[PATCH] Introduce external-auth flag to make client-side authentica…

…tion methods optional
OpenVPN · Mar 17, 2024 · ea545a0 · ea545a0
1 parent 91eb460
commit ea545a0
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 3 deletions.
diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
@@ -87,6 +87,23 @@ configuration.
   The server configuration must specify an ``--auth-user-pass-verify``
   script to verify the username/password provided by the client.
 
+--external-auth
+  This client-only option indicates that user authentication options in the
+  client configuration are not mandatory. For security reasons, OpenVPN
+  requires client-side credentials such as client certificates or a
+  username/password combination. The OpenVPN server has the capability to
+  delegate authentication to external systems using the WEBAUTH protocol.
+  In such cases, client credentials may be omitted.
+
+  ***Security Considerations***
+
+  When the ``--external-auth`` option is enabled in OpenVPN, it bypasses the
+  check that some form of user authentication method is specified. This
+  configuration can potentially create a risky environment where an OpenVPN
+  server operates without requiring authentication. If you opt to utilize
+  ``--external-auth``, it's crucial to thoroughly validate that the OpenVPN
+  server has been adequately secured.
+
 --auth-retry type
   Controls how OpenVPN responds to username/password verification errors
   such as the client-side response to an :code:`AUTH_FAILED` message from

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
@@ -499,6 +499,7 @@ static const char usage_message[] =
     "                  and a password on the second. If either the password or both\n"
     "                  the username and the password are omitted OpenVPN will prompt\n"
     "                  for them from console.\n"
+    "--external-auth  : If set, client-side credentials are optional.\n"
     "--pull           : Accept certain config file options from the peer as if they\n"
     "                  were part of the local config file.  Must be specified\n"
     "                  when connecting to a '--mode server' remote host.\n"
@@ -3004,12 +3005,12 @@ options_postprocess_verify_ce(const struct options *options,
 
                 if (sum == 0)
                 {
-                    if (!options->auth_user_pass_file)
+                    if (!options->auth_user_pass_file && !options->external_auth)
                     {
                         msg(M_USAGE, "No client-side authentication method is "
                             "specified.  You must use either "
-                            "--cert/--key, --pkcs12, or "
-                            "--auth-user-pass");
+                            "--cert/--key, --pkcs12, "
+                            "--auth-user-pass, or --external-auth");
                     }
                 }
                 else if (sum != 2)
@@ -7917,6 +7918,11 @@ add_option(struct options *options,
             options->auth_user_pass_file = "stdin";
         }
     }
+    else if (streq(p[0], "external-auth") && !p[1])
+    {
+        VERIFY_PERMISSION(OPT_P_GENERAL);
+        options->external_auth = true;
+    }
     else if (streq(p[0], "auth-retry") && p[1] && !p[2])
     {
         VERIFY_PERMISSION(OPT_P_GENERAL);

diff --git a/src/openvpn/options.h b/src/openvpn/options.h
@@ -542,6 +542,7 @@ struct options
     const char *auth_user_pass_file;
     bool auth_user_pass_file_inline;
     struct options_pre_connect *pre_connect;
+    bool external_auth;
 
     int scheduled_exit_interval;