Using server-side smart cards openvpn?

Scripts to manage certificates or generate config files


hichichachac
OpenVpn Newbie
Posts: 3
Joined: Mon Feb 25, 2013 10:43 am

Using server-side smart cards openvpn?

Post by hichichachac » Tue Feb 26, 2013 8:45 am

I have successfully configured the client side to use smart card authentication to start OpenVPN, while the server side does not use a smart card.

I think that, in order to increase security, you can configure both the server and the client to use a smart card to store their digital certificates.

I tried to configure this by adding the following 2 lines at the end of the server.ovpn file (like in the client.ovpn file):
pkcs11-providers '...'
pkcs11-id '...'

Of course, when adding the two lines I put the following line:
cert server.crt

The server starts successfully (no errors) but the client fails.
I wonder if OpenVPN supports this configuration, or whether the configuration is so special that something else needs to be added?
I hope you can advise me on this, thanks.


Re: Using server-side smart cards openvpn?

Post by hichichachac » Wed Feb 27, 2013 2:19 am

1) Client uses a smartcard and server doesn't use a smartcard:
+) When OpenVPN is started, the client is asked to enter a PIN code, of course.

2) Both the server and the client use a smart card:
+) When OpenVPN is started, the server isn't asked to enter a PIN code and the server starts successfully (no errors).
+) Next, I started the OpenVPN client and it still did not get as far as being asked to enter a PIN code. The following is the log message:


Tue Feb 26 18:38:32 2013 Local Options hash (VER=V4): '69109d17'
Tue Feb 26 18:38:32 2013 Expected Remote Options hash (VER=V4): 'c0103fa8'
Tue Feb 26 18:38:32 2013 Attempting to establish TCP connection with 192.168.79.129:1194
Tue Feb 26 18:38:32 2013 TCP connection established with 192.168.79.129:1194
Tue Feb 26 18:38:32 2013 TCPv4_CLIENT link local: [undef]
Tue Feb 26 18:38:32 2013 TCPv4_CLIENT link remote: 192.168.79.129:1194
Tue Feb 26 18:39:32 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Feb 26 18:39:32 2013 TLS Error: TLS handshake failed
Tue Feb 26 18:39:32 2013 Fatal TLS error (check_tls_errors_co), restarting
Tue Feb 26 18:39:32 2013 TCP/UDP: Closing socket
Tue Feb 26 18:39:32 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 26 18:39:32 2013 Restart pause, 5 second(s)
Tue Feb 26 18:39:37 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 26 18:39:37 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb 26 18:39:37 2013 Re-using SSL/TLS context
Tue Feb 26 18:39:37 2013 LZO compression initialized
Tue Feb 26 18:39:37 2013 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 26 18:39:37 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Feb 26 18:39:37 2013 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
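A small checker for the server.ovpn edit described in the first post, added here as an example and not code from the thread or from the OpenVPN project. It assumes (not stated in the thread; verify against your OpenVPN version) that a token-backed server key needs both pkcs11-providers and pkcs11-id, that file-based cert/key lines should not remain beside them, and that the configured id should appear in the output of `openvpn --show-pkcs11-ids <provider>`; the paths and id in the test are constructed.

```shell
#!/bin/sh
# Lint an OpenVPN server config for the PKCS#11 directives used in the thread.
# Prints one finding per line; prints nothing when the config looks consistent.
# Assumptions (not from the thread): both pkcs11-providers and pkcs11-id must be
# present, each provider module must be a readable file, and file-based cert/key
# lines left beside pkcs11-providers are a conflict.
lint_pkcs11_config() {
    cfg="$1"
    # Directive values, with surrounding quotes stripped ("pkcs11-id " with a
    # trailing blank so that pkcs11-id-management is not matched by mistake).
    providers=$(sed -n 's/^[[:space:]]*pkcs11-providers[[:space:]]\{1,\}//p' "$cfg" | tr -d "'\"")
    id=$(sed -n 's/^[[:space:]]*pkcs11-id[[:space:]]\{1,\}//p' "$cfg" | tr -d "'\"")
    [ -n "$providers" ] || echo "missing: pkcs11-providers (no PKCS#11 module is loaded)"
    [ -n "$id" ] || echo "missing: pkcs11-id (no token object selected for the server key)"
    for p in $providers; do
        [ -r "$p" ] || echo "unreadable: provider module $p"
    done
    if [ -n "$providers" ]; then
        grep -q '^[[:space:]]*cert[[:space:]]' "$cfg" && echo "conflict: file-based 'cert' left beside pkcs11-providers"
        grep -q '^[[:space:]]*key[[:space:]]' "$cfg" && echo "conflict: file-based 'key' left beside pkcs11-providers"
    fi
    return 0
}

# Live check, only meaningful on the server host with openvpn installed:
# the configured pkcs11-id should be one the module actually exposes.
live_check_pkcs11_id() {
    cfg="$1"
    command -v openvpn >/dev/null 2>&1 || { echo "skip: openvpn not installed"; return 0; }
    id=$(sed -n 's/^[[:space:]]*pkcs11-id[[:space:]]\{1,\}//p' "$cfg" | tr -d "'\"")
    for p in $(sed -n 's/^[[:space:]]*pkcs11-providers[[:space:]]\{1,\}//p' "$cfg" | tr -d "'\""); do
        openvpn --show-pkcs11-ids "$p" 2>/dev/null | grep -qF "$id" \
            || echo "not found: pkcs11-id $id is not listed by $p"
    done
    return 0
}
```

Run it as `lint_pkcs11_config /etc/openvpn/server.ovpn` (assumed path) before restarting the server; an empty result from the lint plus a clean live check is what you want before looking elsewhere for the handshake failure.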
