Authenticate with non-writable Smart Card

Scripts to manage certificates or generate config files
Post Reply
bruto
OpenVPN User
Posts: 10
Joined: Sat Jan 06, 2018 12:16 pm

Authenticate with non-writable Smart Card

Post by bruto » Sat Jan 06, 2018 12:34 pm

Hello everyone and happy new year from Italy!
I'm figuring out whether it's possible or not to use an italian government "CNS" smart card in order to login into my VPN.
All the tutorials I've found online assume that you have a "writable" (unlocked?) smart card.

The setup is Ubuntu 14 + OpenVPN 2.3.2 + opensc 0.13.0
Issuing the command:

Code: Select all

openvpn --show-pkcs11-ids /usr/lib/i386-linux-gnu/opensc-pkcs11.so
Correctly shows the "Serialized id".
Anyone can help me with client and server configuration in order to use this ID and start the VPN?
The relevant section of the HOWTO

https://openvpn.net/index.php/open-sour ... ual_factor

is too technical for me.
Many thanks,
FT

bruto
OpenVPN User
Posts: 10
Joined: Sat Jan 06, 2018 12:16 pm

Re: Authenticate with non-writable Smart Card

Post by bruto » Mon Jan 08, 2018 2:43 pm

Hello everyone!
Does anybody had a similar issue?
Maybe I posted in the wrong forum?

Thank you,
Francesco

bruto
OpenVPN User
Posts: 10
Joined: Sat Jan 06, 2018 12:16 pm

Re: Authenticate with non-writable Smart Card

Post by bruto » Wed Feb 07, 2018 9:34 am

Sad that this topic raises little-to-no interest!
Italy gov. deployed a zillion of those tokens which could be used for lots of creative applications!
Anyone would dig this?

Cheers,
F.

bruto
OpenVPN User
Posts: 10
Joined: Sat Jan 06, 2018 12:16 pm

DONE

Post by bruto » Sun Feb 11, 2018 12:36 pm

Hello. I figured out.
This guide will allow you to bring up the VPN with your TS-CNS ("codice fiscale") card issued by Regione Lazio!!
My server is Centos, client is Ubuntu.
You will need the PIN of your card (you can get it at your "ASL" office...this will be the toughest step!!)

SERVER SIDE:
wget https://gist.github.com/3v1n0/e371f5816 ... v-certs.py
nano parse-gov-certs.py
change this:
DEFAULT_XML_URI = "https://applicazioni.cnipa.gov.it/TSL/IT_TSL_CNS.xml"
to this:
DEFAULT_XML_URI = "https://applicazioni.cnipa.gov.it/TSL/_IT_TSL_CNS.xml"
(note the missing underscore!)
chmod +x parse-gov-certs.py
./parse-gov-certs.py --output-folder /var/tmp/certs
cat /var/tmp/certs/*Lazio* >> /path_to_your_existing/ca.crt
This is my server.conf:

Code: Select all

port 1197
cipher AES-256-CBC
auth SHA256
proto udp4
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
client-config-dir /etc/openvpn/ccd
server 10.4.0.0 255.255.255.0
route 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
CLIENT SIDE:
[you need to install "opensc"]
Insert your smart card.
openvpn --show-pkcs11-ids /usr/lib/i386-linux-gnu/opensc-pkcs11.so | cut -d',' -f4 | grep CN | head -n1 | cut -d'=' -f2,3 | tr '/' '_'
copy the result #1 in a notepad file
openvpn --show-pkcs11-ids /usr/lib/i386-linux-gnu/opensc-pkcs11.so | grep Serialized | cut -d' ' -f11
copy the result #2 in a notepad file

SERVER SIDE:
nano /etc/openvpn/ccd/[PASTED_RESULT#1_FROM_NOTEPAD]
insert your custom client directives, this alone will be ok:
ifconfig-push 10.8.0.8 10.8.0.9

CLIENT SIDE CONFIG:

Code: Select all

client
cipher AES-256-CBC
auth SHA256
auth-nocache
dev tun
ca /path_to/ca.crt [the very same file hosted on the server]
proto udp
remote your.server.ip.address 1197
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
pkcs11-providers '/usr/lib/i386-linux-gnu/opensc-pkcs11.so'
pkcs11-id '[PASTED_RESULT#2_FROM_NOTEPAD_BETWEEN_SINGLE_QUOTES]'
DONE!!!
What could possibly go wrong?
Everything! From missing dependencies on your server and/or client, missing smart card support in your OpenVPN release, incorrect opensc-pkcs11.so path, connectivity issues, you haven't paid electricity bill, you are under the influence of drugs, etc.

Post Reply