OpenVPN Username
This document covers various aspects of username handling in openvpn-auth-oauth2, including how to pass usernames from OAuth2 providers to OpenVPN, client-side authentication requirements, and configuration options.
To use the username features described here, the OpenVPN client must have `auth-user-pass` configured; the authentication flow does not work without it.

Important: openvpn-auth-oauth2 itself does not need credentials from the client, but the OpenVPN client expects `auth-user-pass` and will not complete the authentication flow without it.
You have two options:

- Interactive Mode: use `auth-user-pass` without credentials, so the client prompts the user for input:

  ```
  auth-user-pass
  ```

- Inline Mode: define dummy credentials inline to prevent prompting (recommended for SSO-only authentication):

  ```
  <auth-user-pass>
  username
  password
  </auth-user-pass>
  ```

Note: The username/password can be any dummy value, as they won't be validated by openvpn-auth-oauth2 or by OpenVPN itself during the OAuth2 flow.
Upstream Issue: OpenVPN/openvpn #501 (Please react with 👍 if you're affected.)
If the client fails to authenticate for this reason, ensure that `auth-user-pass` is configured in your client configuration as described above.
When using `username-as-common-name` on the OpenVPN server, you must also set `openvpn.common-name.environment-variable-name` to `username`:

```
--openvpn.common-name.environment-variable-name=username
```

Or via environment variable:

```
CONFIG_OPENVPN_COMMON__NAME_ENVIRONMENT__VARIABLE__NAME=username
```

This is required because `username-as-common-name` only takes effect after authentication: while openvpn-auth-oauth2 is evaluating the connection, the `common_name` environment variable still holds the certificate's common name, and only `username` holds the value that will become the common name. Pointing openvpn-auth-oauth2 at `username` makes it work with the identity OpenVPN will use afterwards.

Important Note: During authentication, the common name is therefore not expected to equal the username. This can be confusing, because after authentication the OpenVPN logs show the common name with the updated value.

Upstream Issue: OpenVPN/openvpn #498
By default, openvpn-auth-oauth2 does not pass the username from the OAuth2 provider to OpenVPN. This limitation comes from OpenVPN's authentication interface, which, before the `override-username` directive in OpenVPN 2.7, provides no native mechanism to set the username after authentication.
Limitation: The IP persistence file or statistics in OpenVPN may contain empty usernames when using the default configuration.
Upstream Issue: For native OpenVPN support, please up-vote the feature request on GitHub: OpenVPN/openvpn #299
Requires OpenVPN Server 2.7+.

The `openvpn.override-username` option passes the username taken from the OAuth2 token claims to OpenVPN with the `override-username` directive, so real usernames appear in OpenVPN statistics and logs.

Enable it with:

```
--openvpn.override-username
```

Or via environment variable:

```
CONFIG_OPENVPN_OVERRIDE__USERNAME=true
```

The username is extracted from the OAuth2 ID token using one of these options (in order of precedence):

- `oauth2.openvpn-username-claim`: extract the username from a specific token claim (default: `preferred_username`)
- `oauth2.openvpn-username-cel`: use a CEL expression to extract or transform the username from the token claims

Whichever you choose, pick a value your provider guarantees to be unique and stable for the account: the OpenID Connect Core specification does not require `preferred_username` to be unique, and the value you select becomes the identity OpenVPN records and uses for the client.

Example configurations:

```shell
# Use a specific claim
--oauth2.openvpn-username-claim=email

# Use a CEL expression for more complex transformations
--oauth2.openvpn-username-cel='oauth2TokenClaims.email.split("@")[0]'
```

For more details on CEL expressions, see the Client token values documentation.
When `openvpn.override-username` is enabled, OpenVPN's native `client-config-dir` lookup will not pick up the overridden username, because the username is only set after the client config has already been read.

Workaround: use openvpn-auth-oauth2's built-in Client specific configuration feature instead, which:

- works with `openvpn.override-username`
- uses token claims to look up configuration files
- provides additional features such as a profile selection UI

For more details, see the OpenVPN man page on the limitations of `override-username`.
If you are running OpenVPN Server < 2.7 or cannot use `override-username`, the `openvpn.auth-token-user` option provides limited username support:

```
--openvpn.auth-token-user
```

This option uses the `auth-token-user` push directive to send a base64-encoded username, but only when the username sent by the client is empty. Keep this in mind when using inline dummy credentials: the username they send is not empty. It is more limited than `override-username`.
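The three mechanisms above (which environment variable openvpn-auth-oauth2 reads as the client identity, `override-username` on 2.7+, and the `auth-token-user` fallback) all play out on OpenVPN's management interface. The following Python model is an added illustration, not code from openvpn-auth-oauth2: it parses a constructed `>CLIENT:CONNECT` block, selects the identity variable the way `openvpn.common-name.environment-variable-name` does, derives a username from constructed token claims (plain Python standing in for the claim and CEL options), and builds the `client-auth` reply. The reply lines it emits, `override-username <name>` and `push "auth-token-user <base64>"`, are assumed from the page's description rather than copied from the project, and the username allow-list is an added safety check, not a project rule.

```python
import base64
import re

# Constructed sample of the management-interface notification OpenVPN emits when a
# client reaches the authentication step. The values are made up for this example;
# note that the certificate CN and the (empty) client username arrive separately.
SAMPLE_CONNECT = """\
>CLIENT:CONNECT,7,1
>CLIENT:ENV,common_name=client-cert-cn
>CLIENT:ENV,username=
>CLIENT:ENV,untrusted_ip=192.0.2.10
>CLIENT:ENV,END
"""

# Constructed sample ID-token claims as an OAuth2 provider might return them.
SAMPLE_CLAIMS = {
    "sub": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
    "preferred_username": "alice",
    "email": "alice@example.com",
}

# Conservative allow-list for what may be written into a management reply line.
# Assumed here as a safe default; it is not a rule taken from openvpn-auth-oauth2.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._@+-]{1,64}$")


def parse_client_connect(text):
    """Parse a '>CLIENT:CONNECT,<cid>,<kid>' block and its '>CLIENT:ENV,...' lines.

    Returns (cid, kid, env). Raises ValueError if the block is malformed or the
    terminating '>CLIENT:ENV,END' line is missing.
    """
    lines = text.strip().splitlines()
    head = lines[0]
    if not head.startswith(">CLIENT:CONNECT,"):
        raise ValueError("not a CLIENT:CONNECT block")
    cid, kid = (int(x) for x in head[len(">CLIENT:CONNECT,"):].split(","))
    env = {}
    for line in lines[1:]:
        if not line.startswith(">CLIENT:ENV,"):
            raise ValueError(f"unexpected line: {line!r}")
        body = line[len(">CLIENT:ENV,"):]
        if body == "END":
            return cid, kid, env
        key, _, value = body.partition("=")
        env[key] = value
    raise ValueError("missing >CLIENT:ENV,END")


def identity_from_env(env, environment_variable_name="common_name"):
    """Model of openvpn.common-name.environment-variable-name.

    Selects which environment variable the auth backend treats as the client's
    identity. With username-as-common-name on the server this should be
    "username", because common_name still holds the certificate CN during auth.
    """
    return env.get(environment_variable_name, "")


def username_from_claims(claims, claim="preferred_username", strip_email_domain=False):
    """Plain-Python stand-in for oauth2.openvpn-username-claim and for the CEL
    example oauth2TokenClaims.email.split("@")[0]; this is not a CEL evaluator."""
    value = claims.get(claim)
    if value is None:
        raise KeyError(f"claim {claim!r} missing from token")
    return value.split("@")[0] if strip_email_domain else value


def build_client_auth(cid, kid, username, env, *, override_username, auth_token_user):
    """Compose the 'client-auth' reply sent back on the management interface.

    Assumed directive syntax (see lead-in): 'override-username <name>' as a
    client-config line on OpenVPN 2.7+, or 'push "auth-token-user <base64>"' as
    the pre-2.7 fallback, which, as the page describes, is only emitted when the
    client's own username is empty. The username is validated first so that a
    crafted claim value cannot smuggle extra lines into the reply.
    """
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError(f"refusing unsafe username {username!r}")
    lines = [f"client-auth {cid} {kid}"]
    if override_username:
        lines.append(f"override-username {username}")
    elif auth_token_user and env.get("username", "") == "":
        encoded = base64.b64encode(username.encode()).decode()
        lines.append(f'push "auth-token-user {encoded}"')
    lines.append("END")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cid, kid, env = parse_client_connect(SAMPLE_CONNECT)
    print("identity (default):", identity_from_env(env))
    print("identity (username-as-common-name):", repr(identity_from_env(env, "username")))
    name = username_from_claims(SAMPLE_CLAIMS, "email", strip_email_domain=True)
    print(build_client_auth(cid, kid, name, env, override_username=True, auth_token_user=False))
    print(build_client_auth(cid, kid, name, env, override_username=False, auth_token_user=True))
```

Running the module prints the two identity readings (certificate CN versus the empty client username) and the two reply variants; the third case a practitioner should try is a client that sends a non-empty dummy username, for which the `auth-token-user` path emits nothing, while a claim value containing a newline is rejected before it can reach the management channel.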
This wiki is synced with the docs folder from the code repository! To improve the wiki, create a pull request against the code repository with the suggested changes.