OpenVPN with smartcard login



  • Hello,
    I'm trying to configure PFSense's OpenVPN in order to be able to login using smartcards.

    Setup
    Hardware + Software
    PFSense 2.1 DEV (built on Fri Nov 25 14:30:42 EST 2011)
    OpenVPN 2.2 + OpenSC-0.12.2-win64 (on Windows 8.1 PRO)
    Smartcard reader: http://www.acs.com.hk/index.php?pid=product&prod_sections=0&id=ACR38
    PKI Smartcard: http://www.ftsafe.com/product/smartcard/pkicard

    Software Configuration
    OpenVPN on PFSense was setup using the following walkthrough: http://www.youtube.com/watch?v=VdAHVSTl1ys
    Then I exported the client configuration from "client export" and I got the following files:

    pbnet-udp-34447-pbnetvpn-tls.key
    pbnet-udp-34447-pbnetvpn.ovpn
    pbnet-udp-34447-pbnetvpn.p12

    I've initialized the smartcard using PKCS15 format like below:

    C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init -E
    Using reader with a card: ACS CCID USB Reader 0

    C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init -C --profile pkcs15+onepin --pin 1234 --puk 123456 --label "Andrei"
    Using reader with a card: ACS CCID USB Reader 0

    C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init -S C:\cert\client.p12 -f PKCS12 -a 01
    Using reader with a card: ACS CCID USB Reader 0
    Importing 2 certificates:
      0: /C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxx/CN=pbnetvpn
      1: /C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxx/CN=OpenVPNCA
    User PIN [User PIN] required.
    Please enter User PIN [User PIN]:

    C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --list-certificates

    Using reader with a card: ACS CCID USB Reader 0
    X.509 Certificate [/C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxxx/CN=pbnetvpn]
            Object Flags  : [0x2], modifiable
            Authority      : no
            Path          : 3f0050153100
            ID            : 465e190a5f54b0a45afe3290e7e2dffc780e5d2f
            GUID          : {465e190a-5f54-b0a4-5afe-3290e7e2dffc}
            Encoded serial : 02 01 01

    X.509 Certificate [/C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxxx/CN=OpenVPNCA]
            Object Flags  : [0x2], modifiable
            Authority      : yes
            Path          : 3f0050153101
            ID            : 08b45a94208eb14d679d85c24ae027750663a420
            GUID          : {08b45a94-208e-b14d-679d-85c24ae02775}
            Encoded serial : 02 01 00

    C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool --list-keys
    Using reader with a card: ACS CCID USB Reader 0
    Private RSA Key [Private Key]
            Object Flags  : [0x3], private, modifiable
            Usage          : [0x10E], decrypt, sign, signRecover, derive
            Access Flags  : [0x0]
            ModLength      : 2048
            Key ref        : 1 (0x1)
            Native        : yes
            Path          : 3f005015
            Auth ID        : 01
            ID            : 465e190a5f54b0a45afe3290e7e2dffc780e5d2f
            GUID          : {465e190a-5f54-b0a4-5afe-3290e7e2dffc}

    Now comes the problem:

    When connecting to the OpenVPN server using username/password everything works fine by using the following OpenVPN config file:

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    tls-client
    client
    resolv-retry infinite
    remote myserverip 34447 udp
    tls-remote pbnetvpn
    auth-user-pass
    pkcs12 pbnet-udp-34447-pbnetvpn.p12
    tls-auth pbnet-udp-34447-pbnetvpn-tls.key 1
    comp-lzo

    I've tried to build an OpenVPN config file (See below) in order to connect using a SmartCard:

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    tls-client
    client
    remote myserverip 34447 udp
    ca ca.crt
    tls-remote pbnetvpn
    pkcs11-providers c:\windows\system32\opensc-pkcs11.dll
    pkcs11-id 'EnterSafe/PKCS\x2315/0370293916270713/Andrei\x20\x28User\x20PIN\x29/465E190A5F54B0A45AFE3290E7E2DFFC780E5D2F'
    #pkcs12 pbnet-udp-34447-pbnetvpn.p12
    tls-auth pbnet-udp-34447-pbnetvpn-tls.key 1
    comp-lzo

    and I get the following results:

    C:\Program Files\OpenVPN\bin>openvpn.exe --config pbnet-SC-34447-pbnetvpn.ovpn
    Thu Sep 12 21:13:32 2013 DEPRECATED OPTION: --tls-remote, please update your configuration
    Thu Sep 12 21:13:32 2013 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
    Thu Sep 12 21:13:32 2013 PKCS#11: Adding PKCS#11 provider 'c:\windows\system32\opensc-pkcs11.dll'
    Thu Sep 12 21:13:34 2013 Control Channel Authentication: using 'pbnet-udp-34447-pbnetvpn-tls.key' as a OpenVPN static key file
    Thu Sep 12 21:13:34 2013 UDPv4 link local (bound): [undef]
    Thu Sep 12 21:13:34 2013 UDPv4 link remote: [AF_INET]x.x.x.x:34447
    Enter Andrei (User PIN) token Password:
    Thu Sep 12 21:14:34 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Thu Sep 12 21:14:34 2013 TLS Error: TLS handshake failed
    Thu Sep 12 21:14:34 2013 SIGUSR1[soft,tls-error] received, process restarting
    Thu Sep 12 21:14:36 2013 UDPv4 link local (bound): [undef]
    Thu Sep 12 21:14:36 2013 UDPv4 link remote: [AF_INET]x.x.x.x:34447

    Any help or suggestion would be greatly appreciated.
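    A consistency check for the smartcard configuration above, added here as an example and not part of the original post or of OpenVPN/OpenSC. It decodes the `pkcs11-id` string from the client config (OpenVPN serializes it as `manufacturer/model/serial/token label/certificate id` with `\xHH` escapes for special characters; that field order is assumed here) and cross-checks the last field against the `pkcs15-tool` listings quoted above: the selected certificate must exist on the card, must not be the CA certificate, and must share its ID with a private key that is allowed to sign. The sample inputs are copied from the post and trimmed to the fields the check uses.

```python
import re

# Constructed sample input: the pkcs11-id from the client config quoted in the post
# (raw string so the \xHH escapes stay literal, exactly as they appear in the .ovpn).
PKCS11_ID = (r"EnterSafe/PKCS\x2315/0370293916270713/"
             r"Andrei\x20\x28User\x20PIN\x29/465E190A5F54B0A45AFE3290E7E2DFFC780E5D2F")

# Constructed sample input: the pkcs15-tool listings from the post, trimmed to the fields used here.
PKCS15_TOOL_OUTPUT = """\
X.509 Certificate [/C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxxx/CN=pbnetvpn]
        Object Flags   : [0x2], modifiable
        Authority      : no
        ID             : 465e190a5f54b0a45afe3290e7e2dffc780e5d2f
X.509 Certificate [/C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxxx/CN=OpenVPNCA]
        Object Flags   : [0x2], modifiable
        Authority      : yes
        ID             : 08b45a94208eb14d679d85c24ae027750663a420
Private RSA Key [Private Key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x10E], decrypt, sign, signRecover, derive
        ModLength      : 2048
        Auth ID        : 01
        ID             : 465e190a5f54b0a45afe3290e7e2dffc780e5d2f
"""


def unescape_field(field):
    """Decode OpenVPN's \\xHH escapes (e.g. \\x23 -> '#', \\x20 -> ' ')."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), field)


def parse_pkcs11_id(serialized):
    """Split a serialized id into its five fields. Assumed order:
    manufacturer/model/serial/token label/certificate id. A literal '/' inside a
    field is escaped as \\x2f, so splitting before unescaping is safe."""
    parts = serialized.split("/")
    if len(parts) != 5:
        raise ValueError("expected 5 '/'-separated fields, got %d" % len(parts))
    names = ("manufacturer", "model", "serial", "token_label", "cert_id")
    return dict(zip(names, (unescape_field(p) for p in parts)))


def parse_pkcs15_objects(text):
    """Turn pkcs15-tool listings into a list of {kind, label, <attr>: <value>} dicts."""
    objects, current = [], None
    for line in text.splitlines():
        header = re.match(r"^(X\.509 Certificate|Private \w+ Key) \[(.*)\]$", line)
        if header:
            current = {"kind": header.group(1), "label": header.group(2)}
            objects.append(current)
            continue
        attr = re.match(r"^\s+([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$", line)
        if attr and current is not None:
            current[attr.group(1)] = attr.group(2).strip()
    return objects


def check_pkcs11_id(serialized, pkcs15_output):
    """Return a list of problems; empty means the id selects a client certificate
    whose private key is on the card and may be used to sign (TLS client auth)."""
    ident = parse_pkcs11_id(serialized)
    objs = parse_pkcs15_objects(pkcs15_output)
    want = ident["cert_id"].lower()
    certs = [o for o in objs if o["kind"] == "X.509 Certificate"]
    keys = [o for o in objs if o["kind"].startswith("Private")]
    cert = next((c for c in certs if c.get("ID", "").lower() == want), None)
    if cert is None:
        return ["no certificate on the card has ID %s" % want]
    problems = []
    if cert.get("Authority") == "yes":
        problems.append("pkcs11-id selects the CA certificate (%s), not a client certificate"
                        % cert["label"])
    key = next((k for k in keys if k.get("ID", "").lower() == want), None)
    if key is None:
        problems.append("no private key on the card shares ID %s with the certificate" % want)
    else:
        usages = [u.strip() for u in key.get("Usage", "").split(",")]
        if "sign" not in usages:
            problems.append("private key usage lacks 'sign'; TLS client auth needs a signing key")
    return problems


if __name__ == "__main__":
    ident = parse_pkcs11_id(PKCS11_ID)
    print("token label:", ident["token_label"], "| cert id:", ident["cert_id"])
    for problem in check_pkcs11_id(PKCS11_ID, PKCS15_TOOL_OUTPUT) or ["no mismatch found"]:
        print("-", problem)
```

    On a real client, the id would be copied from `openvpn --show-pkcs11-ids <provider>` and the listings from `pkcs15-tool --list-certificates` / `--list-keys`. A useful side check is that the decoded token label ("Andrei (User PIN)" here) is the one OpenVPN names in its PIN prompt, which is what the log above shows; if that prompt goes unanswered, the 60 second TLS negotiation window expires before the handshake ever starts.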



  • I found this on the web, Nitro Key

    User authentication on local computers (e.g. Windows, Linux) and networks (e.g. Firefox, OpenSSH,
    OpenVPN, IPSec, OpenID).