PrivateVPN: OIDC Integration With ChaCha20-Poly1305
PrivateVPN: OIDC Integration With ChaCha20-Poly1305
Integrating OpenID Connect (OIDC) for PrivateVPN authentication enhances security and simplifies user management. We leveraged Keycloak as our OIDC provider due to its flexibility and robust feature set. The core of our implementation relies on the vpnd daemon, modified to act as an OIDC client.
First, register PrivateVPN as a client application within Keycloak.Β Configure the following parameters:
Client ID: privatevpn-client
Client Secret: [Generated Secret - store securely]
Redirect URI: https://your-privatevpn-server.example.com/oidc/callback
Access Type: confidential
Standard Flow Enabled: true
Direct Access Grants Enabled: false
Within vpnd, the authentication flow proceeds as follows:
User initiates a VPN connection.
vpnd redirects the user to the Keycloak authorization endpoint.
User authenticates with Keycloak.
Keycloak redirects the user back to vpnd with an authorization code.
vpnd exchanges the authorization code for an ID token and access token.
vpnd validates the ID token (signature, issuer, audience, expiry).
vpnd extracts user attributes from the ID token (e.g., username, group memberships).
vpnd establishes the VPN tunnel, authorizing access based on user attributes.
We use the python-oidc library for token validation and parsing.Β Example vpnd configuration snippet:
oidc_enabled = True
oidc_issuer = "https://keycloak.example.com/auth/realms/privatevpn"
oidc_client_id = "privatevpn-client"
oidc_client_secret = "YOUR_CLIENT_SECRET"
oidc_redirect_uri = "https://your-privatevpn-server.example.com/oidc/callback"
For enhanced performance and security, we standardized on the ChaCha20-Poly1305 cipher suite for all PrivateVPN connections.Β This required updating our OpenVPN server configuration.Β Here's the relevant configuration directive:
cipher CHACHA20-POLY1305
We disabled less secure ciphers to enforce the use of ChaCha20-Poly1305. This involved explicitly excluding older ciphers within the OpenVPN configuration:
data-ciphers CHACHA20-POLY1305
data-ciphers-fallback CHACHA20-POLY1305
Client configurations must also be updated to support ChaCha20-Poly1305. Most modern OpenVPN clients support this cipher suite natively. For older clients, a configuration update may be required.
ChaCha20-Poly1305 generally offers better performance than AES-GCM, especially on CPUs without dedicated AES instructions. We observed a 10-15% increase in throughput on our test servers after switching to ChaCha20-Poly1305.
To verify the correct cipher is in use, examine the OpenVPN server logs.Β Look for the following line upon client connection:
TLS: using cipher CHACHA20-POLY1305-SHA256
Additionally, use tcpdump or Wireshark to capture and analyze the encrypted traffic. The presence of ChaCha20 encryption can be inferred from the TLS handshake.
Clock Skew: OIDC token validation is sensitive to clock skew between the PrivateVPN server and the OIDC provider. Ensure NTP is properly configured on all servers.
Client Configuration Errors: Incorrect client configurations (e.g., missing or incorrect cipher directive) can prevent successful VPN connections. Provide clear and concise documentation to users.
Keycloak Availability: PrivateVPN's authentication relies on Keycloak. Implement redundancy and monitoring for Keycloak to ensure high availability.
Redirect URI Mismatch: A mismatch between the registered redirect URI in Keycloak and the actual redirect URI used by vpnd will cause authentication failures. Double-check the configuration.
Firewall Rules: Ensure firewall rules allow communication between the PrivateVPN server and Keycloak on port 443 (HTTPS). Restrict access to Keycloak to only authorized IP addresses.