadi\n>CLIENT:ENV,tls_serial_hex_1=18:8b:cf:d9:1d:1f:d4:fc:32:d3:9f:56:6c:b7:43:cf:9b:de:28:42\n>CLIENT:ENV,tls_serial_1=140133688205542294345411494615504804262021310530\n>CLIENT:ENV,tls_digest_sha256_1=43:73:6a:98:ec:da:68:34:61:27:0a:6b:74:6a:44:31:d6:f8:7a:a5:dd:dc:78:61:c7:fc:b5:7b:15:a7:87:24\n>CLIENT:ENV,tls_digest_1=48:2e:06:aa:24:72:63:04:dd:0d:a9:75:f0:4d:da:96:70:62:65:b2\n>CLIENT:ENV,tls_id_1=CN=Easy-RSA CA\n>CLIENT:ENV,X509_1_CN=Easy-RSA CA\n>CLIENT:ENV,remote_port_1=1194\n>CLIENT:ENV,local_port_1=1194\n>CLIENT:ENV,local_1=10.125.71.228\n>CLIENT:ENV,proto_1=udp\n>CLIENT:ENV,daemon_pid=426812\n>CLIENT:ENV,daemon_start_time=1703497744\n>CLIENT:ENV,daemon_log_redirect=0\n>CLIENT:ENV,daemon=0\n>CLIENT:ENV,verb=3\n>CLIENT:ENV,config=server.conf\n>CLIENT:ENV,ifconfig_local=10.8.0.1\n>CLIENT:ENV,ifconfig_netmask=255.255.255.0\n>CLIENT:ENV,script_context=init\n>CLIENT:ENV,tun_mtu=1200\n>CLIENT:ENV,dev=tun0\n>CLIENT:ENV,dev_type=tun\n>CLIENT:ENV,redirect_gateway=0\n>CLIENT:ENV,END\n"}
Dec 25 10:46:03 vaditest-openvpn-google openvpn-auth-oauth2[427100]: {"time":"2023-12-25T10:46:03.242297754Z","level":"INFO","msg":"new client connection","cid":7,"kid":1,"reason":"CONNECT","common_name":"vadi","username":""}
Dec 25 10:46:03 vaditest-openvpn-google openvpn-auth-oauth2[427100]: {"time":"2023-12-25T10:46:03.24232653Z","level":"INFO","msg":"start pending auth","cid":7,"kid":1,"reason":"CONNECT","common_name":"vadi","username":""}
Dec 25 10:46:03 vaditest-openvpn-google openvpn-auth-oauth2[427100]: {"time":"2023-12-25T10:46:03.242343136Z","level":"DEBUG","msg":"client-pending-auth 7 1 \"WEB_AUTH::https://openvpnvadi.example.com/oauth2/start?state=mE-2pvEUHSrl9-9OwMxcwKBEGfgc02tuX4B7nZ2dieSgxlVa7wj-9lFFUbHBAhm0-AbQxB4B\" 180\n"}
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: MANAGEMENT: CMD 'client-pending-auth 7 1 "WEB_AUTH::https://openvpnvadi.example.com/oauth2/start?state=mE-2pvEUHSrl9-9OwMxcwKBEGfgc02tuX4B7nZ2dieSgxlVa7wj-9lFFUbHBAhm0-AbQxB4B" 180'
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: SENT CONTROL [vadi]: 'AUTH_PENDING,timeout 180' (status=1)
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: SENT CONTROL [vadi]: 'INFO_PRE,WEB_AUTH::https://openvpnvadi.example.com/oauth2/start?state=mE-2pvEUHSrl9-9OwMxcwKBEGfgc02tuX4B7nZ2dieSgxlVa7wj-9lFFUbHBAhm0-AbQxB4B' (status=1)
Dec 25 10:46:03 vaditest-openvpn-google openvpn-auth-oauth2[427100]: {"time":"2023-12-25T10:46:03.242898636Z","level":"DEBUG","msg":"SUCCESS: client-pending-auth command succeeded\n"}
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 [vadi] Peer Connection Initiated with [AF_INET]18.234.55.242:52590
Dec 25 10:46:03 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 PUSH: Received control message: 'PUSH_REQUEST'

==> /var/log/nginx/error.log <==
2023/12/25 10:46:04 [crit] 427176#0: *18 connect() to 127.0.0.1:9000 failed (13: Permission denied) while connecting to upstream, client: 18.234.55.242, server: openvpnvadi.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:9000/favicon.ico", host: "openvpnvadi.example.com", referrer: "https://openvpnvadi.example.com/oauth2/start?state=mE-2pvEUHSrl9-9OwMxcwKBEGfgc02tuX4B7nZ2dieSgxlVa7wj-9lFFUbHBAhm0-AbQxB4B"

==> /var/log/nginx/access.log <==
18.234.55.242 - - [25/Dec/2023:10:46:04 +0000] "GET /favicon.ico HTTP/1.1" 502 575 "https://openvpnvadi.example.com/oauth2/start?state=mE-2pvEUHSrl9-9OwMxcwKBEGfgc02tuX4B7nZ2dieSgxlVa7wj-9lFFUbHBAhm0-AbQxB4B" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"

==> /var/log/messages <==
Dec 25 10:46:04 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 PUSH: Received control message: 'PUSH_REQUEST'
Dec 25 10:46:12 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 PUSH: Received control message: 'PUSH_REQUEST'
Dec 25 10:46:20 vaditest-openvpn-google openvpn[426812]: 18.234.55.242:52590 PUSH: Received control message: 'PUSH_REQUEST'

Please let me know if you need any details from me, and thanks for taking your time to help me :)

jkroepke commented 10 months ago

Hi,

Sorry, but the error seems to be inside nginx:

2023/12/25 10:46:04 [crit] 427176#0: *18 connect() to 127.0.0.1:9000 failed (13: Permission denied) while connecting to upstream, client: 18.234.55.242, server: openvpnvadi.example.com, request: "GET /favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:9000/favicon.ico", host: "openvpnvadi.example.com", referrer: "https://openvpnvadi.example.com/oauth2/start?state=mE-2pvEUHSrl9-9OwMxcwKBEGfgc02tuX4B7nZ2dieSgxlVa7wj-9lFFUbHBAhm0-AbQxB4B"

This means that your nginx instance is not allowed to connect to 127.0.0.1:9000. This is something outside of the control of openvpn-auth-oauth2.

vadirajks commented 10 months ago

Hey, thanks. I guess you are referring to the "/favicon.ico" file, and that should be okay.

jkroepke commented 10 months ago

2023/12/25 10:46:03 [crit] 427176#0: *18 connect() to 127.0.0.1:9000 failed (13: Permission denied) while connecting to upstream, client: 18.234.55.242, server: openvpnvadi.example.com, request: "GET /oauth2/start?state=mE-2pvEUHSrl9-9OwMxcwKBEGfgc02tuX4B7nZ2dieSgxlVa7wj-9lFFUbHBAhm0-AbQxB4B HTTP/1.1", upstream: "http://127.0.0.1:9000/oauth2/start?state=mE-2pvEUHSrl9-9OwMxcwKBEGfgc02tuX4B7nZ2dieSgxlVa7wj-9lFFUbHBAhm0-AbQxB4B", host: "openvpnvadi.example.com"

Here is the same error for /oauth2/start.

vadirajks commented 10 months ago

Sorry, it was blocked due to SELinux. The first round I was able to connect and it worked. Later on I am not able to connect. Server log:

Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 VERIFY OK: depth=1, CN=Easy-RSA CA
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 VERIFY OK: depth=0, CN=vadi
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 peer info: IV_VER=3.8.2connect3
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 peer info: IV_PLAT=win
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 peer info: IV_NCP=2
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 peer info: IV_TCPNL=1
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 peer info: IV_PROTO=990
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 peer info: IV_MTU=1600
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 peer info: IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 peer info: IV_AUTO_SESS=1
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 peer info: IV_GUI_VER=OCWindows_3.4.3-3337
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 peer info: IV_SSO=webauth,crtext
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 TLS: Username/Password authentication deferred for username ''
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 [vadi] Peer Connection Initiated with [AF_INET]54.164.78.183:53754
Dec 26 09:42:12 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:13 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:15 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:18 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:21 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:24 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:27 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:30 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:33 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:36 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:39 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:42 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:45 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:48 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:51 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:54 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:42:57 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:43:00 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:43:03 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:43:06 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'
Dec 26 09:43:09 vaditest-openvpn-google openvpn[2363]: 54.164.78.183:53754 PUSH: Received control message: 'PUSH_REQUEST'

Windows VPN client log:

[Dec 26, 2023, 09:42:12] EVENT: CONNECTING
[Dec 26, 2023, 09:42:12] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,key-method 2,tls-client
[Dec 26, 2023, 09:42:12] Creds: UsernameEmpty/PasswordEmpty
[Dec 26, 2023, 09:42:12] Sending Peer Info:
IV_VER=3.8.2connect3
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=OCWindows_3.4.3-3337
IV_SSO=webauth,crtext

[Dec 26, 2023, 09:42:12] SSL Handshake: peer certificate: CN=server, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD

[Dec 26, 2023, 09:42:12] Session is ACTIVE
[Dec 26, 2023, 09:42:12] EVENT: GET_CONFIG
[Dec 26, 2023, 09:42:12] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:13] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:15] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:18] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:21] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:24] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:27] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:30] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:33] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:36] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:39] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:42] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:45] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:48] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:51] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:54] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:42:57] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:43:00] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:43:03] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:43:06] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:43:09] Sending PUSH_REQUEST to server...
[Dec 26, 2023, 09:43:11] EVENT: CONNECTION_TIMEOUT  BYTES_IN : 5120
 BYTES_OUT : 5920
 PACKETS_IN : 28
 PACKETS_OUT : 30
 CONNECTION_TIMEOUT : 1
[Dec 26, 2023, 09:43:11] EVENT: DISCONNECTED

Restarting everything didn't help.

jkroepke commented 10 months ago

> first round I was able to connect and it worked. Later on i am not able to connect.

That's a known bug in the OpenVPN 3 Connect software (ref: https://github.com/OpenVPN/openvpn3/issues/282); the next version will introduce a new parameter --oauth2.refresh.enabled=true to mitigate the issue.

vadirajks commented 10 months ago

Great!! Thank you. I have the options below in the config:

CONFIG_OAUTH2_REFRESH_ENABLED=true
CONFIG_OAUTH2_REFRESH_EXPIRES=24h

With this it should work correctly if we don't restart it.

jkroepke commented 10 months ago

> with this it should work correctly if we don't restart it.

Note that this feature is not released yet. After the next release, it should work.

vadirajks commented 10 months ago

Sure, thanks. One more thing: can you please let me know why it was not able to connect from the CLI on Ubuntu? Do I need to rebuild the package with the newer version?

jkroepke commented 10 months ago

Are you using OpenVPN 2 or OpenVPN 3 connect on Ubuntu?

Do you have any Desktop environment on Ubuntu or pure CLI?

vadirajks commented 10 months ago

I have all 3 on my desktop, and none of them worked. I just wanted to test this too, to make sure it works for future use.

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 23.10
Release:        23.10
Codename:       mantic

jkroepke commented 10 months ago

You have to use OpenVPN 3 Connect for Linux; then it should work. The built-in openvpn via apt install openvpn or the integrated OpenVPN inside Network Manager does not support modern auth.
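
The management-interface exchange behind the last remark is visible in the Dec 25 server log above: OpenVPN announces the client with >CLIENT:CONNECT and its IV_* peer info, and the authenticator answers with client-pending-auth carrying a WEB_AUTH:: URL, which only a client that advertised IV_SSO=webauth can act on. The following Go code is an added example, not the project's own implementation: it parses that notification (values may contain commas or "=", so the split is on the first "=" only), checks the IV_SSO capability, and builds either the deferred-auth command seen in the log or a client-deny for clients that lack webauth. The shortened notification is constructed from the logged one; the state token, timeout, and deny reason text are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ClientConnect is one ">CLIENT:CONNECT,cid,kid" notification together with the
// ">CLIENT:ENV,key=value" lines OpenVPN sends after it, up to ">CLIENT:ENV,END".
type ClientConnect struct {
	CID, KID int
	Env      map[string]string
}

// ParseClientConnect parses the notification text as the authenticator logs it
// (one management line per "\n"). Lines before the CONNECT line are ignored.
func ParseClientConnect(raw string) (*ClientConnect, error) {
	var cc *ClientConnect
	for _, line := range strings.Split(raw, "\n") {
		switch {
		case strings.HasPrefix(line, ">CLIENT:CONNECT,"):
			ids := strings.Split(strings.TrimPrefix(line, ">CLIENT:CONNECT,"), ",")
			if len(ids) != 2 {
				return nil, fmt.Errorf("malformed CONNECT line %q", line)
			}
			cid, err1 := strconv.Atoi(ids[0])
			kid, err2 := strconv.Atoi(ids[1])
			if err1 != nil || err2 != nil {
				return nil, fmt.Errorf("non-numeric cid/kid in %q", line)
			}
			cc = &ClientConnect{CID: cid, KID: kid, Env: map[string]string{}}
		case strings.HasPrefix(line, ">CLIENT:ENV,"):
			if cc == nil {
				return nil, errors.New("ENV line before CONNECT")
			}
			kv := strings.TrimPrefix(line, ">CLIENT:ENV,")
			if kv == "END" {
				return cc, nil
			}
			// IV_SSO=webauth,crtext and tls_id_0=CN=vadi show why only the
			// first "=" separates key from value.
			k, v, _ := strings.Cut(kv, "=")
			cc.Env[k] = v
		}
	}
	return nil, errors.New("notification truncated: no >CLIENT:ENV,END")
}

// SupportsWebAuth reports whether the client advertised IV_SSO=webauth, which is
// what lets the server defer the login to a browser via WEB_AUTH::.
func (c *ClientConnect) SupportsWebAuth() bool {
	for _, m := range strings.Split(c.Env["IV_SSO"], ",") {
		if m == "webauth" {
			return true
		}
	}
	return false
}

// AuthCommand builds the management command sent back for this client: the
// deferred-auth command seen in the log, or a deny for clients lacking webauth.
// state is assumed to be a fresh random token generated by the caller.
func AuthCommand(c *ClientConnect, baseURL, state string, timeoutSec int) string {
	if !c.SupportsWebAuth() {
		return fmt.Sprintf(`client-deny %d %d "client does not support web auth"`, c.CID, c.KID)
	}
	return fmt.Sprintf(`client-pending-auth %d %d "WEB_AUTH::%s/oauth2/start?state=%s" %d`,
		c.CID, c.KID, strings.TrimSuffix(baseURL, "/"), state, timeoutSec)
}

// sampleNotification is a constructed, shortened copy of the Dec 25 DEBUG log entry.
const sampleNotification = ">CLIENT:CONNECT,7,1\n" +
	">CLIENT:ENV,untrusted_ip=18.234.55.242\n" +
	">CLIENT:ENV,common_name=vadi\n" +
	">CLIENT:ENV,username=\n" +
	">CLIENT:ENV,IV_SSO=webauth,crtext\n" +
	">CLIENT:ENV,IV_GUI_VER=OCWindows_3.4.3-3337\n" +
	">CLIENT:ENV,tls_id_0=CN=vadi\n" +
	">CLIENT:ENV,END\n"

func main() {
	cc, err := ParseClientConnect(sampleNotification)
	if err != nil {
		panic(err)
	}
	fmt.Println(AuthCommand(cc, "https://openvpnvadi.example.com", "EXAMPLE_STATE", 180))
}
```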