How do I use OpenVPN along with hardware tokens?

Habelo
OpenVpn Newbie
Posts: 3
Joined: Sun Oct 30, 2022 1:14 pm

How do I use OpenVPN along with hardware tokens?

Post by Habelo » Sun Oct 30, 2022 1:55 pm

I'm struggling with finding a way to get my OpenVPN connection up and running with a key/cert pair that I imported to my Yubikey. The connection works as intended with everything in the ovpn file, but when I try my new profile that makes use of the certificate pair on the Yubikey I receive an error for which I can't find a solution anywhere. No forum posts found.

OpenVPN server: Opnsense
OpenVPN client: Windows OpenVPN Connect 3.3.6
Yubikey: Yubikey 5

Error message: External Certificate signing failed

the log entries for the failed connection attempt:

Code:

[Oct 30, 2022, 13:38:59] EVENT: CONNECTING
[Oct 30, 2022, 13:38:59] Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client
[Oct 30, 2022, 13:38:59] Creds: Username/Password
[Oct 30, 2022, 13:38:59] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OCWindows_3.3.6-2752
IV_SSO=webauth,openurl,crtext

[Oct 30, 2022, 13:38:59] EVENT: EPKI_ERROR External Certificate Signing Failed
[Oct 30, 2022, 13:38:59] Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
[Oct 30, 2022, 13:38:59] EVENT: DISCONNECTED

Things I tried:
-Following the guide on OpenVPN's website for "support of PKCS#11 physical tokens for OpenVPN Connect". That means importing the ovpn file excluding the key and cert, and putting these last two on the Yubikey in slot 9a. For this import I successfully used both yubico-piv-tool and the YubiKey Manager.
-Verifying the cert with yubico-piv-tool: successful
-Googling

It can successfully use the Yubikey, as I need to insert it and provide the correct PIN, but it sees the information in the slot as "wrong" somehow, even though the connection works fine when it's all integrated in the ovpn file.

Any help on this would be appreciated. I'd like this to work since it adds to security while being really user-friendly for a company that's already accustomed to using Yubikeys for everything.

mmrvelj
OpenVpn Newbie
Posts: 2
Joined: Sun Sep 26, 2021 12:37 pm

Re: How do I use OpenVPN along with hardware tokens?

Post by mmrvelj » Tue Dec 06, 2022 11:17 am

I have exactly the same problem. I tried both the community and the paid version of the OpenVPN server and the result is the same. It errors out with the message "EPKI_ERROR External Certificate Signing Failed".

There are not many resources or guides to find on this subject. It seems to me that, if this ever worked, it worked only in some rare cases - so this is not yet ready for the wider usage. I surely hope that I am wrong here.

Did anybody manage to setup certificates to be stored on Yubikey PIV and to use them to connect to OpenVPN server?

Habelo
OpenVpn Newbie
Posts: 3
Joined: Sun Oct 30, 2022 1:14 pm

Re: How do I use OpenVPN along with hardware tokens?

Post by Habelo » Tue Dec 06, 2022 7:39 pm

Indeed nothing to be found about it except that one guide on the openvpn website that doesn't work.

I still haven't gotten any further since, and no replies on reddit or stackoverflow either... Seems to me that really no-one is implementing this and it's not ready for use... So the only thing I can do is quote your question again:
"Did anybody manage to setup certificates to be stored on Yubikey PIV and to use them to connect to OpenVPN server?"

openvpn_inc
OpenVPN Inc.
Posts: 1124
Joined: Tue Feb 16, 2021 10:41 am

Re: How do I use OpenVPN along with hardware tokens?

Post by openvpn_inc » Tue Dec 06, 2022 8:40 pm

Hello,

These instructions are tested with each release of OpenVPN Connect v3.3 and newer for macOS and Windows with Yubikey:
https://openvpn.net/vpn-server-resource ... n-connect/

If you have problems with them, let us know what you're doing and what device you're using and any error messages you see. If there is sensitive data in the logs, use our support ticket system at https://openvpn.net/support

Good luck,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

mmrvelj
OpenVpn Newbie
Posts: 2
Joined: Sun Sep 26, 2021 12:37 pm

Re: How do I use OpenVPN along with hardware tokens?

Post by mmrvelj » Thu Dec 08, 2022 9:58 am

Finally I have made some progress.

Not sure where exactly the problem is, but I did manage to connect to the server. What I did (on Windows 11 Pro):
  • Installed the OpenSC library (v0.23, 64-bit)
  • Installed OpenVPN GUI (not OpenVPN Connect)
  • Configured the client like this:

Code:

pkcs11-providers "C:\\Program Files\\OpenSC Project\\OpenSC\\pkcs11\\opensc-pkcs11.dll"
pkcs11-id 'pkcs11:model=PKCS%2315%20emulated;token=USERID;manufacturer=piv_II;serial=SERIALVALUE;id=%ID'

  • and, probably the most important part: instead of using an ECC type of key I generated an RSA key! It did not work until I used RSA.

I used YubiKey to generate key (with YubiKey Manager GUI), exported CSR, signed it with VPN server CA, then back imported the certificate to YubiKey. Got the idea to use RSA when I saw similar error happening to people using flat file based keys and error message on server stating it "expects RSA key".

This is my recent find, so I cannot confirm that it is stable, but it's the first time I managed to get it to successfully connect. I still cannot get OpenVPN Connect to work, but there are a few things I need to test on that part.

@openvpn_inc - could you shed some light on the type of key you tested with in the instructions you mention? Is it ECC or RSA?

Update - It also works with OpenVPN Connect now. So ATM it seems to me that you need to use RSA based key, while ECC does not work in combination with YubiKey!
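The practical check that follows from this thread (both the original report and the post above) is to confirm which key type a certificate carries before loading it and its key into PIV slot 9a, since the thread's finding is that RSA works with the OpenSC PKCS#11 provider and OpenVPN Connect while ECC fails with "External Certificate Signing Failed". The script below is an added example, not code from the thread or from OpenVPN or Yubico: it parses the SubjectPublicKeyInfo of a PEM or DER X.509 certificate with the standard library only and reports RSA, EC or an unknown OID. The certificate skeletons it builds for its own demo (`synthetic_certificate`) are constructed fixtures with no real signature, used only so the parser can be exercised offline.

```python
import base64
import re

# Algorithm OIDs found in an X.509 SubjectPublicKeyInfo
# (rsaEncryption from RFC 3279, id-ecPublicKey from RFC 5480).
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"

# The same OIDs already DER-encoded; used only by the constructed demo fixtures.
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")
EC_OID_DER = bytes.fromhex("06072a8648ce3d0201")


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(der: bytes):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(der):
        tag, value, pos = _read_tlv(der, pos)
        yield tag, value


def _decode_oid(raw: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def _pem_to_der(data: bytes) -> bytes:
    """Accept PEM or DER input; return DER bytes."""
    text = data.decode("ascii", errors="ignore")
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return base64.b64decode("".join(m.group(1).split())) if m else data


def public_key_algorithm_oid(cert: bytes) -> str:
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> algorithm OID."""
    _, certificate, _ = _read_tlv(_pem_to_der(cert), 0)   # Certificate ::= SEQUENCE
    tbs = next(_children(certificate))[1]                  # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                               # optional EXPLICIT [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg_id = next(_children(fields[5][1]))[1]              # AlgorithmIdentifier ::= SEQUENCE
    tag, oid = next(_children(alg_id))
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid)


def key_type(cert: bytes) -> str:
    """Return 'RSA', 'EC' or 'unknown (<oid>)' for a PEM/DER certificate."""
    oid = public_key_algorithm_oid(cert)
    return {RSA_ENCRYPTION_OID: "RSA", EC_PUBLIC_KEY_OID: "EC"}.get(oid, "unknown (" + oid + ")")


def _der(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder (short and long form lengths) for the fixtures below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def synthetic_certificate(alg_oid_der: bytes) -> bytes:
    """Constructed, unsigned certificate skeleton (demo fixture, not a real cert)."""
    name = _der(0x30, b"")                                          # empty Name
    validity = _der(0x30, _der(0x17, b"221201000000Z") + _der(0x17, b"231201000000Z"))
    alg = _der(0x30, alg_oid_der + _der(0x05, b""))                 # AlgorithmIdentifier
    spki = _der(0x30, alg + _der(0x03, b"\x00" * 301))              # oversized: exercises long-form lengths
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


def to_pem(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # usage: python check_key_type.py client.crt
        with open(sys.argv[1], "rb") as f:
            print(key_type(f.read()))
    else:                                   # offline demo on the constructed fixtures
        print("RSA fixture:", key_type(synthetic_certificate(RSA_OID_DER)))
        print("EC fixture: ", key_type(to_pem(synthetic_certificate(EC_OID_DER))))
```

Run it against the certificate you are about to import (`python check_key_type.py client.crt`); the same information is visible under "Public Key Algorithm" in `openssl x509 -in client.crt -noout -text`. Once the RSA key and certificate are in slot 9a, `openvpn --show-pkcs11-ids <provider-path>` lists the `pkcs11-id` string to paste into the client configuration, so the id does not have to be hand-built.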

Habelo
OpenVpn Newbie
Posts: 3
Joined: Sun Oct 30, 2022 1:14 pm

Re: How do I use OpenVPN along with hardware tokens?

Post by Habelo » Mon Dec 12, 2022 12:06 pm

@openvpn_inc as stated in my first post, I have already tried to follow this guide, as it's the only real resource available on this topic. However, following this guide brings up the errors as discussed here.

@mmrvelj Well well... Seems like you found our issue! I was also using ECC keys.
Thank you for sharing your findings!
Unfortunately, changing this to RSA keys and thus reissuing every client certificate would be too big of a hassle for me. I hope they roll out an update for OpenVPN Connect to make this work with ECC as well, since the Yubikey 5 is supposed to work with ECC keys according to the Yubico website information (https://docs.yubico.com/hardware/yubike ... -apps.html).
