Example of a Community server usecase; SSO (OIDC) + Timed access

Use this forum to share your network setup and what's been working for you.

Moderators: TinCanTech

kronus_v
OpenVpn Newbie
Posts: 1
Joined: Sun Jan 29, 2023 5:11 pm

Post by kronus_v » Sun Jan 29, 2023 5:57 pm

Hello everyone on the forum. This is my first post, and I'm thrilled to be able to share my success story with the community.

My use case is as follows. I have a group of friends whom I host game and virtual tabletop servers for. While I can manage some servers, the load has become, over time, more and more arduous, so I asked my friends how comfortable they were in doing system administration themselves. They were thrilled at the idea of even learning how to run game servers, so I decided it was time for me to set up a VPN solution for them. I already had servers segregated in their own subnets, separated by firewall, so on the security aspect of the network itself I've been good to implement this for a while. For this purpose I noticed my firewall does have an up-to-date implementation of OpenVPN community server using either certs, a user/password combination, or both. The downside of the user/password option for this appliance is that the users must be in the firewall configs, and I decided against that. Since I was going to use certs, I got to wondering how I can get my users to auth using 2FA and still give them a cert.


So I went to the drawing board and I ended up creating a VPN authentication portal that does the following:
1. Authenticate the user using Single Sign-On (OpenID Connect, or OIDC for short). This Single Sign-On method allows the use of any OIDC Identity Provider (Keycloak, Azure AD, Auth0, etc.) and in my case allows for user/pass + a physical or digital authenticator token.

2. Generate a time-bound x509 certificate for the VPN server the user requested using HashiCorp Vault. The user is authenticated to the Vault using their own identity for accountability and security purposes (they can only request a certificate for their own user on the servers they have access to).

3. Create the configuration file with embedded certs and ship it to the user so they can log in and do their stuff. The VPN configuration metadata (hostname, port, protocol, cipher, TLS shared key, etc.) is stored in the Vault too, to simplify rendering the OVPN template file.

I also decided to release the code as an open-source project on GitHub, so if anyone is interested in running the portal and/or helping improve it, they are welcome to.

Cheers,
- Kronus
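As an added illustration of the three steps above (this is not code from the author's GitHub project), the sketch below shows the portal-side glue: the OIDC claims of the authenticated user become the subject of the Vault PKI issue request, the returned certificate is checked against a time-bound policy before it is shipped, and an .ovpn file is rendered with the certificate and the TLS shared key embedded. The `vpn_servers` claim, the Vault response and the server metadata are constructed for the example; `common_name`, `ttl`, `exclude_cn_from_sans` and the `expiration`/`certificate`/`issuing_ca`/`private_key` fields are Vault's real PKI issue request and response fields.

```python
"""Portal glue for OIDC -> Vault PKI -> .ovpn (added example, not the author's code).
The Vault response and server metadata used in tests are constructed stand-ins."""

MAX_TTL_SECONDS = 8 * 3600  # portal policy: never ship a cert valid longer than one session


def vault_issue_request(claims: dict, server: str, ttl: str = "8h") -> dict:
    """Body for POST /v1/pki/issue/<role>. The CN is the authenticated OIDC user,
    so every issued cert is traceable to a person (accountability). The
    'vpn_servers' claim is an assumed custom claim listing servers the user may reach."""
    if server not in claims.get("vpn_servers", []):
        raise PermissionError(f"{claims['preferred_username']} may not request {server}")
    return {"common_name": claims["preferred_username"], "ttl": ttl, "exclude_cn_from_sans": True}


def check_time_bound(issued: dict, now: float) -> bool:
    """Vault's issue response carries 'expiration' (unix epoch). Refuse to ship a cert
    that is already expired or outlives the portal's policy, even if the Vault role
    was misconfigured with a longer TTL."""
    remaining = issued["expiration"] - now
    return 0 < remaining <= MAX_TTL_SECONDS


def render_ovpn(meta: dict, issued: dict) -> str:
    """Client config with <ca>/<cert>/<key>/<tls-auth> inline, built from the Vault-stored
    metadata (host, port, proto, cipher, TLS shared key) and the freshly issued cert."""
    lines = [
        "client", "dev tun",
        f"proto {meta['proto']}",
        f"remote {meta['host']} {meta['port']}",
        f"cipher {meta['cipher']}",
        "remote-cert-tls server",  # client refuses a peer cert not marked for server use
        "key-direction 1",         # client side of the tls-auth static key
        "<ca>", issued["issuing_ca"].strip(), "</ca>",
        "<cert>", issued["certificate"].strip(), "</cert>",
        "<key>", issued["private_key"].strip(), "</key>",
        "<tls-auth>", meta["tls_auth_key"].strip(), "</tls-auth>",
    ]
    return "\n".join(lines) + "\n"
```

The user never sees a long-lived credential: the private key is generated by Vault per request, embedded once, and the config stops working when the certificate expires.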
