feat: Add OpenVPN authentication support (v1.1.0)

j0lt-github · j0lt-github · commit 1216e417b609 · 2025-12-12T13:32:01.000+05:30
Features:
- Username/Password authentication UI
- TOTP/2FA token support (concatenated with password)
- Auto-detection of auth-user-pass in OpenVPN configs
- Secure auth file creation with restrictive permissions
- Auth file auto-mounted to /etc/openvpn/auth.txt
- Config auto-modification to use auth file
- Auth panel auto-shows/hides based on VPN type

Security:
- Credentials stored in memory only (not persisted)
- Auth files have 600 permissions
- Password cleared from char array after use
- Auth files deleted on cleanup

Improvements:
- Disconnect confirmation dialog
- Better UI responsiveness
- Professional README
- Maker credit (j0lt)
- Enhanced error handling
diff --git a/.gitignore b/.gitignore
@@ -32,3 +32,4 @@ wireup-config-*.conf
 wireup-config-*.conf.lock
 client.conf
 wg0.conf
+RELEASE_NOTES.md
diff --git a/src/main/java/com/wireup/docker/DockerManager.java b/src/main/java/com/wireup/docker/DockerManager.java
@@ -133,18 +133,15 @@ public String createAndStartContainer(com.wireup.vpn.VpnConfig config) throws Ex
         String configContent = config.getRawConfig();
         String configFileName;
         String containerConfigPath;
-        String containerConfigDir;
         String vpnTypeEnv;
 
         if (config.getType() == com.wireup.vpn.VpnConfig.VpnType.OPENVPN) {
             configFileName = "client.conf";
             containerConfigPath = "/etc/openvpn/client.conf";
-            containerConfigDir = "/etc/openvpn";
             vpnTypeEnv = "openvpn";
         } else {
             configFileName = "wg0.conf";
             containerConfigPath = "/etc/wireguard/wg0.conf";
-            containerConfigDir = "/etc/wireguard";
             vpnTypeEnv = "wireguard";
         }
 
@@ -164,6 +161,34 @@ public String createAndStartContainer(com.wireup.vpn.VpnConfig config) throws Ex
 
         logger.debug(vpnTypeEnv + " config written to temp directory (path redacted for security)");
 
+        // Handle OpenVPN authentication if credentials are provided
+        Bind authBind = null;
+        if (config.getType() == com.wireup.vpn.VpnConfig.VpnType.OPENVPN) {
+            com.wireup.vpn.OpenVpnConfig ovpnConfig = (com.wireup.vpn.OpenVpnConfig) config;
+            if (ovpnConfig.hasCredentials()) {
+                // Create auth file
+                File authFile = new File(tempConfigDir.toFile(), "auth.txt");
+                try (FileWriter authWriter = new FileWriter(authFile)) {
+                    authWriter.write(ovpnConfig.getUsername() + "\n");
+                    authWriter.write(ovpnConfig.getPassword() + "\n");
+                }
+
+                // Set restrictive permissions on auth file
+                try {
+                    SecurityUtils.setRestrictivePermissions(authFile.toPath());
+                    logger.securityInfo("OpenVPN auth file created with restrictive permissions");
+                } catch (Exception e) {
+                    logger.warn("Could not set restrictive permissions on auth file: " + e.getMessage());
+                }
+
+                // Create volume binding for auth file
+                Volume authVolume = new Volume("/etc/openvpn/auth.txt");
+                authBind = new Bind(authFile.getAbsolutePath(), authVolume);
+
+                logger.info("OpenVPN authentication file mounted");
+            }
+        }
+
         // Create volume binding for config
         Volume configVolume = new Volume(containerConfigPath);
         Bind configBind = new Bind(configFile.getAbsolutePath(), configVolume);
@@ -178,13 +203,11 @@ public String createAndStartContainer(com.wireup.vpn.VpnConfig config) throws Ex
         // Create host config with all settings
         HostConfig hostConfig = HostConfig.newHostConfig()
                 .withPrivileged(true)
-                .withPortBindings(portBindings)
                 .withCapAdd(Capability.NET_ADMIN, Capability.SYS_MODULE)
-                .withNetworkMode("bridge")
-                .withBinds(new Bind(configFile.getParentFile().getAbsolutePath(), new Volume(containerConfigDir)))
-                .withMemory(512L * 1024 * 1024)
-                .withMemorySwap(512L * 1024 * 1024)
-                .withCpuQuota(50000L)
+                .withBinds(authBind != null ? new Bind[] { configBind, authBind } : new Bind[] { configBind })
+                .withPortBindings(portBindings)
+                .withMemory(512L * 1024 * 1024) // 512MB RAM limit
+                .withCpuQuota(50000L) // 0.5 CPU limit
                 .withPidsLimit(100L)
                 .withPidsLimit(100L)
                 // .withDns("8.8.8.8") // COMMENTED OUT: Caused resolution issues with
diff --git a/src/main/java/com/wireup/ui/ConfigPanel.java b/src/main/java/com/wireup/ui/ConfigPanel.java
@@ -28,6 +28,13 @@ public class ConfigPanel {
     private JRadioButton openVpnButton;
     private ButtonGroup protocolGroup;
 
+    // OpenVPN authentication fields
+    private JPanel authPanel;
+    private JTextField usernameField;
+    private JPasswordField passwordField;
+    private JTextField totpField;
+    private JLabel authStatusLabel;
+
     public ConfigPanel(ConnectionManager connectionManager, Logger logger) {
         this.logger = logger;
 
@@ -57,8 +64,14 @@ private void initializeUI() {
         protocolPanel.add(wireGuardButton);
         protocolPanel.add(openVpnButton);
 
-        // Add listener to re-validate on switch
-        java.awt.event.ActionListener protocolListener = e -> validateConfig();
+        // Add listener to re-validate on switch and toggle auth panel
+        java.awt.event.ActionListener protocolListener = e -> {
+            validateConfig();
+            // Show auth panel only for OpenVPN
+            if (authPanel != null) {
+                authPanel.setVisible(openVpnButton.isSelected());
+            }
+        };
         wireGuardButton.addActionListener(protocolListener);
         openVpnButton.addActionListener(protocolListener);
 
@@ -82,10 +95,15 @@ private void initializeUI() {
         JScrollPane scrollPane = new JScrollPane(configTextArea);
         scrollPane.setVerticalScrollBarPolicy(JScrollPane.VERTICAL_SCROLLBAR_ALWAYS);
 
+        // Authentication Panel (for OpenVPN)
+        authPanel = createAuthPanel();
+        authPanel.setVisible(false); // Hidden by default
+
         // Main content wrapper
         JPanel centerPanel = new JPanel(new BorderLayout(5, 5));
         centerPanel.add(protocolPanel, BorderLayout.NORTH);
         centerPanel.add(scrollPane, BorderLayout.CENTER);
+        centerPanel.add(authPanel, BorderLayout.SOUTH);
 
         panel.add(centerPanel, BorderLayout.CENTER);
 
@@ -197,6 +215,110 @@ public com.wireup.vpn.VpnConfig.VpnType getVpnType() {
                 : com.wireup.vpn.VpnConfig.VpnType.OPENVPN;
     }
 
+    private JPanel createAuthPanel() {
+        JPanel panel = new JPanel(new GridBagLayout());
+        panel.setBorder(BorderFactory.createTitledBorder(
+                BorderFactory.createEtchedBorder(),
+                "OpenVPN Authentication (Optional)",
+                TitledBorder.LEFT,
+                TitledBorder.TOP,
+                new Font("Arial", Font.BOLD, 11)));
+
+        GridBagConstraints gbc = new GridBagConstraints();
+        gbc.insets = new Insets(5, 5, 5, 5);
+        gbc.anchor = GridBagConstraints.WEST;
+        gbc.fill = GridBagConstraints.HORIZONTAL;
+
+        Font labelFont = new Font("Arial", Font.PLAIN, 11);
+
+        // Username
+        gbc.gridx = 0;
+        gbc.gridy = 0;
+        gbc.weightx = 0;
+        JLabel userLabel = new JLabel("Username:");
+        userLabel.setFont(labelFont);
+        panel.add(userLabel, gbc);
+
+        gbc.gridx = 1;
+        gbc.weightx = 1.0;
+        usernameField = new JTextField(20);
+        usernameField.setFont(labelFont);
+        panel.add(usernameField, gbc);
+
+        // Password
+        gbc.gridx = 0;
+        gbc.gridy = 1;
+        gbc.weightx = 0;
+        JLabel passLabel = new JLabel("Password:");
+        passLabel.setFont(labelFont);
+        panel.add(passLabel, gbc);
+
+        gbc.gridx = 1;
+        gbc.weightx = 1.0;
+        passwordField = new JPasswordField(20);
+        passwordField.setFont(labelFont);
+        panel.add(passwordField, gbc);
+
+        // TOTP/2FA Token
+        gbc.gridx = 0;
+        gbc.gridy = 2;
+        gbc.weightx = 0;
+        JLabel totpLabel = new JLabel("2FA/TOTP Token:");
+        totpLabel.setFont(labelFont);
+        totpLabel.setToolTipText("Leave empty if not using 2FA");
+        panel.add(totpLabel, gbc);
+
+        gbc.gridx = 1;
+        gbc.weightx = 1.0;
+        totpField = new JTextField(10);
+        totpField.setFont(labelFont);
+        totpField.setToolTipText("Enter 6-digit code if required");
+        panel.add(totpField, gbc);
+
+        // Status label
+        gbc.gridx = 0;
+        gbc.gridy = 3;
+        gbc.gridwidth = 2;
+        authStatusLabel = new JLabel("Leave blank if your VPN doesn't require authentication");
+        authStatusLabel.setFont(new Font("Arial", Font.ITALIC, 10));
+        authStatusLabel.setForeground(Color.GRAY);
+        panel.add(authStatusLabel, gbc);
+
+        return panel;
+    }
+
+    public String getUsername() {
+        return usernameField != null ? usernameField.getText().trim() : "";
+    }
+
+    public String getPassword() {
+        if (passwordField == null)
+            return "";
+
+        char[] pass = passwordField.getPassword();
+        String password = new String(pass);
+
+        // Append TOTP token if provided (some VPNs require password+token)
+        String totp = getTotpToken();
+        if (!totp.isEmpty()) {
+            password = password + totp;
+        }
+
+        // Clear the char array for security
+        java.util.Arrays.fill(pass, '0');
+
+        return password;
+    }
+
+    public String getTotpToken() {
+        return totpField != null ? totpField.getText().trim() : "";
+    }
+
+    public boolean hasCredentials() {
+        return getUsername() != null && !getUsername().isEmpty() &&
+                getPassword() != null && !getPassword().isEmpty();
+    }
+
     public JPanel getPanel() {
         return panel;
     }
diff --git a/src/main/java/com/wireup/ui/ControlPanel.java b/src/main/java/com/wireup/ui/ControlPanel.java
@@ -108,6 +108,19 @@ private void onConnect() {
             config = new WireGuardConfig(configText);
         } else {
             config = new com.wireup.vpn.OpenVpnConfig(configText);
+
+            // Set credentials if provided for OpenVPN
+            com.wireup.vpn.OpenVpnConfig ovpnConfig = (com.wireup.vpn.OpenVpnConfig) config;
+            String username = configPanel.getUsername();
+            String password = configPanel.getPassword();
+
+            if (username != null && !username.isEmpty() &&
+                    password != null && !password.isEmpty()) {
+                ovpnConfig.setCredentials(username, password);
+                logger.info("OpenVPN credentials provided for authentication");
+            } else if (ovpnConfig.requiresAuth() && !ovpnConfig.hasCredentials()) {
+                logger.warn("OpenVPN config requires authentication but no credentials provided");
+            }
         }
 
         if (!config.isValid()) {
diff --git a/src/main/java/com/wireup/vpn/OpenVpnConfig.java b/src/main/java/com/wireup/vpn/OpenVpnConfig.java
@@ -12,12 +12,39 @@ public class OpenVpnConfig implements VpnConfig {
     private boolean isValid;
     private String errorMessage;
     private String remoteEndpoint;
+    private boolean requiresAuth;
+
+    // Authentication credentials (optional)
+    private String username;
+    private String password;
 
     public OpenVpnConfig(String rawConfig) {
         this.rawConfig = rawConfig;
         parseAndValidate();
     }
 
+    public void setCredentials(String username, String password) {
+        this.username = username;
+        this.password = password;
+    }
+
+    public boolean requiresAuth() {
+        return requiresAuth;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public String getPassword() {
+        return password;
+    }
+
+    public boolean hasCredentials() {
+        return username != null && !username.isEmpty() &&
+                password != null && !password.isEmpty();
+    }
+
     private void parseAndValidate() {
         if (rawConfig == null || rawConfig.trim().isEmpty()) {
             isValid = false;
@@ -59,22 +86,19 @@ private void parseAndValidate() {
         // Check for credentials
         // We support:
         // 1. Inline certificates (<ca>, <cert>, <key>)
-        // 2. Inline static key (<secret>)
-        // 3. auth-user-pass (requires separate credentials file, which we don't support
-        // well yet without UI)
-
-        boolean hasInlineCert = rawConfig.contains("<cert>");
-        boolean hasAuthUserPass = rawConfig.contains("auth-user-pass");
-
-        if (hasAuthUserPass && !hasInlineCert) {
-            // For now, warn if auth-user-pass is used without inline certs, as we might
-            // need credentials
-            // But many configs use both. We'll mark valid but user might fail auth if
-            // prompt needed.
-            // Ideally we'd validte if auth-user-pass points to a file, which wouldn't exist
-            // in container.
-            // So we should check if it's just "auth-user-pass" (interactive) or
-            // "auth-user-pass file"
+        // 2. auth-user-pass (requires username/password from UI)
+
+        boolean hasEmbeddedCert = rawConfig.contains("<ca>") || rawConfig.contains("<cert>") ||
+                rawConfig.contains("<key>");
+        boolean hasAuthDirective = rawConfig.contains("auth-user-pass");
+
+        // Set requiresAuth flag
+        this.requiresAuth = hasAuthDirective;
+
+        if (!hasEmbeddedCert && !hasAuthDirective) {
+            isValid = false;
+            errorMessage = "Missing authentication: need either embedded certificates or 'auth-user-pass' directive";
+            return;
         }
 
         isValid = true;
diff --git a/src/main/resources/dockerfile/Dockerfile b/src/main/resources/dockerfile/Dockerfile
@@ -45,9 +45,14 @@ RUN echo '#!/bin/sh' > /start.sh && \
     echo '    # Create TUN device' >> /start.sh && \
     echo '    mkdir -p /dev/net' >> /start.sh && \
     echo '    mknod /dev/net/tun c 10 200 || true' >> /start.sh && \
-    echo '    # Start OpenVPN in background to capture logs to stdout' >> /start.sh && \
+    echo '    # Check if auth file exists and modify config' >> /start.sh && \
+    echo '    if [ -f /etc/openvpn/auth.txt ]; then' >> /start.sh && \
+    echo '        echo "Using authentication file"' >> /start.sh && \
+    echo '        sed -i "s/auth-user-pass$/auth-user-pass \/etc\/openvpn\/auth.txt/" /etc/openvpn/client.conf 2>/dev/null || true' >> /start.sh && \
+    echo '    fi' >> /start.sh && \
+    echo '    # Start OpenVPN in foreground, exit if it fails' >> /start.sh && \
     echo '    # Use mssfix to prevent fragmentation issues' >> /start.sh && \
-    echo '    openvpn --config /etc/openvpn/client.conf --mssfix 1000 &' >> /start.sh && \
+    echo '    openvpn --config /etc/openvpn/client.conf --mssfix 1000 || { echo "OpenVPN failed to start"; exit 1; }' >> /start.sh && \
     echo '    VPN_IFACE="tun0"' >> /start.sh && \
     echo 'else' >> /start.sh && \
     echo '    echo "Starting WireGuard..."' >> /start.sh && \
