Netgate Discussion Forum
    OpenVPN with Yubikey and LDAP Authentication

    10 Posts 4 Posters 4.5k Views
    • S
      squeezy
      last edited by squeezy

      Hi,

      I'm looking for a way to secure my OpenVPN with 2FA from LDAP authentication (username/password) and a Yubikey (certificate).
      Now I don't know how to connect those. Is it even possible? Do I need a RADIUS server?

      It would be cool if someone could point me in the right direction so I can set this up.

      Thanks,

      • viktor_gV
        viktor_g Netgate
        last edited by

        It's possible and RADIUS is not needed.

        Your OpenVPN server should work in Remote Access (SSL/TLS + User Auth) mode,
        with an LDAP server for user authentication,
        and you need to sign the Yubikey certificate with the same CA that is used in the OpenVPN server configuration.

        In fact, this is the same as standard remote access (SSL/TLS + User Auth), with one difference: the client certificates are stored on the Yubikey.

        https://docs.netgate.com/pfsense/en/latest/book/openvpn/index.html

        • S
          squeezy
          last edited by squeezy

          Hi Viktor,

          Thank you for your help. I tried to configure it as you said, but it doesn't work correctly. On pfSense I configured the CA, the OpenVPN server (certificate generated by the CA + TLS key disabled for testing) and the LDAP authentication server.
          For the Yubikey I generated a CSR, had it signed by the CA and imported it into slot 9a.
          For the OpenVPN client, I exported the configuration from pfSense, installed the OpenVPN client (not the GUI) with the OpenSC tools and got the serialized ID of the imported cert:

          sudo openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
          

          After that I modified the OpenVPN configuration file to use the Yubikey's cert:

          delete row 'cert'
          add row ca *PATH TO CA Cert*
          add row *pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so*
          add row *pkcs11-id 'INSERT SERIALIZED ID FROM --show-pkcs11-ids'*
          

          But when I run the connection, it doesn't work and stays stuck after "add PKCS11 provider .../pkcs11.so". It asks for the username & password, but NO PIN PROMPT IS SHOWN to unlock access to the Yubikey (I think that's the issue). The LED on the Yubikey flashes for a few seconds and turns off.

          Does anyone have a solution or an idea, please?

          Thanks for reading,

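As an added example (my own code, not squeezy's and not Netgate's), here is the profile rewrite from this post done as a script: it parses `--show-pkcs11-ids` output for the serialized id, removes the `cert`/`key` entries (as directives or as the inline `<cert>`/`<key>` blocks a pfSense export carries), keeps `ca`, appends `pkcs11-providers` and a single-quoted `pkcs11-id`, and then checks the result for the inconsistencies that usually bite. The sample export and the `--show-pkcs11-ids` output are constructed; the exact layout of that output (a `Certificate` header followed by a `Serialized id:` line) and the rule that OpenVPN rejects `cert`/`key` alongside `pkcs11-providers` are assumptions from my own use, not something the thread states.

```python
"""Added example (my own code, not from the thread or from Netgate): rewrite a
pfSense-exported OpenVPN client profile so the certificate and key come from a
PKCS#11 token, then check the result.  Helper names are my own."""
from __future__ import annotations
import re

# File-based credential directives that must go once the token supplies them.
# OpenVPN rejects --cert/--key/--pkcs12 together with --pkcs11-providers
# (my recollection of its option validation; treat it as an assumption).
FILE_CRED_DIRECTIVES = {"cert", "key", "pkcs12"}

# Inline <name>...</name> blocks as pfSense exports them.
_INLINE_ANY = re.compile(r"^<(\w+)>\n.*?^</\1>\n?", re.M | re.S)
_INLINE_CRED = re.compile(r"^<(cert|key|pkcs12)>\n.*?^</\1>\n?", re.M | re.S)


def parse_show_pkcs11_ids(output: str) -> list[dict]:
    """Parse `openvpn --show-pkcs11-ids <provider>` output into one dict per
    certificate.  Assumed layout: a 'Certificate' header followed by indented
    'Field: value' lines, one of them 'Serialized id:'."""
    certs: list[dict] = []
    for line in output.splitlines():
        if line.strip() == "Certificate":
            certs.append({})
        elif certs and ":" in line:
            field, _, value = line.strip().partition(":")
            certs[-1][field.strip()] = value.strip()
    return certs


def to_pkcs11_profile(profile: str, provider: str, pkcs11_id: str) -> str:
    """Drop cert/key (directive or inline block), keep ca and everything else,
    and append the PKCS#11 directives.  The id is single-quoted so that the
    backslash escapes in a serialized id survive the config parser."""
    kept = []
    for line in _INLINE_CRED.sub("", profile).splitlines():
        name = line.split(None, 1)[0] if line.strip() else ""
        if name not in FILE_CRED_DIRECTIVES:
            kept.append(line)
    kept += [f"pkcs11-providers {provider}", f"pkcs11-id '{pkcs11_id}'"]
    return "\n".join(kept) + "\n"


def check_pkcs11_profile(profile: str) -> list[str]:
    """Return the inconsistencies found; an empty list means the profile is
    consistent for token-based authentication."""
    inline = {m.group(1) for m in _INLINE_ANY.finditer(profile)}
    directives: dict[str, list[str]] = {}
    for line in _INLINE_ANY.sub("", profile).splitlines():
        s = line.strip()
        if s and s[0] not in "#;":
            name, _, rest = s.partition(" ")
            directives.setdefault(name, []).append(rest.strip())
    present = lambda d: d in directives or d in inline
    if "pkcs11-providers" not in directives:
        return ["no pkcs11-providers: the client will still use cert/key files"]
    problems = [f"'{d}' still present; the token supplies it, remove it"
                for d in sorted(FILE_CRED_DIRECTIVES) if present(d)]
    if not ("pkcs11-id" in directives or "pkcs11-id-management" in directives):
        problems.append("pkcs11-providers set but no pkcs11-id to select a certificate")
    if not present("ca"):
        problems.append("no ca: the server certificate cannot be verified")
    for value in directives.get("pkcs11-id", []):
        if re.search(r"\s", value) and not (value[:1] == "'" and value[-1:] == "'"):
            problems.append("pkcs11-id contains whitespace but is not single-quoted")
    return problems


# Constructed sample of a pfSense export; the PEM bodies are placeholders.
SAMPLE_EXPORT = """\
client
remote vpn.example.net 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
placeholder-ca-pem
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
placeholder-client-pem
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
placeholder-key-pem
-----END PRIVATE KEY-----
</key>
"""

# Constructed --show-pkcs11-ids output carrying the serialized id from the thread.
SAMPLE_SHOW_IDS = """\
Certificate
       DN:             CN=testauth
       Serialized id:  piv_II/PKCS\\x2315\\x20emulated/06dfb765c7bafc01/testauth/01
"""
PROVIDER = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"  # provider path from the thread


def build_from_samples() -> tuple[str, list[str]]:
    """Convert the sample export using the first certificate found on the token."""
    cert = parse_show_pkcs11_ids(SAMPLE_SHOW_IDS)[0]
    new = to_pkcs11_profile(SAMPLE_EXPORT, PROVIDER, cert["Serialized id"])
    return new, check_pkcs11_profile(new)


if __name__ == "__main__":
    new_profile, problems = build_from_samples()
    print(new_profile)
    print("problems:", problems or "none")
```

Before trusting the rewritten profile, confirm the token certificate really chains to the CA the server uses (viktor_g's first point): `pkcs11-tool --read-object --type cert --id 01 -o client.der`, convert with `openssl x509 -inform der`, then `openssl verify -CAfile ca.crt client.pem`; if that fails, no amount of profile editing will help.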
          • viktor_gV
            viktor_g Netgate @squeezy
            last edited by

            @squeezy

            There are some issues with Linux and the OpenVPN PKCS#11 PIN prompt outside the GUI:
            https://community.openvpn.net/openvpn/ticket/1215

            Have you tried it from another OS?

            • S
              squeezy
              last edited by squeezy

              @viktor_g

              Yes, I tried with Windows; now the PIN prompt works, but I get this message:

              NEED-OK|token-insertion-request|Please insert testauth token:
              Fri Jan 31 11:36:44 2020 PKCS#11: Cannot get certificate object
              Fri Jan 31 11:36:44 2020 PKCS#11: Cannot get certificate object
              Fri Jan 31 11:36:44 2020 PKCS#11: Unable get evp object
              Fri Jan 31 11:36:44 2020 Cannot load certificate "piv_II/PKCS\x2315\x20emulated/06dfb765c7bafc01/testauth/01" using PKCS#11 interface
              Fri Jan 31 11:36:44 2020 Error: private key password verification failed
              Fri Jan 31 11:36:44 2020 Exiting due to fatal error
              

              I don't understand why; I entered the default PIN... In addition, the CSR was generated on the Yubikey and signed by the CA, so I'm confused about this error message.
              Of course I modified the configuration file as described here: https://community.openvpn.net/openvpn/ticket/1075

              Anyway thanks for your help :)

              EDIT :

              I resolved the problem on Windows. Now I have a PIN PROMPT :)
              But when I fill it in with the PIN I get this error message:

              Fri Jan 31 14:16:43 2020 us=529015 PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
              Fri Jan 31 14:16:43 2020 us=529015 OpenSSL: error:14166006:SSL routines:tls_construct_client_verify:EVP lib
              Fri Jan 31 14:16:43 2020 us=529015 TLS_ERROR: BIO read tls_read_plaintext error
              Fri Jan 31 14:16:43 2020 us=544623 TLS Error: TLS object -> incoming plaintext read error
              Fri Jan 31 14:16:43 2020 us=544623 TLS Error: TLS handshake failed
              Fri Jan 31 14:16:43 2020 us=544623 TCP/UDP: Closing socket
              

              EDIT: VERB 9

              2020-02-04 14:03:47: PKCS#11: Performing signature
              2020-02-04 14:03:47: PKCS#11: Getting key attributes
              2020-02-04 14:03:47: PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
              2020-02-04 14:03:47: PKCS#11: Calling pin_prompt hook for 'token_name'
              2020-02-04 14:04:01: PKCS#11: pin_prompt hook return rv=0
              2020-02-04 14:04:01: PKCS#11: Key attributes loaded (0000000f)
              2020-02-04 14:04:01: PKCS#11: Private key operation failed rv=32-'CKR_DATA_INVALID'
              2020-02-04 14:04:01: PKCS#11: Calling pin_prompt hook for 'token_name'
              2020-02-04 14:04:13: PKCS#11: pin_prompt hook return rv=0
              2020-02-04 14:04:13: PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
              2020-02-04 14:04:13: OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
              2020-02-04 14:04:13: TLS_ERROR: BIO read tls_read_plaintext error
              2020-02-04 14:04:13: TLS Error: TLS object -> incoming plaintext read error
              2020-02-04 14:04:13: TLS Error: TLS handshake failed
              2020-02-04 14:04:13: TCP/UDP: Closing socket
              
              
              • viktor_gV
                viktor_g Netgate
                last edited by

                TLS_ERROR: BIO read tls_read_plaintext error
                2020-02-04 14:04:13: TLS Error: TLS object -> incoming plaintext read error
                2020-02-04 14:04:13: TLS Error: TLS handshake failed

                Does it work with certificates (not on the Yubikey)?

                This means a certificate/CA error or mismatch in most cases.

                What are the Yubikey cert parameters? Is it an RSA or ECDSA key?

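The three logs squeezy posted and viktor_g's reading of the TLS lines pull in different directions, so here is an added example (my own code, not from the thread or from Netgate) that triages such a client log by the first failing stage: the OpenSSL `tls_construct_cert_verify` and `TLS Error` lines that follow a PKCS#11 failure are the handshake giving up on a CertificateVerify it could not sign, and they only point at a certificate/CA mismatch when no PKCS#11 error precedes them. The stage names and rules are mine, derived from the lines quoted in this thread; the log excerpts are copied from the posts above except the TLS-only one, which is constructed.

```python
"""Added example (my own code, not from the thread or from Netgate): name the
first failing stage of an OpenVPN client log from a PKCS#11 (YubiKey via OpenSC)
connection attempt, so the TLS errors that follow are read as consequences of
it rather than as a certificate/CA mismatch.  Stage names and rules are mine,
derived from the log lines quoted in this thread."""
from __future__ import annotations
import re

# Generic TLS failure lines: on their own they point at the cert/CA chain,
# after a PKCS#11 error they are just the handshake giving up.
TLS_RE = re.compile(r"TLS Error|TLS_ERROR|tls_read_plaintext")

# Checked in order for every line; the first line that matches decides the stage.
RULES = [
    ("token-or-cert-not-found",
     re.compile(r"token-insertion-request|Cannot get certificate object|Cannot load certificate"),
     "no token/certificate matched pkcs11-id: compare the value with --show-pkcs11-ids "
     "output, including how its backslash escapes are quoted in the profile"),
    ("private-key-operation-failed",
     re.compile(r"Cannot perform signature|Private key operation failed|"
                r"Get private key attributes failed|CKR_[A-Z_]+"),
     "the certificate was found but the token refused the private-key operation: "
     "confirm the file-based profile works, then look at the key object behind the cert"),
    ("tls-handshake",
     TLS_RE,
     "no PKCS#11 error before the handshake failed: certificate/CA mismatch is the usual cause"),
]


def triage(log: str) -> dict:
    """Return the first failing stage, the line that triggered it, the advice for
    it, and the later TLS lines that are only downstream consequences."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        for stage, rx, advice in RULES:
            if rx.search(line):
                downstream = [l for l in lines[i + 1:] if TLS_RE.search(l)]
                return {"stage": stage, "line": line, "advice": advice,
                        "downstream": downstream}
    return {"stage": "no-error-matched", "line": None, "advice": "", "downstream": []}


# Excerpts as posted in the thread (timestamps kept).
LOG_TOKEN_NOT_FOUND = """\
NEED-OK|token-insertion-request|Please insert testauth token:
Fri Jan 31 11:36:44 2020 PKCS#11: Cannot get certificate object
Fri Jan 31 11:36:44 2020 PKCS#11: Unable get evp object
Fri Jan 31 11:36:44 2020 Cannot load certificate "piv_II/PKCS\\x2315\\x20emulated/06dfb765c7bafc01/testauth/01" using PKCS#11 interface
Fri Jan 31 11:36:44 2020 Error: private key password verification failed
"""
LOG_SIGN_FAILED = """\
Fri Jan 31 14:16:43 2020 us=529015 PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
Fri Jan 31 14:16:43 2020 us=529015 OpenSSL: error:14166006:SSL routines:tls_construct_client_verify:EVP lib
Fri Jan 31 14:16:43 2020 us=529015 TLS_ERROR: BIO read tls_read_plaintext error
Fri Jan 31 14:16:43 2020 us=544623 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 31 14:16:43 2020 us=544623 TLS Error: TLS handshake failed
"""
LOG_VERB9 = """\
2020-02-04 14:03:47: PKCS#11: Performing signature
2020-02-04 14:03:47: PKCS#11: Getting key attributes
2020-02-04 14:03:47: PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
2020-02-04 14:03:47: PKCS#11: Calling pin_prompt hook for 'token_name'
2020-02-04 14:04:01: PKCS#11: Private key operation failed rv=32-'CKR_DATA_INVALID'
2020-02-04 14:04:13: TLS Error: TLS handshake failed
"""
# Constructed: what the CA-mismatch case viktor_g describes looks like.
LOG_TLS_ONLY = """\
2020-02-04 15:00:00: TLS_ERROR: BIO read tls_read_plaintext error
2020-02-04 15:00:00: TLS Error: TLS object -> incoming plaintext read error
2020-02-04 15:00:00: TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for name, sample in [("token not found", LOG_TOKEN_NOT_FOUND), ("signature", LOG_SIGN_FAILED),
                         ("verb 9", LOG_VERB9), ("tls only", LOG_TLS_ONLY)]:
        r = triage(sample)
        print(f"{name}: {r['stage']} <- {r['line']}")
        print(f"  {r['advice']}; {len(r['downstream'])} downstream TLS line(s)")
```

Paste the whole client log into `triage`; what matters is the first matching line, not the last, which is why the two "stuck on the Yubikey" logs in this thread come back as a PKCS#11 problem and only the constructed excerpt comes back as the chain problem viktor_g describes.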
                • S
                  squeezy
                  last edited by

                  Hi,

                  Yes, it works when the certificate is not on the Yubikey.
                  The Yubikey parameters are RSA.

                  Thanks again for your help,

                  • S
                    squeezy
                    last edited by squeezy

                    Hi,
                    I figured it out. Thank you for your help.
                    Could an administrator mark this as resolved, please?
                    Kind regards

                    • I
                      ianp @squeezy
                      last edited by

                      @squeezy Do you mind explaining how you solved this please? I’m running into the same problem.
                      Thanks.

                      • W
                        why @ianp
                        last edited by

                        @squeezy .... bump please.....

                        I have the same issue.

                        Thanks

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.