Releases: m-barthelemy/vpn-webauth
Notifications and VPN Session Continuity
This release adds an option for users to allow notifications after registering or signing up.
- Browser notifications to users: instead of the VPN connection simply failing when a user needs to sign in to this app, they receive a clickable notification taking them to the login page.
- Automatic VPN session renewal: using background notifications, if a user connects to the VPN from a new source IP address, or if they don't have a valid VPN session but still have a valid web session in this app, the browser is asked to send a "proof of session". If the session is validated by the app and the browser IP matches the source IP of the VPN connection request, the user is transparently allowed to connect. This improves the user experience significantly and increases security a bit, by allowing VPNSESSIONVALIDITY, which relies only on the VPN user identity and the source IP, to be set to a short duration. This is a best-effort feature: since Strongswan blocks while waiting for the result of the ext-auth plugin calling this app, we give up after 500ms if the browser hasn't replied with a valid "proof of session". Both the user and background notifications require the browser to be running, but don't need this app to be active or even opened.
- MFAVALIDITY and VPNSESSIONVALIDITY now need to be specified as a number plus time unit. Examples: "30m", "1d", "12h30m".
- Improved security: cookies are now restricted to the exact host of the app; early abort if the request body is too large; all requests are now time limited.
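The proof-of-session wait described above, as an added Go example that is not the project's own code. It assumes a ProofOfSession message with Identity, SourceIP and Valid fields and a SessionBroker that pairs a pending VPN check with the browser's reply (both constructed for this example); the best-effort timeout and the source IP match are the behaviour the release note describes, and the IP comparison also treats an IPv4-mapped IPv6 address as the same client.

```go
package main

import (
	"fmt"
	"net"
	"sync"
	"time"
)

// ProofOfSession is the reply the browser sends back after a background
// notification. The field names are assumed for this example; they are not
// the project's own type.
type ProofOfSession struct {
	Identity string // VPN user identity the web session belongs to
	SourceIP string // client IP of the browser's reply, as seen by the app
	Valid    bool   // whether the app validated the browser's web session
}

// SessionBroker matches a pending VPN connection check with the proof of
// session delivered for the same VPN identity.
type SessionBroker struct {
	mu      sync.Mutex
	waiters map[string]chan ProofOfSession
}

func NewSessionBroker() *SessionBroker {
	return &SessionBroker{waiters: make(map[string]chan ProofOfSession)}
}

// await registers a pending check for identity and returns the channel the
// proof will arrive on. The channel is buffered so Deliver never blocks.
func (b *SessionBroker) await(identity string) chan ProofOfSession {
	b.mu.Lock()
	defer b.mu.Unlock()
	ch := make(chan ProofOfSession, 1)
	b.waiters[identity] = ch
	return ch
}

// cancel forgets the pending check; a proof arriving later is simply dropped.
func (b *SessionBroker) cancel(identity string) {
	b.mu.Lock()
	defer b.mu.Unlock()
	delete(b.waiters, identity)
}

// Deliver hands a proof to the pending check for its identity. It reports
// false when nobody is waiting (for example, the 500 ms window already closed).
func (b *SessionBroker) Deliver(p ProofOfSession) bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	ch, ok := b.waiters[p.Identity]
	if !ok {
		return false
	}
	select {
	case ch <- p:
		return true
	default:
		return false // a proof for this check is already queued
	}
}

// sameIP compares addresses after parsing, so "::ffff:10.0.0.1" and
// "10.0.0.1" are treated as the same client.
func sameIP(a, b string) bool {
	ipA, ipB := net.ParseIP(a), net.ParseIP(b)
	return ipA != nil && ipB != nil && ipA.Equal(ipB)
}

// CheckConnection is the best-effort decision for one VPN connection request.
// It waits at most timeout for a proof of session for identity and allows the
// connection only if the proof validated and the browser's IP equals the VPN
// request's source IP. On timeout it returns false and the caller falls back
// to the regular sign-in flow.
func CheckConnection(b *SessionBroker, identity, sourceIP string, timeout time.Duration) bool {
	ch := b.await(identity)
	defer b.cancel(identity)
	select {
	case p := <-ch:
		return p.Valid && sameIP(p.SourceIP, sourceIP)
	case <-time.After(timeout):
		return false
	}
}

func main() {
	broker := NewSessionBroker()
	// Constructed scenario: the browser answers 50 ms after the VPN server asks.
	go func() {
		time.Sleep(50 * time.Millisecond)
		broker.Deliver(ProofOfSession{Identity: "alice", SourceIP: "203.0.113.10", Valid: true})
	}()
	fmt.Println("alice allowed:", CheckConnection(broker, "alice", "203.0.113.10", 500*time.Millisecond))
	// No browser reply for bob: the check gives up after the timeout.
	fmt.Println("bob allowed:", CheckConnection(broker, "bob", "203.0.113.11", 500*time.Millisecond))
}
```

The decision is deliberately fail-closed: a missing, late, invalid or differently-sourced proof all return false, and the only effect of that is the user going through the normal login flow.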
Display OTC expiry
- Display one-time code expiry date.
- Avoid 500 errors about favicon in the log.
/vpn/check endpoint protection
- The /vpn/check endpoint can now optionally be protected by a password set using the new VPNCHECKPASSWORD environment variable. In that case, the password also needs to be set in the Strongswan ext-auth configuration.
- All the environment variables have been simplified by removing the VPNWA_ prefix.
- There is a new vpn_connections table keeping an audit log of all the connection attempts received from the VPN server. Entries older than CONNECTIONSRETENTION days are purged during application startup. There is currently no feature in the application to query it.
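An added Go example, not the project's own code, of the hardening measures these notes describe: a password check on /vpn/check (the "Improved security" item of the notifications release and the VPNCHECKPASSWORD item above), an early abort on oversized request bodies, a per-request time limit, and a session cookie with no Domain attribute so it is only sent to the exact host. The JSON body shape, carrying VPNCHECKPASSWORD over HTTP Basic auth, the 4 KiB body limit and the HttpOnly/SameSite cookie attributes are assumptions of this example, not documented behaviour of the app.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"log"
	"net/http"
	"os"
	"time"
)

// maxBodyBytes bounds what the app reads from a client. An ext-auth request
// is a few hundred bytes at most; the value is a constructed example limit.
const maxBodyBytes = 4 << 10

// vpnCheckRequest is an assumed shape for what the Strongswan ext-auth script
// posts; the project's real field names may differ.
type vpnCheckRequest struct {
	Identity string `json:"identity"`
	SourceIP string `json:"source_ip"`
}

// checkHandler serves /vpn/check. allowed stands in for the app's real
// decision (MFA state, VPN session validity, excluded identities) and is injected.
type checkHandler struct {
	password []byte // VPNCHECKPASSWORD; empty leaves the endpoint unprotected
	allowed  func(identity, sourceIP string) bool
}

func (h *checkHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	// Password check first, before reading any body. HTTP Basic is assumed as
	// the transport for the shared secret; the comparison is constant time.
	if len(h.password) > 0 {
		_, pw, ok := r.BasicAuth()
		if !ok || subtle.ConstantTimeCompare([]byte(pw), h.password) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
	}
	// Early abort on oversized bodies: the decoder fails once the limit is hit.
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var req vpnCheckRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if !h.allowed(req.Identity, req.SourceIP) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// SessionCookie builds the app's session cookie without a Domain attribute,
// so browsers send it only to the exact host that set it (host-only cookie).
func SessionCookie(value string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	}
}

// NewHandler wires the endpoint and wraps every request in a time limit, so a
// stalled client cannot hold a handler goroutine open indefinitely.
func NewHandler(password string, allowed func(identity, sourceIP string) bool, limit time.Duration) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/vpn/check", &checkHandler{password: []byte(password), allowed: allowed})
	return http.TimeoutHandler(mux, limit, "request timed out")
}

func main() {
	// Constructed policy: only "alice" is allowed; a real app consults its database.
	allowed := func(identity, sourceIP string) bool { return identity == "alice" }
	srv := &http.Server{
		Addr:              ":8080",
		Handler:           NewHandler(os.Getenv("VPNCHECKPASSWORD"), allowed, 5*time.Second),
		ReadHeaderTimeout: 5 * time.Second, // also cap slow header delivery
	}
	log.Fatal(srv.ListenAndServe())
}
```

The order of checks matters: the password is verified before any body is read, so an unauthenticated caller never exercises the JSON decoder, and the body limit applies before the decision logic runs.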
TouchID and Security keys
- The app now supports WebAuthn authentication using a physical security key, Apple TouchID/FaceID or Windows Hello. TouchID brings the best user experience and security for Apple device users (macOS Big Sur or iOS 14 required). Physical security keys are devices such as FIDO keys and YubiKeys. Users can have multiple additional authentication methods and are prompted to choose upon first use of the app. These new options offer a better user experience since the workflow is less disruptive and faster compared to the OTP token option.
- The new VPNWA_EXCLUDEDIDENTITIES environment variable allows specifying a list of VPN identities that do not require any additional authentication and will always be allowed.
HTTPS Support
This release adds support for running the app in standalone mode (i.e. without any reverse proxy) with TLS.
The new environment variable VPNWA_SSLMODE allows selecting the type of SSL setup. 3 new modes are supported:
- auto: Use fully automated Let's Encrypt certificate generation. Magic!
- custom: Provide a custom certificate and key.
- proxy: Delegate TLS termination and management to a proxy such as Nginx; however, the app will still set the HSTS header and the Secure flag on its cookies.
- none: Disables any active HTTPS support. The app can still be run behind an HTTPS proxy.
Add missing embedded font
Fully self-contained binary
Building this project now generates a fully self-contained binary, including the HTML templates and static assets.
First working release
0.1 CSP for QR code