Multiple authentication systems (Microsoft and script) #325

Closed
D0wn3r opened this issue Sep 25, 2024 · 14 comments
Labels
❓ question Further information is requested

Comments

@D0wn3r

D0wn3r commented Sep 25, 2024

Problem Statement

Hi again!

Is it possible to have two authentication systems? In my case, they would be:

  • One using a script to authenticate my servers (allowing them to be assigned a static IP)
  • One using Microsoft as the provider for human users (no static IP needed)

Can I achieve this with OpenVPN and the openvpn-auth-oauth2 plugin?

openvpn-auth-oauth2 logs

No need

Environment

No response

@D0wn3r D0wn3r added the ❓ question Further information is requested label Sep 25, 2024
@jkroepke
Owner

For this use case, the option

--openvpn.bypass.common-names

You can add the common names of your services; in that case, openvpn-auth-oauth2 will always return authenticated for those common names. Authentication can be done via OpenVPN client certificates.

@D0wn3r
Author

D0wn3r commented Sep 25, 2024

Using the same client certificate and authenticating with username/password is not possible?

@jkroepke
Owner

If you enable username-as-common-name in OpenVPN, it should be possible, together with auth-user-pass-verify.

@D0wn3r
Author

D0wn3r commented Sep 26, 2024

I will share my config; maybe that will make it easier, and it could help the community too.

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key 
dh dh2048.pem
server ********
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC   # AES
auth SHA256
comp-lzo
user root
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 9
crl-verify /etc/openvpn/server/crl.pem

# Script part
auth-user-pass-verify "/etc/openvpn/server/auth.sh" via-file
script-security 2
duplicate-cn
username-as-common-name

# Microsoft Entra ID part
management /run/openvpn/server.sock unix /etc/openvpn/server/password.txt
management-client-auth
auth-user-pass-optional
auth-gen-token 28800 external-auth

Here is the log of openvpn-auth-oauth2:

Sep 26 07:44:30 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:30.592Z level=INFO msg="new client connection" ip=ip:19358 cid=15 kid=1 common_name="" reason=CONNECT session_id=7FfB9fPfDXkllfiX session_state=Initial
Sep 26 07:44:30 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:30.593Z level=INFO msg="start pending auth" ip=ip:19358 cid=15 kid=1 common_name="" reason=CONNECT session_id=7FfB9fPfDXkllfiX session_state=Initial
Sep 26 07:44:31 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:31.746Z level=INFO msg="client disconnected" ip=: cid=13 common_name="" reason=DISCONNECT session_id="" session_state=""
Sep 26 07:44:31 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:31.746Z level=WARN msg="error from token store: value does not exist" ip=: cid=13 common_name="" reason=DISCONNECT session_id="" session_state=""
Sep 26 07:44:32 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:32.482Z level=INFO msg="new client connection" ip=ip:19380 cid=16 kid=1 common_name="" reason=CONNECT session_id=z+VgcwDkuugqV04C session_state=Initial
Sep 26 07:44:32 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:32.482Z level=INFO msg="start pending auth" ip=ip:19380 cid=16 kid=1 common_name="" reason=CONNECT session_id=z+VgcwDkuugqV04C session_state=Initial
Sep 26 07:44:33 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:33.800Z level=INFO msg="client disconnected" ip=: cid=14 common_name="" reason=DISCONNECT session_id="" session_state=""
Sep 26 07:44:33 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:33.800Z level=WARN msg="error from token store: value does not exist" ip=: cid=14 common_name="" reason=DISCONNECT session_id="" session_state=""
Sep 26 07:44:34 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:34.370Z level=INFO msg="new client connection" ip=ip:19477 cid=17 kid=1 common_name="" reason=CONNECT session_id=bUlUINGj4WnMqiOR session_state=Initial
Sep 26 07:44:34 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:34.370Z level=INFO msg="start pending auth" ip=ip:19477 cid=17 kid=1 common_name="" reason=CONNECT session_id=bUlUINGj4WnMqiOR session_state=Initial
Sep 26 07:44:35 vpn openvpn-auth-oauth2[1224]: time=2024-09-26T07:44:35.834Z level=INFO msg="client disconnected" ip=: cid=15 common_name="" reason=DISCONNECT session_id="" session_state=""

Thanks for your help

@jkroepke
Owner

I guess I forgot to mention this:

--openvpn.common-name.environment-variable-name string
Name of the environment variable in the OpenVPN management interface which contains the common name. If username-as-common-name is enabled, this should be set to 'username' to use the username as common name. Other values like 'X509_0_emailAddress' are supported. See https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/#environmental-variables for more information. (env: CONFIG_OPENVPN_COMMON__NAME_ENVIRONMENT__VARIABLE__NAME) (default "common_name")

@D0wn3r
Author

D0wn3r commented Sep 26, 2024

Thanks! OK, I think we are very near. My server is able to connect with the script (bypassing openvpn-auth-oauth2), but my human client (Microsoft Entra ID) doesn't work, with the same log in openvpn-auth-oauth2 as mentioned before.

@jkroepke
Owner

> auth-user-pass-verify "/etc/openvpn/server/auth.sh" via-file

I guess you have to implement a bypass for the human clients as well, because all authentication methods must return OK.

@D0wn3r
Author

D0wn3r commented Sep 26, 2024

Hmm, how do I do that? Because if I use --openvpn.bypass.common-names, I don't have common names with Microsoft Entra ID.

@D0wn3r
Author

D0wn3r commented Sep 26, 2024

> auth-user-pass-verify "/etc/openvpn/server/auth.sh" via-file
>
> I guess you have to implement a bypass for the human clients as well, because all authentication methods must return OK.

Oh, you mean I must implement a bypass in my script?
Like excluding servers in openvpn-auth-oauth2
and excluding humans in auth.sh?

Hmm, let's think about how to do that.

@D0wn3r
Author

D0wn3r commented Sep 26, 2024

OK, it works! Thank you! I have another question (a simpler one), but I will open a new issue to keep it clear.

@D0wn3r D0wn3r closed this as completed Sep 26, 2024
@Elshirak

Hello @D0wn3r @jkroepke
Hope you're doing well :)

@D0wn3r Could you please share your auth.sh script? It looks like I have the same issue: error from token store. However, in my case I want to use Keycloak as the IdP and Google for SSO.

@jkroepke Is it possible to avoid any authentication process (certs, login/pass, whatever) from the OpenVPN client to the OpenVPN server and fully delegate it to openvpn-auth-oauth2, which would redirect the human client to Keycloak -> Google SSO in the browser? I want users to authenticate only via Google; it will be much easier to manage human clients.

@jkroepke
Owner

jkroepke commented Oct 11, 2024

No.

See OpenVPN/openvpn#501 and add a 👍.

You have to add some inline user/pass credentials as a workaround, but they can be the same for all users.

What's the reason for Keycloak?

@D0wn3r
Author

D0wn3r commented Oct 11, 2024

> Hello @D0wn3r @jkroepke Hope you're doing well :)
>
> @D0wn3r Could you please share your auth.sh script? It looks like I have the same issue: error from token store. However, in my case I want to use Keycloak as the IdP and Google for SSO.
>
> @jkroepke Is it possible to avoid any authentication process (certs, login/pass, whatever) from the OpenVPN client to the OpenVPN server and fully delegate it to openvpn-auth-oauth2, which would redirect the human client to Keycloak -> Google SSO in the browser? I want users to authenticate only via Google; it will be much easier to manage human clients.

Hi @Elshirak

My auth.sh is a simple script that checks the password for the 'usernames' that are bypassed in openvpn-auth-oauth2. I will have to improve it with hashing in the near future.

#!/bin/bash
# Called by OpenVPN via `auth-user-pass-verify ... via-file`: $1 is a temporary
# file with the username on line 1 and the password on line 2.
# Only usernames listed in `ids` are accepted here (those are the common names
# bypassed in openvpn-auth-oauth2); everything else is rejected with exit 1.

declare -A ids=(
        [username]="password"
)

readarray -t lines < "$1"
username=${lines[0]}
password=${lines[1]}
for i in "${!ids[@]}"
do
        if [[ "$i" == "$username" ]]
        then
                echo "Username found"
                if [[ "${ids[$i]}" == "$password" ]]
                then
                        echo "ok"
                        exit 0   # OK for this auth method
                fi
        fi
done
echo "Not found"
exit 1   # reject
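Added example (editor's note; this is not code posted in the thread and not part of openvpn-auth-oauth2): a POSIX sh auth-user-pass-verify script that does what the thread converged on, namely verify only the service accounts that openvpn-auth-oauth2 bypasses and return OK for everyone else so that the management client's verdict decides. The service-account names, salts and secrets are constructed sample data; the salted SHA-256 was chosen only to keep the example dependency-free; and the script assumes the OpenVPN options from the config above (auth-user-pass-verify ... via-file, username-as-common-name, management-client-auth, auth-user-pass-optional). It also adds a check that the list of names verified here matches the value given to --openvpn.bypass.common-names.

```sh
#!/bin/sh
# Added example, not from the issue or from openvpn-auth-oauth2.
# auth-user-pass-verify "via-file" script that verifies service accounts itself
# and defers everyone else to openvpn-auth-oauth2 (management-client-auth).
#
# Assumptions (constructed for this example):
#   - OpenVPN runs with: auth-user-pass-verify <this script> via-file,
#     username-as-common-name, management-client-auth, auth-user-pass-optional
#   - openvpn-auth-oauth2 runs with --openvpn.bypass.common-names set to
#     exactly the usernames in SERVICE_ACCOUNTS below
#   - OpenVPN admits a client only when BOTH this script and the management
#     client return OK, so a DEFER here is safe only because of that second check.
set -eu

# SHA-256 of stdin as hex; sha256sum (coreutils) or shasum (macOS).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | awk '{print $1}'
  else shasum -a 256 | awk '{print $1}'; fi
}

# Salted password hash. A single SHA-256 is fast to brute-force; for real
# service secrets use long random passwords or swap in a slow KDF
# (e.g. "openssl passwd -6" re-run with the stored salt).
hash_password() {
  printf '%s%s' "$1" "$2" | sha256_hex
}

# Service-account table, one "username:salt:hash" per line (constructed data).
# In production generate the hash offline and paste only the result here; the
# plaintext secrets appear below only so this example is self-contained.
SERVICE_ACCOUNTS="srv-backup:9c2d4e1a:$(hash_password 9c2d4e1a 'backup-secret-1')
srv-monitor:71ab0f33:$(hash_password 71ab0f33 'monitor-secret-2')"

# Print "salt:hash" for a username, or nothing if it is not a service account.
lookup_service_account() {
  printf '%s\n' "$SERVICE_ACCOUNTS" | awk -F: -v u="$1" '$1 == u { print $2 ":" $3; exit }'
}

# Decision for a (username, password) pair:
#   ACCEPT  service account, password correct
#   REJECT  service account with wrong password, or empty username (client sent
#           no credentials under auth-user-pass-optional)
#   DEFER   not a service account: return OK and let openvpn-auth-oauth2 decide
auth_decision() {
  user=$1
  pass=$2
  if [ -z "$user" ]; then echo REJECT; return 0; fi
  entry=$(lookup_service_account "$user")
  if [ -z "$entry" ]; then echo DEFER; return 0; fi
  salt=${entry%%:*}
  expected=${entry#*:}
  # Plain string compare; the shell has no constant-time comparison.
  if [ "$(hash_password "$salt" "$pass")" = "$expected" ]; then
    echo ACCEPT
  else
    echo REJECT
  fi
}

# Two-sided bypass sanity check: every name bypassed in openvpn-auth-oauth2
# must be verified here, and vice versa. Argument: the comma-separated value
# you pass to --openvpn.bypass.common-names. Prints OK or MISMATCH.
check_bypass_consistency() {
  here=$(printf '%s\n' "$SERVICE_ACCOUNTS" | cut -d: -f1 | sort)
  there=$(printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d' | sort)
  if [ "$here" = "$there" ]; then echo OK; else echo MISMATCH; fi
}

# OpenVPN entry point: $1 is the temp file with the username on line 1 and the
# password on line 2. Exit 0 = OK for this auth method, 1 = reject.
main() {
  user=$(sed -n '1p' "$1")
  pass=$(sed -n '2p' "$1")
  case $(auth_decision "$user" "$pass") in
    ACCEPT|DEFER) exit 0 ;;
    *) exit 1 ;;
  esac
}

# Only act as a verifier when OpenVPN hands us a credentials file.
if [ "$#" -ge 1 ]; then main "$1"; fi
```

On the openvpn-auth-oauth2 side, the two options quoted in this thread tie the halves together: --openvpn.common-name.environment-variable-name=username (env CONFIG_OPENVPN_COMMON__NAME_ENVIRONMENT__VARIABLE__NAME) so the bypass matches on the username-as-common-name value, and --openvpn.bypass.common-names=srv-backup,srv-monitor with exactly the names in SERVICE_ACCOUNTS. check_bypass_consistency exists to catch drift between those two lists: with duplicate-cn and username-as-common-name any client can present any username, so a name that openvpn-auth-oauth2 bypasses but this script defers would be admitted with no credential at all.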

@Elshirak

Hello @jkroepke @D0wn3r
Thank you for quick replies!

@D0wn3r Got it, thanks for sharing :)

@jkroepke There is no specific reason for using Keycloak; it just works fine and solves my issues :)
Also, I've tried to implement your advice, and it worked, many thanks!

Now I'm facing another issue, #331, so as not to spam here.
