-
Notifications
You must be signed in to change notification settings - Fork 406
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Start Before Logon (SBL)? #77
Comments
This requires writing a credential provider that implements the Pre-Logon Access Provider (PLAP) usage scenario. A very basic implementation is not hard, but integrating with service (or with the GUI, or keep it as another way of starting the connection ?), providing options to choose which config to connect etc. etc. takes some work, so may not happen anytime soon. Also such a feature is often not required for domain login: as Windows caches domain login credentials, the user can login and then start the tunnel even if the DC is not reachable before the tunnel is up. However, this "start before logon" feature may be needed for setups where the corporate policy does not allow caching of domain login credentials. |
That's not quite correct. For the credentials to be cached, you first need to be able to log on to the domain controller for Windows to be able to cache the credentials. So you need to log on at least once before the credentials are being cached. In some circumstances this might not be possible without VPN though. So, a Start VPN Before Logon feature would be essential in that case. Furthermore, the crendential cache storage of Windows is finite.
Not just that. As Cisco and Microsoft put it:
So, it's useful for lots of other things and basically essential for a proper log on. Furthermore, a Start VPN Before Logon feature would be even more useful now with Windows 10, because Windows 10 now even lets you connect to wireless networks before logging on to Windows. Regards |
there's similar implementation https://github.com/Amebis/GEANTLink |
What is blocking this is lack of time not lack of interest.. The part requiring interaction with logonexec is a rather simple COM interface implementation; the rest is starting the VPN, doing user auth etc. which is tedious unless we re-use existing GUI code. I've an implementation that is not yet ready for prying eyes. Need some quality free time to make it decent, sigh... I think the link you posted does not implement PLAP interface which is required for starting VPN --- as this will execute as a part of logonexec usual auth methods are given a limited time window to complete unless PLAP interface is implemented. |
Does anyone have a definite working solution for starting OpenVPN before login? Switching to AD, our DC is connected to the VPN so if users are offsite and forget their passwords, they will be locked out. Allowing them to connect to the VPN first seems to be the easiest solution. |
what kind of auth do you use ? if login/password, it will not be any usefull. |
I think, computer active directory issued certificate would be perfect for such kind of setup. |
We use OpenVPN to connect domain computers to organizations before user logs on. The OpenVPN is started automatically as a service running as the Local System account. We use the NSSM as the service wrapper for this purpose. The service is configured to depend on Dhcp and tap0901 services just like the OpenVPNService. Probably, the OpenVPNService could do the job too. For years, we have been using manually managed certificates to authenticate. But, asking employees to go get a new certificate to the Windows Server CA before the current one expires, install it to the Local System's Certificate Store, then update the Therefore, we no longer use client certificates but Remember, by doing "start-before-logon" you are actually connecting and authenticating computers, not users. The end result is, the remote computer is connected automatically soon enough in the Windows boot not only to allow domain logons, but it also processes the Group Policy (when the bandwidth is sufficient). This was the whole point of our setup: the employee's laptops can roam around for years without the need to come back home for maintenance. Anywhere they go, they are connected from boot. |
A side note: If you use Windows provided VPN to connect before logon, you can use the domain logon - true. However, the Group Policy agent service has tried to contact AD long before that and gave up. Therefore, applying Group Policy settings over VPN is not possible. I am not familiar with Cisco AnyConnect. Can it authenticate and connect soon enough in the boot process so the Group Policy settings can apply too? |
@rozmansi, Active Directory is a combination of DNS, LDAP and kerberos working together. As long as computer can reach DNS, AD should work. Including domain logon and group policy. I'd like to see debug of group policy service in your case As for "logon before connect", it is intended to authenticate users, not computers (Your case with computer authentication via service is worth documenting however) In order to use start before logon, some api should be implemented, api is available starting win8.1 (it was drastically changed in win10) On win7 Cisco any connect emulates such api by itself |
Here are the exported Group Policy and System event logs: Methodology used:
One run represents laptop connected to the domain LAN. Another run was made using OpenVPN over WiFi with no direct access to domain LAN. Comparing the event logs you shall notice they are mostly indistinguishable. |
@rozmansi I would like to try the same with openvpn connecting before logon to get software install from GPO working on remote sites. Can you provide sample script of your setup as mentioned? |
Due to popular demand, I might make a wiki or blog page with step-by-step instructions. Here's something to get you going...
You operate VPN connection by starting/stopping/disabling the Optional: For laptops, I also install and create a Stunnel connection to my VPN server to port 443 to run a secondary OpenVPN TCP connection service thru it (I set its network interface higher metric than its UDP equivalent). This OpenVPN TCP over TLS/443 penetrates the most strict DPI firewalls and brings quite some "surprise" looks when my laptop seamlessly connect to my work in any conference room. :) |
I can confirm that at least with AnyConnect, connecting the VPN before logon does indeed provide "live" AD logon (i.e. not using cached credentials) and normal group policy processing - as if you were locally connected. If memory serves, there are a few GP settings that can both positively and negatively affect GP processing when using VPN before Logon -- I vaguely remember having to set something like "wait for group policy processing to finish on slow links" or something like that. (It was one of those one-time set it and forget it fixes, so I don't remember the exact steps... if you're experiencing GP processing problems, check those settings ) But, in general, without a doubt: AnyConnect definitely has the capability of doing full 100% "normal" logins without cached credentials and with full group policy processing (including the tricky ones that will only run during a logon.) Likewise, the built-in Windows VPN client also has this ability. That said, and without sounding "complain-y", I would stress that the capability of doing this is huge -- especially for roadwarrior users or users who are 99-100% remote but use domain joined laptops. There are certain policies and settings that will never be applied unless they run during an interactive logon (e.g. not using cached credentials). Likewise, as noted elsewhere, the cached credentials have a finite expiration time (as I recall, that's configurable in Group Policy - Security Settings? - somewhere near where one configures password complexity) ... performing an interactive logon refreshes these credentials. Unless something has changed with newer releases of Windows 10, logging on to a VPN connection after logging into Windows does not perform all of the same actions as logging in before. Yes, some group policies will background refresh and some other things will still work, but if you have a user that is 100% remote, working from home, doesn't have say a hardware VPN router, eventually, that computer will eventually require an interactive "online" logon. In one of the worst cases, an employee had to ship their laptop across the country overnight so it could be plugged into the network and updated (because no VPN before logon). From experience, the AnyConnect client has a setting you enable in the client config to enable the VPN option before logon. Then, in the Windows logon GUI, it would launch the normal client software window "on top of" the logon screen where the user could then interact with it with 100% normal functionality. Presumably, since OpenVPN now uses a system service and the client essentially communicates with that service, a similar setup could be used? |
But this doesn't provide a mechanism to allow for user authentication or say 2FA? (I mean, doing client certs on smart cards/keys with PINs could even count as 2FA.) If it's running as a service it would seemingly have to use some kind of stored authentication? What happens if say on boot it doesn't initially connect (say someone forgot to plug in a wired ethernet cable)... is there any way to trigger a reconnect without a reboot?
Nice! How's the performance? So stunnel is doing a TCP tunnel? And then it's TCP-in-TCP? (More specifically ((TLS-in-TCP)>TLS-in-TCP) for a double tunnel?) I can definitely see the need for using TCP on 443 to fool strict DPI (trying to rack my brain, can't think of any part of HTTP/HTTPS that would use UDP, so yeah). Since you kinda need the outer tunnel to be TCP, couldn't you use UDP inside for better performance? (Trying to think, TCP-in-TCP is never ideal, but UDP-in-TCP might be worse...) |
True. 2FA may be performed interactively only.
That's quite usual when you walk into a place you have never been before and your laptop doesn't have access to WiFi yet. GP client service will stall the boot for 30 seconds (by default). After that boot will resume offline. It depends on your .ovpn config. Fortunately, with some
The performance was a bit slower than direct OpenVPN UDP, but still comparable: internet links were the true bottleneck. I made sure the stunnel was up-to-date, using a strong cipher, client-side checking server cert issued by the pinned root CA, and finnaly set OpenVPN to However, I never tried to tunnel UDP thru the stunnel. |
Is there any chance of a SBL implementation for OpenVPN? Especially the version, where a box pops up and lets the user enter username and password (+optional 2FA token). |
Hi,
On Mon, Sep 07, 2020 at 07:48:53AM -0700, Gauss23 wrote:
Is there any chance of a SBL implementation for OpenVPN? Especially the version, where a box pops up and lets the user enter username and password (+optional 2FA token).
"someone would have to do it"...
I am willing to review and test, but have no idea how such an
implementation would have to be done.
gert
…--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
|
@rozmansi |
Hello https://www.deploymentshare.com/using-forticlient-vpn-with-hybrid-aad-logon-after-autopilot-process/ My client abandoned OpenVPN + Pfsense for this reason. |
I wonder if OpenVPN Connect supports this feature. @lstipakov any idea? |
OpenVPN Connect and Viscosity do not support this feature either. Viscosity indicated a planning for the feature but it was in 2019... |
Hi,
On Wed, Jun 30, 2021 at 04:56:46AM -0700, GutsBlack wrote:
The Fortinet client (FortiClient 6.x) also allows to launch a VPN before the login.
Starting the VPN before login is not convenient but doable, using the
OpenVPN Service (openvpnsrv2). This only works for VPNs that do not
require user auth, though.
We have no support for "the VPN starts before login and asks for credentials"
(and I have no idea how to implement that).
But indeed, that would be a truly nice feature.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ***@***.***
|
maybe it can help you : and https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-providers-in-windows other vpn and start before logon : https://www.shrew.net/static/help-2.2.x/html/Shrew%20Soft%20VPN%20Client%20Administrators%20Guide.html?VPNAccessManager1.html other exemple : https://kb.swivelsecure.com/w/index.php/Swivel_Windows_Credential_Provider |
Hi @cron2, this project should help implementing this feature: https://github.com/phaetto/windows-credentials-provider |
In our environment we recently ditched our Cisco ASA which we leveraged the SBL module for VPN connectivity for a Netgate pfSense+ based NGFW appliance. Although this was a real nice upgrade in terms of network performance and licensing overhead, we're now missing out on the awesome functionality and manageability that Cisco's SBL afforded us. We would configure our ASA to our Windows Server's Network Policy Server (NPS) where RADIUS authentication took place, allowing us to configure various network protections and constraints through there. Packaging the SBL module with the end-user's VPN client enabled the Network Sign-In icon at the Windows Logon which gave users an incredibly simple company VPN experience. As Admins we could also push updates and changes to the overall client config and even still the SBL module at connection time would update the client-side config with the new version hosted from the VPN server/ASA. With SBL, we could always be absolutely sure that all laptops both on-prem and remote were remaining in contact with our Windows DC at logon time, and therefore had various security GPs applied such as refusing PC logon if the domain was unavailable and disabling cached logon credentials. Nowadays, we've had to disable these policies since we haven't been able to get the native Win10 Network Sign-In client to work with the pfSense OpenVPN server... Currently we're evaluating setting up an IPsec-based VPN solution on our firewall as an alternative that seems to probably play nicer with the Win10 native Network Sign-In. I'd be more than happy to help test out and field feedback to anyone that needs a proper test harness for an OpenVPN version of SBL, as my company sports a full Enterprise network architecture and Windows domain!! Just let me know!! :) |
Hey everyone, I am the author of https://github.com/phaetto/windows-credentials-provider, a credential provider written in C# for simple login operations. I thought that I would give my 2 cents. Firstly, what @gitnewcomer wrote is correct. There is a special implementation of credential provider that would allow the specific scenario. I have no experience however with that specific workflow. I am working on the background in a spinoff of that project that allows auto login operations using a credential provider in unattended VMs for automation purposes. It includes a complete and tested implementation (doing that with a company on the background) and I will open source it in the next months. I am only saying this because I can provide you with a fork of that functionality and help developing a credential provider that can orchestrate that case. I am however inexperienced with the intricate details of such a VPN setup and I would probably need help for verifying and testing. I can only do it in C# though, so let me know what you guys think. |
I have made a proof of concept with the CheckPoint Endpoint Security Client so I could test if we could use an OpenVPN connection before Domain Logon... My steps on Windows 11 Pro:
This is a proof of concept and not really usable for production!Problems found:
So this is something that is doable... but I do not have the knowledge to do it... Hope someone can make this happend so many admins out there would jump for joy! :P |
@ManZosh Check whether the default value of the registry key HKEY_CLASSES_ROOT\CLSID\4fbb8b67-cf02-4982-a7a8-3dd06a2c2ebd}\inprocserver32 |
I am working on a "Start Before Logon" setup where an OpenVPN client should be started before Windows login, but only if a Smart card is inserted. Currently the problem is, that the Smart card needs a PIN, which can't be entered before Windows login. I wrote a feature request for an option to save the PIN. See https://community.openvpn.net/openvpn/ticket/1485 An alternative solution would be to extend the Windows service for OpenVPN so that the service uses the OpenVPN management interface to enter the PIN from a configuration file. The current version of the OpenVPN Windows service probably can not do this. |
Starting verion 11.30 PLAP module is available and interatcive connection of OpenVPN tunnel with password/PIN/challenge response input from login screen is now possible. See #518 |
Could you please give a HOWTO for testing? I have OpenVPN 2.5.8 community edition installed. And I have the compiled the Git master version of OpenVPN-GUI. The openvpn/out/build/x64-release-ossl3/ directory now contains these *.exe and *.dll files:
but no openvpnserv2.exe and no installer. How I test the OpenVPN-GUI PLAP functions? |
It may be easier to test this using a snapshot installer for 2.6 -- see here Otherwise, re-install 2.5.8 by selecting to install automatic service. It's not selected by default. Set to start the service automaticlaly and then start it. Copy Then follow instructions in README -- first get persistent connections working from the GUI and then from PLAP. |
@selvanair Hi Selva! I just had a brief question for you, picking back up on all this... I installed on a new Win10Pro laptop a fresh OpenVPN client using the openvpn-master-20221216T0629-97929d16-amd64.msi you linked. I confirmed the OpenVPN service is running, alongside the interactive service (if that's even necessary for this). My profile is the same as my above comment as well, with the management lines added. The PLAP VPN button appears on the Windows Logon screen! But for some reason the client gets hung up on waiting for the management network to come up, shown below: I don't recall having this hung management interface previously when I compiled a client from source. Is the management interface literally the TAP-Windows Adapter V9? Trying a variety of trial & error troubleshooting steps, but if the management lines in the config file change at all, the PLAP icon is no longer visible on the Logon screen. |
You can test connection to management i/f by logging in and running OpenVPN-GUI. It should show profiles in config-auto grouped under Persistent Connections and will allow you to connect it. If the GUI also fails to connect to the management interface, either the Its also possible that there is a start up error when the service is bringing up openvpn process. Check the log file -- you can open it from the GUI menu or look for it in BTW, now that 2.6_beta is out testing using the latest beta release (26_beta2) may be better. |
@selvanair I've been testing the PLAP without management interface password and all worked fine.
The passwd.txt file has one line with the management interface password. I've copied the file to the same path as the ovpn (C:\Program Files\OpenVPN\config-auto), but after this, I can see the PLAP on Windows Logon screen and when I choose the ovpn profile it doesn't ask any username/password (or any OpenVPN window) and immediately shows that the connection failed. |
Alrighty, please ignore my previous comment! Something was funky with that particular laptop's network stack that was preventing the management interface from being built. I tested this on a new laptop and everything works beautifully!! Here are the steps I followed...
The connection is immediately visible from the OpenVPN server. With this, we can now achieve a Windows SysAdmin's dream of having a laptop asset residing on a foreign untrusted network be available to our Domain Controller and Remote Assistance software agent before the user is even signed into their Windows user profile! Only 3 small bugs I've noticed through successively testing this...
So this is just incredible and I'm stupidly excited to soon use this in a production capacity in our environment. Please let me know if I can be of any assistance!! Can take GIFs of any of the bugs I mentioned as well if necessary. |
Thanks for the feedback
This I cannot reproduce and should not happen. Unless the dll crashes which would be a bug. But I have not seen it.
I think this is a limitation of PLAP. It does not show the connected icon without going through a connect cycle and does not remember that state from session to session. Within a session (even after the 2 min timeout) it should remember it, I believe. I do not think we can do anything about it. If you have seen any other PLAP offerings (such as anyconnect) behave differently, I can take a look again. One thing we could possibly do is to show a connected checkmark on the tile but its not easy to implement, so unlikely to happen any time soon.
Looks similar/related to your first point. Again, this should not happen and I cannot reproduce. May be you can open a separate issue with details of OS and OpenVPN version etc. |
@gitnewcomer Have you seen this mis-behaviour on login-screen time-out or after clicking PLAP disconnect button reported by @ManZosh above? Sounds like a bug in the dll, but I cannot reproduce it. |
Hey @selvanair, it's worth mentioning the only difference there could be between your test system and mine is that the laptop I've been using is indeed joined to our production Windows Domain and therefore has many policies applied. Now I'd never think any of our policies could be affecting this, but if in your experience the PLAP icon indeed persists through Logon timeouts, then it could just be something deep in the bowels of our particular Group Policy that might be affecting these PLAP phenomena I'm seeing. I have other laptops in inventory I can put a totally fresh install of Win10Pro onto, this time I won't join it to my domain at all. I'll just run through the brief setup steps and try again and see if those bugs persist. If not, then it must be something we're flicking on or off in GP on domain-joined PCs. Lemme get to that after the holiday and I'll be sure to report back here! |
Hi @selvanair, first of all, I wish you and all here a Happy New Year! :) |
Hello Git-OpenVPN-Developer, Can anyone help me? |
This should work:
You might want to remove |
Hi @selvanair and @ManZosh, I had some time to test the PLAP again on my test lab (computer is running Windows 11 Pro with domain joined, so Windows 10 Pro could behave differently).
I can not reproduce this. If I start a OpenVPN sign-in process (where it asks me username and password from OpenVPN) and wait some time, I will get to the Windows lock screen. If I try to sign-in again to OpenVPN, the PLAP shows again like expected.
On Windows 11 I don't see any "X" on the PLAP icon after successfully connect to OpenVPN. If I click on the PLAP icon again, I only can try to sign-in again an I'm presented with a message that I'm already connected. I do have a new icon near Network Sign-In that allows me to disconnect the active OpenVPN connection if still connected. Maybe this was improved on Windows 11.
As I do not see the "X" on PLAP icon on Windows 11, I can't reproduce this behavior. But if I use the new icon to disconnect the active OpenVPN connection I'm able to connect again. As said above, this can be an improvement of Windows 11. If I have some time (having some projects running right now at work), I will setup a new computer with Windows 10 Pro on my test lab to test this steps again... |
I've tested it on Windows 10 (22H2) with this build: openvpn-master-20230309T0821-83847414-amd64.msi and as ManZosh described. It's works pretty good. I was able to connect. There's one thing what would be a bit problematic is that the profile needs to be in the program files folder instead of the users folder. So if that's gonna be the case in the release version, this would still not be a viable option for me as users need to be able to update the certificates themselves. |
The feature is already released in 2.6.0 and 2.6.1. As SBL/PLAP access is before user logs in, we have no idea of who the "user" is and what privileges they have to pickup configs from user's folder. This feature is mainly useful for computers in an AD domain, and the best option is to make use of facilities that AD provides: push certificates to the machine store of client computers via group policy, push files and updates instead of asking the user to copy them.
However, if you are using Windows certificate store for certificates and keys ( Managing using AD policies is the best option. |
Ok nice, Thanks :-) Ah yes, it's before user logon, Thanks for the detailed answer! |
This page is freakin' awesome, so thank you (@selvanair) and everyone else for this incredible timeline of progress. If I found this page looking for a solution to accessing OpenVPN prior to logon, I'm sure others will, too, so I thought I'd add my two cents. I'm using the OpenVPN-2.6.1-I001-amd64.msi release (found here) on a Windows 10 Pro machine (not domain-joined YET -> domain logon without cached credentials is the end goal). The install itself is flawless, and I went and followed the steps outlined by @ManZosh:
=================== In my case, the OpenVPNService was already running by default, so I had to restart it in order for OpenVPN to recognize the config file/options properly (note: @selvanair mentioned this was necessary if you copy-pasted the config file into the That being said, @ManZosh, I know I'm super late to the party, but you said there was an issue with the way the network stack was built on the computer that was preventing the management interface from being built--I'm guessing you would have already restarted the OpenVPNService, so that was actually a different problem, I guess. Did you ever go back to that particular computer, do any sort of wipe, and try it again? Just curious in case I ever come across a similar situation in the future. I'm running some more tests now; I'll provide any updates if they end up being worthwhile. I'm seriously impressed by how far this has come, so thanks everyone for the amazing effort. (BTW this is only my third post on GitHub--recent join--so thanks everyone for putting up with my terrible formatting; I will improve :D). |
Saw this from @MaartenJB:
@selvanair's solution here would work:
Another option if you don't want to edit registry keys or change folder permissions is to create symbolic links (using the "mklink" command on Windows) in the Hope that helps somebody! :) |
Be very careful if you do any of these things: configs in config-auto or linked to there are started as SYSTEM. If there are scripts, those will also run as SYSTEM allowing users to essentially run anything as SYSTEM. |
Can someone explain quickly how I can test PLAP? I do not see any icon for it on the logon screen. I'm using OpenVPN client 2.6.6, and confirmed that PLAP/gui.onlogon is installed (all components are installed) |
See this section and the one following it in README |
Hello, could someone please help me so I can launch the automatic OpenVPN connection from the hidden icon, I would appreciate it. |
Instead asking an unrelated question in a closed issue, open a new issue explaining what you are trying to achieve. I do not see the need for what you are doing as the GUI can be started automatically on login and connections will autostart if you do not actively disconnect on logout. |
Hi,
apparently OpenVPN seems to be able to establish a VPN connection before a user logs on to Windows. Apparently this is being done by having OpenVPN running as a service:
https://openvpn.net/index.php/open-source/documentation/howto.html#startup
Establishing a VPN connection before logging on to Windows is especially useful when needing to log on to a domain joined machine (i.e. having to authenticate on a domain controller).
Is OpenVPN also able to offer a prompt for the VPN credentials before logging on to Windows?
Cisco AnyConnect does have that feature, it's called "Start Before Logon" or in short "SBL", see for example:
https://youtu.be/dkwC5lXu-HQ
Windows itself also does offer a similar feature:
https://blog.lan-tech.ca/2012/04/29/connect-to-windows-vpn-at-logon/
https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/
So, Windows does seem to have a "native" button for this on the log on screen (which is also being utilized by Cisco AnyConnect).
So, would it also be possible to have OpenVPN prompt for the VPN credentials when clicking on that button, so that a user can enter his VPN credentials (username + password) and connect via VPN before logging on to Windows?
Regards
The text was updated successfully, but these errors were encountered: