OpenVPN Google SSO
There are two main components to adding SSO to OpenVPN CE. The Authentication service, and a reverse proxy.
Authentication Service
We are going to use the openvpn-auth-oauth2 by jkroepke.
You can follow the installation instructions on the Github Wiki.
Next create your Google OAUTH credentials by following the following Wiki Guide
After the service is installed, and we have our Google OAuth credentials. We want to declare the config within: /etc/sysconfig/openvpn-auth-oauth2
sh
# WebServer Config
CONFIG_HTTP_TLS=false
CONFIG_HTTP_LISTEN=:9000
CONFIG_HTTP_BASEURL=https://vpn.acme.co.uk
CONFIG_HTTP_SECRET=XXXXXXXXXXXXXXXX # Random generated secret for cookie encryption. Must be 16, 24 or 32 characters
# OAUTH Config
CONFIG_OAUTH2_PROVIDER=google
CONFIG_OAUTH2_ISSUER=https://accounts.google.com
CONFIG_OAUTH2_CLIENT_ID=XXXXXXXX.apps.googleusercontent.com
CONFIG_OAUTH2_CLIENT_SECRET=XXXXXXXX
# OpenVPN Management Config - Declared under the `management` key in your openvpn-server.conf file
CONFIG_OPENVPN_ADDR=unix:///run/openvpn/server.sock
CONFIG_OPENVPN_PASSWORD=XXXXXXXNext add the following to your openvpn-server.conf file
sh
management-client-auth
auth-user-pass-optional
auth-gen-token 28800 external-authReverse Proxy
Next up is setting up a reverse proxy to handle the OAUTH2 callbacks. For this use your preferred web server of choice, and proxy the traffic from the domain to the port declared in the CONFIG_HTTP_LISTEN key from earlier.
| Software | Guide |
|---|---|
| Nginx | https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-reverse-proxy-on-ubuntu-22-04 |
| Caddy | https://caddyserver.com/docs/quick-starts/reverse-proxy |