Client configuration through URL problems

Official client software for OpenVPN Access Server and OpenVPN Cloud.

Post by atoy40 » Fri Jan 19, 2024 2:58 pm

Hi,

I'm implementing a web server to configure OpenVPN Connect using a URL, but I've some strange behavior I'd like to understand (and I hope to fix :))

Here is the flow of operations we are using (following https://github.com/OpenVPN/openvpn3/blo ... webauth.md reference document) :

0) Set the URL to https://our.vpn.webserver into OpenVPN Connect URL import.

1) the web server responds with this header to the https://our.vpn.webserver/openvpn-api/profile HEAD request :
Ovpn-WebAuth: ourcompany,external

2) The client asks to open a web browser, and "GET" the same URL with some query string params (deviceId, ...). After user credentials are verified, a "onetime" JWT token is generated and the web page relocates itself to openvpn://import-profile/https://our.vpn.webserver/api/profile/[JWT token]

( the https://ourvpnwebserver/api/profile/[JWT token] url, after verification of the jwt token, returns the client configuration with the Content-Type application/x-openvpn-profile)

3) The web browser asks to open this URI with openvpn connect

4) OpenVPN connect then asks to import the profile from "our.vpn.webserver"

A profile is then added to OpenVPN Connect without any error. But now, if I try to connect to this profile, it asks for the user password and then immediately returns a certificate error (our server uses a certificate signed with an autosigned CA, and the client config contains the CA certificate).

I've downloaded the client config manually (using the https part of the openvpn:// uri) and imported it manually, in this case no problem, the connection works well.

It seems profiles imported through URL are not handled as profiles imported from files. One thing I notice in the config.json file of openvpn connect is the "ProfileType" which is not the same, "AS" for the "URL imported" one and "PC" for the "file imported".

Thanks for help
Anthony.

Here is the config we use (__LOGIN__ is replaced by the user login):

Client config

#OVPN_FRIENDLY_PROFILE_NAME=__LOGIN__@uppa
setenv USERNAME "__LOGIN__"
setenv CLIENT_CERT 0

client
dev tun
remote our.vpn.server 1194 udp
auth-user-pass
remote-cert-tls server
nobind

<ca>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
[...]
-----END OpenVPN Static key V1-----
</tls-auth>
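
Added example, not part of the original post and not OpenVPN's code: one way the "onetime" token from step 2 can be issued, turned into the openvpn://import-profile/ URI, and redeemed exactly once by the profile endpoint. The HS256 signing with an in-process key, the 60 second lifetime, the in-memory set and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # assumption: per-process signing key
TTL = 60                           # assumption: seconds a token stays redeemable
BASE = "https://our.vpn.webserver/api/profile/"   # profile URL from the post
_pending = set()                   # token ids issued and not yet redeemed

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    mac = hmac.new(SECRET, signing_input.encode(), hashlib.sha256)
    return _b64(mac.digest())

def issue_token(login, now=None):
    """Called after the browser login succeeds (step 2)."""
    now = time.time() if now is None else now
    jti = secrets.token_urlsafe(16)
    _pending.add(jti)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": login, "exp": int(now) + TTL, "jti": jti}
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_sign(header + '.' + payload)}"

def import_uri(token):
    """URI the login page redirects to so the browser hands off to the client."""
    return "openvpn://import-profile/" + BASE + token

def redeem_token(token, now=None):
    """Called by the profile endpoint; returns the login or None."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = _sign(header + "." + payload)
        # Constant-time check before any claim is trusted.
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, UnicodeError):
        return None
    if now >= claims["exp"] or claims["jti"] not in _pending:
        return None                      # expired, or already redeemed
    _pending.discard(claims["jti"])      # single use: a replay now fails
    return claims["sub"]
```

When redeem_token returns a login, the endpoint would fill __LOGIN__ in the config above and send it with Content-Type application/x-openvpn-profile, as described in the post.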
