OpenVPN/openvpn3-linux
9
20
Fork
You've already forked openvpn3-linux
9

Directly print the Auth URL for external authentication upon session-start #81

Open
opened 2025年11月04日 17:29:24 +01:00 by LukeLR · 2 comments

At my university, authentication via a second factor is required to connect to the OpenVPN. Therefore, users need to complete external authentication in a web browser. Usually, the authentication URL will be automatically opened in a web browser when starting a new session. However, users cannot easily restart the external authentication when opening the web browser fails or the authentication process fails on first try. The authentication URL needs to be fetched via openvpn3 session-auth in order to open it manually in a web browser (a second time), and (inexperienced) users often don't know that they can fetch the URL and restart the authentication.

If the authentication URL would be directly displayed when executing the session-start URL, users would directly see it and could simply click it to retry the external authentication if it fails for whatever reason. I think, the URL would fit well in the output after awaiting external authentication, like this:

lukas@framework-rose:~$ openvpn3 session-start --config HHU-VPN-Intern
Using pre-loaded configuration profile 'HHU-VPN-Intern'
Session path: /net/openvpn/v3/sessions/fd341e1cseceas4bces8a77s2d9df2ca4fb8
Auth User name: luros101.intern
Auth Password: 
Web based authentication required.
Session running, awaiting external authentication at https://mfa.university.edu/webauth.php?code=<...>
Further manage this session using 'openvpn3 session-manage' and 'openvpn3 session-auth'

What do you think? Could this be a possible improvement to openvpn3?

At my university, authentication via a second factor is required to connect to the OpenVPN. Therefore, users need to complete external authentication in a web browser. Usually, the authentication URL will be automatically opened in a web browser when starting a new session. However, users cannot easily restart the external authentication when opening the web browser fails or the authentication process fails on first try. The authentication URL needs to be fetched via `openvpn3 session-auth` in order to open it manually in a web browser (a second time), and (inexperienced) users often don't know that they can fetch the URL and restart the authentication. If the authentication URL would be directly displayed when executing the `session-start` URL, users would directly see it and could simply click it to retry the external authentication if it fails for whatever reason. I think, the URL would fit well in the output after `awaiting external authentication`, like this: ``` lukas@framework-rose:~$ openvpn3 session-start --config HHU-VPN-Intern Using pre-loaded configuration profile 'HHU-VPN-Intern' Session path: /net/openvpn/v3/sessions/fd341e1cseceas4bces8a77s2d9df2ca4fb8 Auth User name: luros101.intern Auth Password: Web based authentication required. Session running, awaiting external authentication at https://mfa.university.edu/webauth.php?code=<...> Further manage this session using 'openvpn3 session-manage' and 'openvpn3 session-auth' ``` What do you think? Could this be a possible improvement to `openvpn3`?
Owner
Copy link

For inexperienced users, I would actually recommend the OpenVPN 3 Indicator project. That gives a GUI interface where you start/stop sessions - and it should also do the web-auth part as well.

I've also attached a simple mini-project which could be used as well. This runs a little background service watching VPN sessions and will also trigger the web-auth step as a desktop notification. I've intended to include this into an OpenVPN 3 Linux release, but it got less priority as the OpenVPN 3 Indicator project appeared around the same timeframe.

But I'll consider to show the URL regardless. The challenge here is that some authentication URLs are extremely long (close to 200 characters), and that again makes it less user-friendly.

For inexperienced users, I would actually recommend the [OpenVPN 3 Indicator](https://github.com/OpenVPN/openvpn3-indicator/) project. That gives a GUI interface where you start/stop sessions - and it should also do the web-auth part as well. I've also attached a simple mini-project which could be used as well. This runs a little background service watching VPN sessions and will also trigger the web-auth step as a desktop notification. I've intended to include this into an OpenVPN 3 Linux release, but it got less priority as the OpenVPN 3 Indicator project appeared around the same timeframe. But I'll consider to show the URL regardless. The challenge here is that some authentication URLs are extremely long (close to 200 characters), and that again makes it less user-friendly.
Owner
Copy link

The openvpn3-session-watcher will be included in the next release of OpenVPN 3 Linux, included via commit b876a5469a

The `openvpn3-session-watcher` will be included in the next release of OpenVPN 3 Linux, included via commit b876a5469a27f2365d3bc301e4bcbf2bbf11ef7d
Sign in to join this conversation.
No Branch/Tag specified
master
releaseprep/v27.1
dev/core-update-wip
dev/cb89-inactive-fix
releaseprep/v26
dev/gh-issue-14-asio-include-dir
v27.1
v27.1_rc1
v27
v26
v25
v24.1
v24
v23
v22_dev
v21
v20
v19_beta
v19_betaRC1
v18_beta
v18_betaRC3
v18_betaRC2
v18_betaRC
v17_betaUb2204
v17_beta
v16_beta
v15_beta
v14_beta
v13_beta
v12_beta
v11_beta
v10_beta
v9_beta
v8_beta
v7_beta
v6_beta
v5_beta
v4_beta
v3_beta
v2_beta
v1_beta
Labels
Clear labels
Access Server
Issue related to connecting/integration with OpenVPN Access Server
addon-aws
openvpn3-service-aws / net.openvpn.v3.aws, AWS-VPC integration add-on
addon-devposture
openvpn3-service-devposture / net.openvpn.v3.devposture, Device Posture Check (DPC) service
Awaiting external feedback
Feedback from an external party is needed to continue investigation
build
Issue is related to the build system (meson) or general compilation issues
cli-openvpn2
OpenVPN 2 compat wrapper utility
cli-openvpn3
openvpn3 command line
cli-openvpn3-admin
openvpn3-admin command line
cli-openvpn3-as
OpenVPN Access Server profile download utility
Cloud Connexa
Issue related to connecting to the Cloud Connexa service
common
Shared code across modules
Development done
A fix has been applied to git master
distro-support
OS distribution support
duplicate
This is a duplicate issue of another issue ticket.
Enhancement
Proposal for an enhancement
GitHub
Issue transfered from GitHub
Infrastructure
Issue related to the infrastructure for builds, package repositories, etc
Investigating
The issue is being investigated by a project developer
OpenVPN 3 Core
Issue needs to be resolved in the OpenVPN 3 Core Library
openvpn3-systemd
systemd integration (openvpn3-session@.service, helper tools)
python
The openvpn3 Python module
service-backendstart
openvpn3-service-backendstart / net.openvpn.v3.backends, VPN client service starter
service-client
openvpn3-service-client / net.openvpn.v3.backends.be$PID, Backend VPN client service
service-configmgr
openvpn3-service-configmgr / net.openvpn.v3.configuration, Configuration Profile Manager
service-log
openvpn3-service-log / net.openvpn.v3.log, Log collector service
service-netcfg
openvpn3-service-netcfg / net.openvpn.v3.netcfg, Network Configuration Manager
service-sessionmgr
openvpn3-service-sessionmgr / net.openvpn.v3.sessions, VPN sessions manager
Support
Issue is a support question, not a bug
tests programs
Issue is related to code in src/tests
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
OpenVPN/openvpn3-linux#81
Reference in a new issue
OpenVPN/openvpn3-linux
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?