
OIDC-Integrated Temporary VPN Access

Open eduardogsilva opened this issue 8 months ago • 7 comments

Hi everyone,

I received a suggestion on Reddit for a feature that could enhance VPN security by providing temporary access credentials, and I'm evaluating whether this could be a good alternative for this project. Here’s the basic idea:

  • Users log into a web interface.
  • Through the interface, they can generate a temporary credential (e.g., valid for X hours) to configure their VPN client.
  • Once the credential expires, access is automatically revoked until the user logs in again.
  • The system could integrate with OpenID Connect or other authentication methods to add an extra layer of security.

While this concept is interesting, I'm not sure if there is really a strong demand for it. I’m leaving this issue open to collect opinions and feedback on the subject. Are there any existing solutions addressing this need? How would this feature fit into your use cases?

Looking forward to your thoughts and suggestions!

eduardogsilva avatar Mar 18 '25 01:03 eduardogsilva
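The workflow sketched in the opening post (log in, get a credential valid for X hours, lose access automatically when it expires, regain it only by logging in again) is small enough to model end to end. The following is an added example and not code from wireguard_webadmin; it assumes the client generates its own key pair with `wg genkey | wg pubkey` and submits only the public key at the web login, that the server records an expiry per peer, adds the peer to the running interface with `wg set`, and that a periodic sweep removes expired peers. The interface name, server key, endpoint and the `run` callback used for the dry run are all constructed placeholders.

```python
"""Temporary WireGuard access: issue a time-limited peer and sweep expired ones.

Added example, not code from wireguard_webadmin. Assumed design: the client
generates its own key pair and submits only the public key; the server keeps a
registry of temporary peers with an expiry, adds them with `wg set`, and a
periodic sweep removes the expired ones with `wg set <iface> peer <key> remove`.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

# Constructed placeholders: a real deployment reads these from its settings.
INTERFACE = "wg0"
SERVER_PUBLIC_KEY = "<server-public-key>"
SERVER_ENDPOINT = "vpn.example.com:51820"


@dataclass
class TemporaryPeer:
    user: str             # identity from the web login (OIDC subject or e-mail)
    public_key: str       # client-generated; the private key never reaches the server
    address: str          # tunnel address, e.g. "10.10.0.5/32"
    expires_at: datetime  # timezone-aware UTC


Runner = Callable[[List[str]], None]


def run_wg(cmd: List[str]) -> None:
    """Default runner: execute a `wg` command (needs root and the wg tool)."""
    subprocess.run(cmd, check=True)


def add_command(peer: TemporaryPeer) -> List[str]:
    return ["wg", "set", INTERFACE, "peer", peer.public_key, "allowed-ips", peer.address]


def remove_command(peer: TemporaryPeer) -> List[str]:
    return ["wg", "set", INTERFACE, "peer", peer.public_key, "remove"]


def is_active(peer: TemporaryPeer, now: datetime) -> bool:
    return now < peer.expires_at


def issue_temporary_peer(registry: Dict[str, TemporaryPeer], user: str,
                         client_public_key: str, address: str, hours: int,
                         now: datetime, run: Runner = run_wg) -> TemporaryPeer:
    """Grant `user` access for `hours`. Design choice: one live credential per
    identity, so a re-login replaces (and revokes) any earlier peer."""
    if hours <= 0:
        raise ValueError("validity must be positive")
    old = registry.get(user)
    if old is not None:
        run(remove_command(old))
    peer = TemporaryPeer(user, client_public_key, address, now + timedelta(hours=hours))
    run(add_command(peer))
    registry[user] = peer
    return peer


def client_config(peer: TemporaryPeer) -> str:
    """The downloadable client configuration; PrivateKey stays on the client."""
    return "\n".join([
        "[Interface]",
        "PrivateKey = <fill in from your own wg genkey>",
        f"Address = {peer.address}",
        "",
        "[Peer]",
        f"PublicKey = {SERVER_PUBLIC_KEY}",
        f"Endpoint = {SERVER_ENDPOINT}",
        "AllowedIPs = 0.0.0.0/0",
        "PersistentKeepalive = 25",
        f"# access expires at {peer.expires_at.isoformat()}",
    ])


def sweep_expired(registry: Dict[str, TemporaryPeer], now: datetime,
                  run: Runner = run_wg) -> List[str]:
    """Remove every expired peer from the interface and the registry.
    Idempotent: a second sweep at the same time removes nothing."""
    expired = [u for u, p in registry.items() if not is_active(p, now)]
    for user in expired:
        run(remove_command(registry.pop(user)))
    return expired


def demo():
    """Dry run that records the wg commands instead of executing them."""
    recorded: List[List[str]] = []
    reg: Dict[str, TemporaryPeer] = {}
    t0 = datetime(2025, 5, 20, 12, 0, tzinfo=timezone.utc)
    issue_temporary_peer(reg, "alice@example.com", "<alice-key-1>",
                         "10.10.0.5/32", 4, t0, run=recorded.append)
    # Re-login one hour later: the old peer is revoked, a fresh 4h window starts.
    peer = issue_temporary_peer(reg, "alice@example.com", "<alice-key-2>",
                                "10.10.0.5/32", 4, t0 + timedelta(hours=1),
                                run=recorded.append)
    still_active = is_active(peer, t0 + timedelta(hours=3))
    expired = sweep_expired(reg, t0 + timedelta(hours=5), run=recorded.append)
    again = sweep_expired(reg, t0 + timedelta(hours=5), run=recorded.append)
    return still_active, expired, again, recorded, client_config(peer)


if __name__ == "__main__":
    active, gone, _, cmds, cfg = demo()
    print(cfg)
    print("active at +3h:", active, "| expired at +5h:", gone)
    for c in cmds:
        print(" ".join(c))
```

The `run` callback exists so the sweep can be exercised without a real interface; in production it is `run_wg`, called from a scheduler tick. Keeping the private key on the client is a deliberate choice here: the portal only ever stores public keys, so a dump of its database cannot be turned into a working tunnel.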

I think this idea would be great. I had already suggested the idea of Active Directory Sync back then.

I personally think OIDC or Active Directory Sync Integration would be a great idea. I also use it in my company, and we could then automatically provide VPN configurations to all users.

mcordes92 avatar Mar 18 '25 12:03 mcordes92

> I think this idea would be great. I had already suggested the idea of Active Directory Sync back then.
>
> I personally think OIDC or Active Directory Sync Integration would be a great idea. I also use it in my company, and we could then automatically provide VPN configurations to all users.

Please, can you detail more on how you see it working? Just for temporary access? When and how to disable the peer configuration?

Please share more details on how you would use it.

eduardogsilva avatar Mar 18 '25 13:03 eduardogsilva

Hi there, I will show you how Firezone was working. First you go to the website:

Image

Here you log in with OIDC,

and now you are in:

Image

Before you log in for the first time, the VPN portal does not know who you are; you only exist in your SSO, with permission to access the VPN. Once you log in with your SSO into the VPN portal for the first time, the VPN portal will automatically create a user with no settings that can only log in with OIDC.

As explained earlier, and as you can see in the screenshot, the user has nothing right now. Once the user presses the add device button, the portal will create a predefined config:

Image

Image

Now you can download the config and import it into your preferred client.

You can also define some roles in the VPN portal that are associated with OIDC group scopes, and then set a default config for each group.

Here you can see how it works:

Image

There is a firewall that prevents you from accessing the VPN; once you log in, the firewall unlocks you, and after a predefined time the firewall locks you again.

Here are some more configurations as an admin:

Image

Image

Image

Image

Image

Image

Image

This is the default configuration used to create the config that is distributed to WireGuard clients.

These are the default settings of the VPN portal itself:

Image

Image

If you need something else you can tell me.

Thank you

skea999 avatar May 08 '25 12:05 skea999

Hello @skea999,

Thank you for detailing this; it gives me a nice idea of how this feature could be implemented.

What happens when the VPN expires? Does it force the user to a "captive portal inside the VPN", or does it disable the peer configuration until the user logs in on the public web interface?

Captive portal is nice, but adds a new layer of complexity.

Would it be OK if we skip OIDC logins and stick only to a user (or email) + password combo? Maybe an extra 2FA?

cheers!

eduardogsilva avatar May 17 '25 18:05 eduardogsilva

When the VPN expires there is no captive portal and no suggestion. It simply disables the peer and you are on your own; in this manner you can use the default WireGuard client. However, Firezone does not disable peers, it blocks the connection with the firewall. If you disable the peer it is better, I think. The only way a client has to know that the session is expired is by watching the transfer rate.

OIDC is required for an enterprise organisation to adopt this, but you can do it later.

skea999 avatar May 20 '25 11:05 skea999

> When the VPN expires there is no captive portal and no suggestion. It simply disables the peer and you are on your own; in this manner you can use the default WireGuard client. However, Firezone does not disable peers, it blocks the connection with the firewall. If you disable the peer it is better, I think. The only way a client has to know that the session is expired is by watching the transfer rate.
>
> OIDC is required for an enterprise organisation to adopt this, but you can do it later.

In my opinion, blocking the peer's traffic instead of removing its configuration from the running WireGuard is possible, and actually even better than "disturbing" WireGuard with a reload; but maybe just removing the peer is fewer things to worry about.

Two features that I believe would be important are:

  • being able to associate firewall rules/profiles with those peers
  • defining an IP pool for those peers

Cheers

eduardogsilva avatar May 20 '25 14:05 eduardogsilva
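The firewall-gated variant discussed above (peers stay configured, the firewall unlocks an address at login and locks it again after a predefined time) combines naturally with the two features named in the last comment, per-peer firewall profiles and a dedicated IP pool. The following is an added example, not wireguard_webadmin's or Firezone's code; it assumes an nftables ruleset in which each profile has a set of currently permitted tunnel addresses, and it relies on the nftables feature that set elements can carry a timeout, so the kernel removes the address itself when the time is up. Table name, interface, profile names, pools and destinations are constructed for the example.

```python
"""Firewall-gated temporary peers: per-profile IP pools and nftables enforcement.

Added example, not wireguard_webadmin code. Assumed design: temporary peers stay
on the WireGuard interface; a nftables set per profile lists the tunnel
addresses currently allowed through, and each element carries a timeout, so the
lock-out happens in the kernel without a sweeper.
"""
import ipaddress
from typing import Dict, List, Set

TABLE = "wgtmp"     # constructed table name
INTERFACE = "wg0"   # constructed interface name

# Constructed profiles: each has its own IP pool and a list of reachable
# destinations as (destination CIDR, protocol or None, port or None).
PROFILES = {
    "staff": {"pool": "10.10.1.0/24",
              "rules": [("10.0.0.0/8", None, None)]},
    "contractor": {"pool": "10.10.2.0/24",
                   "rules": [("192.0.2.10/32", "tcp", 443),
                             ("192.0.2.53/32", "udp", 53)]},
}


class IPPool:
    """Hand out unused host addresses from a network; release returns them."""

    def __init__(self, network: str) -> None:
        self.network = ipaddress.ip_network(network)
        self.used: Set[ipaddress.IPv4Address] = set()

    def allocate(self) -> str:
        for host in self.network.hosts():
            if host not in self.used:
                self.used.add(host)
                return str(host)
        raise RuntimeError(f"pool {self.network} exhausted")

    def release(self, address: str) -> None:
        self.used.discard(ipaddress.ip_address(address))


def set_name(profile: str) -> str:
    return f"{profile}_active"


def ruleset(profiles: Dict = PROFILES) -> str:
    """Static ruleset: drop by default, accept only traffic whose source is in a
    profile's active set and whose destination that profile is allowed."""
    lines = [f"table inet {TABLE} {{"]
    for name in profiles:
        lines.append(f"  set {set_name(name)} {{ type ipv4_addr; flags timeout; }}")
    lines += ["  chain forward {",
              "    type filter hook forward priority 0; policy drop;",
              "    ct state established,related accept"]
    for name, spec in profiles.items():
        for dst, proto, port in spec["rules"]:
            match = f'iifname "{INTERFACE}" ip saddr @{set_name(name)} ip daddr {dst}'
            if proto and port:
                match += f" {proto} dport {port}"
            lines.append(f"    {match} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def unlock_command(profile: str, address: str, hours: int) -> str:
    """Admit `address` for `hours`; the kernel drops the element on expiry."""
    if hours <= 0:
        raise ValueError("validity must be positive")
    return (f"nft add element inet {TABLE} {set_name(profile)} "
            f"{{ {address} timeout {hours}h }}")


def lock_command(profile: str, address: str) -> str:
    """Revoke early (e.g. an admin action) without waiting for the timeout."""
    return f"nft delete element inet {TABLE} {set_name(profile)} {{ {address} }}"


class Grants:
    """Ties pool allocation to the firewall commands; records them for a dry run."""

    def __init__(self, profiles: Dict = PROFILES) -> None:
        self.pools = {name: IPPool(spec["pool"]) for name, spec in profiles.items()}
        self.commands: List[str] = []

    def grant(self, profile: str, hours: int) -> str:
        address = self.pools[profile].allocate()
        self.commands.append(unlock_command(profile, address, hours))
        return address

    def revoke(self, profile: str, address: str) -> None:
        self.commands.append(lock_command(profile, address))
        self.pools[profile].release(address)


if __name__ == "__main__":
    print(ruleset())
    g = Grants()
    addr = g.grant("contractor", 4)
    g.revoke("contractor", addr)
    print("\n".join(g.commands))
```

Because the ruleset's default policy is drop and a peer's address is only ever present in its own profile's set, an expired or never-unlocked peer keeps its tunnel but can reach nothing, which is exactly the "lock again after a predefined time" behaviour described for Firezone. One caveat worth keeping in mind: timed elements are lost on `nft -f` reloads of the whole table, so a portal that rewrites the ruleset must re-add the still-valid grants with their remaining time.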

This would make your tool very enterprise ready.

adamboutcher avatar Jul 24 '25 16:07 adamboutcher