-
-
Notifications
You must be signed in to change notification settings - Fork 30
HTTPS Listener
Important
Remember to set CONFIG_HTTP_BASEURL correctly. It should start with https:// following your public domain name plus port.
Some SSO Provider like Entra ID requires https:// based redirect URL.
In the default configuration, openvpn-auth-oauth2 listen on http://.
There are two common ways to set up an HTTPS listener
You can use one of your favorite http reverse proxies. Configure HTTPS on reverse proxy and proxy to an HTTP instance of openvpn-auth-oauth2. For beginners, traefik is recommended since it natively supports Let's Encrypt where you can get public SSL certificates for free.
openvpn-auth-oauth2 supports HTTPS out of the box.
If openvpn-auth-oauth2 runs as systemd service, the HTTPS certificates must place in /etc/openvpn-auth-oauth2/ with
the owner root and the group openvpn-auth-oauth2. See Filesystem Permissions for more information.
| env/sysconfig configuration |
CONFIG_HTTP_TLS=true
CONFIG_HTTP_KEY=/etc/openvpn-auth-oauth2/server.key
CONFIG_HTTP_CERT=/etc/openvpn-auth-oauth2/server.crt |
| yaml configuration |
http:
tls: true
key: /etc/openvpn-auth-oauth2/server.key
cert: /etc/openvpn-auth-oauth2/server.crt |
To set up a self-signed certificate, you can use the command below:
export DOMAIN_NAME=vpn.example.com
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout /etc/openvpn-auth-oauth2/server.key \
-out /etc/openvpn-auth-oauth2/server.crt \
-subj "/CN=$DOMAIN_NAME" -addext "subjectAltName=DNS:$DOMAIN_NAME"
chown root:openvpn-auth-oauth2 /etc/openvpn-auth-oauth2/server.key /etc/openvpn-auth-oauth2/server.crt
chmod 640 /etc/openvpn-auth-oauth2/server.key /etc/openvpn-auth-oauth2/server.crtYou can also use Let's Encrypt to get public SSL certificates for free. The certbot is a recommended tool to get SSL certificates. Alternatively, can use acme.sh, which is a pure Unix shell script implementing ACME client protocol.
openvpn-auth-oauth2 requires a SIGHUP signal to reload the TLS certificate.
You need to install certbot and suitable for you DNS plugin. More information on supported by certbot DNS plugins and how to config them you may find here. It's up to you to define what ACME server to use for verification. By default it's set to letsencrypt, you may change it with --server option. Also, take a look at RFS 8555 about ACME Protocol.
You can create certs with command below and than copy them to /etc/openvpn-auth-oauth2/ directory or create a link to files. Do not forget to set right permissions.
The command below utilize certbot to create an free ssl certificate for a domain hosted on cloudflare.
certbot certonly --noninteractive --verbose \
--force-renewal \
--dns-cloudflare \
--dns-cloudflare-credentials /path/to/your/cloudflare.ini \
--agree-tos \
--email your@email.com \
--key-type rsa \
--rsa-key-size 2048 \
--domains this.is.example.domain \
--preferred-challenges dns-01 \
--server "https://acme-v02.api.letsencrypt.org/directory"Running openvpn-auth-oauth2 on port 443 requires special permissions.
Create a new file /etc/systemd/system/openvpn-auth-oauth2.service.d/override.conf with the following content:
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
PrivateUsers=falseThen, run the following commands:
echo "capability net_bind_service," > /etc/apparmor.d/local/usr.bin.openvpn-auth-oauth2
systemctl restart apparmor
systemctl daemon-reload
systemctl restart openvpn-auth-oauth2This wiki is synced with the docs folder from the code repository! To improve the wiki, create a pull request against the code repository with the suggested changes.