OpenVPN Auth OAuth2 Plugin Authentication Bypass Vulnerability in Experimental Mode
Vulnerability
An authentication bypass vulnerability has been identified in the OpenVPN Auth OAuth2 plugin, affecting versions from 1.26.3 up to but not including 1.27.3, when deployed in experimental plugin mode. In this mode, the plugin incorrectly admits clients that do not support WebAuth/SSO, such as the OpenVPN CLI on Linux, even though it has decided to deny them. This happens because the plugin returns a success status to OpenVPN, overriding its own denial. The vulnerability is not present in the default management-interface mode, which handles authentication correctly.
Impact
Exploitation of this vulnerability allows unauthenticated clients to connect to the VPN and gain full network access, bypassing OIDC authentication requirements. This misconfiguration can lead to unauthorized access to internal networks via the VPN.
Reproduction
To reproduce this vulnerability, deploy the OpenVPN Auth OAuth2 plugin in experimental mode. Connect using an OpenVPN client that does not support WebAuth/SSO, such as the Linux OpenVPN CLI. The client will be granted access despite authentication denials, due to the plugin incorrectly returning a success status to OpenVPN.
Remediation
Users should upgrade to OpenVPN Auth OAuth2 version 1.27.3, which addresses the vulnerability by ensuring that authentication denials are properly communicated to OpenVPN. Additionally, switching to the default management-interface mode, which is not affected by this vulnerability, is recommended.
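To make the failure mode and the fix concrete, the following is an added Go model of the plugin's verify return path; it is not the plugin's own code. It assumes a constructed peer-info map (the IV_SSO value OpenVPN clients advertise) and the three return codes from openvpn-plugin.h; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Return codes from OpenVPN's openvpn-plugin.h.
const (
	PluginFuncSuccess  = 0
	PluginFuncError    = 1
	PluginFuncDeferred = 2
)

// supportsWebAuth reads the IV_SSO peer-info value OpenVPN passes to the
// plugin, e.g. "IV_SSO=openurl,webauth,crtext"; the env map is constructed.
func supportsWebAuth(env map[string]string) bool {
	for _, m := range strings.Split(env["IV_SSO"], ",") {
		if strings.TrimSpace(m) == "webauth" {
			return true
		}
	}
	return false
}

// vulnerableVerify models the flaw: a client that cannot complete the OIDC
// flow is refused internally, yet the refusal is reported to OpenVPN as
// SUCCESS, so the session is admitted without any authentication.
func vulnerableVerify(env map[string]string) int {
	if supportsWebAuth(env) {
		return PluginFuncDeferred // hand off to the browser-based OIDC login
	}
	return PluginFuncSuccess // denial path: should be PluginFuncError
}

// fixedVerify reports the denial as ERROR, so OpenVPN rejects the session.
func fixedVerify(env map[string]string) int {
	if supportsWebAuth(env) {
		return PluginFuncDeferred
	}
	return PluginFuncError
}

// Constructed peer-info: a plain CLI (no IV_SSO) and a WebAuth-capable GUI.
var cliPeer = map[string]string{"IV_PLAT": "linux"}
var guiPeer = map[string]string{"IV_SSO": "openurl,webauth,crtext"}

func main() {
	fmt.Println("CLI vulnerable:", vulnerableVerify(cliPeer), "fixed:", fixedVerify(cliPeer))
}
```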
