VPN Server oidc config

7a6b5415 · Christian Elberfeld · 9210d729 · 7a6b5415 · 7a6b5415 · 7a6b5415
Commit 7a6b5415 authored 1 year ago by Christian Elberfeld
--- a/testserver/docker_vpnserver/Documentation.md
+++ b/testserver/docker_vpnserver/Documentation.md
-1. /srv/vpnserver und /srv/vpnserver/secrets erstellen, "wg genkey > wg_private_key" in /srv/vpnserver/secrets
-2. deployen
-3.  uffd configurieren
-    1. neuen Dienst erstellen
-    2. OAuth2 Client-ID erstellen
-        - Client-ID: vpnserver
-        - Client-Secret: /srv/vpnserver/secrets/oauth_client_secret
-        - Redirect-URIs: https://<vpnserver-domain>/user/oauth2/uffd/callback
\ No newline at end of file
+
+
+# Overview 
+
+* Authentication to VPNServer is only possible with an account in uffd, regular authentication is disabled (can be enabled as fallback)
+* All users with group 'vpnserver_access' can access the VPNServer  
+
+# Setup OIDC Authentication via uffd 
+
+Uffd Reference: https://git.cccv.de/uffd
+
+
+## Setup VPNServer
+
+* Wireguard secret initial erstellen: ```wg genkey > wg_private_key``` in /srv/vpnserver/secrets
+
+
+## Setup in uffd
+
+Create Groups:
+
+- vpnserver_access: General Access to VPNServer
+
+Create a Service / OAuth Client: 
+
+Only Users with goup nextcloud_access can access Nextcloud 
+
+Client-ID: vpnserver
+Client-Secret: from file oauth_client_secret on the server
+Redirect-URIs: 
+* https://vpn.test-warpzone.de/callback
+
--- a/testserver/docker_vpnserver/tasks/main.yml
+++ b/testserver/docker_vpnserver/tasks/main.yml
@@ -22,7 +22,7 @@
    dest: "{{ basedir }}/{{ item }}"
  with_items:
    - docker-compose.yml
-    - config.yml
+    - config.yaml
  register: config



--- a/testserver/docker_vpnserver/templates/config.yml
+++ b/testserver/docker_vpnserver/templates/config.yml
 # You can disable the builtin admin account by leaving out 'adminPassword'. Requires another backend to be configured.
-adminPassword: "{{ wg_admin_pass }}"
+# adminPassword: "{{ wg_admin_pass }}"
 # adminUsername sets the user for the Basic/Simple Auth admin account if adminPassword is set.
 # Every user of the basic and simple backend with a username matching adminUsername will have admin privileges.
-adminUsername: "vpnadmin"
+# adminUsername: "vpnadmin"
 # Configure zero or more authentication backends
 auth:
  oidc:
@@ -17,7 +17,7 @@ auth:
    # The path can be almost anything as long as it doesn't
    # conflict with a path that the web UI uses.
    # /callback is recommended.
-    redirectURL: "{{ oidc_global.provider_url }}/callback"
+    redirectURL: "https://{{ domain }}/callback"
    # List of scopes to request claims for. Must include 'openid'.
    # Must include 'email' if 'emailDomains' is used. Can include 'profile' to show the user's name in the UI.
    # Add custom ones if required for 'claimMapping'.
@@ -26,20 +26,3 @@ auth:
      - openid
      - profile
      - email
-      - groups
-    # You can optionally restrict access to users with an email address
-    # that matches an allowed domain.
-    # If empty or omitted then all email domains will be allowed.
-    # This is an advanced feature that allows you to define OIDC claim mapping expressions.
-    # This feature is used to define wg-access-server admins based off a claim in your OIDC token.
-    # A JSON-like object of claimKey: claimValue pairs as returned by the issuer is passed to the evaluation function. 
-    # See https://github.com/Knetic/govaluate/blob/9aa49832a739dcd78a5542ff189fb82c3e423116/MANUAL.md for the syntax.
-    claimMapping:
-      # This example works if you have a custom group_membership claim which is a list of strings 
-      admin: "'vpnserver_admin' in group_membership"
-      access: "'vpnserver_access' in group_membership"
-    # Let wg-access-server retrieve the claims from the ID Token instead of querying the UserInfo endpoint.
-    # Some OIDC authorization provider implementations (e.g. ADFS) only publish claims in the ID Token.
-    claimsFromIDToken: false
-    # require this claim to be "true" to allow access for the user
-    accessClaim: "access"
\ No newline at end of file
--- a/testserver/docker_vpnserver/templates/docker-compose.yml
+++ b/testserver/docker_vpnserver/templates/docker-compose.yml
@@ -10,15 +10,12 @@ services:
      net.ipv6.conf.all.forwarding: 1
    volumes:
      - "{{ basedir }}/data:/data"
-      - "{{ basedir }}/config.yaml:/config.yml" # if you have a custom config file
+      - "{{ basedir }}/config.yaml:/config.yaml" 
    ports:
-    #  - "8000:8000/tcp"
      - "51820:51820/udp"
    devices:
      - "/dev/net/tun:/dev/net/tun"
    environment:
-      - "WG_ADMIN_USERNAME=vpnadmin"
-      - "WG_ADMIN_PASSWORD={{ wg_admin_pass }}"
      - "WG_WIREGUARD_PRIVATE_KEY={{ wg_private_key }}"
      - "WG_VPN_CIDRV6=0" # to disable IPv6
      - "WG_EXTERNAL_HOST={{ domain }}"

--- a/testserver/docker_wordpress/Documentation.md
+++ b/testserver/docker_wordpress/Documentation.md
@@ -40,15 +40,15 @@ Pluin settings:

 Create Groups:

- wordpress_access: General Access to Nextcloud 
+- wordpress_access: General Access to Wordpress 
 - wordpress_admin: This Group will be Mapped to the Group admin in Wordpress 

 Create a Service / OAuth Client: 

-Only Users with goup nextcloud_access can access Nextcloud 
+Only Users with goup wordpress_access can access Wordpress 

 Client-ID: wordpress 
-Client-Secret: from file nextcloud_oidc_secret on the server
+Client-Secret: from file wordpress_client_secret on the server
 Redirect-URIs: 
 * https://www.test-warpzone.de/wp-admin/admin-ajax.php?action=openid-connect-authorize