Opened 7 months ago

Last modified 5 months ago

#1215 new Bug / Defect

No PIN prompt for PKCS#11

Reported by: jans Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: PKCS#11, smart card


I’m trying to use OpenVPN client with my client key stored on a Nitrokey Start (think of it as a smart card) and accessed via PKCS#11. In general it works but entering the PIN is an issue. On Linux (Ubuntu 18.04, SUSE Tumbleweed) as well as on Windows when starting OpenVPN client it waits for the PIN to be provided but doesn’t prompt the user to enter the PIN. Instead I have to open a separate terminal, telnet into the OpenVPN client and enter the PIN (tried on Linux). This is horrible user experience and I don’t think it’s the desired work flow. From what I read OpenVPN expects systemd to provide the PIN through systemd-ask-pass but systemd doesn’t prompt to enter a PIN. My impression is that systemd-ask-pass’s primarily focus is prompting for passwords during boot-time but not during run-time. Therefore I’m wondering if using systemd-ask-pass during run-time is a good idea. Since I face the same issue on Windows (where no systemd is installed, obviously) here the cause must be something else.

Looking at solving this issue I’m wondering:

a) An option for OpenVPN to enforce password prompt even when systemd exists, wouldn’t that make sense? (I couldn’t find such) In any case this is more a workaround instead of a proper solution.

b) What would be the systematic solution to that issue? Since this issue happens on Windows too, I don’t believe pushing this issue down to systemd would be the right approach.

Change History (3)

comment:1 Changed 7 months ago by jans

It seems that this is a duplicate of #538 for the systemd-part and a duplicate of #740 for the Windows-part. Sorry for that.

Last edited 7 months ago by jans (previous) (diff)

comment:2 Changed 7 months ago by selvanair

You have two unrelated issues:
First, your client config seems to have --management-query-passwords which directs openvpn to prompt for passwords and PIN from the management interface. If you want the PIN to be prompted from the command line, remove that option. That will work the way you expect on Windows and, when not using systemd, on Linux.

Second, systemd-pkcs11 interaction is currently "broken" as you noticed from #538. This is very likely fixed by a recent commit (will be available in the next release: 2.4.8) -- see

#740 is irrelevant unless you are using OpenVPN-GUI on Windows. If you are, the GUI should prompt for the PIN.

Last edited 7 months ago by selvanair (previous) (diff)

comment:3 Changed 5 months ago by Gert Döring

so, 2.4.8 is out - @jans: is this still happening?

Note: See TracTickets for help on using tickets.