SSL VPN authentication with Google

Zyxel_Kevin (Zyxel Employee)
edited January 15 in VPN

OpenID Connect (OIDC) is a modern authentication protocol built on OAuth 2.0. We now support OIDC integration with Google for SSL VPN authentication. This lets an organization use its existing identity provider for a seamless login experience while centralizing account management and reducing the risks associated with traditional passwords.


Before You Begin 

Before configuring the firewall, you must complete the required setup on your identity provider. 

Authentication Proxy 

Navigate to User & Authentication > User Authentication > Advance 

To prevent certificate warnings when the VPN client dials up, the certificate selected for the Authentication Proxy should either be signed by a commercial CA, or your internal CA's certificate must be distributed to all client devices. The Common Name (CN) or Subject Alternative Name (SAN) of the certificate should be an FQDN that resolves to the WAN IP of your firewall.
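The two requirements above (name match and DNS resolution to the WAN IP) are exactly what a client checks before trusting the proxy, so they are worth validating before the first dial-up. The following is an added example, not Zyxel's code: it applies the browser-style hostname matching rules to the certificate's SAN entries (CN only as a fallback) and compares the resolved addresses with the WAN IP. DNS resolution is replaced by a caller-supplied address list so the script runs offline; the names and addresses are constructed documentation values.

```python
"""Pre-flight check for the Authentication Proxy certificate.

Added example, not Zyxel's code. Given the DNS names in a certificate's
subjectAltName, its Common Name, the FQDN the VPN clients will dial, and the
addresses that FQDN resolves to, it reports why a client would show a
certificate warning. DNS resolution is replaced by a caller-supplied list of
addresses so the check runs offline; in practice that list would come from a
real lookup.
"""
import ipaddress
from typing import List, Optional


def _name_matches(pattern: str, hostname: str) -> bool:
    """Browser-style matching of one certificate DNS name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    # A wildcard replaces exactly one leftmost label: *.example.com covers
    # vpn.example.com but neither example.com nor a.vpn.example.com.
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_fqdn(san_dns: List[str], common_name: Optional[str], fqdn: str) -> bool:
    """True if the certificate would be accepted for this name without a warning."""
    try:
        ipaddress.ip_address(fqdn)
        return False  # a bare IP never matches a DNS name; the guide requires an FQDN
    except ValueError:
        pass
    if san_dns:
        # When SAN entries exist, clients ignore the CN entirely.
        return any(_name_matches(p, fqdn) for p in san_dns)
    return bool(common_name) and _name_matches(common_name, fqdn)


def check_proxy_certificate(san_dns: List[str], common_name: Optional[str], fqdn: str,
                            resolved_ips: List[str], wan_ip: str) -> List[str]:
    """Return a list of problems; an empty list means the dial-up should be warning-free."""
    problems = []
    if not cert_covers_fqdn(san_dns, common_name, fqdn):
        problems.append(f"certificate names {san_dns or [common_name]} do not cover {fqdn}")
    if wan_ip not in resolved_ips:
        problems.append(f"{fqdn} resolves to {resolved_ips}, not the firewall WAN IP {wan_ip}")
    return problems


if __name__ == "__main__":
    # Constructed sample values (documentation addresses, not a real deployment).
    for p in check_proxy_certificate(["*.example.com"], None, "vpn.example.com",
                                     ["203.0.113.10"], "203.0.113.10"):
        print("problem:", p)
    for p in check_proxy_certificate(["firewall.example.com"], None, "vpn.example.com",
                                     ["198.51.100.7"], "203.0.113.10"):
        print("problem:", p)
```

The first call reports nothing; the second reports both a name mismatch and a DNS mismatch, which is the situation that produces the warning the guide wants to avoid.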

Register an application under APIs & Services in Google Cloud

1. Go to Google Cloud Console > APIs & Services > OAuth consent screen

2. Follow the setup wizard to enter your application details and create a project name.

3. Set the Audience to Internal so that sign-in is restricted to accounts in your own Google Workspace organization and the environment stays isolated.

4. Enter the contact information and click Create.
5. Continue with the setup wizard to create your OAuth client.

6. Select "Web application" as the Application type and assign a recognizable name to your client.

Create OIDC AAA Server

1. Log in to the USG FLEX H and navigate to User & Authentication > User Authentication > AAA Server. Add an OIDC Server.

Open your OAuth client in the Google Cloud Console; you need its "Client ID" and "Client secret" for the firewall setup.


2. Fill in the server details:

Issuer URL: https://accounts.google.com

Client ID: {Client ID}

Client Secret: {Client Secret}

Redirect Address: {FQDN}

3. Copy the "Redirect URI" shown on the firewall back to the OAuth 2.0 Client ID in Google and paste it into Authorized redirect URIs.

4. Go back to the OIDC Server page on the USG FLEX H and open Configuration Validation.

5. Click Test on the firewall.

6. You should see "OIDC Authentication Successful."
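Steps 2 and 3 above depend on three values agreeing with each other: the Issuer URL must be identical to the "issuer" in Google's discovery document, and the Redirect URI copied from the firewall must be registered at Google exactly (Google compares the whole URI, so a trailing slash or http instead of https fails). The following added example, which is not Zyxel's or Google's code, checks those two rules and builds the authorization request a browser would be sent to. The discovery document is a constructed, shortened copy of Google's published one, embedded so the script runs offline; the callback path "/oidc/callback" and the FQDN are hypothetical placeholders for whatever your firewall displays.

```python
"""Pre-flight checks for the OIDC AAA Server settings.

Added example, not Zyxel's or Google's code. It checks the values the
firewall form needs against each other: the Issuer URL must match the
"issuer" in the provider's discovery document byte-for-byte, the Redirect URI
the firewall shows must be registered at Google exactly, and the authorization
request built from them must carry a fresh state and nonce. The discovery
document is a constructed, shortened copy embedded here so the script runs
offline; the callback path "/oidc/callback" is a hypothetical placeholder for
whatever the firewall displays in its Redirect URI field.
"""
import json
import secrets
from typing import Dict, List, Tuple
from urllib.parse import urlencode, urlsplit

ISSUER_URL = "https://accounts.google.com"

# Constructed sample of https://accounts.google.com/.well-known/openid-configuration,
# reduced to the fields used below.
DISCOVERY_JSON = """{
  "issuer": "https://accounts.google.com",
  "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
  "token_endpoint": "https://oauth2.googleapis.com/token",
  "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
  "response_types_supported": ["code", "token", "id_token"]
}"""


def load_discovery(text: str, issuer_url: str) -> Dict:
    """Parse a discovery document and enforce the OIDC issuer-match rule."""
    doc = json.loads(text)
    if doc.get("issuer") != issuer_url:
        raise ValueError(f"issuer mismatch: form says {issuer_url!r}, provider says {doc.get('issuer')!r}")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not support the authorization code flow")
    return doc


def redirect_uri_problems(firewall_redirect_uri: str, authorized: List[str]) -> List[str]:
    """Explain why the Redirect URI copied from the firewall would be rejected by Google."""
    if firewall_redirect_uri in authorized:
        return []
    problems = ["redirect URI is not registered; Google compares the whole URI exactly"]
    fw = urlsplit(firewall_redirect_uri)
    if fw.scheme != "https":
        problems.append("redirect URI must use https")
    for reg in authorized:
        r = urlsplit(reg)
        if r.hostname != fw.hostname:
            continue
        if r.scheme != fw.scheme and r.path == fw.path:
            problems.append(f"near miss: {reg} differs only in scheme")
        elif r.scheme == fw.scheme and r.path.rstrip("/") == fw.path.rstrip("/"):
            problems.append(f"near miss: {reg} differs only by a trailing slash")
    return problems


def build_authorization_request(discovery: Dict, client_id: str,
                                redirect_uri: str) -> Tuple[str, str, str]:
    """Return the URL the browser is sent to, plus the state and nonce to verify on return."""
    state = secrets.token_urlsafe(24)   # ties the callback to this login attempt
    nonce = secrets.token_urlsafe(24)   # must reappear inside the ID token
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params), state, nonce


if __name__ == "__main__":
    disc = load_discovery(DISCOVERY_JSON, ISSUER_URL)
    fqdn = "vpn.example.com"                        # constructed Authentication Proxy FQDN
    redirect_uri = f"https://{fqdn}/oidc/callback"  # hypothetical callback path
    # A registered URI with a trailing slash is a typical copy-and-paste mistake.
    print(redirect_uri_problems(redirect_uri, ["https://vpn.example.com/oidc/callback/"]))
    url, state, nonce = build_authorization_request(disc, "CLIENT_ID_PLACEHOLDER", redirect_uri)
    print(url)
```

If the Configuration Validation test in step 5 fails, the two checks here cover the most common causes: an Issuer URL that does not match the provider exactly, and a redirect URI that was edited or truncated when it was pasted into Google.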

SSL VPN setting on USG FLEX H Series

1. Configure SSL VPN, set the OIDC server as the Primary Server, and set Allowed User to oidc-users.

Please note that you cannot choose another authentication server when OIDC is in use.

Verification 

1. Connect to the VPN with the OpenVPN Connect client.

2. A browser window opens automatically on the Google login page.

3. Authenticate with your Google account.

4. Check the session status at VPN Status > SSL VPN > Remote Access VPN.