Netgate Discussion Forum

OpenVPN with Yubikey and LDAP Authentication

Category: OpenVPN
10 Posts, 4 Posters, 4.5k Views
squeezy, Jan 23, 2020, 10:00 AM (edited 10:03 AM)

Hi,

I'm looking for a way to secure my OpenVPN with 2FA: LDAP authentication (username/password) plus a Yubikey (certificate).
Now I don't know how to connect those. Is it even possible? Do I need a RADIUS server?

It would be cool if someone could point me in the right direction so I can set this up.

Thanks,

viktor_g (Netgate), Jan 23, 2020, 12:22 PM

It's possible, and RADIUS is not needed.

Your OpenVPN server should work in Remote Access (SSL/TLS + User Auth) mode,
with an LDAP server for user authentication,
and you need to sign the Yubikey certificate with the same CA that is used in the OpenVPN server configuration.

In fact, this is the same as standard remote access (SSL/TLS + User Auth), with one difference: the client certificates are stored on the Yubikey.

https://docs.netgate.com/pfsense/en/latest/book/openvpn/index.html

squeezy, Jan 29, 2020, 8:35 AM (edited 8:37 AM)

Hi Viktor,

Thank you for your help. I tried to configure it as you said but it does not work correctly. On pfSense I configured the CA, the OpenVPN server (certificate generated by the CA; TLS key disabled for testing) and the LDAP authentication server.
For the Yubikey I generated a CSR, had it signed by the CA and imported the certificate into slot 9a.
For the OpenVPN client, I exported the configuration from pfSense, installed the OpenVPN client (not the GUI) together with the OpenSC tools and got the serialized ID of the imported cert:

    sudo openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

Then I modified the OpenVPN configuration file to use the Yubikey's cert:

    delete the 'cert' line
    add:  ca <PATH TO CA cert>
    add:  pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
    add:  pkcs11-id '<SERIALIZED ID FROM --show-pkcs11-ids>'

But when I start the connection it does not work and gets stuck after "add PKCS11 provider .../pkcs11.so". It asks for the username and password, but NO PIN PROMPT is shown to unlock the Yubikey (I think that's the issue). The LED on the Yubikey flashes for a few seconds and turns off.

Does anyone have a solution or an idea, please?

Thanks for reading,

viktor_g (Netgate), replying to squeezy, Jan 30, 2020, 2:16 PM

@squeezy

There are some issues with the OpenVPN PKCS#11 PIN prompt on Linux without a GUI:
https://community.openvpn.net/openvpn/ticket/1215

Have you tried it from another OS?

squeezy, Jan 31, 2020, 10:39 AM (edited Feb 4, 2020, 1:08 PM)

@viktor_g

Yes, I tried it on Windows. Now the PIN prompt works, but I got this message:

    NEED-OK|token-insertion-request|Please insert testauth token:
    Fri Jan 31 11:36:44 2020 PKCS#11: Cannot get certificate object
    Fri Jan 31 11:36:44 2020 PKCS#11: Cannot get certificate object
    Fri Jan 31 11:36:44 2020 PKCS#11: Unable get evp object
    Fri Jan 31 11:36:44 2020 Cannot load certificate "piv_II/PKCS\x2315\x20emulated/06dfb765c7bafc01/testauth/01" using PKCS#11 interface
    Fri Jan 31 11:36:44 2020 Error: private key password verification failed
    Fri Jan 31 11:36:44 2020 Exiting due to fatal error

I don't understand why; I entered the default PIN... In addition, the CSR was generated on the Yubikey and signed by the CA, so I'm confused about this error message.
Of course I modified the configuration file as described here: https://community.openvpn.net/openvpn/ticket/1075

Anyway, thanks for your help :)

EDIT:

I resolved the problem on Windows. Now I have a PIN PROMPT :)
But when I enter the PIN I get this error message:

    Fri Jan 31 14:16:43 2020 us=529015 PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
    Fri Jan 31 14:16:43 2020 us=529015 OpenSSL: error:14166006:SSL routines:tls_construct_client_verify:EVP lib
    Fri Jan 31 14:16:43 2020 us=529015 TLS_ERROR: BIO read tls_read_plaintext error
    Fri Jan 31 14:16:43 2020 us=544623 TLS Error: TLS object -> incoming plaintext read error
    Fri Jan 31 14:16:43 2020 us=544623 TLS Error: TLS handshake failed
    Fri Jan 31 14:16:43 2020 us=544623 TCP/UDP: Closing socket

EDIT: with verb 9:

    2020-02-04 14:03:47: PKCS#11: Performing signature
    2020-02-04 14:03:47: PKCS#11: Getting key attributes
    2020-02-04 14:03:47: PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
    2020-02-04 14:03:47: PKCS#11: Calling pin_prompt hook for 'token_name'
    2020-02-04 14:04:01: PKCS#11: pin_prompt hook return rv=0
    2020-02-04 14:04:01: PKCS#11: Key attributes loaded (0000000f)
    2020-02-04 14:04:01: PKCS#11: Private key operation failed rv=32-'CKR_DATA_INVALID'
    2020-02-04 14:04:01: PKCS#11: Calling pin_prompt hook for 'token_name'
    2020-02-04 14:04:13: PKCS#11: pin_prompt hook return rv=0
    2020-02-04 14:04:13: PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
    2020-02-04 14:04:13: OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
    2020-02-04 14:04:13: TLS_ERROR: BIO read tls_read_plaintext error
    2020-02-04 14:04:13: TLS Error: TLS object -> incoming plaintext read error
    2020-02-04 14:04:13: TLS Error: TLS handshake failed
    2020-02-04 14:04:13: TCP/UDP: Closing socket
viktor_g (Netgate), Feb 7, 2020, 12:47 PM

    TLS_ERROR: BIO read tls_read_plaintext error
    2020-02-04 14:04:13: TLS Error: TLS object -> incoming plaintext read error
    2020-02-04 14:04:13: TLS Error: TLS handshake failed

Does it work with certificates that are not on the Yubikey?

This means a certificate/CA error or mismatch in most cases.

What are the Yubikey cert parameters? Is this an RSA or ECDSA key?

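The CA-side procedure from viktor_g's first answer and squeezy's post above (generate a CSR for the key in slot 9a, sign it with the same CA the OpenVPN server uses, point the client at the CA file, the PKCS#11 provider and the serialized id), together with the check behind the "certificate/CA mismatch" diagnosis in this reply, as an added shell example. It is not code from the thread, from pfSense or from Netgate. It assumes openssl 1.1.1 or newer in PATH, uses a software key in place of the key on the Yubikey so that it runs offline, and shows the yubico-piv-tool commands for the token only as comments. The CA and client names (vpn-ca, other-ca, testauth), the provider path, the remote placeholder and the WORK directory are the example's own choices; the serialized id is the one from squeezy's Windows log.

```shell
#!/bin/sh
# Added example (not from the thread, pfSense or Netgate): the CA side of
# "generate a CSR, sign it with the OpenVPN server's CA, import it into slot 9a",
# plus the chain check behind the "certificate/CA mismatch" diagnosis.
# Assumes: openssl 1.1.1+ in PATH. The Yubikey steps are comments only, so a
# software key stands in for the key in PIV slot 9a and the script runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# A CA like the one pfSense generates for the OpenVPN server.  $1 = CA name
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Key pair and CSR for the client.  $1 = client name
# On the token this is done on the Yubikey so the private key never leaves it:
#   yubico-piv-tool -a generate -s 9a -A RSA2048 -o testauth.pub
#   yubico-piv-tool -a verify-pin -a request-certificate -s 9a \
#       -S '/CN=testauth/' -i testauth.pub -o testauth.csr
# Here a software key stands in for slot 9a.
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Sign the CSR.  $1 = client name, $2 = CA name
# $2 must be the same CA the OpenVPN server is configured with; the signed
# certificate then goes back onto the token:
#   yubico-piv-tool -a import-certificate -s 9a -i testauth.crt
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" >/dev/null 2>&1
}

# The check behind "TLS handshake failed" being a certificate/CA mismatch:
# does the client certificate chain to the CA named by the client's 'ca'
# directive?  Exit status 0 = yes.  $1 = client name, $2 = CA name
chains_to_ca() {
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Answers "RSA or ECDSA?" from the certificate itself.  $1 = client name
key_algorithm() {
  openssl x509 -in "$WORK/$1.crt" -noout -text \
    | awk -F': *' '/Public Key Algorithm/ { print $2; exit }'
}

# Client config fragment matching the edits in the thread: no 'cert'/'key'
# lines, the CA file, the PKCS#11 provider and the serialized id printed by
# 'openvpn --show-pkcs11-ids <provider.so>'.  The 'remote' line is a
# placeholder; take it from the config exported from pfSense.
# $1 = provider path, $2 = serialized id, $3 = CA name
client_config() {
cat <<EOF
client
dev tun
remote vpn.example.org 1194
ca $WORK/$3.crt
pkcs11-providers $1
pkcs11-id '$2'
auth-user-pass
EOF
}

# Run it: the real CA, an unrelated CA for the mismatch case, one client.
make_ca vpn-ca
make_ca other-ca
make_client_csr testauth
sign_csr testauth vpn-ca

chains_to_ca testauth vpn-ca   && echo "testauth chains to vpn-ca: OK"
chains_to_ca testauth other-ca || echo "testauth does not chain to other-ca: the mismatch case"
echo "key algorithm: $(key_algorithm testauth)"
client_config /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
  'piv_II/PKCS\x2315\x20emulated/06dfb765c7bafc01/testauth/01' vpn-ca
```

Running chains_to_ca against the CA file from the exported pfSense config, before touching the token, separates a PKI problem (wrong CA, cert re-issued under another CA) from a PKCS#11 one (provider path, PIN prompt, wrong slot); only the former produces the handshake failure quoted in this reply when the same certificate works from a file.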
squeezy, Feb 10, 2020, 10:09 AM

Hi,

Yes, it works when the certificate is not on the Yubikey.
The Yubikey parameters are RSA.

Thanks again for your help,

squeezy, Feb 26, 2020, 10:49 AM (edited 10:52 AM)

Hi,
I figured it out. Thank you for your help.
Could an administrator mark this as resolved, please?
Kind regards

ianp, replying to squeezy, Feb 17, 2021, 9:14 PM

@squeezy Do you mind explaining how you solved this, please? I'm running into the same problem.
Thanks.

why, replying to ianp, May 3, 2021, 8:49 PM

@squeezy .... bump please.....

I have the same issue.

Thanks

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.