OpenVPN with Yubikey and LDAP Authentication



  • Hi,

    I'm looking for a way to secure my OpenVPN with 2FA: LDAP authentication (username/password) and a Yubikey (certificate).
    Now I don't know how to connect those. Is it even possible? Do I need a RADIUS server?

    It would be cool if someone could point me to the right direction so I can set this up.

    Thanks,


  • Global Moderator

    It's possible and RADIUS is not needed.

    Your OpenVPN server should work in Remote Access (SSL / TLS + User Auth) mode,
    with an LDAP server for user authentication,
    and, you need to sign the Yubikey certificate with the same CA that is used in the OpenVPN server configuration.

    In fact, this is the same as standard remote access (SSL / TLS + User Auth), with one difference: the client certificates are stored on the Yubikey.

    https://docs.netgate.com/pfsense/en/latest/book/openvpn/index.html



  • Hi Viktor,

    Thank you for your help. I tried to configure it as you said, but it's not working correctly. On pfSense I configured the CA, the OpenVPN server (certificate generated by the CA + TLS key disabled for testing) and the LDAP authentication server.
    For the Yubikey I generated a CSR, had it signed by the CA and imported it into slot 9a.
    For the OpenVPN client, I exported the configuration from pfSense, installed the OpenVPN client (not the GUI) with the OpenSC tools and got the serialized ID of the imported cert:

    sudo openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
    

    Then I modified the OpenVPN configuration file to use the cert on the Yubikey:

    delete row 'cert'
    add row ca *PATH TO CA Cert*
    add row *pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so*
    add row *pkcs11-id 'INSERT SERIALIZED ID FROM --show-pkcs11-ids'*
    

    But when I start the connection, it doesn't work and stays stuck after "add PKCS11 provider .../pkcs11.so". It asks for the username & password, but NO PIN PROMPT is shown to unlock access to the Yubikey (I think that's the issue). The LED on the Yubikey flashes for a few seconds and turns off.

    Does anyone have a solution or an idea, please?

    Thanks for reading,


  • Global Moderator

    @squeezy

    There are some issues with Linux and the OpenVPN PKCS#11 PIN prompt outside the GUI:
    https://community.openvpn.net/openvpn/ticket/1215

    Have you tried it from other OS?



  • @viktor_g

    Yes, I tried with Windows; now the PIN prompt works, but I got this message:

    NEED-OK|token-insertion-request|Please insert testauth token:
    Fri Jan 31 11:36:44 2020 PKCS#11: Cannot get certificate object
    Fri Jan 31 11:36:44 2020 PKCS#11: Cannot get certificate object
    Fri Jan 31 11:36:44 2020 PKCS#11: Unable get evp object
    Fri Jan 31 11:36:44 2020 Cannot load certificate "piv_II/PKCS\x2315\x20emulated/06dfb765c7bafc01/testauth/01" using PKCS#11 interface
    Fri Jan 31 11:36:44 2020 Error: private key password verification failed
    Fri Jan 31 11:36:44 2020 Exiting due to fatal error
    

    I don't understand why; I entered the default PIN... In addition, the CSR was generated on the Yubikey and signed by the CA, so I'm confused by this error message.
    Of course I modified the configuration file as described here: https://community.openvpn.net/openvpn/ticket/1075

    Anyway thanks for your help :)

    EDIT:

    I resolved the problem on Windows. Now I have a PIN PROMPT :)
    But when I fill it in with the PIN I get this error message:

    Fri Jan 31 14:16:43 2020 us=529015 PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
    Fri Jan 31 14:16:43 2020 us=529015 OpenSSL: error:14166006:SSL routines:tls_construct_client_verify:EVP lib
    Fri Jan 31 14:16:43 2020 us=529015 TLS_ERROR: BIO read tls_read_plaintext error
    Fri Jan 31 14:16:43 2020 us=544623 TLS Error: TLS object -> incoming plaintext read error
    Fri Jan 31 14:16:43 2020 us=544623 TLS Error: TLS handshake failed
    Fri Jan 31 14:16:43 2020 us=544623 TCP/UDP: Closing socket
    

    EDIT: log with verb 9:

    2020-02-04 14:03:47: PKCS#11: Performing signature
    2020-02-04 14:03:47: PKCS#11: Getting key attributes
    2020-02-04 14:03:47: PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
    2020-02-04 14:03:47: PKCS#11: Calling pin_prompt hook for 'token_name'
    2020-02-04 14:04:01: PKCS#11: pin_prompt hook return rv=0
    2020-02-04 14:04:01: PKCS#11: Key attributes loaded (0000000f)
    2020-02-04 14:04:01: PKCS#11: Private key operation failed rv=32-'CKR_DATA_INVALID'
    2020-02-04 14:04:01: PKCS#11: Calling pin_prompt hook for 'token_name'
    2020-02-04 14:04:13: PKCS#11: pin_prompt hook return rv=0
    2020-02-04 14:04:13: PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
    2020-02-04 14:04:13: OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
    2020-02-04 14:04:13: TLS_ERROR: BIO read tls_read_plaintext error
    2020-02-04 14:04:13: TLS Error: TLS object -> incoming plaintext read error
    2020-02-04 14:04:13: TLS Error: TLS handshake failed
    2020-02-04 14:04:13: TCP/UDP: Closing socket
    
    

  • Global Moderator

    TLS_ERROR: BIO read tls_read_plaintext error
    2020-02-04 14:04:13: TLS Error: TLS object -> incoming plaintext read error
    2020-02-04 14:04:13: TLS Error: TLS handshake failed

    Does it work with certificates that are not on the Yubikey?

    This means a certificate/CA error or mismatch in most cases.

    What are the Yubikey cert parameters? Is it an RSA or ECDSA key?
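A local check for the two questions above (does the certificate on the token chain to the CA, and is the key RSA or ECDSA), as an added example that is not part of this thread. It assumes the client config's "ca" line points at the same CA that signed the Yubikey certificate, as the earlier reply describes, and that openssl and OpenSC's pkcs11-tool are installed; the pkcs11-tool export commands in the comments are an assumption about how to get the certificate off the token.

```shell
#!/bin/sh
# Added example, not from the thread: before blaming the PKCS#11 layer, check that
# the certificate OpenVPN will pull from the Yubikey chains to the CA named by the
# "ca" line of the client config, and report the key type (RSA vs ECDSA).
#
# Assumed way to export the token certificate with OpenSC's pkcs11-tool (slot 9a is
# object id 01 in OpenSC's PIV emulation, matching the ".../testauth/01" suffix of
# the pkcs11-id seen in the thread), then convert DER to PEM:
#   pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so \
#       --read-object --type cert --id 01 -o token-cert.der
#   openssl x509 -inform DER -in token-cert.der -out token-cert.pem

# Print the path given on the "ca" line of an OpenVPN client config (empty if none).
config_ca_path() {
    sed -n 's/^[[:space:]]*ca[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" | head -n1
}

# Print the public key algorithm of a PEM certificate:
# "rsaEncryption" for RSA, "id-ecPublicKey" for ECDSA.
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public Key Algorithm: //p' | head -n1
}

# check_token_cert CERT_PEM CLIENT_CONFIG
# Returns 0 when CERT_PEM was signed by the CA the config points at, 1 otherwise.
check_token_cert() {
    cert="$1"
    ca="$(config_ca_path "$2")"
    if [ -z "$ca" ] || [ ! -r "$ca" ]; then
        echo "config $2 has no readable 'ca' line" >&2
        return 1
    fi
    echo "key algorithm: $(cert_key_algorithm "$cert")"
    # openssl verify exits non-zero when the cert does not chain to the CA
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "OK: $cert chains to $ca"
        return 0
    fi
    echo "MISMATCH: $cert is not signed by $ca; the server's CA check will reject it" >&2
    return 1
}
```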



  • Hi,

    Yes, it works when the certificate is not on the Yubikey.
    The Yubikey key parameters are RSA.

    Thanks again for your help,



  • Hi,
    I figured it out. Thank you for your help.
    Could an administrator mark this as resolved, please?
    Kind regards

