Hello. I figured it out.
This guide will allow you to bring up the VPN with your TS-CNS ("codice fiscale") card issued by Regione Lazio!!
My server is CentOS, my client is Ubuntu.
You will need the PIN of your card (you can get it at your "ASL" office... this will be the toughest step!!)
SERVER SIDE:
wget https://gist.github.com/3v1n0/e371f5816 ... v-certs.py
nano parse-gov-certs.py
change this:
DEFAULT_XML_URI = "https://applicazioni.cnipa.gov.it/TSL/IT_TSL_CNS.xml"
to this:
DEFAULT_XML_URI = "https://applicazioni.cnipa.gov.it/TSL/_IT_TSL_CNS.xml"
(note the missing underscore!)
chmod +x parse-gov-certs.py
./parse-gov-certs.py --output-folder /var/tmp/certs
cat /var/tmp/certs/*Lazio* >> /path_to_your_existing/ca.crt
This is my server.conf:
# listen on UDP/1197, IPv4 only
port 1197
# data channel cipher and HMAC
cipher AES-256-CBC
auth SHA256
proto udp4
dev tun
# ca.crt now also contains the Regione Lazio CNS CA appended above
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# per-client directives, one file per X.509 CN (see below)
client-config-dir /etc/openvpn/ccd
# address pool for clients that have no ccd file
server 10.4.0.0 255.255.255.0
# kernel route for the addresses handed out via ifconfig-push
route 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
CLIENT SIDE:
[you need to install "opensc"]
Insert your smart card.
openvpn --show-pkcs11-ids /usr/lib/i386-linux-gnu/opensc-pkcs11.so | cut -d',' -f4 | grep CN | head -n1 | cut -d'=' -f2,3 | tr '/' '_'
copy result #1 into a notepad file
openvpn --show-pkcs11-ids /usr/lib/i386-linux-gnu/opensc-pkcs11.so | grep Serialized | cut -d' ' -f11
copy result #2 into a notepad file
SERVER SIDE:
nano /etc/openvpn/ccd/[PASTED_RESULT#1_FROM_NOTEPAD]
insert your custom client directives; this alone will be OK:
ifconfig-push 10.8.0.8 10.8.0.9
CLIENT SIDE CONFIG:
client
cipher AES-256-CBC
auth SHA256
auth-nocache
dev tun
# the very same file hosted on the server
ca /path_to/ca.crt
proto udp
remote your.server.ip.address 1197
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
pkcs11-providers '/usr/lib/i386-linux-gnu/opensc-pkcs11.so'
pkcs11-id '[PASTED_RESULT#2_FROM_NOTEPAD_BETWEEN_SINGLE_QUOTES]'
DONE!!!
What could possibly go wrong?
Everything! From missing dependencies on your server and/or client, missing smart card support in your OpenVPN release, an incorrect opensc-pkcs11.so path, connectivity issues, you haven't paid your electricity bill, you are under the influence of drugs, etc.
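A check a practitioner will want on top of this setup (an added example, not part of the original post): once the Regione Lazio CA is appended to ca.crt, every card that chains to that CA passes the TLS handshake, and the ccd file only decides which address a listed CN gets. OpenVPN's built-in `ccd-exclusive` directive is the one-line fix (clients with no ccd file are rejected); the script below does the equivalent check explicitly as a `--tls-verify` hook, which OpenVPN runs with the certificate depth and the X.509 subject as its two arguments and treats exit 0 as "accept". The allowlist path, the `ROSSI/MARIO/...` subjects and the two subject layouts handled are assumptions constructed for illustration, not taken from the post.

```shell
#!/bin/sh
# verify-cn.sh: an OpenVPN --tls-verify hook that only admits CNS cards whose
# certificate CN is on an allowlist. Added example, not from the original post.
# OpenVPN runs it as:  verify-cn.sh <depth> <x509_subject>
# and accepts the certificate when the script exits 0 (needs "script-security 2").
# Assumed path (not from the post): one CN per line, '#' lines are comments.
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed-cn.txt}"

# Pull the CN out of either subject layout OpenVPN has used:
#   "C=IT, O=Regione Lazio, CN=ROSSI/MARIO/RSSMRA80A01H501U"   (2.4+ default)
#   "/C=IT/O=Regione Lazio/CN=ROSSI/MARIO/RSSMRA80A01H501U"    (--compat-names)
# A CNS common name itself contains '/', so in the slash layout we assume the CN
# is the last RDN and keep everything after "/CN=". Sample subjects are constructed.
extract_cn() {
    subject="$1"
    case "$subject" in
        /*) printf '%s\n' "${subject#*/CN=}" ;;
        *)  cn="${subject#*CN=}"          # drop everything up to "CN="
            printf '%s\n' "${cn%%, *}" ;; # drop any following ", attr=value"
    esac
}

# Exact, whole-line match against the allowlist; an unreadable list means "nobody".
cn_allowed() {
    cn="$1"; list="$2"
    [ -r "$list" ] || return 1
    grep -v '^[[:space:]]*#' "$list" | grep -Fxq -- "$cn"
}

# The hook logic, as a function so it can be exercised without OpenVPN.
# Only depth 0 is the card itself; the CA chain is already validated by TLS.
verify() {
    depth="$1"; subject="$2"; list="${3:-$ALLOWLIST}"
    if [ "$depth" -ne 0 ]; then
        return 0
    fi
    cn=$(extract_cn "$subject")
    if cn_allowed "$cn" "$list"; then
        echo "verify-cn: accepted CN=$cn" >&2
        return 0
    fi
    echo "verify-cn: rejected CN=$cn (not in $list)" >&2
    return 1
}

# When invoked by OpenVPN (exactly two arguments) act on them; otherwise the
# functions above are merely defined, so the file can be sourced or tested.
if [ "$#" -eq 2 ]; then
    if verify "$1" "$2"; then exit 0; else exit 1; fi
fi
```

Enable it with `script-security 2` and `tls-verify /etc/openvpn/verify-cn.sh` in server.conf (both standard OpenVPN directives) and keep the ccd entries: the allowlist decides who may connect, the ccd file still decides which address they get. Since OpenVPN itself rewrites the `/` in the CN to `_` when it looks up the ccd file, the allowlist holds the raw CN while the ccd filename keeps the `tr '/' '_'` form from the guide.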