The openvpn log is faulty. Procedure #295

Closed
lsx1205 opened this issue Aug 1, 2024 · 7 comments
Labels
❓ question Further information is requested

Comments

lsx1205 commented Aug 1, 2024

Problem Statement

When openvpn interconnects with the oauth2 plug-in to jump to casdoor, if the client does not use auth-user-pass and skips user name and password authentication, openvpn.log will not collect user login information. I want to log in to the user to do ccd route control. Is there a way to solve this, brother?

openvpn-auth-oauth2 logs

TLS: Username/Password authentication deferred for username '' 
TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
TLS: tls_multi_process: initial untrusted session promoted to semi-trusted

Environment

  • openvpn-auth-oauth2 Version: latest
  • OpenVPN Server Version: latest
  • Server OS: latest
  • OpenVPN Client (flavor, OS): os
@lsx1205 lsx1205 added the ❓ question Further information is requested label Aug 1, 2024
jkroepke (Owner) commented Aug 1, 2024

> want to log in to the user to do ccd route control

At the moment, this feature is not supported in OpenVPN, if external authentication is used.

#202

lsx1205 (Author) commented Aug 2, 2024

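> > want to log in to the user to do ccd route control
>
> At the moment, this feature is not supported in OpenVPN, if external authentication is used.
>
> #202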

Can openvpn-auth-oauth2 override OpenVPN user names? What's the good solution?

jkroepke (Owner) commented Aug 2, 2024

No, OpenVPN does not provide any interface that allows that.

> What's the good solution

For this topic, a solution does not exist yet.

lsx1205 (Author) commented Aug 5, 2024

Brother, according to my current thinking, openvpn collects information about users according to the auth-user-pass option, which I do not use. The authentication method I use as casdoor, oauth2, is after auth-user-pass. auth-user-pass has defined username at this time, and the username of casdoor collected later cannot override it. Can I improve this if I call oauth2 first for authentication? Does it work?

log:
peer info: IV_AUTO_SESS=1
peer info: IV_GUI_VER=OCmacOS_3.4.9-4830
peer info: IV_SSO=webauth,crtext

TLS: Username/Password authentication deferred for username '' [CN SET]
TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
MANAGEMENT: CMD 'client-pending-auth 1 1 "WEB_AUTH::http://xxxxxxxxx:443/oauth2/start?state=T3GCZurZBtGwiSmVUyrY-FAOXTaNXHzSn3hzux9cpWcOJNorVBwlFEY4fBmQA1HuPY5-oOp8WLtQM6IklRNOfiRpRQKrYO2OZY_2oQES" 120'
SENT CONTROL []: 'AUTH_PENDING,timeout 120' (status=1)

jkroepke (Owner) commented Aug 5, 2024

The correct username must be sent by the client and can't be changed.

lsx1205 (Author) commented Aug 5, 2024

> The correct username must be sent by the client and can't be changed.

I don't understand what you mean. If the username and password are used for authentication and the username information is needed, the client must provide the username and password information, right? However, if the auth-user-pass parameter is not used, can openvpn directly use the url authentication mode provided by the oauth2 plug-in instead of delayed authentication?

jkroepke (Owner) commented Aug 5, 2024

> can openvpn directly use the url authentication mode provided by the oauth2 plug-in instead of delayed authentication?

The username must come from the client. This is a design choice of the OpenVPN server and it is not in my control to change that behavior. The OpenVPN server doesn't have any capabilities to set a username on a connection.

But feel free to implement the requested functionality in the OpenVPN server directly. Once available, openvpn-auth-oauth2 is happy to implement the new interface.

See #202

@lsx1205 lsx1205 closed this as completed Aug 14, 2024