Using server-side smartcard OpenVPN?

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

hichichachac
OpenVpn Newbie
Posts: 3
Joined: Mon Feb 25, 2013 10:43 am

Using server-side smartcard OpenVPN?

Post by hichichachac » Wed Feb 27, 2013 2:36 am

1) Client uses a smartcard and the server doesn't use a smartcard:
+) When the OpenVPN client is started, it is asked to enter a PIN code, of course.
+) I have successfully configured the client side to use smart card authentication to start OpenVPN, while the server side did not use a smart card --> the VPN tunnel was established successfully.

2) I think that, in order to increase security, you can configure both the server and the client to use a smart card to store their digital certificates:
+) I tried to configure this by adding the 2 following lines at the end of the server.ovpn file (like in the client.ovpn file):

pkcs11-providers '...'
pkcs11-id '...'
+) Of course, when adding those two lines I removed the 2 following lines:

cert server.crt
key server.key
+) When the OpenVPN server is started, it isn't asked to enter a PIN code, and the server starts successfully (no errors).
+) Next, I started the OpenVPN client, and it still was not asked to enter a PIN code. The log shows the following messages:

Tue Feb 26 18:38:32 2013 Local Options hash (VER=V4): '69109d17'
Tue Feb 26 18:38:32 2013 Expected Remote Options hash (VER=V4): 'c0103fa8'
Tue Feb 26 18:38:32 2013 Attempting to establish TCP connection with 192.168.79.129:1194
Tue Feb 26 18:38:32 2013 TCP connection established with 192.168.79.129:1194
Tue Feb 26 18:38:32 2013 TCPv4_CLIENT link local: [undef]
Tue Feb 26 18:38:32 2013 TCPv4_CLIENT link remote: 192.168.79.129:1194
Tue Feb 26 18:39:32 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Feb 26 18:39:32 2013 TLS Error: TLS handshake failed
Tue Feb 26 18:39:32 2013 Fatal TLS error (check_tls_errors_co), restarting
Tue Feb 26 18:39:32 2013 TCP/UDP: Closing socket
Tue Feb 26 18:39:32 2013 SIGUSR1[soft,tls-error] received, process restarting
Tue Feb 26 18:39:32 2013 Restart pause, 5 second(s)
Tue Feb 26 18:39:37 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 26 18:39:37 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb 26 18:39:37 2013 Re-using SSL/TLS context
Tue Feb 26 18:39:37 2013 LZO compression initialized
Tue Feb 26 18:39:37 2013 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Feb 26 18:39:37 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Feb 26 18:39:37 2013 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]

I wonder if OpenVPN supports this configuration, or if the configuration is so special that I need to add anything else?
I hope you can advise me, thanks.
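The post swaps file-based `cert`/`key` for `pkcs11-providers`/`pkcs11-id` on the server and the client log then reports "No server certificate verification method has been enabled". As an added example (not the poster's code, and not part of the OpenVPN project), the linter below parses an OpenVPN config in the same plain `option args` form, checks that exactly one TLS identity source is configured (either `cert`+`key` or the `pkcs11-*` pair, never both, never half of one) and, for a client config, that some server-certificate verification option is set so the MITM warning in the log does not appear. The provider library path and the `pkcs11-id` value in the sample configs are placeholders, and the three sample configs are constructed for this example.

```python
"""Lint an OpenVPN config for its TLS identity source and, on the client
side, for server-certificate verification. Added example, not project code."""
import shlex

# Constructed sample: server config shaped like the post describes, with
# cert/key replaced by the PKCS#11 options (provider path and id are placeholders).
SERVER_CONF = """\
port 1194
proto tcp
dev tun
ca ca.crt
dh dh1024.pem
pkcs11-providers /usr/lib/PLACEHOLDER-pkcs11.so
pkcs11-id 'PLACEHOLDER-serialized-id'
server 10.8.0.0 255.255.255.0
"""

# Constructed sample: client config that still carries cert/key next to the
# PKCS#11 options and has no server-certificate verification option, which is
# exactly the condition the "No server certificate verification method" warning reports.
CLIENT_CONF_WEAK = """\
client
proto tcp
remote 192.168.79.129 1194
ca ca.crt
cert client.crt
key client.key
pkcs11-providers /usr/lib/PLACEHOLDER-pkcs11.so
pkcs11-id 'PLACEHOLDER-serialized-id'
"""

# Constructed sample: the same client with one identity source and
# remote-cert-tls server, so the server's cert must carry the server EKU.
CLIENT_CONF_FIXED = """\
client
proto tcp
remote 192.168.79.129 1194
ca ca.crt
remote-cert-tls server
pkcs11-providers /usr/lib/PLACEHOLDER-pkcs11.so
pkcs11-id 'PLACEHOLDER-serialized-id'
"""

IDENTITY_FILE = {"cert", "key"}
IDENTITY_TOKEN = {"pkcs11-providers", "pkcs11-id", "pkcs11-id-management"}
SERVER_VERIFY = {"remote-cert-tls", "ns-cert-type", "verify-x509-name", "tls-remote", "tls-verify"}


def parse_options(text):
    """Return {option: [args, ...]} for each option line.

    '#'/';' comment lines are skipped; inline <tag>...</tag> blocks are recorded
    under their tag name with a single "<inline>" marker and their body skipped.
    """
    opts = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if block is not None:
            if line == f"</{block}>":
                block = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block = line[1:-1]
            opts.setdefault(block, []).append(["<inline>"])
            continue
        parts = shlex.split(line)  # honours the quoted pkcs11-id value
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def lint(text):
    """Return a list of findings; an empty list means the config passed."""
    opts = parse_options(text)
    found = []
    file_based = IDENTITY_FILE & opts.keys()
    token_based = IDENTITY_TOKEN & opts.keys()
    if file_based and token_based:
        found.append("both cert/key and PKCS#11 identity options present; keep only one source")
    if ("cert" in opts) != ("key" in opts):
        found.append("cert and key must be configured together")
    if "pkcs11-providers" in opts and not ({"pkcs11-id", "pkcs11-id-management"} & opts.keys()):
        found.append("pkcs11-providers set without pkcs11-id or pkcs11-id-management")
    if ({"pkcs11-id", "pkcs11-id-management"} & opts.keys()) and "pkcs11-providers" not in opts:
        found.append("pkcs11-id set without pkcs11-providers")
    if not file_based and not token_based:
        found.append("no TLS identity configured (neither cert/key nor pkcs11-*)")
    is_client = "client" in opts or "tls-client" in opts
    if is_client and not (SERVER_VERIFY & opts.keys()):
        found.append("client has no server certificate verification option (e.g. remote-cert-tls server)")
    return found


if __name__ == "__main__":
    for name, conf in [("server", SERVER_CONF), ("client-weak", CLIENT_CONF_WEAK), ("client-fixed", CLIENT_CONF_FIXED)]:
        print(name, lint(conf) or "ok")
```

Run against a real server.ovpn or client.ovpn by reading the file into `lint()`; the checks are purely syntactic, so a clean result says the option set is consistent, not that the token or provider library actually works.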
