14

Or, maybe any oauth?

All I could find is 2-factor authentication with Google. But I'd like to use Google Apps base for OpenVPN auth.

I believe that it is possible to make something like GitLab, where you can put your certificate and then use it without login and password.

Psychozoic

2 Answers

4

While looking for a solution for this I came across Gate. It automates OpenVPN profile creation behind OAuth and supports MFA. It's also got an admin console for user management. Here is a blog post from the developers outlining its use-case and features.

UPDATE 06/2019 - Pritunl is now my go-to solution for this. It supports automatic OpenVPN profile generation behind Google Auth, and provides a cross-platform client that makes setup easy with unique URIs. The user doesn't auth with Google to connect (a PIN can be required) which could be a downside for some, but I find the ease of use great for smaller teams.

cdowns
2

I don't think there's a good way to do this. The problem is that the authentication methods supported by Google, such as OAuth, are really geared around authenticating web applications. The key aspect of this is that you (as an application user) never give your credentials to the third-party site. The site directs you to an auth page at Google, which you sign in to and authorize the third-party site.

With OpenVPN being a non-web-based application, I think it would be almost impossible to do this in a reasonable way. You'd basically have to write a custom OpenVPN authentication module that hits Google's OAuth API, requests an authentication token, then presents the user with a special URL they'd have to go to, where they'd sign in, get an access code, which they'd then have to enter into the OpenVPN authentication so it could go back to your OpenVPN authentication module to return to Google to get a "yay" or "nay" on authenticating you. If it sounds convoluted, that's because it is.

Assuming your mention of Google Apps means you're using the paid version of Google Apps (now called Google Apps for Work), your best bet would probably be to set up Single Sign-On (SSO), where your internal identity management system is the source of truth, and both Google Apps and your OpenVPN system authenticate against it. You can find out more about Google Apps SSO by just googling for it. Be aware, it's not necessarily a simple process, and often requires some effort to implement.

Basically, you need a way to supply your credentials to OpenVPN, and then have it authenticate on your behalf. This only works for cases where your users will trust their credentials to the application (in this case VPN). That works for corporate authentication, but doesn't match Google's vision where there are untrusted applications.

Christopher Cashell
  • Wouldn't Google's application specific passwords work around most of these concerns? https://support.google.com/accounts/answer/185833?hl=en – chicks Dec 07 '14 at 13:51
  • This answer is quite outdated now (6yrs old). Most modern VPN solutions support authentication via SAML2. – Ian Mar 05 '20 at 14:41
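The custom authentication module that the second answer describes, sketched as an added example (not code from either answer or from any project mentioned here): the verification half of an OpenVPN `auth-user-pass-verify ... via-file` script that treats the submitted password as the pasted one-time access code. `FakeIdP`, `ALLOWED_DOMAIN`, `verify` and `demo` are hypothetical names, and the provider's token endpoint is replaced by an in-process stand-in so the block runs offline.

```python
import os, tempfile

ALLOWED_DOMAIN = "example.com"   # assumption: your Google Apps domain

class FakeIdP:
    """Constructed stand-in for the provider's token endpoint (no network)."""
    def __init__(self):
        self._codes = {}                      # one-time code -> verified email
    def issue(self, code, email):             # result of the browser sign-in step
        self._codes[code] = email
    def exchange_code(self, code):
        return self._codes.pop(code, None)    # pop() makes each code single-use

def read_credentials(path):
    """OpenVPN via-file format: username on line 1, password on line 2."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2 or not lines[0] or not lines[1]:
        raise ValueError("malformed credentials file")
    return lines[0], lines[1]

def verify(path, exchange_code, allowed_domain=ALLOWED_DOMAIN):
    """Return True only if the pasted code resolves to the claimed user."""
    try:
        username, code = read_credentials(path)
        email = exchange_code(code)           # the "yay or nay" round trip
    except Exception:
        return False                          # fail closed on any error
    if not email or "@" not in email:
        return False
    domain = email.rpartition("@")[2]
    # Bind the code to the VPN username and to the organisation's domain,
    # so a code issued for some other account is rejected here.
    return domain.lower() == allowed_domain and email.lower() == username.lower()

def demo():
    idp = FakeIdP()
    idp.issue("code-alice", "alice@example.com")      # constructed sample data
    idp.issue("code-mallory", "mallory@gmail.com")
    results = []
    for user, code in [("alice@example.com", "code-alice"),
                       ("alice@example.com", "code-alice"),     # replayed code
                       ("alice@example.com", "code-mallory")]:  # wrong identity
        with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
            fh.write(f"{user}\n{code}\n")
        results.append(verify(fh.name, idp.exchange_code))
        os.unlink(fh.name)
    return results

if __name__ == "__main__":
    print(demo())   # a deployed script would exit 0 (allow) or 1 (deny) instead
```

In a deployment, `exchange_code` would be the call to the identity provider, and the script would turn the boolean from `verify` into its exit status.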