Connecting in a Linux box to AWS-VPN using OKTA Push Authentication
First of all, I am a rookie when it comes to VPN/security issues, so please forgive whatever errors I make while describing my problem; I hope I'm able to make it clear.

Our contractors changed the AVIATRIX-OKTA VPN for AWS-VPN with OKTA authentication. They sent us an .ovpn file that works fine on Windows/Mac using the AWS-Vpn-Client application, but a couple of us using Linux boxes (Ubuntu specifically) run the method described by AWS, which is: openvpn config-file.ovpn, and it does not work.

It simply asks for usr/pwd and then fails with an auth error (we use our OKTA credentials); it seems nothing is configured to go to OKTA, open a browser or whatever it needs to do.

As an aside, we can connect without any trouble to our k8s cluster using OKTA client libraries; not sure if this is useful or not, just in case.

The .ovpn file looks like this:

client
dev tun
proto tcp
remote random.cvpn-endpoint-xxxxxx.yyy.clientvpn.us-west-2.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 5
<ca>
....
....
....
</ca>

auth-user-pass
auth-federate
auth-retry interact
auth-nocache
reneg-sec 0

An interesting thing to notice is that openvpn complains about auth-federate (it seems not to recognize it), so I started using the GNOME network-manager, which seems to accept this configuration, but I am getting an auth error there too.

After this I tried openvpn3, which didn't complain about the configuration, but I still get the same error.

I also tried adding the TOTP token to the password and got the same problem.

Any help on how to configure it, or just knowing whether it is possible at all, will be greatly welcome; there seems to be very little information about this on the net and we are really stuck on it. We are not willing to change OS or machines as they are asking us to, or to use a VM just to connect.

Thanks in advance,

Colosseum answered 22/6, 2020 at 17:13 Comment(0)
Finally I got an answer from AWS people:

If the Client VPN endpoint is configured using SAML-based authentication (such as Okta), then you have to use the AWS-provided client to connect:

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#saml-requirements

And they promised to update the client documentation with a WARNING about this.

Colosseum answered 25/6, 2020 at 14:1 Comment(6)
Did you ever get this working from an Ubuntu machine? - Blockbuster
No, we are planning to use a Windows VM as router/bridge to the VPN, but we still haven't started working on it. - Colosseum
Did they mention any plans to support Linux in the future? - Diphenylamine
Asked this question in AWS groups too, and nobody mentioned anything about it. - Colosseum
There is a Linux client now, although it's rather raw and I'd rather get the Client VPN working with Network Manager. aws.amazon.com/about-aws/whats-new/2021/06/… - Lamberto
They stopped supporting the AWS VPN Client on Linux. If you attempt to install and run it, it just sends you into a crash loop. - Fasciate
We have tried the solution mentioned in the following URL and it worked for us:

https://github.com/samm-git/aws-vpn-client/blob/master/aws-connect.sh

The detailed working of this solution is explained in: https://github.com/samm-git/aws-vpn-client/blob/master/aws-connect.sh

We have made a few changes in the configuration files to make it work.

  1. Removed the following lines in vpn.conf:

     • auth-user-pass
     • auth-federate

  2. Made the following change in line 38 in the script aws-connect.sh:

         open "$URL"

     to

         xdg-open "$URL"
Hymenium answered 5/11, 2020 at 0:11 Comment(3)
Hi Minu, really great to hear news from you and whoever created this project; I hope to be able to try it any time soon. Thanks for the update. - Colosseum
Can confirm that this works as well with AWS SSO + IAM as the IdP. - Countersignature
Hi, is there a Windows alternative for this? I know there is the AWS VPN Client, but some people can't install it or have problems connecting from there. - Roswald
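The two edits in the answer above (dropping the auth-user-pass and auth-federate directives from the profile, and swapping the macOS open launcher for xdg-open on Linux) are easy to get slightly wrong by hand, so here is a small POSIX shell script that applies them repeatably. It is an added example and not code from the answer or from the samm-git/aws-vpn-client project; the function names, the output file name and the embedded sample profile (built from the directives shown in the question, with a placeholder endpoint) are all constructed for this illustration. It also generalises the line-38 change into a launcher lookup keyed on the kernel name, so the same script works on both macOS and Linux.

```shell
#!/bin/sh
# Added example (not part of the answer or of samm-git/aws-vpn-client).
# strip_saml_directives IN OUT  : copy an .ovpn profile to OUT, dropping the
#                                  auth-user-pass and auth-federate lines
# launcher_for KERNEL            : launcher command for a given `uname -s` value
# open_url URL                   : open URL with this host's launcher
# count_saml_directives FILE     : how many of the two directives remain (check)
set -eu

# Regex for the two directives, anchored to the start of the line (optional
# indentation, then the directive, then whitespace or end of line), so text
# inside <ca>...</ca> blocks or comments that merely mention the word is kept.
SAML_DIRECTIVE_RE='^[[:space:]]*(auth-user-pass|auth-federate)([[:space:]]|$)'

strip_saml_directives() {
    in="$1"
    out="$2"
    # grep -v exits 1 when nothing is printed (a file made only of these
    # directives); "|| true" keeps set -e from aborting in that case.
    grep -v -E "$SAML_DIRECTIVE_RE" "$in" > "$out" || true
}

count_saml_directives() {
    # grep -c prints 0 and exits 1 when there is no match; keep the 0.
    grep -c -E "$SAML_DIRECTIVE_RE" "$1" || true
}

# Map the kernel name to the platform's URL launcher. This is the line-38
# change from the answer (open on macOS, xdg-open on Linux), made portable.
launcher_for() {
    case "$1" in
        Darwin) echo open ;;
        Linux)  echo xdg-open ;;
        *)      echo "unsupported OS: $1" >&2; return 1 ;;
    esac
}

open_url() {
    cmd="$(launcher_for "$(uname -s)")"
    "$cmd" "$1"
}

# Constructed sample profile for testing, using the directives from the
# question and a placeholder endpoint (no real CA material).
write_sample_conf() {
    cat > "$1" <<'EOF'
client
dev tun
proto tcp
remote random.cvpn-endpoint-xxxxxx.yyy.clientvpn.us-west-2.amazonaws.com 443
remote-random-hostname
remote-cert-tls server
cipher AES-256-GCM
auth-user-pass
auth-federate
auth-retry interact
auth-nocache
reneg-sec 0
EOF
}
```

Typical use is `strip_saml_directives vpn.conf vpn-saml.conf` followed by `count_saml_directives vpn-saml.conf`, which should print 0 before the stripped profile is handed to the wrapper script; `open_url "$URL"` is the drop-in replacement for the hard-coded launcher line.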

© 2022 - 2024 — McMap. All rights reserved.