OpenVPN with smartcard login
-
Hello,
I'm trying to configure PFSense's OpenVPN in order to be able to log in using smartcards.
Setup
Hardware + Software
PFSense 2.1 DEV (built on Fri Nov 25 14:30:42 EST 2011)
OpenVPN 2.2 + OpenSC -0.12.2-win64 (on Windows 8.1 PRO)
Smartcard reader: http://www.acs.com.hk/index.php?pid=product&prod_sections=0&id=ACR38
PKI Smartcard: http://www.ftsafe.com/product/smartcard/pkicard
Software Configuration
OpenVPN on PFSense was setup using the following walkthrough: http://www.youtube.com/watch?v=VdAHVSTl1ys
Then I exported the client configuration from "client export" and I got the following files:
pbnet-udp-34447-pbnetvpn-tls.key
pbnet-udp-34447-pbnetvpn.ovpn
pbnet-udp-34447-pbnetvpn.p12
I've initialized the smartcard using PKCS15 format like below:
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init -E
Using reader with a card: ACS CCID USB Reader 0
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init -C --profile pkcs15+onepin --pin 1234 --puk 123456 --label "Andrei"
Using reader with a card: ACS CCID USB Reader 0
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init -S C:\cert\client.p12 -f PKCS12 -a 01
Using reader with a card: ACS CCID USB Reader 0
Importing 2 certificates:
0: /C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxx/CN=pbnetvpn
1: /C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxx/CN=OpenVPNCA
User PIN [User PIN] required.
Please enter User PIN [User PIN]:
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --list-certificates
Using reader with a card: ACS CCID USB Reader 0
X.509 Certificate [/C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxxx/CN=pbnetvpn]
Object Flags : [0x2], modifiable
Authority : no
Path : 3f0050153100
ID : 465e190a5f54b0a45afe3290e7e2dffc780e5d2f
GUID : {465e190a-5f54-b0a4-5afe-3290e7e2dffc}
Encoded serial : 02 01 01
X.509 Certificate [/C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxxx/CN=OpenVPNCA]
Object Flags : [0x2], modifiable
Authority : yes
Path : 3f0050153101
ID : 08b45a94208eb14d679d85c24ae027750663a420
GUID : {08b45a94-208e-b14d-679d-85c24ae02775}
Encoded serial : 02 01 00
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool --list-keys
Using reader with a card: ACS CCID USB Reader 0
Private RSA Key [Private Key]
Object Flags : [0x3], private, modifiable
Usage : [0x10E], decrypt, sign, signRecover, derive
Access Flags : [0x0]
ModLength : 2048
Key ref : 1 (0x1)
Native : yes
Path : 3f005015
Auth ID : 01
ID : 465e190a5f54b0a45afe3290e7e2dffc780e5d2f
GUID : {465e190a-5f54-b0a4-5afe-3290e7e2dffc}
Now comes the problem:
When connecting to the OpenVPN server using username/password everything works fine by using the following OpenVPN config file:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote myserverip 34447 udp
tls-remote pbnetvpn
auth-user-pass
pkcs12 pbnet-udp-34447-pbnetvpn.p12
tls-auth pbnet-udp-34447-pbnetvpn-tls.key 1
comp-lzo
I've tried to build an OpenVPN config file (see below) in order to connect using a SmartCard:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
tls-client
client
remote myserverip 34447 udp
ca ca.crt
tls-remote pbnetvpn
pkcs11-providers c:\windows\system32\opensc-pkcs11.dll
pkcs11-id 'EnterSafe/PKCS\x2315/0370293916270713/Andrei\x20\x28User\x20PIN\x29/465E190A5F54B0A45AFE3290E7E2DFFC780E5D2F'
#pkcs12 pbnet-udp-34447-pbnetvpn.p12
tls-auth pbnet-udp-34447-pbnetvpn-tls.key 1
comp-lzo
and I get the following results:
C:\Program Files\OpenVPN\bin>openvpn.exe --config pbnet-SC-34447-pbnetvpn.ovpn
Thu Sep 12 21:13:32 2013 DEPRECATED OPTION: --tls-remote, please update your configuration
Thu Sep 12 21:13:32 2013 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Thu Sep 12 21:13:32 2013 PKCS#11: Adding PKCS#11 provider 'c:\windows\system32\opensc-pkcs11.dll'
Thu Sep 12 21:13:34 2013 Control Channel Authentication: using 'pbnet-udp-34447-pbnetvpn-tls.key' as a OpenVPN static key file
Thu Sep 12 21:13:34 2013 UDPv4 link local (bound): [undef]
Thu Sep 12 21:13:34 2013 UDPv4 link remote: [AF_INET]x.x.x.x:34447
Enter Andrei (User PIN) token Password:
Thu Sep 12 21:14:34 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 12 21:14:34 2013 TLS Error: TLS handshake failed
Thu Sep 12 21:14:34 2013 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 12 21:14:36 2013 UDPv4 link local (bound): [undef]
Thu Sep 12 21:14:36 2013 UDPv4 link remote: [AF_INET]x.x.x.x:34447
Any help or suggestion would be greatly appreciated.
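An added example, not code from the post or from OpenVPN/OpenSC: a Python script that parses pkcs15-tool listings like the ones above and decodes the pkcs11-id to check that it selects a client (non-CA) certificate whose private key is on the token, i.e. that the object ID at the end of the pkcs11-id equals the cert and key IDs pkcs15-tool prints (case-insensitively, since pkcs15-tool prints lower-case hex). It assumes the pkcs11-id layout manufacturer/model/serial/token label/object id with \xHH escapes, as in the post's line, and uses trimmed, constructed copies of the listings as input.

```python
import re

# Constructed input: trimmed copies of the pkcs15-tool listings and the pkcs11-id line from the post
CERT_LISTING = """\
X.509 Certificate [/C=RO/O=PBNET/CN=pbnetvpn]
        Authority      : no
        ID             : 465e190a5f54b0a45afe3290e7e2dffc780e5d2f
X.509 Certificate [/C=RO/O=PBNET/CN=OpenVPNCA]
        Authority      : yes
        ID             : 08b45a94208eb14d679d85c24ae027750663a420
"""
KEY_LISTING = """\
Private RSA Key [Private Key]
        ID             : 465e190a5f54b0a45afe3290e7e2dffc780e5d2f
"""
PKCS11_ID = r"EnterSafe/PKCS\x2315/0370293916270713/Andrei\x20\x28User\x20PIN\x29/465E190A5F54B0A45AFE3290E7E2DFFC780E5D2F"


def parse_pkcs15_listing(text):
    """Turn a pkcs15-tool listing into one {field: value} dict per object (cert or key)."""
    objects, current = [], None
    for line in text.splitlines():
        header = re.match(r"^(X\.509 Certificate|Private \w+ Key) \[(.*)\]$", line)
        if header:
            current = {"kind": header.group(1), "label": header.group(2)}
            objects.append(current)
        elif current is not None and ":" in line:
            field, value = line.split(":", 1)
            current[field.strip()] = value.strip()
    return objects


def decode_pkcs11_id(serialized):
    """Split the pkcs11-id (assumed layout manufacturer/model/serial/token label/object id) and undo \\xHH escapes."""
    unescape = lambda s: re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    names = ("manufacturer", "model", "serial", "token_label", "object_id")
    return dict(zip(names, (unescape(f) for f in serialized.split("/", 4))))


def check_pkcs11_id(serialized, cert_listing, key_listing):
    """Return (ok, reason): does the pkcs11-id select a non-CA cert whose private key is on the token?"""
    object_id = decode_pkcs11_id(serialized)["object_id"].lower()  # pkcs15-tool prints lower-case hex
    certs = [o for o in parse_pkcs15_listing(cert_listing) if o["kind"] == "X.509 Certificate"]
    keys = [o for o in parse_pkcs15_listing(key_listing) if o["kind"].endswith("Key")]
    cert = next((c for c in certs if c.get("ID", "").lower() == object_id), None)
    if cert is None:
        return False, "no certificate on the token has ID " + object_id
    if cert.get("Authority") == "yes":
        return False, "pkcs11-id selects the CA certificate " + cert["label"] + ", not a client certificate"
    if not any(k.get("ID", "").lower() == object_id for k in keys):
        return False, "no private key on the token shares ID " + object_id
    return True, "pkcs11-id selects client certificate " + cert["label"] + " and its private key"
```

Run it against the real output of pkcs15-tool --list-certificates and --list-keys and the id string from your .ovpn; a mismatch here rules out a wrong pkcs11-id before you look at CA or network problems.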
-
I found this on the web, Nitro Key
User authentication on local computers (e.g. Windows, Linux) and networks (e.g. Firefox, OpenSSH, OpenVPN, IPSec, OpenID).