Context Navigation

Changes between Version 12 and Version 13 of HOWTO

Timestamp:: 07/25/14 14:38:10 (10 years ago)
Author:: Samuli Seppänen
Comment:: Fixed formatting up to "Caveats"

Legend:

: Unmodified
: Added
: Removed
: Modified

HOWTO

-                      v12
+                      v13
 = How to add dual-factor authentication to an OpenVPN configuration using client-side smart cards =
+Also see Article: The OpenVPN Smartcard HOWTO
+    About dual-factor authentication
+    What is PKCS#11?
+    Finding PKCS#11 provider library.
+    How to configure a cryptographic token
+    How to modify an OpenVPN configuration to make use of cryptographic tokens
+        Determine the correct object.
+        Using OpenVPN with PKCS#11.
+        PKCS#11 implementation considerations.
+        OpenSC PKCS#11 provider.
+    Difference between PKCS#11 and Microsoft Cryptographic API (CryptoAPI).
+About dual-factor authentication
+Also see Article: [http://acksyn.org/docs/smart-cards-openvpn.html The OpenVPN Smartcard HOWTO]
+== About dual-factor authentication ==
 Dual-factor authentication is a method of authentication that combines two elements: something you have and something you know.
 …
 If you store the secret private key in a file, the key is usually encrypted by a password. The problem with this approach is that the encrypted key is exposed to decryption attacks or spyware/malware running on the client machine. Unlike when using a cryptographic device, the file cannot erase itself automatically after several failed decryption attempts.
+What is PKCS#11?
+This standard specifies an API, called Cryptoki, to devices which hold cryptographic information and perform cryptographic functions. Cryptoki, pronounced "crypto-key" and short for cryptographic token interface, follows a simple object-based approach, addressing the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices), presenting to applications a common, logical view of the device called a cryptographic token.
+Source: RSA Security Inc. http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11.
+== What is PKCS#11? ==
+''This standard specifies an API, called Cryptoki, to devices which hold cryptographic information and perform cryptographic functions. Cryptoki, pronounced "crypto-key" and short for cryptographic token interface, follows a simple object-based approach, addressing the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices), presenting to applications a common, logical view of the device called a cryptographic token.''
+Source: RSA Security Inc. (the original, now broken link: http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11).
 To summarize, PKCS#11 is a standard that can be used by application software to access cryptographic tokens such as smart cards and other devices. Most device vendors provide a library that implements the PKCS#11 provider interface -- this library can be used by applications in order to access these devices. PKCS#11 is a cross-platform, vendor-independent free standard.
+Finding PKCS#11 provider library
+== Finding PKCS#11 provider library ==
 The first thing you need to do is to find the provider library, it should be installed with the device drivers. Each vendor has its own library. For example, the OpenSC PKCS#11 provider is located at /usr/lib/pkcs11/opensc-pkcs11.so on Unix or at opensc-pkcs11.dll on Windows.
+How to configure cryptographic token
+== How to configure cryptographic token ==
 You should follow an enrollment procedure:
     Initialize the PKCS#11 token.
     Generate RSA key pair on the PKCS#11 token.
     Create a certificate request based on the key pair, you can use OpenSC and OpenSSL in order to do that.
     Submit the certificate request to a certificate authority, and receive a certificate.
     Load the certificate onto the token, while noting that the id and label attributes of the certificate must match those of the private key.
+ * Initialize the PKCS#11 token.
+ * Generate RSA key pair on the PKCS#11 token.
+ * Create a certificate request based on the key pair, you can use OpenSC and OpenSSL in order to do that.
+ * Submit the certificate request to a certificate authority, and receive a certificate.
+ * Load the certificate onto the token, while noting that the id and label attributes of the certificate must match those of the private key.
 A configured token is a token that has a private key object and a certificate object, where both share the same id and label attributes.
 …
 Initialize a token using the following command:
     $ ./pkitool --pkcs11-slots /usr/lib/pkcs11/
     $ ./pkitool --pkcs11-init /usr/lib/pkcs11/
+{{{
+$ ./pkitool --pkcs11-slots /usr/lib/pkcs11/
+$ ./pkitool --pkcs11-init /usr/lib/pkcs11/
+}}}
 Enroll a certificate using the following command:
     $ ./pkitool --pkcs11 /usr/lib/pkcs11/   client1
+How to modify an OpenVPN configuration to make use of cryptographic tokens
+{{{
+$ ./pkitool --pkcs11 /usr/lib/pkcs11/   client1
+}}}
+== How to modify an OpenVPN configuration to make use of cryptographic tokens ==
 You should have OpenVPN 2.1 or above in order to use the PKCS#11 features.
+Determine the correct object
+=== Determine the correct object ===
 Each PKCS#11 provider can support multiple devices. In order to view the available object list you can use the following command:
+    $ openvpn --show-pkcs11-ids /usr/lib/pkcs11/
+    The following objects are available for use.
+    Each object shown below may be used as parameter to
+    --pkcs11-id option please remember to use single quote mark.
+    Certificate
+           DN:             /CN=User1
+           Serial:         490B82C4000000000075
+           Serialized id:  aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600
+Each certificate/private key pair have unique "Serialized id" string. The serialized id string of the requested certificate should be specified to the pkcs11-id option using single quote marks.
+    pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600'
+Using OpenVPN with PKCS#11
+A typical set of OpenVPN options for PKCS#11
+    pkcs11-providers /usr/lib/pkcs11/
+    pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600'
+{{{
+$ openvpn --show-pkcs11-ids /usr/lib/pkcs11/
+The following objects are available for use.
+Each object shown below may be used as parameter to
+--pkcs11-id option please remember to use single quote mark.
+Certificate
+       DN:             /CN=User1
+       Serial:         490B82C4000000000075
+       Serialized id:  aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600
+}}}
+Each certificate/private key pair have unique "Serialized id" string. The serialized id string of the requested certificate should be specified to the '''pkcs11-id''' option using single quote marks.
+{{{
+pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600'
+}}}
+=== Using OpenVPN with PKCS#11 ===
+A typical set of OpenVPN options for PKCS#11:
+{{{
+pkcs11-providers /usr/lib/pkcs11/
+pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600'
+}}}
 This will select the object which matches the pkcs11-id string.
+Advanced OpenVPN options for PKCS#11
+    pkcs11-providers /usr/lib/pkcs11/provider1.so /usr/lib/pkcs11/provider2.so
+    pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600'
+    pkcs11-pin-cache 300
+    daemon
+    auth-retry nointeract
+    management-hold
+    management-signal
+    management 127.0.0.1 8888
+    management-query-passwords
+This will load two providers into OpenVPN, use the certificate specified on pkcs11-id option, and use the management interface in order to query passwords. The daemon will resume into hold state on the event when token cannot be accessed. The token will be used for 300 seconds after which the password will be re-queried, session will disconnect if management session disconnects.
+PKCS#11 implementation considerations
+'''Advanced OpenVPN options for PKCS#11'''
+{{{
+pkcs11-providers /usr/lib/pkcs11/provider1.so /usr/lib/pkcs11/provider2.so
+pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600'
+pkcs11-pin-cache 300
+daemon
+auth-retry nointeract
+management-hold
+management-signal
+management 127.0.0.1 8888
+management-query-passwords
+}}}
+This will load two providers into OpenVPN, use the certificate specified on '''pkcs11-id''' option, and use the management interface in order to query passwords. The daemon will resume into hold state on the event when token cannot be accessed. The token will be used for 300 seconds after which the password will be re-queried, session will disconnect if management session disconnects.
+=== PKCS#11 implementation considerations ===
 Many PKCS#11 providers make use of threads, in order to avoid problems caused by implementation of LinuxThreads (setuid, chroot), it is highly recommend to upgrade to Native POSIX Thread Library (NPTL) enabled glibc if you intend to use PKCS#11.
+OpenSC PKCS#11 provider
+=== OpenSC PKCS#11 provider ===
 OpenSC PKCS#11 provider is located at /usr/lib/pkcs11/opensc-pkcs11.so on Unix or at opensc-pkcs11.dll on Windows.
+Difference between PKCS#11 and Microsoft Cryptographic API (CryptoAPI)
+== Difference between PKCS#11 and Microsoft Cryptographic API (CryptoAPI) ==
 PKCS#11 is a free, cross-platform vendor independent standard. CryptoAPI is a Microsoft specific API. Most smart card vendors provide support for both interfaces. In the Windows environment, the user should select which interface to use.
 The current implementation of OpenVPN that uses the MS CryptoAPI (cryptoapicert option) works well as long as you don't run OpenVPN as a service. If you wish to run OpenVPN in an administrative environment using a service, the implementation will not work with most smart cards because of the following reasons:
     Most smart card providers do not load certificates into the local machine store, so the implementation will be unable to access the user certificate.
     If the OpenVPN client is running as a service without direct interaction with the end-user, the service cannot query the user to provide a password for the smart card, causing the password-verification process on the smart card to fail.
+The current implementation of OpenVPN that uses the MS CryptoAPI ('''cryptoapicert''' option) works well as long as you don't run OpenVPN as a service. If you wish to run OpenVPN in an administrative environment using a service, the implementation will not work with most smart cards because of the following reasons:
+ * Most smart card providers do not load certificates into the local machine store, so the implementation will be unable to access the user certificate.
+ * If the OpenVPN client is running as a service without direct interaction with the end-user, the service cannot query the user to provide a password for the smart card, causing the password-verification process on the smart card to fail.
 Using the PKCS#11 interface, you can use smart cards with OpenVPN in any implementation, since PKCS#11 does not access Microsoft stores and does not necessarily require direct interaction with the end-user.
+Routing all client traffic (including web-traffic) through the VPN
+Overview
+= Routing all client traffic (including web-traffic) through the VPN =
+== Overview ==
 By default, when an OpenVPN client is active, only network traffic to and from the OpenVPN server site will pass over the VPN. General web browsing, for example, will be accomplished with direct connections that bypass the VPN.
 In certain cases this behavior might not be desirable -- you might want a VPN client to tunnel all network traffic through the VPN, including general internet web browsing. While this type of VPN configuration will exact a performance penalty on the client, it gives the VPN administrator more control over security policies when a client is simultaneously connected to both the public internet and the VPN at the same time.
+Implementation
+== Implementation ==
 Add the following directive to the server configuration file:
     push "redirect-gateway def1"
+{{{
+push "redirect-gateway def1"
+}}}
 If your VPN setup is over a wireless network, where all clients and the server are on the same wireless subnet, add the local flag:
     push "redirect-gateway local def1"
 Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site's HTTP proxy.
+{{{
+push "redirect-gateway local def1"
+}}}
+Pushing the '''redirect-gateway''' option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site's HTTP proxy.
 On Linux, you could use a command such as this to NAT the VPN client traffic to the internet:
     iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
 This command assumes that the VPN subnet is 10.8.0.0/24 (taken from the server directive in the OpenVPN server configuration) and that the local ethernet interface is eth0.
 When redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need handle them. This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active. For example:
     push "dhcp-option DNS 10.8.0.1"
+{{{
+iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+}}}
+This command assumes that the VPN subnet is '''10.8.0.0/24''' (taken from the '''server''' directive in the OpenVPN server configuration) and that the local ethernet interface is '''eth0'''.
+When '''redirect-gateway''' is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need handle them. This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active. For example:
+{{{
+push "dhcp-option DNS 10.8.0.1"
+}}}
 will configure Windows clients (or non-Windows clients with some extra server-side scripting) to use 10.8.0.1 as their DNS server. Any address which is reachable from clients may be used as the DNS server address.
+Caveats
+== Caveats ==
 Redirecting all network traffic through the VPN is not entirely a problem-free proposition. Here are some typical gotchas to be aware of: