Connecting a Linux box to AWS-VPN using OKTA Authentication/Authorization

0

First of all, I am a rookie regarding VPN/security issues, so please forgive whatever errors I make while describing my problem; I hope I'm able to make it clear.

Our contractors changed the AVIATRIX-OKTA VPN for AWS-VPN with OKTA authentication. They sent us an .ovpn file that works fine on Windows/Mac using the AWS VPN Client application, but a couple of us using Linux boxes (Ubuntu specifically) run the method described by AWS, which is:

openvpn config-file.ovpn

but it fails to authenticate.

It simply asks for user/password and then it fails with an auth error (we use our OKTA credentials); it seems nothing is configured to go to OKTA, open a browser, or whatever it needs to do.

As an aside note, we can connect without any trouble to our AWS k8s cluster using OKTA client libraries; not sure if this is useful or not, just in case.

The .ovpn file looks like this:

client
dev tun
proto tcp
remote random.cvpn-endpoint-xxxxxx.yyy.clientvpn.us-west-2.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 5
<ca>
....
....
....
</ca>

auth-user-pass
auth-federate
auth-retry interact
auth-nocache
reneg-sec 0

An interesting thing to notice is that openvpn complains about auth-federate; it seems not to recognize it. So I started using the GNOME network-manager, which seems to accept this configuration, but I am getting an auth error there too.

After this I tried openvpn3, which didn't complain about the configuration, but I am still getting the same error.

Any help on how to configure it, or just knowing whether it is possible, will be greatly welcome. There seems to be very little information about this on the net and we are really stuck on it; we are not willing to change OS or machines as they are asking us to, or to use a VM just to connect.

Thanks in advance,

tjc
Asked 4 years ago, 588 views
3 answers
0

Finally I got an answer from the AWS people:

If the Client VPN endpoint is configured using SAML-based authentication (such as Okta), then you have to use the AWS-provided client to connect:

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#saml-requirements

And they promised to update the client documentation with a WARNING about this.

tjc
Answered 4 years ago
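A practical pre-flight check for the situation above, as an added example that is not from the thread or from AWS: it inspects an .ovpn profile for the AWS-specific `auth-federate` directive (which stock `openvpn` rejects) and reports whether the profile needs the AWS-provided client. The helper names and the embedded sample profile are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread or from AWS.
# Writes a constructed sample profile modelled on the one in the question.
make_sample_profile() {
  cat > "$1" <<'EOF'
client
dev tun
proto tcp
remote random.cvpn-endpoint-xxxxxx.yyy.clientvpn.us-west-2.amazonaws.com 443
remote-cert-tls server
auth-user-pass
auth-federate
EOF
}

# Prints "saml" when the profile carries auth-federate (SAML federation, which
# only the AWS-provided client can complete), "password" for plain
# auth-user-pass, and "certificate" when neither directive is present.
classify_ovpn_profile() {
  profile="$1"
  [ -r "$profile" ] || { echo "cannot read $profile" >&2; return 2; }
  # Drop leading whitespace and comment lines before matching directives.
  directives=$(sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' "$profile")
  if printf '%s\n' "$directives" | grep -qx 'auth-federate'; then
    echo saml
  elif printf '%s\n' "$directives" | grep -Eq '^auth-user-pass([[:space:]]|$)'; then
    echo password
  else
    echo certificate
  fi
}

# Succeeds when the remote line points at an AWS Client VPN endpoint
# (clientvpn.<region>.amazonaws.com on port 443), which is the pattern the
# question's profile uses; fails for any other remote.
check_remote_is_aws_clientvpn() {
  grep -Eq '^[[:space:]]*remote[[:space:]]+[^[:space:]]+\.clientvpn\.[a-z0-9-]+\.amazonaws\.com[[:space:]]+443' "$1"
}
```

Run `classify_ovpn_profile config-file.ovpn` before trying `openvpn`; a result of `saml` means the stock client will fail at authentication exactly as described in the question.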
0

I hope for a Linux client...
The general theme of getting Linux client stuff from AWS is getting better; they provided the NoSQL Workbench in Linux form recently.

Answered 4 years ago
0

Definitely; not sure why there is not one. Okta is kind of Linux friendly, and OpenVPN needs no explanation, so why there is not one is probably the question.

Just to mention, as I stated previously, we used Aviatrix before, which provided a token that we could use as the password when asked, with a standard OVPN configuration and without any trouble; why not a similarly simple solution?

Thanks Steven for triggering this response :-)

Edited by: tjc on Jun 26, 2020 6:32 AM

tjc
Answered 4 years ago
