validate.common-name fails with "openvpn client is empty" #163

Closed
andreas-p opened this issue Feb 12, 2024 · 2 comments · Fixed by #171
Labels
🐞 bug Something isn't working keep

Comments

@andreas-p

Current Behavior

Testing with V1.15.0 on openvpn 2.6.3 (Debian Bookworm):

msg="start pending auth" cid=1 kid=1 common_name="" reason=CONNECT username=myself
msg="initialize authorization via oauth2" cid=1 kid=1 common_name=""
msg="deny OpenVPN client cid 1, kid 1" cid=1 kid=1 common_name="" idtoken.preferred_username=MySelf (..) 
msg="user validation: common_name mismatch: openvpn client is empty" cid=1 kid=1 common_name="" (..)

My setup is with username-as-common-name; verify-client-cert none. When connecting, the management interface will receive:

>CLIENT:CONNECT,3,1
>CLIENT:ENV,n_clients=0
>CLIENT:ENV,password=password,of_course
>CLIENT:ENV,untrusted_port=53732
>CLIENT:ENV,untrusted_ip=11.22.33.44
>CLIENT:ENV,username=myself
>CLIENT:ENV,IV_SSO=openurl,webauth,crtext
>CLIENT:ENV,IV_GUI_VER=OpenVPN3/Linux/v21
>CLIENT:ENV,IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
>CLIENT:ENV,IV_MTU=1600
>CLIENT:ENV,IV_PROTO=990
>CLIENT:ENV,IV_TCPNL=1
>CLIENT:ENV,IV_NCP=2
>CLIENT:ENV,IV_PLAT=linux
>CLIENT:ENV,IV_VER=v3.8.2
>CLIENT:ENV,remote_port_1=1194
>CLIENT:ENV,local_port_1=1194
>CLIENT:ENV,proto_1=udp
>CLIENT:ENV,daemon_pid=44361
>CLIENT:ENV,daemon_start_time=1707741604
>CLIENT:ENV,daemon_log_redirect=1
>CLIENT:ENV,daemon=1
>CLIENT:ENV,verb=4
>CLIENT:ENV,config=/etc/openvpn/server.conf
>CLIENT:ENV,ifconfig_local=192.168.1.1
>CLIENT:ENV,ifconfig_netmask=255.255.255.0
>CLIENT:ENV,script_context=init
>CLIENT:ENV,tun_mtu=1500
>CLIENT:ENV,dev=tun0
>CLIENT:ENV,dev_type=tun
>CLIENT:ENV,redirect_gateway=0
>CLIENT:ENV,END

So in case cn is empty (since no certs were used), the common_name should be obtained from CLIENT:ENV,username.
Please compare case-insensitively...

Expected Behavior

No response

Steps To Reproduce

No response

Environment

No response

openvpn-auth-oauth2 logs

No response

openvpn server logs

No response

Anything else?

No response

@andreas-p added the 🐞 bug Something isn't working label Feb 12, 2024
@andreas-p changed the title from validate.commonname fails with "openvpn client is empty" to Auth fails with "openvpn client is empty" Feb 12, 2024
@andreas-p changed the title from Auth fails with "openvpn client is empty" to validate.common-name fails with "openvpn client is empty" Feb 12, 2024
@jkroepke
Owner

I created an upstream issue for that.

OpenVPN/openvpn#498

@jkroepke jkroepke pinned this issue Feb 12, 2024
@jkroepke jkroepke added the keep label Feb 12, 2024
@andreas-p
Author

OpenVPN server runs happily without Certs, and thus without common-name (ipp.txt is maintained as expected from username), so I guess the service needs to be enabled to use cn or username.
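
The behaviour requested in this thread, sketched as an added example that is not part of the original discussion and is not the project's code or the fix merged for this issue: parse the `>CLIENT:ENV` lines, fall back to `username` when `common_name` is empty, and compare case-insensitively against the ID token claim. The function names `parseClientEnv`, `clientIdentity` and `validateIdentity` are hypothetical, and the sample is trimmed from the capture above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Added example: helper names are hypothetical, not the project's own code.
// Constructed sample, trimmed from the CLIENT:CONNECT capture in the issue.
const sample = ">CLIENT:CONNECT,3,1\n>CLIENT:ENV,password=password,of_course\n>CLIENT:ENV,username=myself\n>CLIENT:ENV,END"

// parseClientEnv collects the key=value pairs of one CLIENT notification.
func parseClientEnv(msg string) map[string]string {
	env := make(map[string]string)
	for _, line := range strings.Split(msg, "\n") {
		line = strings.TrimSpace(line)
		// Split on the first "=" only; values may contain "," or "=".
		k, v, ok := strings.Cut(strings.TrimPrefix(line, ">CLIENT:ENV,"), "=")
		if ok && strings.HasPrefix(line, ">CLIENT:ENV,") {
			env[k] = v
		}
	}
	return env
}

// clientIdentity falls back to username when no certificate supplied a CN.
func clientIdentity(env map[string]string) string {
	if cn := env["common_name"]; cn != "" {
		return cn
	}
	return env["username"]
}

// validateIdentity compares the tunnel identity with an ID token claim.
func validateIdentity(env map[string]string, claim string) error {
	id := clientIdentity(env)
	if id == "" || claim == "" {
		return errors.New("openvpn client identity is empty") // "" never matches
	}
	if !strings.EqualFold(id, claim) { // case-insensitive, as requested
		return fmt.Errorf("mismatch: openvpn client %q, token %q", id, claim)
	}
	return nil
}

func main() {
	fmt.Println(validateIdentity(parseClientEnv(sample), "MySelf"))
}
```

With `verify-client-cert none` the `username` value is whatever the client sent, so this check only binds that name to the token claim; rejecting empty values keeps a missing claim from matching a missing name.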
