714 | | Also see Article: The OpenVPN Smartcard HOWTO |
715 | | |
716 | | About dual-factor authentication |
717 | | What is PKCS#11? |
718 | | Finding PKCS#11 provider library. |
719 | | How to configure a cryptographic token |
720 | | How to modify an OpenVPN configuration to make use of cryptographic tokens |
721 | | Determine the correct object. |
722 | | Using OpenVPN with PKCS#11. |
723 | | PKCS#11 implementation considerations. |
724 | | OpenSC PKCS#11 provider. |
725 | | Difference between PKCS#11 and Microsoft Cryptographic API (CryptoAPI). |
726 | | |
727 | | About dual-factor authentication |
| 714 | Also see Article: [http://acksyn.org/docs/smart-cards-openvpn.html The OpenVPN Smartcard HOWTO] |
| 715 | |
| 716 | == About dual-factor authentication == |
740 | | What is PKCS#11? |
741 | | |
742 | | This standard specifies an API, called Cryptoki, to devices which hold cryptographic information and perform cryptographic functions. Cryptoki, pronounced "crypto-key" and short for cryptographic token interface, follows a simple object-based approach, addressing the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices), presenting to applications a common, logical view of the device called a cryptographic token. |
743 | | |
744 | | Source: RSA Security Inc. http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11. |
| 729 | |
| 730 | == What is PKCS#11? == |
| 731 | |
| 732 | ''This standard specifies an API, called Cryptoki, to devices which hold cryptographic information and perform cryptographic functions. Cryptoki, pronounced "crypto-key" and short for cryptographic token interface, follows a simple object-based approach, addressing the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices), presenting to applications a common, logical view of the device called a cryptographic token.'' |
| 733 | |
| 734 | Source: RSA Security Inc. (the original, now broken link: http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11). |
754 | | Initialize the PKCS#11 token. |
755 | | Generate RSA key pair on the PKCS#11 token. |
756 | | Create a certificate request based on the key pair, you can use OpenSC and OpenSSL in order to do that. |
757 | | Submit the certificate request to a certificate authority, and receive a certificate. |
758 | | Load the certificate onto the token, while noting that the id and label attributes of the certificate must match those of the private key. |
| 746 | * Initialize the PKCS#11 token. |
| 747 | * Generate RSA key pair on the PKCS#11 token. |
| 748 | * Create a certificate request based on the key pair, you can use OpenSC and OpenSSL in order to do that. |
| 749 | * Submit the certificate request to a certificate authority, and receive a certificate. |
| 750 | * Load the certificate onto the token, while noting that the id and label attributes of the certificate must match those of the private key. |
780 | | $ openvpn --show-pkcs11-ids /usr/lib/pkcs11/ |
781 | | |
782 | | The following objects are available for use. |
783 | | Each object shown below may be used as parameter to |
784 | | --pkcs11-id option please remember to use single quote mark. |
785 | | |
786 | | Certificate |
787 | | DN: /CN=User1 |
788 | | Serial: 490B82C4000000000075 |
789 | | Serialized id: aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600 |
790 | | |
791 | | Each certificate/private key pair have unique "Serialized id" string. The serialized id string of the requested certificate should be specified to the pkcs11-id option using single quote marks. |
792 | | |
793 | | pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600' |
794 | | |
795 | | Using OpenVPN with PKCS#11 |
796 | | A typical set of OpenVPN options for PKCS#11 |
797 | | |
798 | | pkcs11-providers /usr/lib/pkcs11/ |
799 | | pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600' |
800 | | |
| 772 | {{{ |
| 773 | $ openvpn --show-pkcs11-ids /usr/lib/pkcs11/ |
| 774 | |
| 775 | The following objects are available for use. |
| 776 | Each object shown below may be used as parameter to |
| 777 | --pkcs11-id option please remember to use single quote mark. |
| 778 | |
| 779 | Certificate |
| 780 | DN: /CN=User1 |
| 781 | Serial: 490B82C4000000000075 |
| 782 | Serialized id: aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600 |
| 783 | }}} |
| 784 | Each certificate/private key pair have unique "Serialized id" string. The serialized id string of the requested certificate should be specified to the '''pkcs11-id''' option using single quote marks. |
| 785 | {{{ |
| 786 | pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600' |
| 787 | }}} |
| 788 | |
| 789 | === Using OpenVPN with PKCS#11 === |
| 790 | |
| 791 | A typical set of OpenVPN options for PKCS#11: |
| 792 | {{{ |
| 793 | pkcs11-providers /usr/lib/pkcs11/ |
| 794 | pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600' |
| 795 | }}} |
802 | | Advanced OpenVPN options for PKCS#11 |
803 | | |
804 | | pkcs11-providers /usr/lib/pkcs11/provider1.so /usr/lib/pkcs11/provider2.so |
805 | | pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600' |
806 | | pkcs11-pin-cache 300 |
807 | | daemon |
808 | | auth-retry nointeract |
809 | | management-hold |
810 | | management-signal |
811 | | management 127.0.0.1 8888 |
812 | | management-query-passwords |
813 | | |
814 | | This will load two providers into OpenVPN, use the certificate specified on pkcs11-id option, and use the management interface in order to query passwords. The daemon will resume into hold state on the event when token cannot be accessed. The token will be used for 300 seconds after which the password will be re-queried, session will disconnect if management session disconnects. |
815 | | PKCS#11 implementation considerations |
| 797 | |
| 798 | '''Advanced OpenVPN options for PKCS#11''' |
| 799 | {{{ |
| 800 | pkcs11-providers /usr/lib/pkcs11/provider1.so /usr/lib/pkcs11/provider2.so |
| 801 | pkcs11-id 'aaaa/bbb/41545F5349474E415455524581D2A1A1B23C4AA4CB17FAF7A4600' |
| 802 | pkcs11-pin-cache 300 |
| 803 | daemon |
| 804 | auth-retry nointeract |
| 805 | management-hold |
| 806 | management-signal |
| 807 | management 127.0.0.1 8888 |
| 808 | management-query-passwords |
| 809 | }}} |
| 810 | This will load two providers into OpenVPN, use the certificate specified on '''pkcs11-id''' option, and use the management interface in order to query passwords. The daemon will resume into hold state on the event when token cannot be accessed. The token will be used for 300 seconds after which the password will be re-queried, session will disconnect if management session disconnects. |
| 811 | === PKCS#11 implementation considerations === |
825 | | The current implementation of OpenVPN that uses the MS CryptoAPI (cryptoapicert option) works well as long as you don't run OpenVPN as a service. If you wish to run OpenVPN in an administrative environment using a service, the implementation will not work with most smart cards because of the following reasons: |
826 | | |
827 | | Most smart card providers do not load certificates into the local machine store, so the implementation will be unable to access the user certificate. |
828 | | If the OpenVPN client is running as a service without direct interaction with the end-user, the service cannot query the user to provide a password for the smart card, causing the password-verification process on the smart card to fail. |
| 822 | The current implementation of OpenVPN that uses the MS CryptoAPI ('''cryptoapicert''' option) works well as long as you don't run OpenVPN as a service. If you wish to run OpenVPN in an administrative environment using a service, the implementation will not work with most smart cards because of the following reasons: |
| 823 | |
| 824 | * Most smart card providers do not load certificates into the local machine store, so the implementation will be unable to access the user certificate. |
| 825 | * If the OpenVPN client is running as a service without direct interaction with the end-user, the service cannot query the user to provide a password for the smart card, causing the password-verification process on the smart card to fail. |
850 | | |
851 | | iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE |
852 | | |
853 | | This command assumes that the VPN subnet is 10.8.0.0/24 (taken from the server directive in the OpenVPN server configuration) and that the local ethernet interface is eth0. |
854 | | |
855 | | When redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need handle them. This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active. For example: |
856 | | |
857 | | push "dhcp-option DNS 10.8.0.1" |
858 | | |
| 848 | {{{ |
| 849 | iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE |
| 850 | }}} |
| 851 | This command assumes that the VPN subnet is '''10.8.0.0/24''' (taken from the '''server''' directive in the OpenVPN server configuration) and that the local ethernet interface is '''eth0'''. |
| 852 | |
| 853 | When '''redirect-gateway''' is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need handle them. This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active. For example: |
| 854 | {{{ |
| 855 | push "dhcp-option DNS 10.8.0.1" |
| 856 | }}} |