OpenVPN with Yubikey and LDAP Authentication
I'm looking for a way to secure my OpenVPN with 2FA using LDAP authentication (username/password) and a Yubikey (certificate).
Now I don't know how to connect those. Is it even possible? Do I need a RADIUS server?
It would be cool if someone could point me in the right direction so I can set this up.
It's possible, and RADIUS is not needed.
Your OpenVPN server should work in Remote Access (SSL / TLS + User Auth) mode,
with an LDAP server for user authentication,
and you need to sign the Yubikey certificate with the same CA that is used in the OpenVPN server configuration.
In fact, this is the same as standard remote access (SSL / TLS + User Auth), with one difference: the client certificates are stored on the Yubikey.
Thank you for your help. I tried to configure it as you said, but it doesn't work correctly. On pfSense I configured the CA, the OpenVPN server (certificate generated by the CA + TLS key disabled for testing) and the LDAP authentication server.
For the Yubikey I generated a CSR, had it signed by the CA and imported it into slot 9a.
For the OpenVPN client, I exported the configuration from pfSense, installed the OpenVPN client (not the GUI) with the OpenSC tools and got the serialized ID of the imported cert:
sudo openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
Then I modified the OpenVPN configuration file to use the Yubikey's cert:
delete the 'cert' line
add the line: ca *PATH TO CA Cert*
add the line: pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
add the line: pkcs11-id 'INSERT SERIALIZED ID FROM --show-pkcs11-ids'
But when I run the connection, it doesn't work and stays stuck after "add PKCS11 provider .../pkcs11.so". It asks for the username & password, but NO PIN PROMPT is shown to unlock access to the Yubikey (I think that is the issue). The LED on the Yubikey flashes for a few seconds and turns off.
Does anyone have a solution or an idea, please?
Thanks for reading,
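The client-side rewrite described in the post above (keep ca and the user/password prompt, drop the software cert, add pkcs11-providers and pkcs11-id), as an added shell example that is not from the thread, pfSense or OpenVPN: it extracts the serialized id from --show-pkcs11-ids output, rewrites an exported profile and checks the result. The provider path and the two sample texts are constructed assumptions, not real device output.

```shell
# Added example (not from the thread): rewrite a pfSense-exported OpenVPN client
# profile so the client certificate comes from the Yubikey via PKCS#11.
# The provider path and both sample texts are constructed assumptions.
PROVIDER=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so  # as given to --show-pkcs11-ids
# Constructed sample of `openvpn --show-pkcs11-ids "$PROVIDER"` output.
SAMPLE_IDS='Certificate
       DN:             CN=testauth
       Serialized id:  piv_II/PKCS\x2315\x20emulated/06dfb765c7bafc01/testauth/01'
# Constructed sample of an exported profile with inline <cert>/<key> blocks.
SAMPLE_PROFILE='client
remote vpn.example.test 1194 udp
auth-user-pass
<ca>
CONSTRUCTED-CA-PEM
</ca>
<cert>
CONSTRUCTED-CLIENT-CERT-PEM
</cert>
<key>
CONSTRUCTED-KEY-PEM
</key>'

# Print the first "Serialized id" from --show-pkcs11-ids output on stdin.
# OpenVPN hex-escapes spaces in the id (\x20), so it is always the last field.
extract_serialized_id() {
    awk '/Serialized id:/ { print $NF; exit }'
}

# Rewrite the profile on stdin: drop the software cert/key (inline blocks and
# file directives), keep ca and auth-user-pass, append the PKCS#11 directives.
to_pkcs11_profile() {
    awk '/^<(cert|key)>/ { skip = 1; next }
         /^<\/(cert|key)>/ { skip = 0; next }
         skip { next }
         /^(cert|key|pkcs12) / { next }
         { print }'
    printf 'pkcs11-providers %s\n' "$1"
    printf "pkcs11-id '%s'\n" "$2"
}

# Returns 0 when the file keeps LDAP user auth and the CA, names the provider
# and id, and no longer carries a software certificate or key.
check_profile() {
    grep -q '^auth-user-pass' "$1" && grep -q '^<ca>' "$1" &&
    grep -q '^pkcs11-providers ' "$1" && grep -q "^pkcs11-id '" "$1" &&
    ! grep -Eq '^(<cert>|<key>|cert |key )' "$1"
}

id=$(printf '%s\n' "$SAMPLE_IDS" | extract_serialized_id)
printf '%s\n' "$SAMPLE_PROFILE" | to_pkcs11_profile "$PROVIDER" "$id" > client-yubikey.ovpn && check_profile client-yubikey.ovpn && echo "client-yubikey.ovpn ok: pkcs11-id $id"
```

Run it against the real `openvpn --show-pkcs11-ids` output and your own exported .ovpn instead of the two samples; the pkcs11-id must be single-quoted exactly as printed.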
There are some issues with Linux and the OpenVPN PKCS#11 PIN prompt when not using the GUI:
Have you tried it from another OS?
Yes, I tried with Windows; now the PIN prompt works, but I got this message:
NEED-OK|token-insertion-request|Please insert testauth token:
Fri Jan 31 11:36:44 2020 PKCS#11: Cannot get certificate object
Fri Jan 31 11:36:44 2020 PKCS#11: Cannot get certificate object
Fri Jan 31 11:36:44 2020 PKCS#11: Unable get evp object
Fri Jan 31 11:36:44 2020 Cannot load certificate "piv_II/PKCS\x2315\x20emulated/06dfb765c7bafc01/testauth/01" using PKCS#11 interface
Fri Jan 31 11:36:44 2020 Error: private key password verification failed
Fri Jan 31 11:36:44 2020 Exiting due to fatal error
I don't understand why; I entered the default PIN... In addition, the CSR was generated from the Yubikey and signed by the CA, so I'm confused about this error message.
Of course I modified the configuration file as described here: https://community.openvpn.net/openvpn/ticket/1075
Anyway thanks for your help :)
I resolved the problem on Windows. Now I have a PIN PROMPT :)
But when I enter the PIN I get this error message:
Fri Jan 31 14:16:43 2020 us=529015 PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
Fri Jan 31 14:16:43 2020 us=529015 OpenSSL: error:14166006:SSL routines:tls_construct_client_verify:EVP lib
Fri Jan 31 14:16:43 2020 us=529015 TLS_ERROR: BIO read tls_read_plaintext error
Fri Jan 31 14:16:43 2020 us=544623 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 31 14:16:43 2020 us=544623 TLS Error: TLS handshake failed
Fri Jan 31 14:16:43 2020 us=544623 TCP/UDP: Closing socket
EDIT: with verb 9:
2020-02-04 14:03:47: PKCS#11: Performing signature
2020-02-04 14:03:47: PKCS#11: Getting key attributes
2020-02-04 14:03:47: PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
2020-02-04 14:03:47: PKCS#11: Calling pin_prompt hook for 'token_name'
2020-02-04 14:04:01: PKCS#11: pin_prompt hook return rv=0
2020-02-04 14:04:01: PKCS#11: Key attributes loaded (0000000f)
2020-02-04 14:04:01: PKCS#11: Private key operation failed rv=32-'CKR_DATA_INVALID'
2020-02-04 14:04:01: PKCS#11: Calling pin_prompt hook for 'token_name'
2020-02-04 14:04:13: PKCS#11: pin_prompt hook return rv=0
2020-02-04 14:04:13: PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
2020-02-04 14:04:13: OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
2020-02-04 14:04:13: TLS_ERROR: BIO read tls_read_plaintext error
2020-02-04 14:04:13: TLS Error: TLS object -> incoming plaintext read error
2020-02-04 14:04:13: TLS Error: TLS handshake failed
2020-02-04 14:04:13: TCP/UDP: Closing socket
Does it work with certificates (not on the Yubikey)?
This means a certificate/CA error/mismatch in most cases.
What are the Yubikey cert parameters? Is this an RSA or ECDSA key?
Yes, it works when the certificate is not on the Yubikey.
The Yubikey parameters: it is RSA.
Thanks again for your help,
I figured it out. Thank you for your help.
Could an administrator mark this as resolved, please?
@squeezy Do you mind explaining how you solved this please? I’m running into the same problem.