-
-
Notifications
You must be signed in to change notification settings - Fork 25
HTTPS Listener
Important
Remember to set CONFIG_HTTP_BASEURL correctly. It should start with https:// following your public domain name plus port.
Some SSO Provider like Entra ID requires https:// based redirect URL.
In the default configuration, openvpn-auth-oauth2 listen on http://.
There are two common ways to set up an HTTPS listener
You can use one of your favorite http reverse proxies. Configure HTTPS on reverse proxy and proxy to an HTTP instance of openvpn-auth-oauth2. For beginners, traefik is recommended since it natively supports Let's Encrypt where you can get public SSL certificates for free.
openvpn-auth-oauth2 supports HTTPS out of the box.
If openvpn-auth-oauth2 runs as systemd service, the HTTPS certificates must place in /etc/openvpn-auth-oauth2/ with
the owner root and the group openvpn-auth-oauth2. See Filesystem Permissions for more information.
| env/sysconfig configuration |
CONFIG_HTTP_TLS=true
CONFIG_HTTP_KEY=/etc/openvpn-auth-oauth2/server.key
CONFIG_HTTP_CERT=/etc/openvpn-auth-oauth2/server.crt |
| yaml configuration |
http:
tls: true
key: /etc/openvpn-auth-oauth2/server.key
cert: /etc/openvpn-auth-oauth2/server.crt |
To set up a self-signed certificate, you can use the command below:
export DOMAIN_NAME=vpn.example.com
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout /etc/openvpn-auth-oauth2/server.key \
-out /etc/openvpn-auth-oauth2/server.crt \
-subj "/CN=$DOMAIN_NAME" -addext "subjectAltName=DNS:$DOMAIN_NAME"
chown root:openvpn-auth-oauth2 /etc/openvpn-auth-oauth2/server.key /etc/openvpn-auth-oauth2/server.crt
chmod 640 /etc/openvpn-auth-oauth2/server.key /etc/openvpn-auth-oauth2/server.crtYou can also use Let's Encrypt to get public SSL certificates for free. The certbot is a recommended tool to get SSL certificates. Alternatively, can use acme.sh, which is a pure Unix shell script implementing ACME client protocol.
openvpn-auth-oauth2 requires a SIGHUP signal to reload the TLS certificate.
If you are using certbot, please drop some instructions to setup it.
Running openvpn-auth-oauth2 on port 443 requires special permissions.
Create a new file /etc/systemd/system/openvpn-auth-oauth2.service.d/override.conf with the following content:
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
PrivateUsers=falseThen, run the following commands:
echo "capability net_bind_service," > /etc/apparmor.d/local/usr.bin.openvpn-auth-oauth2
systemctl restart apparmor
systemctl daemon-reload
systemctl restart openvpn-auth-oauth2This wiki is synced with the docs folder from the code repository! To improve the wiki, create a pull request against the code repository with the suggested changes.