Configuration of OpenVPN with YubiKey

Moderators: TinCanTech

Andre77
OpenVpn Newbie
Posts: 2
Joined: Thu Feb 14, 2019 2:19 pm

Configuration of OpenVPN with YubiKey

Post by Andre77 » Thu Feb 14, 2019 2:35 pm

Hi,

I'd like to use OpenVPN with my YubiKey.

I've created certificates using EasyRSA, converted them to PKCS#12 format and imported them on the YubiKey. Running openvpn.exe --show-pkcs11-ids "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" gives me this output:

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             C=DE, ST=XXXXXXXX, L=XXXXXXXX, O=XXXXXXXX, OU=XXXXXXXX, CN=XXXXXXXX, emailAddress=XXXXXXXX
       Serial:         ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
       Serialized id:  pkcs11:model=PKCS%2315%20emulated;token=XXXXXXXX;manufacturer=piv_II;serial=YYYYYYYYYYY;id=%01

In my OpenVPN config file, I added these two lines:

pkcs11-providers "C:\\Program Files\\OpenSC Project\\OpenSC\\pkcs11\\opensc-pkcs11.dll"
pkcs11-id 'pkcs11:model=PKCS%2315%20emulated;token=XXXXXXXX;manufacturer=piv_II;serial=YYYYYYYYYYY;id=%01'

When I try to connect, OpenVPN comes up with this error message:

OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Windows version 6.2 (Windows 8 or greater) 64bit
library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Need hold release from management interface, waiting...
MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
MANAGEMENT: CMD 'state on'
MANAGEMENT: CMD 'log all on'
MANAGEMENT: CMD 'echo all on'
MANAGEMENT: CMD 'bytecount 5'
MANAGEMENT: CMD 'hold off'
MANAGEMENT: CMD 'hold release'
PKCS#11: Adding PKCS#11 provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
Cannot load certificate "pkcs11:model=PKCS%2315%20emulated;token=XXXXXXXX;manufacturer=piv_II;serial=YYYYYYYYYYY;id=%01" using PKCS#11 interface
SIGUSR1[soft,private-key-password-failure] received, process restarting

Do you have an idea what I can try to solve the problem?

Thanks a lot for any help.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Configuration of OpenVPN with YubiKey

Post by TinCanTech » Thu Feb 14, 2019 2:43 pm

Maybe you need to provide the password to load the certificate?

Andre77
OpenVpn Newbie
Posts: 2
Joined: Thu Feb 14, 2019 2:19 pm

Re: Configuration of OpenVPN with YubiKey

Post by Andre77 » Thu Feb 14, 2019 2:58 pm

Thanks for your reply!

I created the certificate without entering a password after running this command:

openssl.exe pkcs12 -export -out xxxxxxxx.p12 -inkey xxxxxxxx.key -in xxxxxxxx.crt -certfile ca.crt -nodes

The YubiKey should prompt me to press its button during the connection attempt, but it doesn't do anything; instead, OpenVPN fails with the mentioned error Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Configuration of OpenVPN with YubiKey

Post by TinCanTech » Thu Feb 14, 2019 3:49 pm

Andre77 wrote (Thu Feb 14, 2019 2:58 pm):
    OpenVPN fails with the mentioned error Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'.

In fact, opensc-pkcs11.dll fails:

Andre77 wrote (Thu Feb 14, 2019 2:35 pm):
    PKCS#11: Adding PKCS#11 provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
    PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'

Sorry, we have no information about this.

jako265
OpenVpn Newbie
Posts: 1
Joined: Mon Feb 17, 2020 10:43 pm

Re: Configuration of OpenVPN with YubiKey

Post by jako265 » Tue Feb 18, 2020 11:06 pm

Well, the openvpn conf file wants this Serialized id in a different format.
Try this:
From the output:
Serialized id: pkcs11:model=PKCS%2315%20emulated;token=XXXXXXXX;manufacturer=piv_II;serial=YYYYYYYYYYY;id=%01

openvpn wants it like this:

pkcs11-id 'piv_II/PKCS\x2315\x20emulated/YYYYYYYYYYYYYY/XXXXXXXX/01'

Hope this helps. It works perfectly for me.
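
The conversion jako265 describes, done mechanically rather than by hand, as an added example (this is not code from the thread, from OpenVPN or from pkcs11-helper). It parses the pkcs11: URI that --show-pkcs11-ids prints, percent-decodes each attribute, and emits the slash-separated manufacturer/model/serial/token/id form with \xHH escapes, exactly as the reply shows. The field order and the \xHH escaping are taken from the reply; which characters pass through unescaped (ASCII letters, digits, underscore, hyphen) is my assumption, as is rendering the id attribute as plain hex. The sample URI is the redacted one from the thread.

```python
from urllib.parse import unquote_to_bytes

# Field order of the legacy slash-separated pkcs11-id, taken from jako265's reply:
#   manufacturer/model/serial/token/id
# (assumption: this is the layout the older serializer expects)
FIELD_ORDER = ("manufacturer", "model", "serial", "token", "id")

# Constructed sample input: the redacted URI from the thread.
SAMPLE_URI = ("pkcs11:model=PKCS%2315%20emulated;token=XXXXXXXX;"
              "manufacturer=piv_II;serial=YYYYYYYYYYY;id=%01")


def parse_pkcs11_uri(uri: str) -> dict:
    """Split a 'pkcs11:k=v;k=v' string into {attribute: percent-decoded bytes}."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("expected a pkcs11: URI")
    attrs = {}
    for part in uri[len("pkcs11:"):].split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed attribute {part!r}")
        attrs[key] = unquote_to_bytes(value)  # %23 -> b'#', %20 -> b' ', %01 -> b'\x01'
    return attrs


def escape_legacy(value: bytes) -> str:
    """Render bytes the way the reply shows them: ASCII letters, digits, '_' and
    '-' pass through, everything else becomes \\xHH. The exact set of unescaped
    characters is an assumption, not taken from any OpenVPN source."""
    out = []
    for b in value:
        c = chr(b)
        if b < 128 and (c.isalnum() or c in "_-"):
            out.append(c)
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def to_legacy_pkcs11_id(uri: str) -> str:
    """Convert a pkcs11: URI into the manufacturer/model/serial/token/id form.
    The id attribute is emitted as plain hex (%01 -> 01), as in the reply."""
    attrs = parse_pkcs11_uri(uri)
    missing = [k for k in FIELD_ORDER if k not in attrs]
    if missing:
        raise ValueError(f"URI lacks attribute(s): {', '.join(missing)}")
    fields = [escape_legacy(attrs[k]) for k in FIELD_ORDER[:-1]]
    fields.append(attrs["id"].hex())
    return "/".join(fields)


def config_line(uri: str) -> str:
    """The single-quoted pkcs11-id directive for an OpenVPN client config."""
    return f"pkcs11-id '{to_legacy_pkcs11_id(uri)}'"


if __name__ == "__main__":
    # Prints: pkcs11-id 'piv_II/PKCS\x2315\x20emulated/YYYYYYYYYYY/XXXXXXXX/01'
    print(config_line(SAMPLE_URI))
```

Paste the printed line into the client config in place of the URI form; the script refuses URIs that lack one of the five attributes rather than emitting a partial id, so a truncated or mistyped URI fails loudly instead of producing a directive that OpenVPN would reject later.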

becm
OpenVPN User
Posts: 38
Joined: Tue Sep 01, 2020 1:27 pm

Re: Configuration of OpenVPN with YubiKey

Post by becm » Sat Sep 19, 2020 8:05 pm

If the redacted token serial actually has 16 characters, the problem (and foreseeable solution) addressed in ticket #1075 applies.
