Auth-token-user setting does not seem to be working #65

Closed
ncroese opened this issue Nov 17, 2023 · 6 comments
Labels
🐞 bug Something isn't working

Comments

@ncroese

ncroese commented Nov 17, 2023

Current Behavior

According to the code and documentation it seems that the application should set the client username to the preferred_username claim by default. For some reason this does not seem to be happening for me. I don't see any difference in behavior when configuring CONFIG_OPENVPN_AUTH_TOKEN_USER to either true or false.

I see the following in the server logs (without configuring the property or when setting it to either true or false):

openvpn[49636]: MANAGEMENT: CMD 'client-auth 0 1'
openvpn[49636]: VPN Client v1/x.x.x.x:4242 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=2001:db8:0:123::1000

The corresponding logging from the application is this:

openvpn-auth-oauth2[49628]: time=2023-11-17T17:59:23.885Z level=INFO msg="successful authorization via oauth2" idtoken.subject=xxxxx idtoken.preferred_username=user.name@domain common_name="VPN Client v1" cid=0 kid=1 user.subject=xxxxx user.preferred_username=user.name@domain

Expected Behavior

When I look at the code in the OAUTH2 handler it seems to me that it should be sending the push auth-token-user command with the user.preferred_username value telling the server to use user.name@domain as client name.

Steps To Reproduce

No response

Environment

  • openvpn-auth-oauth2 Version: 1.10.1
  • OpenVPN Server Version: 2.6.7
  • Server OS: Ubuntu
  • OpenVPN Client (flavor, OS): Viscosity, MacOS

Anything else?

I think the issue could be with openvpn, but I'm not sure, so any suggestions would be appreciated.

@ncroese ncroese added the 🐞 bug Something isn't working label Nov 17, 2023
@jkroepke (Owner)

@ncroese I guess there is an env mapping issue. Could you try --openvpn.auth-token-user?

Please note that this feature only works if the OpenVPN username is not empty at connect. See: OpenVPN/openvpn#296.

@ncroese (Author)

ncroese commented Nov 20, 2023

Thanks for your quick response!

I've updated to 1.11.0 and changed the property name in my configuration to CONFIG_OPENVPN_AUTH__TOKEN__USER. I also tried running without the property. This did not have any effect. Then I tried running with --openvpn.auth-token-user:

openvpn+  165390  0.0  1.5 1235716 14720 ?       Ssl  12:11   0:00 /usr/bin/openvpn-auth-oauth2 --openvpn.auth-token-user

This also did not seem to have any effect. Note that the OpenVPN username is not empty this time, as I provided that during auth.

Here are the logs of the session:

openvpn-auth-oauth2[165390]: time=2023-11-20T12:14:01.424Z level=INFO msg="new client connection" cid=2 kid=1 reason=CONNECT common_name="VPN Client v1" username=x
openvpn-auth-oauth2[165390]: time=2023-11-20T12:14:01.424Z level=INFO msg="start pending auth" cid=2 kid=1 reason=CONNECT common_name="VPN Client v1" username=x
openvpn-auth-oauth2[165390]: time=2023-11-20T12:14:01.561Z level=INFO msg="initialize authorization via oauth2" common_name="VPN Client v1" cid=0 kid=1 common_name="VPN Client v1" cid=1 kid=1 common_name="VPN Client v1" cid=2 kid=1
openvpn-auth-oauth2[165390]: time=2023-11-20T12:14:02.872Z level=INFO msg="successful authorization via oauth2" idtoken.subject=xxx idtoken.preferred_username=user.name@domain common_name="VPN Client v1" cid=1 kid=1 user.subject=xxx user.preferred_username=user.name@domain idtoken.subject=xxx idtoken.preferred_username=user.name@domain common_name="VPN Client v1" cid=2 kid=1 user.subject=xxx user.preferred_username=user.name@domain
openvpn-auth-oauth2[165390]: time=2023-11-20T12:14:03.678Z level=INFO msg="client established" cid=2 reason=ESTABLISHED common_name="VPN Client v1" username=x

This is my application config:

CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server.sock
CONFIG_OPENVPN_PASSWORD=xxx
#CONFIG_OPENVPN_AUTH__TOKEN__USER=true
CONFIG_OAUTH2_ISSUER=https://login.microsoftonline.com/xxx/v2.0
CONFIG_OAUTH2_CLIENT_ID=xxx
CONFIG_OAUTH2_CLIENT_SECRET=xxx
CONFIG_HTTP_LISTEN=:9000
CONFIG_HTTP_SECRET=xxx
CONFIG_HTTP_BASEURL=https://xxx:8443

Openvpn server config:

proto udp
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 6
mute 10
ca "ca.crt"
cert "server.crt"
key "server.key"
tls-crypt-v2 "server-tc2.key"
dh "dh.pem"
tls-version-min 1.2
data-ciphers AES-256-GCM
cipher AES-256-GCM
auth SHA256
remote-cert-tls client
port 1194
dev tun0
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 2001:db8:0:123::/64
management /run/openvpn/server.sock unix password.txt
management-hold
management-client-auth
auth-user-pass-optional
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1"

Openvpn client config:

dev tun
persist-tun
persist-key
auth SHA256
data-ciphers AES-256-GCM
tls-client
client
resolv-retry infinite
remote xxx 1194 udp4
setenv opt block-outside-dns
nobind
verify-x509-name "xxx" name
remote-cert-tls server
explicit-exit-notify
auth-user-pass
<ca>
</ca>
<cert>
</cert>
<key>
</key>
key-direction 1
<tls-crypt-v2>
</tls-crypt-v2>

@jkroepke (Owner)

jkroepke commented Nov 20, 2023

If you see

openvpn[49636]: MANAGEMENT: CMD 'client-auth 0 1'

then auth-token-user will be set:

_, err := c.SendCommandf("client-auth %d %d\npush \"auth-token-user %s\"\nEND", client.Cid, client.Kid, username)

Otherwise

openvpn[49636]: MANAGEMENT: CMD 'client-auth-nt 0 1'

is called.

Please note that the OpenVPN logs always show the Common Name, not the Username.

The Username is nearly invisible.
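The SendCommandf line quoted above is the whole mechanism, so here is a worked version of it. This is an added example, not openvpn-auth-oauth2's own code: it assumes the management-interface client and key IDs (cid, kid) from the >CLIENT notification, a username taken from the preferred_username claim, and an enable flag standing in for --openvpn.auth-token-user. The pushed value is base64-encoded because OpenVPN's --auth-token-user option takes a base64 username; the quoted line only shows a username variable being interpolated, and how the project prepares that variable is not shown in the issue. The example also shows why the pushed name never appears in the server log: OpenVPN logs only the first line of a management command.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// ClientAuthCommand builds the management-interface reply for a client that
// passed OAuth2. Illustration of the protocol, not the project's code.
//
// tokenUser=false (or an empty username from the IdP) yields a bare
// client-auth-nt: the client is accepted and nothing is pushed. Otherwise
// client-auth opens a block of per-client push options closed by END. The
// auth-token-user argument is base64, as the OpenVPN option expects; the
// base64 alphabet also keeps quotes or newlines in a raw IdP-supplied name
// from breaking the command framing.
func ClientAuthCommand(cid, kid int, username string, tokenUser bool) string {
	if !tokenUser || username == "" {
		return fmt.Sprintf("client-auth-nt %d %d\n", cid, kid)
	}
	encoded := base64.StdEncoding.EncodeToString([]byte(username))
	return fmt.Sprintf("client-auth %d %d\npush \"auth-token-user %s\"\nEND\n", cid, kid, encoded)
}

// LoggedCommand reproduces what the OpenVPN server log shows for a command:
// only the first line. client-auth and client-auth-nt are therefore
// distinguishable in the log, the push lines behind them are not.
func LoggedCommand(cmd string) string {
	first := cmd
	if i := strings.Index(cmd, "\n"); i >= 0 {
		first = cmd[:i]
	}
	return fmt.Sprintf("MANAGEMENT: CMD '%s'", first)
}

// DecodeAuthTokenUser does what the client side does with the pushed option:
// find auth-token-user in the block and base64-decode its argument. ok is
// false when nothing was pushed or the argument is not valid base64.
func DecodeAuthTokenUser(cmd string) (username string, ok bool) {
	for _, line := range strings.Split(cmd, "\n") {
		line = strings.TrimSuffix(strings.TrimPrefix(line, `push "`), `"`)
		if !strings.HasPrefix(line, "auth-token-user ") {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(line, "auth-token-user "))
		if err != nil {
			return "", false
		}
		return string(raw), true
	}
	return "", false
}

func main() {
	cmd := ClientAuthCommand(4, 1, "user.name@domain", true)
	fmt.Print(cmd)
	fmt.Println(LoggedCommand(cmd))
	fmt.Println(DecodeAuthTokenUser(cmd))
}
```

Two caveats from the thread apply even when the push is sent: OpenVPN only honours auth-token-user if the client supplied a non-empty username at connect (OpenVPN/openvpn#296), and the pushed name changes what the client sends on reconnect, not the Common Name that the server log and status file display.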

@ncroese (Author)

ncroese commented Nov 20, 2023

Here is the log for the server:

openvpn[165384]: x.x.x.x:54249 peer info: IV_VER=2.5.9
openvpn[165384]: x.x.x.x:54249 peer info: IV_PLAT=mac
openvpn[165384]: x.x.x.x:54249 peer info: IV_PROTO=22
openvpn[165384]: x.x.x.x:54249 peer info: IV_CIPHERS=AES-256-GCM
openvpn[165384]: x.x.x.x:54249 peer info: IV_LZ4=1
openvpn[165384]: x.x.x.x:54249 peer info: IV_LZ4v2=1
openvpn[165384]: x.x.x.x:54249 peer info: IV_LZO=1
openvpn[165384]: x.x.x.x:54249 peer info: IV_COMP_STUB=1
openvpn[165384]: x.x.x.x:54249 peer info: IV_COMP_STUBv2=1
openvpn[165384]: x.x.x.x:54249 peer info: IV_TCPNL=1
openvpn[165384]: x.x.x.x:54249 peer info: IV_GUI_VER=Viscosity_1.10.8_1658
openvpn[165384]: x.x.x.x:54249 peer info: IV_SSO=webauth,openurl,crtext
openvpn[165384]: x.x.x.x:54249 TLS: Username/Password authentication deferred for username 'x'
openvpn[165384]: x.x.x.x:54249 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
openvpn[165384]: x.x.x.x:54249 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
openvpn[165384]: MANAGEMENT: CMD 'client-pending-auth 4 1 "WEB_AUTH::https://xxx/oauth2/start?state=xxx
openvpn[165384]: SENT CONTROL [VPN Client v1]: 'AUTH_PENDING,timeout 180' (status=1)
openvpn[165384]: SENT CONTROL [VPN Client v1]: 'INFO_PRE,WEB_AUTH::https://xxx/oauth2/start?state=xxx
openvpn[165384]: x.x.x.x:54249 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ED25519, signature: RSA-SHA256, peer temporary key: 253 bits X25519
openvpn[165384]: x.x.x.x:54249 [VPN Client v1] Peer Connection Initiated with [AF_INET]x.x.x.x:54249
openvpn[165384]: MANAGEMENT: CMD 'client-auth 4 1'
openvpn[165384]: VPN Client v1/x.x.x.x:54249 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=2001:db8:0:123::1000
openvpn[165384]: VPN Client v1/x.x.x.x:54249 MULTI: Learn: 10.8.0.2 -> VPN Client v1/x.x.x.x:54249
openvpn[165384]: VPN Client v1/x.x.x.x:54249 MULTI: primary virtual IP for VPN Client v1/x.x.x.x:54249: 10.8.0.2
openvpn[165384]: VPN Client v1/x.x.x.x:54249 MULTI: Learn: 2001:db8:0:123::1000 -> VPN Client v1/x.x.x.x:54249
openvpn[165384]: VPN Client v1/x.x.x.x:54249 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[165384]: VPN Client v1/x.x.x.x:54249 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[165384]: VPN Client v1/x.x.x.x:54249 SENT CONTROL [VPN Client v1]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1,tun-ipv6,route-gateway >
openvpn[165384]: VPN Client v1/x.x.x.x:54249 UDPv4 WRITE [442] to [AF_INET]x.x.x.x:54249: P_CONTROL_V1 kid=0 [ 4197 1535058125 1121767494 1732648937 3453201362 1666626655 2387595520 142645412>
openvpn[165384]: TLS Error: could not determine wrapping from [AF_INET]y.y.y.y:5834
openvpn[165384]: TLS Error: could not determine wrapping from [AF_INET]y.y.y.y:5834
openvpn[165384]: Float requested for peer 0 to y.y.y.y:5834
openvpn[165384]: UDPv4 READ [100] from [AF_INET]x.x.x.x:54249: P_DATA_V2 kid=0 DATA len=99
openvpn[165384]: peer 0 (VPN Client v1) floated from x.x.x.x:54249 to [AF_INET]y.y.y.y:5834
openvpn[165384]: VPN Client v1/y.y.y.y:5834 Data Channel: cipher 'AES-256-GCM', peer-id: 0
openvpn[165384]: VPN Client v1/y.y.y.y:5834 Timers: ping 10, ping-restart 240

As you can see, there is a CMD 'client-auth 0 1' there, so that seems good. According to what you say, the push auth-token-user part is sadly not visible in the logs, but there should be some way to see if OpenVPN actually uses the pushed username. I don't see it in the logs and also not in the status file.

I tried configuring username-as-common-name, but then it will simply keep using the username I sent from the client. It is not changed after client-auth pushes the new username:

openvpn[172008]: x.x.x.x:21245 TLS: Username/Password authentication deferred for username 'x' [CN SET]
openvpn[172008]: MANAGEMENT: CMD 'client-pending-auth 0 1 "WEB_AUTH::https://xxx/oauth2/start?state=xxx
openvpn[172008]: SENT CONTROL [x]: 'AUTH_PENDING,timeout 180' (status=1)
openvpn[172008]: SENT CONTROL [x]: 'INFO_PRE,WEB_AUTH::https://xxx/oauth2/start?state=xxx
openvpn[172008]: x.x.x.x:21245 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ED25519, signature: RSA-SHA256, peer temporary key: 253 bits X25519
openvpn[172008]: x.x.x.x:21245 [x] Peer Connection Initiated with [AF_INET]x.x.x.x:21245
openvpn[172008]: MANAGEMENT: CMD 'client-auth 0 1'
openvpn[172008]: x/x.x.x.x:21245 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=2001:db8:0:123::1002
openvpn[172008]: x/x.x.x.x:21245 MULTI: Learn: 10.8.0.4 -> x/x.x.x.x:21245
openvpn[172008]: x/x.x.x.x:21245 MULTI: primary virtual IP for x/x.x.x.x:21245: 10.8.0.4
openvpn[172008]: x/x.x.x.x:21245 MULTI: Learn: 2001:db8:0:123::1002 -> x/x.x.x.x:21245
openvpn[172008]: x/x.x.x.x:21245 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[172008]: x/x.x.x.x:21245 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
openvpn[172008]: x/x.x.x.x:21245 SENT CONTROL [x]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1,tun-ipv6,route-gateway 10.8.0.1,topology subn>
openvpn[172008]: x/x.x.x.x:21245 Data Channel: cipher 'AES-256-GCM', peer-id: 0
openvpn[172008]: x/x.x.x.x:21245 Timers: ping 10, ping-restart 240

@jkroepke (Owner)

but there should be some way to see if openvpn actually uses the pushed username.

It's visible in the client logs, because the client logs the push options.

Maybe it is part of the SENT CONTROL [x] line. There is a > at the end of the line, which indicates more content, but the screen is not large enough. You can navigate with the arrow keys.

username-as-common-name

Not sure if that works, because the Common Name will be locked at session init.

I feel that you want something that I already described here: OpenVPN/openvpn#299
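A way to check from the server log what this thread works out by hand: which auth decision went over the management interface (client-auth, which is followed by a push block, versus client-auth-nt) and whether auth-token-user actually made it into the PUSH_REPLY the server sent. This is an added example, not part of openvpn-auth-oauth2 or OpenVPN; the log lines are constructed from the sanitised ones quoted in this issue, with a trailing > marking where journalctl cut the line off at the terminal width. A truncated reply is reported as inconclusive rather than as proof that the option was not pushed, which is exactly the trap the screen-width cut-off above sets.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample of an OpenVPN server log, modelled on the lines quoted in
// this issue: sanitised IPs, and a trailing '>' where the viewer truncated.
var sampleServerLog = []string{
	`openvpn[165384]: MANAGEMENT: CMD 'client-pending-auth 4 1 "WEB_AUTH::https://xxx/oauth2/start?state=xxx`,
	`openvpn[165384]: MANAGEMENT: CMD 'client-auth 4 1'`,
	`openvpn[165384]: VPN Client v1/x.x.x.x:54249 SENT CONTROL [VPN Client v1]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,redirect-gateway def1,auth-token-user dXNlci5uYW1lQGRvbWFpbg==,ping 10' (status=1)`,
	`openvpn[165384]: MANAGEMENT: CMD 'client-auth-nt 5 1'`,
	`openvpn[165384]: other/x.x.x.x:1 SENT CONTROL [other]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,redirect-gateway def1,tun-ipv6,route-gateway >`,
}

// Verdict is what a PUSH_REPLY line tells us about auth-token-user.
type Verdict int

const (
	NoPushReply      Verdict = iota // not a PUSH_REPLY line at all
	TokenUserPushed                 // auth-token-user present in the reply
	TokenUserMissing                // complete reply, option absent
	Inconclusive                    // reply truncated by the log viewer
)

var (
	// Only the first line of a management command is logged, so this is the
	// whole visible trace of the auth decision.
	mgmtRe = regexp.MustCompile(`MANAGEMENT: CMD '(client-auth(?:-nt)?|client-deny) (\d+) (\d+)`)
	pushRe = regexp.MustCompile(`SENT CONTROL \[([^\]]*)\]: 'PUSH_REPLY,(.*)$`)
)

// ParseManagementCmd extracts the auth decision and its client/key IDs.
// client-pending-auth and other commands do not match and return ok=false.
func ParseManagementCmd(line string) (cmd string, cid, kid int, ok bool) {
	m := mgmtRe.FindStringSubmatch(line)
	if m == nil {
		return "", 0, 0, false
	}
	cid, _ = strconv.Atoi(m[2])
	kid, _ = strconv.Atoi(m[3])
	return m[1], cid, kid, true
}

// CheckPushReply scans the option list the server sent to the client. A
// complete reply ends in "' (status=N)"; without that marker the line was
// cut off, and a missing auth-token-user then proves nothing.
func CheckPushReply(line string) (cn string, v Verdict) {
	m := pushRe.FindStringSubmatch(line)
	if m == nil {
		return "", NoPushReply
	}
	cn, body := m[1], m[2]
	for _, opt := range strings.Split(body, ",") {
		if strings.HasPrefix(strings.TrimSpace(opt), "auth-token-user ") {
			return cn, TokenUserPushed
		}
	}
	if !strings.Contains(body, "' (status=") {
		return cn, Inconclusive
	}
	return cn, TokenUserMissing
}

// Audit runs both checks over a log. authCmds is keyed by "<cid> <kid>" and
// holds the decision seen for that client; verdicts is keyed by Common Name,
// which is all the PUSH_REPLY line identifies the client by.
func Audit(lines []string) (authCmds map[string]string, verdicts map[string]Verdict) {
	authCmds = map[string]string{}
	verdicts = map[string]Verdict{}
	for _, line := range lines {
		if cmd, cid, kid, ok := ParseManagementCmd(line); ok {
			authCmds[fmt.Sprintf("%d %d", cid, kid)] = cmd
		}
		if cn, v := CheckPushReply(line); v != NoPushReply {
			verdicts[cn] = v
		}
	}
	return authCmds, verdicts
}

func main() {
	authCmds, verdicts := Audit(sampleServerLog)
	fmt.Println(authCmds, verdicts)
}
```

Run it against a real log with journalctl -o cat --no-pager (or any output that does not truncate lines) so that PUSH_REPLY lines are complete; with the default pager view most replies will come back as Inconclusive, which is the page-width problem discussed above, not a missing push.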

@ncroese (Author)

ncroese commented Nov 20, 2023

Maybe it is part of the SENT CONTROL [x] line. There is a > at the end of the line, which indicates more content, but the screen is not large enough. You can navigate with the arrow keys.

Looks like it is there indeed, so the auth client is actually working as expected. I don't see it in my client logs for some reason, but I guess even if it were there it wouldn't solve my problem :).

username-as-common-name

Not sure if that works, because the Common Name will be locked at session init.

I feel that you want something that I already described here: OpenVPN/openvpn#299

Yes, that is indeed what I am looking for. Let's hope they make this possible in the future.

Thanks for your help!

@ncroese ncroese closed this as completed Nov 20, 2023
@jkroepke jkroepke closed this as not planned Dec 27, 2023