Opened 10 years ago

Closed 4 years ago

#342 closed Bug / Defect (fixed)

Cannot connect to VPN from Linux by using ikey3000 token

Reported by: vkorecky
Owned by:
Priority: major
Milestone: release 2.5
Component: Generic / unclassified
Version: OpenVPN 2.3.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: ikey3000, opensc volunteer
Cc:

Description

How to reproduce this bug:

  • Any Linux distribution (I use Linux Mint 15)
  • Install openvpn, openct, opensc (sudo apt-get install opensc openct openvpn)
  • Insert the iKey 3000 token
  • Try to connect to the VPN

The connection last worked in Ubuntu 9.04.
These were the versions:

  • Openvpn 2.1 RC11
  • Opensc 0.11
  • Openct 0.6

Since 2009 the connection hasn't worked on any Linux distribution I tested: openSUSE, Fedora, Ubuntu, etc.

Attached are:

  • my ovpn file (IPs modified for company security rules)
  • output from the command sudo openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
  • full log from openvpn and opensc (debug/verbose is set to 9)

Attachments (4)

Certificates on ikey3000 token.txt (501 bytes) - added by vkorecky 10 years ago.
Output of command "sudo openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so"
debug.txt.zip (71.3 KB) - added by vkorecky 10 years ago.
Debug output from command sudo openvpn --config /etc/openvpn/Jihlava.ovpn --ca /etc/openvpn/gvpn_ca2.cer
VPN.ovpn (441 bytes) - added by vkorecky 10 years ago.
My ovpn configuration file
openvpn-verb4.txt (21.0 KB) - added by vkorecky 10 years ago.
Openvpn log with verb 4. Opensc debug is disabled.


Change History (14)

Changed 10 years ago by vkorecky

Output of command "sudo openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so"

Changed 10 years ago by vkorecky

Attachment: debug.txt.zip added

Debug output from command sudo openvpn --config /etc/openvpn/Jihlava.ovpn --ca /etc/openvpn/gvpn_ca2.cer

Changed 10 years ago by vkorecky

Attachment: VPN.ovpn added

My ovpn configuration file

comment:1 Changed 10 years ago by vkorecky

I tried compiling the latest OpenVPN version 2.3.2 with PKCS#11 support (command "./configure --enable-pkcs11") and the result is the same as with version 2.2.1, which is distributed by Ubuntu (Linux Mint).

comment:2 Changed 10 years ago by JoshC

Logs at --verb 4 would be much more useful. These are pretty much unreadable with all the extra noise in the logs.

Level 5 prints characters for each packet sent/received (primarily for identifying firewall issues) and levels above 5 are debug levels you should use only when requested (or are doing personal debugging of openvpn and know you need them.)

Changed 10 years ago by vkorecky

Attachment: openvpn-verb4.txt added

Openvpn log with verb 4. Opensc debug is disabled.

comment:3 Changed 10 years ago by vkorecky

I added log of openvpn at verb 4. OpenSC debug was disabled.

comment:4 Changed 10 years ago by Gert Döring

That log looks quite good to me, tbh. Connection succeeds, authentication succeeds, push info is received from server, interface is initialized.

So what do you mean by "connection doesn't work"?

comment:5 Changed 10 years ago by vkorecky

The OpenVPN login operation should finish with the line:
... Initialization Sequence Completed

But in my case OpenVPN freezes on the line:
/sbin/ifconfig tun0 10.20.10.173 pointopoint 10.20.10.174 mtu 1500
and I cannot access the VPN network.

If you look at the debug output with verb=9 you can see that after the line:
.../sbin/ifconfig tun0 10.20.10.173 pointopoint 10.20.10.174 mtu 1500
OpenSC continues with some actions:
...
[opensc-pkcs11] card.c:258:sc_disconnect_card: returning with: 0 (Success)
[opensc-pkcs11] ctx.c:737:sc_release_context: called
[opensc-pkcs11] reader-pcsc.c:736:pcsc_finish: called

But OpenVPN doesn't continue. It looks like OpenVPN doesn't know that OpenSC successfully finished.
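The disagreement in comments 4 and 5 comes down to which client start-up milestones a verb-4 log contains: TLS up, PUSH_REPLY received, tun device opened, ifconfig run, and finally "Initialization Sequence Completed". The following is an added example, not code from the ticket or from the OpenVPN project: a small checker that reports the furthest milestone a log reached, the line the client stalled after, and which milestones are still missing. The match patterns are modelled on OpenVPN 2.x client messages (an assumption, not a specification), and the sample log lines are constructed for this example; only the ifconfig line is the one quoted in the ticket.

```python
"""Locate where an OpenVPN client start-up stalled, from its verb-4 log."""
import re

# Client start-up milestones, in the order a healthy run logs them. The
# patterns are modelled on OpenVPN 2.x client output (an assumption, not a
# specification); "completed" is the marker the client prints last.
MILESTONES = [
    ("pkcs11_provider", re.compile(r"PKCS#11: Adding PKCS#11 provider")),
    ("tls_up",          re.compile(r"Control Channel: TLSv")),
    ("push_reply",      re.compile(r"PUSH: Received control message: 'PUSH_REPLY")),
    ("tun_open",        re.compile(r"TUN/TAP device \S+ opened")),
    ("ifconfig",        re.compile(r"/s?bin/ifconfig \S+ ")),
    ("completed",       re.compile(r"Initialization Sequence Completed")),
]
ORDER = {name: i for i, (name, _) in enumerate(MILESTONES)}


def analyze(lines):
    """Return the furthest milestone reached, whether the client finished
    initialising, and the last non-empty log line (the one it hung after)."""
    reached = None
    last_line = ""
    for line in lines:
        if not line.strip():
            continue
        last_line = line.rstrip()
        for name, pattern in MILESTONES:
            if pattern.search(line) and (reached is None or ORDER[name] > ORDER[reached]):
                reached = name
    return {
        "completed": reached == "completed",
        "last_milestone": reached,
        "last_line": last_line,
    }


def missing_after(result):
    """Milestones a healthy run would still have logged after the furthest one seen."""
    names = [name for name, _ in MILESTONES]
    if result["last_milestone"] is None:
        return names
    return names[ORDER[result["last_milestone"]] + 1:]


# Constructed sample logs: timestamps and every line except the ifconfig one
# are made up for this example; the ifconfig line is the one quoted in the ticket.
HUNG_LOG = """\
Tue Sep 10 10:12:01 2013 PKCS#11: Adding PKCS#11 provider '/usr/lib/opensc-pkcs11.so'
Tue Sep 10 10:12:03 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Sep 10 10:12:04 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.20.0.0 255.255.0.0,ifconfig 10.20.10.173 10.20.10.174'
Tue Sep 10 10:12:04 2013 TUN/TAP device tun0 opened
Tue Sep 10 10:12:04 2013 /sbin/ifconfig tun0 10.20.10.173 pointopoint 10.20.10.174 mtu 1500
""".splitlines()

GOOD_LOG = HUNG_LOG + ["Tue Sep 10 10:12:05 2013 Initialization Sequence Completed"]

if __name__ == "__main__":
    for label, log in (("hung", HUNG_LOG), ("good", GOOD_LOG)):
        r = analyze(log)
        status = "completed" if r["completed"] else "stalled after: " + r["last_line"]
        print(label, r["last_milestone"], status, "missing:", missing_after(r))
```

Run it over the real verb-4 attachment instead of the constructed sample (`analyze(open("openvpn-verb4.txt").readlines())`) to get the same answer comment 5 gives by eye: every milestone up to ifconfig is present and only "completed" is missing, so the hang sits between the ifconfig call and the end of initialisation rather than in the TLS or PKCS#11 stages.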

comment:6 Changed 10 years ago by Samuli Seppänen

Version: 2.2.1 → 2.3.2

comment:7 Changed 10 years ago by vkorecky

Has there been any progress on this issue ?

comment:8 Changed 10 years ago by Gert Döring

No progress, because I think none of the developers have an OpenSC smartcard system, so we can't reproduce that.

It's clear that OpenVPN is hanging (that it just stops doing anything is highly unusual), but it's not clear where. It might be a bug in newer versions of opensc or pkcs11-helper (which is why it's not working for you on any Linux distribution).

What you could do is try two things to narrow it down

  • try compiling openVPN 2.1 on the same system, see if it happens there as well (if yes, it's opensc or pkcs11-helper and needs to be fixed there)
  • if it works for 2.1 but fails on 2.2/2.3, we broke something. In that case, please run

strace -f openvpn <normal openvpn options>

and paste the last 200 lines from there into the ticket - it should give us an indication what is happening in which component, and why it's not proceeding.

  • try raising this topic in the openvpn forum or on the openvpn-users mailing list - I'm hoping that someone else will speak up and say "it's working perfectly well for me with a XYZ smartcard" or "I have the same issue with an ABC smartcard"
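For the strace step suggested above, the useful question in the last 200 lines is which process is sitting in which system call when the trace stops. This added example (not part of the ticket or of OpenVPN) summarizes the tail of `strace -f` output per PID: a line that ends with `<unfinished ...>`, or that never reaches `= <retval>` before the trace ends, is the call that process is blocked in. The trace excerpt is constructed for illustration, with invented PIDs and file descriptors, and does not claim to show the actual cause of this ticket.

```python
"""Summarize the tail of `strace -f` output: which PID is stuck in which syscall."""
import re

# strace -f line shapes: "PID  name(args...) = ret", "PID  name(args  <unfinished ...>",
# "PID  <... name resumed> rest) = ret", "PID  +++ exited with N +++", "PID  --- SIGxxx ... ---".
SYSCALL = re.compile(r"^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<rest>.*)$")
RESUMED = re.compile(r"^(?P<pid>\d+)\s+<\.\.\. (?P<name>\w+) resumed>(?P<rest>.*)$")
EXITED = re.compile(r"^(?P<pid>\d+)\s+\+\+\+ exited with (?P<code>\d+) \+\+\+$")


def last_syscall_per_pid(lines):
    """Return {pid: {"syscall": name, "state": "blocked" | "returned" | "exited"}}
    describing each process's last recorded activity in the trace tail."""
    state = {}
    for line in lines:
        line = line.rstrip("\n")
        m = EXITED.match(line)
        if m:
            state[m["pid"]] = {"syscall": None, "state": "exited"}
            continue
        m = SYSCALL.match(line) or RESUMED.match(line)
        if not m:
            continue  # signal notices (--- SIGCHLD ... ---) and other non-syscall lines
        rest = m["rest"]
        # A completed call carries "= <retval>"; an interrupted one is marked
        # "<unfinished ...>" or is simply cut off when strace is stopped.
        finished = " = " in rest and "<unfinished ...>" not in rest
        state[m["pid"]] = {
            "syscall": m["name"],
            "state": "returned" if finished else "blocked",
        }
    return state


def blocked(lines):
    """(pid, syscall) pairs for every process still inside a system call."""
    return sorted(
        (pid, s["syscall"])
        for pid, s in last_syscall_per_pid(lines).items()
        if s["state"] == "blocked"
    )


# Constructed trace tail (invented PIDs and descriptors): a parent that forked a
# helper and is waiting on it, while the helper itself blocks on a read.
TRACE_TAIL = """\
4242  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3a1c2d9a10) = 4243
4243  close(7)                          = 0
4242  wait4(4243,  <unfinished ...>
4243  write(6, "\\0\\0\\0\\1", 4)          = 4
4243  read(5,  <unfinished ...>
""".splitlines()

if __name__ == "__main__":
    for pid, name in blocked(TRACE_TAIL):
        print(f"pid {pid} blocked in {name}()")
```

In practice, capture with `strace -f -o trace.txt openvpn <normal openvpn options>`, interrupt once the client has hung, and feed `tail -n 200 trace.txt` to `blocked()`; the output tells you whether OpenVPN is waiting on a child, a pipe, a socket or a futex, which is the "what is happening in which component" that the comment above asks for.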

comment:9 Changed 9 years ago by Samuli Seppänen

Keywords: volunteer added
Milestone: release 2.5

We could use a volunteer/volunteers here to gauge who exactly are affected by this, and to test the fix.

comment:10 Changed 4 years ago by Gert Döring

Resolution: fixed
Status: new → closed

So. Nothing has happened for the last 5 years. My suggestions to try different OpenVPN versions have not been answered, and 2.2/2.3 are end of support.

We have improved our pkcs11 handling in various places (like, commit 5fd3d1d5, "do not set pkcs11-helper safe fork mode"), which might have fixed this. That particular commit went into v2.4.8, but there is more stuff in the 2.4 train.

So - any issues with smartcards should be retried with 2.4.9 or with 2.5.0 (as soon as it is released). If still reproducible, please open a new ticket.
