Opened 2 months ago

Last modified 2 months ago

#1485 new Feature Wish

Saving PIN for OpenVPN client

Reported by: Bjoern Voigt
Owned by:
Priority: major
Milestone:
Component: Configuration
Version: OpenVPN 2.5.7 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: pkcs11, pin, authentication
Cc: Bjoern Voigt


OpenVPN supports Smart cards and multi-factor authentication. In the majority of use-cases additional authentication data for Smart cards (PINs) and for multi-factor authentication should be entered interactively.

But there are very special use cases, where interactive entry of authentication data is not possible.

One such use-case is "Start Before Logon" (see Username and password can be saved via the option "auth-user-pass" and a username/password file.

Unfortunately there is no such option for saving the PIN for Smart cards. Again, in most cases PINs should not be saved. But in the "Start Before Logon" use-case OpenVPN cannot query the PIN interactively. That's why an option to save PINs is needed, similar to "auth-user-pass". This would make it possible to configure laptops which automatically start an OpenVPN client before client, but only if the Smart card is inserted.

Change History (2)

comment:1 Changed 2 months ago by Selva Nair

If you are looking for "start Before Logon" (SBL aka PLAP) as in commercial offerings like Cisco Anyconnect, it is supported starting GUI 11.30. However, the release installers will start setting this up only when OpenVPN 2.6 is released. The feature is already usable by manually setting it up, though.

However, SBL is an interactive process and is done from the login screen before the user logs in. If the purpose is to start VPN before logon as may be required to reach a domain controller, I do not see why PIN or even password has to be saved. The whole idea of SBL implemented using a PLAP module is to make it possible for the user to interact with the VPN daemon before login. The login process requires user interaction, so why can't they also input Password, PIN etc from the PLAP dialog?

If you want to non-interactively start a tunnel independent of whether anyone is logged in or is even attempting to log in, you should not be using the SBL/PLAP feature. Just have the automatic service start the daemon with a certificate saved in the Windows cert store or provided in a file, and no user interaction is required. If that is not appropriate and a hardware token inserted by a user is required, then use PLAP and let the user enter the PIN during the pre-logon connect dialog.
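The two deployment models discussed in the ticket and the reply above, written out as an added example (not configuration from the ticket or the OpenVPN project): Variant A is the unattended, service-started tunnel with credentials on disk, the model in which "auth-user-pass" with a file already works; Variant B requires an inserted token and leaves the PIN to the interactive console, GUI or PLAP dialog. The hostname, file names, certificate subject and PKCS#11 provider path are assumptions.

```conf
# --- Variant A: unattended tunnel, nobody needs to be logged in ---
# Assumption: placed in the OpenVPN "config-auto" folder so the automatic
# service starts it at boot, with no user interaction at all.
client
dev tun
proto udp
remote vpn.example.com 1194          # assumed server
remote-cert-tls server
ca ca.crt
# Machine identity stored on disk; restrict the files to SYSTEM/Administrators.
cert laptop01.crt
key laptop01.key
# Alternative to cert/key files: a certificate in the Windows machine store
# (assumed subject name):
# cryptoapicert "SUBJ:laptop01"
# Optional second factor read from a file (line 1: username, line 2: password).
# This is the mechanism the ticket asks to extend to smart-card PINs.
auth-user-pass creds.txt

# --- Variant B: hardware token required, PIN entered interactively ---
client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
ca ca.crt
# Assumed provider path; the token's key is used via PKCS#11.
pkcs11-providers "C:\\Windows\\System32\\opensc-pkcs11.dll"
# Obtain the serialized id with: openvpn --show-pkcs11-ids <provider-path>
pkcs11-id '<serialized-id-from-show-pkcs11-ids>'
# There is no PIN-file option: the PIN is requested at connect time. With
# management-query-passwords the GUI (and its PLAP module) supplies it over
# the management interface instead of a console prompt.
management-query-passwords
# Keep the PIN in memory only briefly (seconds) so it is not reused silently.
pkcs11-pin-cache 0
```

Variant A is the "save everything, no human present" case and Variant B the "human present, token inserted" case; the ticket asks for a hybrid in which the token is present but no human is, which neither configuration can express today.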

comment:2 Changed 2 months ago by Selva Nair

Cc: Bjoern Voigt added