
Does SAML work with using SBL/PLAP with OpenVPN GUI? #687

Closed
bgironx15 opened this issue May 7, 2024 · 7 comments

Comments

@bgironx15

bgironx15 commented May 7, 2024

Hello @selvanair @lstipakov ,

I tested OpenVPN GUI with SBL/PLAP using PAM, LOCAL, LDAP, and RADIUS as authentication methods, and it worked fine; however, this didn't work with SAML.

This is what I noticed:

  • When I use a regular SAML Client Profile (.ovpn file), I see that the OpenVPN GUI sends IV_SSO=openurl,webauth,crtext to my VPN Server:

2024-05-07T13:45:36-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:45:36 181.236.101.224:49953 PUSH: Received control message: 'PUSH_REQUEST'"
2024-05-07T13:45:44-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:45:44 181.236.101.224:49953 PUSH: Received control message: 'PUSH_REQUEST'"
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_VER=2.6.10'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_PLAT=win'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_TCPNL=1'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_MTU=1600'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_NCP=2'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_PROTO=990'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_LZO_STUB=1'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_COMP_STUB=1'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_COMP_STUBv2=1'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_HWADDR=c0:3c:59:8d:ba:5d'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_SSL=OpenSSL_3.2.1_30_Jan_2024'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_PLAT_VER=10.0,_amd64_executable'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_GUI_VER=OpenVPN_GUI_11.48.0.0'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_SSO=openurl,webauth,crtext'
2024-05-07T13:45:47-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:45:47 181.236.101.224:51189 TLS: Username/Password authentication deferred for username '[email protected]' "

  • When I use a SAML Client Profile (.ovpn file) with the SBL Directives below:

management 127.0.0.1 12345
management-hold
management-query-passwords

I see that the OpenVPN GUI does not send IV_SSO=openurl,webauth,crtext to my VPN Server:

2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 VERIFY OK: depth=0, CN=test1'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_VER=2.6.10'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_PLAT=win'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_TCPNL=1'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_MTU=1600'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_NCP=2'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_PROTO=990'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_HWADDR=c0:3c:59:8d:ba:5d'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_SSL=OpenSSL_3.2.1_30_Jan_2024'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_PLAT_VER=10.0,_amd64_executable'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:46:09 181.236.101.224:52634 TLS: Username/Password authentication deferred for username '[email protected]' "
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted'
2024-05-07T13:46:09-0500 [stdout#info] VPN Auth Failed: 'websso' ['This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)']
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 MANAGEMENT: CMD 'client-deny 16 1 "AS auth failed" "This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)"''
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 MULTI: connection rejected: AS auth failed, CLI:This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: '2024-05-07 18:46:09 181.236.101.224:52634 Delayed exit in 5 seconds'
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:46:09 181.236.101.224:52634 SENT CONTROL [UNDEF]: 'AUTH_FAILED,This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)' (status=1)"
2024-05-07T13:46:09-0500 [stdout#info] [OVPN 1] OUT: "2024-05-07 18:46:09 181.236.101.224:52634 SENT CONTROL [test1]: 'AUTH_FAILED,This profile requires web based SAML authentication, please upgrade to a web-based login capable client (IV_SSO=webauth)' (status=1)"

Is this a bug?

@schwabe

schwabe commented May 7, 2024

Apart from the fact that I am not sure if webauth/launching a browser works with PLAP/SBL, the UI normally starts OpenVPN with all the management-* options but also with --setenv IV_SSO openurl,webauth,crtext. If you start OpenVPN just with the management commands but not the setenv command, OpenVPN will not send that IV_SSO.

@bgironx15
Author

I added the "setenv" directive to the Client Profile along with the management commands, and it's the same situation (OpenVPN GUI is not sending IV_SSO=openurl,webauth,crtext):

management 127.0.0.1 12345
management-hold
management-query-passwords
setenv IV_SSO openurl,webauth,crtext

@selvanair
Collaborator

> I added the "setenv" directive to the Client Profile along with the management commands and same situation (OpenVPN GUI is not sending IV_SSO=openurl,webauth,crtext)

I think what you are missing is restarting the process after the config has been edited with IV_SSO. To do this, restart the OpenVPNService.

sc stop OpenVPNService
sc start OpenVPNService

Here is why:
PLAP instances are launched by OpenVPNService at boot, not by OpenVPN-GUI. The UI at the PLAP screen or the GUI only allows you to control the already running openvpn.exe to put the tunnel on hold, reconnect, etc. All required options should be in the config file when openvpn.exe is launched by the service. Currently there is no way for the GUI to amend setenv options of an already running process.
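To make concrete the two points above (the server only accepts a SAML profile when the client's peer info advertises IV_SSO=webauth, and an openvpn.exe launched by OpenVPNService without the setenv line advertises no IV_SSO at all), here is an added Python example that is not part of OpenVPN, OpenVPN GUI or this thread. It parses constructed server log lines modelled on the excerpts in the original post and reproduces the allow/deny decision and the client-deny management command the server logged; the cid/kid values 16 and 1 are taken from that logged command.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample lines, modelled on the server log excerpts in this issue:
# the first client advertises IV_SSO, the second (started by OpenVPNService
# from a config without "setenv IV_SSO ...") does not.
SAMPLE_LOG = """\
2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_VER=2.6.10
2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_GUI_VER=OpenVPN_GUI_11.48.0.0
2024-05-07 18:45:47 181.236.101.224:51189 peer info: IV_SSO=openurl,webauth,crtext
2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_VER=2.6.10
2024-05-07 18:46:09 181.236.101.224:52634 peer info: IV_PLAT=win
"""

# "<date> <time> <ip:port> peer info: IV_KEY=value"
PEER_INFO_RE = re.compile(
    r"^\S+ \S+ (?P<peer>\S+) peer info: (?P<key>IV_\w+)=(?P<value>.*)$")

DENY_REASON = ("This profile requires web based SAML authentication, please "
               "upgrade to a web-based login capable client (IV_SSO=webauth)")


def parse_peer_info(log: str) -> Dict[str, Dict[str, str]]:
    """Group the IV_* peer-info values by client endpoint (ip:port)."""
    peers: Dict[str, Dict[str, str]] = {}
    for line in log.splitlines():
        m = PEER_INFO_RE.match(line)
        if m:
            peers.setdefault(m["peer"], {})[m["key"]] = m["value"]
    return peers


def sso_capabilities(peer_info: Dict[str, str]) -> Set[str]:
    """IV_SSO is a comma-separated capability list; absent means no SSO support."""
    return {c for c in peer_info.get("IV_SSO", "").split(",") if c}


def select_auth(peer_info: Dict[str, str], saml_profile: bool = True) -> Tuple[str, str]:
    """Reproduce the decision seen in the logs: a SAML profile needs a client
    that advertises webauth; any other client is denied with the server's reason."""
    if not saml_profile:
        return ("allow", "password")
    if "webauth" in sso_capabilities(peer_info):
        return ("allow", "webauth")
    return ("deny", DENY_REASON)


def client_deny_command(cid: int, kid: int, client_reason: str) -> str:
    """Management-interface command the server logged for the rejected client."""
    return f'client-deny {cid} {kid} "AS auth failed" "{client_reason}"'
```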

@bgironx15
Author

Hey @selvanair thanks. Now, I'm not getting that error but the SAML Authentication gets stuck here because there is no External Web Browser redirection so we can continue the SAML Authentication via IdP Login Page:

[screenshot]

How will that work if we're still before the Windows Login?

@selvanair
Collaborator

selvanair commented May 7, 2024

Launching a browser is not supported from PLAP screen. CR_TEXT should work.

For prestarted connections, OPEN_URL will work only after the user logs in and the GUI attaches to the running process.

Edit: I started responding to this thread without reading the title or the initial question: No, SAML does not currently work from PLAP.

@bgironx15
Author

@selvanair thanks for the clarification

Is there any plan to add SAML working with SBL/PLAP? or not possible at all?

@selvanair
Collaborator

No plans at my end. Opening a web browser should be possible, but doesn't look safe to me as everything runs as SYSTEM on logon screen.

@selvanair selvanair closed this as not planned May 17, 2024