Issues when enabling Google SSO on server

Hi,

I am getting issues when I decide to enable Google auth on the server. I try to connect in the client and then I can see some issues in the client logs and in the server:

Client Logs:

```
[2023-11-14 19:50:36][WARN] ▶ profile: Request ovpn connection error
profile: Request put error
Post "https://pritunl-vpn.elmotalent.com.au/key/ovpn/653192f416f4d00d7653b1a2/654abba0acdd479d0d57ad48/655297bb8e4724a1c0bf5be1": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).reqOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:2357 +0x102748314
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).openOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1988 +0x10274650b
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).startOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1375 +0x10274302b
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1358 +0x102742e5b
github.com/pritunl/pritunl-client-electron/service/handlers.profilePost.func1
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/handlers/profile.go:108 +0x102762dc3
runtime.goexit
	/opt/homebrew/Cellar/go/1.21.3/libexec/src/runtime/asm_arm64.s:1197 +0x102234593
[2023-11-14 19:50:39][INFO] ▶ profile: Disconnecting ◆ profile_id="168a999570ef68f7"
[2023-11-14 19:50:40][INFO] ▶ utils: Clearing DNS
[2023-11-14 19:50:40][INFO] ▶ profile: Disconnected ◆ profile_id="168a999570ef68f7"
```

Server logs:

```
[2023-11-14 19:50:36][WARN] ▶ profile: Request ovpn connection error
profile: Request put error
Post "https://pritunl-vpn.elmotalent.com.au/key/ovpn/653192f416f4d00d7653b1a2/654abba0acdd479d0d57ad48/655297bb8e4724a1c0bf5be1": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).reqOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:2357 +0x102748314
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).openOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1988 +0x10274650b
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).startOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1375 +0x10274302b
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1358 +0x102742e5b
github.com/pritunl/pritunl-client-electron/service/handlers.profilePost.func1
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/handlers/profile.go:108 +0x102762dc3
runtime.goexit
	/opt/homebrew/Cellar/go/1.21.3/libexec/src/runtime/asm_arm64.s:1197 +0x102234593
[2023-11-14 19:50:39][INFO] ▶ profile: Disconnecting ◆ profile_id="168a999570ef68f7"
[2023-11-14 19:50:40][INFO] ▶ utils: Clearing DNS
[2023-11-14 19:50:40][INFO] ▶ profile: Disconnected ◆ profile_id="168a999570ef68f7"
```

The URL in the POST that the client shows is the host public address and not the address that I have set in the SSO connection URL in the settings, and it also doesn't open up the Pritunl URL for SSO. I have had it working before but it seems to not be working now?

The single sign-on connection authentication is an additional layer of authentication for single sign-on. Single sign-on can be used without the connection authentication; the single sign-on API is used to verify if the user is still active and the profile certificate provides authentication in addition to any secondary methods configured. This option requires the client to access the Pritunl web server to send authentication requests.

Once the option is enabled on a server, the option Connection Single Sign-On Domain will be shown in the top right settings. This should be configured to a domain that can be used to access the Pritunl web server. If a load balancer is configured, the domain for that load balancer should be used. The error in the logs shows the web server is inaccessible at that domain.

Hi Zach,

Thanks for the reply. I understand what you are saying, however what I mean is, the client is trying to send a POST request to https://pritunl-vpn.elmotalent.com.au which is the VPN endpoint and not the webserver. The webserver URL is https://pritunl.elmotalent.com.au and this is what I have configured in here: Connection Single Sign-On Domain. Is there a reason the client is not respecting this URL? I have deleted the user, recreated it and redownloaded the profile.
Thanks

Note,

As soon as I turn off Google auth everything works as expected and connects no problem.

There is likely an issue connecting to the single sign-on domain where the web server is running. The client will iterate through all available domains. The connection single sign-on domain has the highest priority. Only the last error message is shown, so the error from the first domain won't be shown in the logs.

You can download the profile, edit the file and replace the sync addresses and all the remotes with one domain, then import the profile to view the error message.
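
The profile edit described in the last reply, as an added example that is not part of the original thread and not Pritunl's own code: it rewrites every `remote` line and the sync address list to a single domain, so the imported profile reports that domain's error instead of the last one tried. The commented JSON header with a `sync_hosts` key, the `https://` prefix on its entries, the function name and the `example.com` hosts are assumptions; compare them with your own downloaded profile before relying on it.

```python
import re

# Constructed sample profile (not from the thread). The commented JSON header
# and its "sync_hosts" key are assumptions about the downloaded profile layout.
SAMPLE_PROFILE = """#{
#\t"version": 1,
#\t"sso_auth": true,
#\t"sync_hosts": ["https://vpn-a.example.com", "https://vpn-b.example.com"],
#\t"sync_token": "CONSTRUCTED"
#}
client
dev tun
remote vpn-a.example.com 1194 udp
remote vpn-b.example.com 1194 udp
remote-cert-tls server
"""

# Single-line sync address list inside the commented header (assumed layout).
SYNC_RE = re.compile(r'^(#\s*"sync_hosts":\s*)\[[^\]]*\](,?)\s*$')
# OpenVPN "remote <host> [port] [proto]"; does not match "remote-cert-tls".
REMOTE_RE = re.compile(r'^(\s*remote\s+)(\S+)(\s.*)?$')


def pin_profile(text, domain):
    """Return (new_text, changes) with all sync addresses and remotes set to domain."""
    out, changes, seen_remotes = [], [], set()
    for line in text.splitlines():
        m = SYNC_RE.match(line)
        if m:
            line = f'{m.group(1)}["https://{domain}"]{m.group(2)}'
            changes.append("sync_hosts")
        else:
            m = REMOTE_RE.match(line)
            if m:
                # Keep port and protocol, swap only the host.
                line = f"{m.group(1)}{domain}{m.group(3) or ''}"
                if line in seen_remotes:
                    continue  # identical after rewriting, keep one copy
                seen_remotes.add(line)
                changes.append("remote")
        out.append(line)
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    new_text, changes = pin_profile(SAMPLE_PROFILE, "web.example.com")
    print(new_text)
    print("rewritten:", changes)
```

An empty `changes` list means neither pattern matched and the profile layout differs from the assumed one.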