Unable to use hardware token (Yubikey 5C NFC) with OpenVPN 2.6.7 on pfSense

four_feet_er
OpenVpn Newbie
Posts: 1
Joined: Wed Dec 20, 2023 9:44 am

Post by four_feet_er » Wed Dec 20, 2023 10:30 am

Hello,

We are trying to set up a Yubikey 5C NFC hardware key for our OpenVPN Server on pfSense+ 23.09. We want the clients to store their cert+key in .p12 format on their Yubikey. From what I have checked, the OpenVPN Connect client has such a feature:

https://openvpn.net/vpn-server-resource ... n-connect/

Clients are saving their certificate+key pair using Yubikey Manager in slot 9a. OpenVPN version on pfSense+:

OpenVPN 2.6.7 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10


I have configured my test client and tried using this solution. I am unable to connect and I am receiving this error on the client:

Error: "Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext:BIO_read failed, cap=2640 status=-1:error:0A080006:SSL routines::EVP lib"

OpenVPN Client config:
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote ######### 31194 udp4
nobind
auth-user-pass
remote-cert-tls server
explicit-exit-notify
verb 5
<ca>
-----BEGIN CERTIFICATE-----
##########################
-----END CERTIFICATE-----
</ca>
Error in logs on server side:

Dec 20 09:41:43 ps-pfsense1-cd openvpn[89698]: Connection Attempt MULTI: multi_create_instance called
Dec 20 09:41:43 ps-pfsense1-cd openvpn[89698]: ######:25323 Note: OpenSSL hardware crypto engine functionality is not available
Dec 20 09:41:43 ps-pfsense1-cd openvpn[89698]: ######:25323 Re-using SSL/TLS context
Dec 20 09:41:43 ps-pfsense1-cd openvpn[89698]: ######:25323 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Dec 20 09:41:43 ps-pfsense1-cd openvpn[89698]: ######:25323 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Dec 20 09:41:47 ps-pfsense1-cd openvpn[89698]: MANAGEMENT: Client connected from /var/etc/openvpn/server1/sock
Dec 20 09:41:47 ps-pfsense1-cd openvpn[89698]: MANAGEMENT: CMD 'status 2'
Dec 20 09:41:47 ps-pfsense1-cd openvpn[89698]: MANAGEMENT: Client disconnected
Dec 20 09:42:21 ps-pfsense1-cd openvpn[89698]: MANAGEMENT: Client connected from /var/etc/openvpn/server1/sock
Dec 20 09:42:21 ps-pfsense1-cd openvpn[89698]: MANAGEMENT: CMD 'status 2'
Dec 20 09:42:21 ps-pfsense1-cd openvpn[89698]: MANAGEMENT: CMD 'quit'
Dec 20 09:42:21 ps-pfsense1-cd openvpn[89698]: MANAGEMENT: Client disconnected
Dec 20 09:42:44 ps-pfsense1-cd openvpn[89698]: 89.64.35.127:25323 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 20 09:42:44 ps-pfsense1-cd openvpn[89698]: 89.64.35.127:25323 TLS Error: TLS handshake failed
Dec 20 09:42:44 ps-pfsense1-cd openvpn[89698]: 89.64.35.127:25323 SIGUSR1[soft,tls-error] received, client-instance restarting
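
The packed code in the client error quoted above can be decoded rather than guessed at. The following is an added example, not code from the post or from OpenVPN or OpenSSL: a small decoder built from the constants in OpenSSL 3.0's <openssl/err.h>, run over the error line as quoted, which also checks that the packed code agrees with the library and reason text printed next to it.

```python
"""Decode the packed OpenSSL 3.x error code quoted in the client error above.
Layout and constants come from OpenSSL 3.0's <openssl/err.h>: bits 23-30 library,
bits 18-22 reason flags, bits 0-17 reason number. (OpenSSL 1.1 packed lib:func:reason
differently; the empty function field in "SSL routines::EVP lib" marks the 3.x format.)"""
import re

ERR_LIB_OFFSET, ERR_LIB_MASK = 23, 0xFF
ERR_RFLAGS_OFFSET = 18
ERR_REASON_MASK = 0x7FFFFF
ERR_RFLAG_FATAL = 0x1 << ERR_RFLAGS_OFFSET
ERR_RFLAG_COMMON = 0x2 << ERR_RFLAGS_OFFSET
ERR_SYSTEM_FLAG = 1 << 31  # errno-style codes; never set for TLS-layer errors

# ERR_LIB_* numbers (subset) with the short names used in "<LIB> lib" reasons.
LIBS = {6: "EVP", 9: "PEM", 11: "X509", 20: "SSL", 32: "BIO", 38: "ENGINE"}

# OpenSSL 3.x ERR_error_string_n() output: error:CODE:library:function:reason
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:\n]*):([^:\n]*):([^:\n]*)")


def decode_error_code(code: int) -> dict:
    """Split a packed code into library, reason flags and reason number."""
    if code & ERR_SYSTEM_FLAG:
        return {"system": True, "errno": code & 0x7FFFFFFF}
    lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
    reason = code & ERR_REASON_MASK            # what ERR_GET_REASON() returns
    common = bool(reason & ERR_RFLAG_COMMON)   # reason code shared by all libs
    fatal = bool(reason & ERR_RFLAG_FATAL)
    reason_code = reason & ((1 << ERR_RFLAGS_OFFSET) - 1)
    # A common reason equal to a library number reads "<LIB> lib": the error was
    # propagated from a call into that lower library (for the quoted error: EVP,
    # the layer that performs e.g. the handshake signature with the client key).
    reason_text = None
    if common and reason_code in LIBS:
        reason_text = f"{LIBS[reason_code]} lib"
    return {"system": False, "lib": lib, "lib_name": LIBS.get(lib, str(lib)),
            "common": common, "fatal": fatal,
            "reason_code": reason_code, "reason_text": reason_text}


def parse_openssl_error(message: str):
    """Extract error:CODE:... from a client log line, decode the code and check
    that it agrees with the library/reason text printed beside it."""
    m = ERR_RE.search(message)
    if not m:
        return None
    code = int(m.group(1), 16)
    info = decode_error_code(code)
    info.update(code=code, lib_text=m.group(2), func_text=m.group(3),
                reason_logged=m.group(4))
    info["consistent"] = info.get("reason_text") == m.group(4)
    return info
```

For the quoted line this yields library 20 (SSL) with the common reason "EVP lib", i.e. the TLS code failed inside a crypto-layer call rather than on a protocol-level check, which is the point at which a token-backed private key would show up.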

becm
OpenVPN User
Posts: 39
Joined: Tue Sep 01, 2020 1:27 pm

Re: Unable to use hardware token (Yubikey 5C NFC) with OpenVPN 2.6.7 on pfSense

Post by becm » Fri Dec 22, 2023 9:53 pm

You could try to use the classic OpenVPN client to check if the YubiKey is behaving correctly.
The modern client requires some non-trivial setup steps (as you saw in the linked doc).
Others seem to have similar issues.
