yubico 5c smartcard authentication

francois91
OpenVpn Newbie
Posts: 1
Joined: Wed Apr 03, 2019 9:01 pm

Post by francois91 » Sat Apr 06, 2019 2:35 pm

I am struggling to start an openvpn tunnel using a smartcard (yubico 5c) to authenticate. Note: the authentication works fine if the certificate and private key are inlined in the client configuration file.

I am including below the server and client configs, and their respective logs. I am also including an excerpt of the client log with verb=255, that seems to indicate that the error first occurs inside the function '__pkcs11h_openssl_rsa_enc', due to being called with an incorrect padding parameter.

Any help or hints would be greatly appreciated.

1. SERVER CONFIG:
port 443
proto tcp-server
dev tun0
tls-server
ca easy-rsa/pki/ca.crt
cert easy-rsa/pki/issued/tx2.crt
key easy-rsa/pki/private/tx2.key
dh easy-rsa/pki/dh.pem
cipher AES-256-GCM
server 10.9.8.0 255.255.255.0
server-ipv6 my_IP6_prefix/64
comp-lzo
tls-auth /etc/openvpn/static.key 0
status openvpn-status.log
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 2606:4700:4700::1111"
verb 4
txqueuelen 1000
tls-version-max 1.2


2. CLIENT CONFIG:
client
remote server.address 443 tcp4-client
dev tun0
cipher AES-256-GCM
route-ipv6 2000::/3
tls-client
remote-cert-tls server
key-direction 1
comp-lzo
redirect-gateway def1
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
verb 4

pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
pkcs11-id piv_II/PKCS\\x2315\\x20emulated/6152072549b06be7/FG\\x2Dxps13\\x2D1/02
pkcs11-cert-private 1
pkcs11-private-mode 0

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>


3. SERVER LOG (verb 4):

Sat Apr  6 15:48:01 2019 us=408094 Current Parameter Settings:
Sat Apr  6 15:48:01 2019 us=408292   config = '/etc/openvpn/tun0.conf'
Sat Apr  6 15:48:01 2019 us=408335   mode = 1
Sat Apr  6 15:48:01 2019 us=408371   persist_config = DISABLED
Sat Apr  6 15:48:01 2019 us=408406   persist_mode = 1
Sat Apr  6 15:48:01 2019 us=408441   show_ciphers = DISABLED
Sat Apr  6 15:48:01 2019 us=408476   show_digests = DISABLED
Sat Apr  6 15:48:01 2019 us=408511   show_engines = DISABLED
Sat Apr  6 15:48:01 2019 us=408546   genkey = DISABLED
Sat Apr  6 15:48:01 2019 us=408580   key_pass_file = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=408615   show_tls_ciphers = DISABLED
Sat Apr  6 15:48:01 2019 us=408651   connect_retry_max = 0
Sat Apr  6 15:48:01 2019 us=408686 Connection profiles [0]:
Sat Apr  6 15:48:01 2019 us=408722   proto = tcp-server
Sat Apr  6 15:48:01 2019 us=408757   local = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=408791   local_port = '443'
Sat Apr  6 15:48:01 2019 us=408826   remote = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=408861   remote_port = '443'
Sat Apr  6 15:48:01 2019 us=408896   remote_float = DISABLED
Sat Apr  6 15:48:01 2019 us=408931   bind_defined = DISABLED
Sat Apr  6 15:48:01 2019 us=408966   bind_local = ENABLED
Sat Apr  6 15:48:01 2019 us=409000   bind_ipv6_only = DISABLED
Sat Apr  6 15:48:01 2019 us=409036   connect_retry_seconds = 5
Sat Apr  6 15:48:01 2019 us=409071   connect_timeout = 120
Sat Apr  6 15:48:01 2019 us=409106   socks_proxy_server = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=409141   socks_proxy_port = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=409176   tun_mtu = 1500
Sat Apr  6 15:48:01 2019 us=409211   tun_mtu_defined = ENABLED
Sat Apr  6 15:48:01 2019 us=409246   link_mtu = 1500
Sat Apr  6 15:48:01 2019 us=409281   link_mtu_defined = DISABLED
Sat Apr  6 15:48:01 2019 us=409316   tun_mtu_extra = 0
Sat Apr  6 15:48:01 2019 us=409351   tun_mtu_extra_defined = DISABLED
Sat Apr  6 15:48:01 2019 us=409386   mtu_discover_type = -1
Sat Apr  6 15:48:01 2019 us=409421   fragment = 0
Sat Apr  6 15:48:01 2019 us=409456   mssfix = 1450
Sat Apr  6 15:48:01 2019 us=409492   explicit_exit_notification = 0
Sat Apr  6 15:48:01 2019 us=409527 Connection profiles END
Sat Apr  6 15:48:01 2019 us=409562   remote_random = DISABLED
Sat Apr  6 15:48:01 2019 us=409596   ipchange = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=409631   dev = 'tun0'
Sat Apr  6 15:48:01 2019 us=409666   dev_type = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=409700   dev_node = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=409735   lladdr = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=409770   topology = 1
Sat Apr  6 15:48:01 2019 us=409805   ifconfig_local = '10.9.8.1'
Sat Apr  6 15:48:01 2019 us=409840   ifconfig_remote_netmask = '10.9.8.2'
Sat Apr  6 15:48:01 2019 us=409875   ifconfig_noexec = DISABLED
Sat Apr  6 15:48:01 2019 us=409910   ifconfig_nowarn = DISABLED
Sat Apr  6 15:48:01 2019 us=409945   ifconfig_ipv6_local = '2a01:cb04:4d8:30ff::1'
Sat Apr  6 15:48:01 2019 us=409980   ifconfig_ipv6_netbits = 64
Sat Apr  6 15:48:01 2019 us=410015   ifconfig_ipv6_remote = '2a01:cb04:4d8:30ff::2'
Sat Apr  6 15:48:01 2019 us=410051   shaper = 0
Sat Apr  6 15:48:01 2019 us=410086   mtu_test = 0
Sat Apr  6 15:48:01 2019 us=410120   mlock = DISABLED
Sat Apr  6 15:48:01 2019 us=410155   keepalive_ping = 0
Sat Apr  6 15:48:01 2019 us=410191   keepalive_timeout = 0
Sat Apr  6 15:48:01 2019 us=410226   inactivity_timeout = 0
Sat Apr  6 15:48:01 2019 us=410261   ping_send_timeout = 0
Sat Apr  6 15:48:01 2019 us=410296   ping_rec_timeout = 0
Sat Apr  6 15:48:01 2019 us=410331   ping_rec_timeout_action = 0
Sat Apr  6 15:48:01 2019 us=410366   ping_timer_remote = DISABLED
Sat Apr  6 15:48:01 2019 us=410401   remap_sigusr1 = 0
Sat Apr  6 15:48:01 2019 us=410436   persist_tun = DISABLED
Sat Apr  6 15:48:01 2019 us=410471   persist_local_ip = DISABLED
Sat Apr  6 15:48:01 2019 us=410514   persist_remote_ip = DISABLED
Sat Apr  6 15:48:01 2019 us=410550   persist_key = DISABLED
Sat Apr  6 15:48:01 2019 us=410585   passtos = DISABLED
Sat Apr  6 15:48:01 2019 us=410621   resolve_retry_seconds = 1000000000
Sat Apr  6 15:48:01 2019 us=410688   resolve_in_advance = DISABLED
Sat Apr  6 15:48:01 2019 us=410724   username = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=410759   groupname = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=410794   chroot_dir = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=410829   cd_dir = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=410864   writepid = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=410899   up_script = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=410934   down_script = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=411010   down_pre = DISABLED
Sat Apr  6 15:48:01 2019 us=411053   up_restart = DISABLED
Sat Apr  6 15:48:01 2019 us=411088   up_delay = DISABLED
Sat Apr  6 15:48:01 2019 us=411123   daemon = DISABLED
Sat Apr  6 15:48:01 2019 us=411159   inetd = 0
Sat Apr  6 15:48:01 2019 us=411193   log = DISABLED
Sat Apr  6 15:48:01 2019 us=411228   suppress_timestamps = DISABLED
Sat Apr  6 15:48:01 2019 us=411264   machine_readable_output = DISABLED
Sat Apr  6 15:48:01 2019 us=411299   nice = 0
Sat Apr  6 15:48:01 2019 us=411335   verbosity = 4
Sat Apr  6 15:48:01 2019 us=411370   mute = 0
Sat Apr  6 15:48:01 2019 us=411405   gremlin = 0
Sat Apr  6 15:48:01 2019 us=411440   status_file = 'openvpn-status.log'
Sat Apr  6 15:48:01 2019 us=411475   status_file_version = 1
Sat Apr  6 15:48:01 2019 us=411511   status_file_update_freq = 60
Sat Apr  6 15:48:01 2019 us=411546   occ = ENABLED
Sat Apr  6 15:48:01 2019 us=411581   rcvbuf = 0
Sat Apr  6 15:48:01 2019 us=411616   sndbuf = 0
Sat Apr  6 15:48:01 2019 us=411651   mark = 0
Sat Apr  6 15:48:01 2019 us=411686   sockflags = 0
Sat Apr  6 15:48:01 2019 us=411721   fast_io = DISABLED
Sat Apr  6 15:48:01 2019 us=411756   comp.alg = 2
Sat Apr  6 15:48:01 2019 us=411791   comp.flags = 1
Sat Apr  6 15:48:01 2019 us=411825   route_script = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=411861   route_default_gateway = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=411943   route_default_metric = 0
Sat Apr  6 15:48:01 2019 us=411981   route_noexec = DISABLED
Sat Apr  6 15:48:01 2019 us=412016   route_delay = 0
Sat Apr  6 15:48:01 2019 us=412052   route_delay_window = 30
Sat Apr  6 15:48:01 2019 us=412087   route_delay_defined = DISABLED
Sat Apr  6 15:48:01 2019 us=412122   route_nopull = DISABLED
Sat Apr  6 15:48:01 2019 us=412157   route_gateway_via_dhcp = DISABLED
Sat Apr  6 15:48:01 2019 us=412193   allow_pull_fqdn = DISABLED
Sat Apr  6 15:48:01 2019 us=412230   route 10.9.8.0/255.255.255.0/default (not set)/default (not set)
Sat Apr  6 15:48:01 2019 us=412266   management_addr = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=412301   management_port = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=412337   management_user_pass = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=412373   management_log_history_cache = 250
Sat Apr  6 15:48:01 2019 us=412409   management_echo_buffer_size = 100
Sat Apr  6 15:48:01 2019 us=412444   management_write_peer_info_file = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=412480   management_client_user = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=412516   management_client_group = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=412552   management_flags = 0
Sat Apr  6 15:48:01 2019 us=412587   shared_secret_file = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=412623   key_direction = 0
Sat Apr  6 15:48:01 2019 us=412659   ciphername = 'AES-256-GCM'
Sat Apr  6 15:48:01 2019 us=412694   ncp_enabled = ENABLED
Sat Apr  6 15:48:01 2019 us=412730   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sat Apr  6 15:48:01 2019 us=412765   authname = 'SHA1'
Sat Apr  6 15:48:01 2019 us=412800   prng_hash = 'SHA1'
Sat Apr  6 15:48:01 2019 us=412836   prng_nonce_secret_len = 16
Sat Apr  6 15:48:01 2019 us=412872   keysize = 0
Sat Apr  6 15:48:01 2019 us=412907   engine = DISABLED
Sat Apr  6 15:48:01 2019 us=412942   replay = ENABLED
Sat Apr  6 15:48:01 2019 us=412978   mute_replay_warnings = DISABLED
Sat Apr  6 15:48:01 2019 us=413013   replay_window = 64
Sat Apr  6 15:48:01 2019 us=413049   replay_time = 15
Sat Apr  6 15:48:01 2019 us=413084   packet_id_file = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=413119   use_iv = ENABLED
Sat Apr  6 15:48:01 2019 us=413154   test_crypto = DISABLED
Sat Apr  6 15:48:01 2019 us=413229   tls_server = ENABLED
Sat Apr  6 15:48:01 2019 us=413266   tls_client = DISABLED
Sat Apr  6 15:48:01 2019 us=413301   key_method = 2
Sat Apr  6 15:48:01 2019 us=413336   ca_file = 'easy-rsa/pki/ca.crt'
Sat Apr  6 15:48:01 2019 us=413371   ca_path = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=413407   dh_file = 'easy-rsa/pki/dh.pem'
Sat Apr  6 15:48:01 2019 us=413442   cert_file = 'easy-rsa/pki/issued/tx2.crt'
Sat Apr  6 15:48:01 2019 us=413478   extra_certs_file = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=413514   priv_key_file = 'easy-rsa/pki/private/tx2.key'
Sat Apr  6 15:48:01 2019 us=413549   pkcs12_file = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=413584   cipher_list = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=413619   cipher_list_tls13 = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=413654   tls_cert_profile = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=413689   tls_verify = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=413724   tls_export_cert = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=413760   verify_x509_type = 0
Sat Apr  6 15:48:01 2019 us=413795   verify_x509_name = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=413830   crl_file = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=413866   ns_cert_type = 0
Sat Apr  6 15:48:01 2019 us=413902   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=413938   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=413973   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414009   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414044   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414080   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414115   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414151   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414186   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414222   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414257   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414293   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414328   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414364   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414399   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414434   remote_cert_ku[i] = 0
Sat Apr  6 15:48:01 2019 us=414470   remote_cert_eku = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=414506   ssl_flags = 3072
Sat Apr  6 15:48:01 2019 us=414541   tls_timeout = 2
Sat Apr  6 15:48:01 2019 us=414577   renegotiate_bytes = -1
Sat Apr  6 15:48:01 2019 us=414613   renegotiate_packets = 0
Sat Apr  6 15:48:01 2019 us=414648   renegotiate_seconds = 3600
Sat Apr  6 15:48:01 2019 us=414684   handshake_window = 60
Sat Apr  6 15:48:01 2019 us=414719   transition_window = 3600
Sat Apr  6 15:48:01 2019 us=414754   single_session = DISABLED
Sat Apr  6 15:48:01 2019 us=414790   push_peer_info = DISABLED
Sat Apr  6 15:48:01 2019 us=414825   tls_exit = DISABLED
Sat Apr  6 15:48:01 2019 us=414860   tls_auth_file = '/etc/openvpn/static.key'
Sat Apr  6 15:48:01 2019 us=414895   tls_crypt_file = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=414931   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=414967   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415002   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415037   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415072   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415108   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415143   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415178   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415213   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415248   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415283   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415319   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415354   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415389   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415451   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415487   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:48:01 2019 us=415523   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=415559   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=415595   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=415631   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=415667   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=415702   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=415738   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=415774   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=415809   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=415845   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=415907   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=415948   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=415984   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=416041   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=416081   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=416117   pkcs11_private_mode = 00000000
Sat Apr  6 15:48:01 2019 us=416152   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416188   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416223   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416258   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416294   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416329   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416365   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416402   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416437   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416473   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416508   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416544   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416579   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416614   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416650   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416685   pkcs11_cert_private = DISABLED
Sat Apr  6 15:48:01 2019 us=416722   pkcs11_pin_cache_period = -1
Sat Apr  6 15:48:01 2019 us=416757   pkcs11_id = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=416793   pkcs11_id_management = DISABLED
Sat Apr  6 15:48:01 2019 us=416832   server_network = 10.9.8.0
Sat Apr  6 15:48:01 2019 us=416870   server_netmask = 255.255.255.0
Sat Apr  6 15:48:01 2019 us=416912   server_network_ipv6 = 2a01:cb04:4d8:30ff::
Sat Apr  6 15:48:01 2019 us=416948   server_netbits_ipv6 = 64
Sat Apr  6 15:48:01 2019 us=416986   server_bridge_ip = 0.0.0.0
Sat Apr  6 15:48:01 2019 us=417024   server_bridge_netmask = 0.0.0.0
Sat Apr  6 15:48:01 2019 us=417062   server_bridge_pool_start = 0.0.0.0
Sat Apr  6 15:48:01 2019 us=417100   server_bridge_pool_end = 0.0.0.0
Sat Apr  6 15:48:01 2019 us=417137   push_entry = 'dhcp-option DNS 1.1.1.1'
Sat Apr  6 15:48:01 2019 us=417172   push_entry = 'dhcp-option DNS 2606:4700:4700::1111'
Sat Apr  6 15:48:01 2019 us=417208   push_entry = 'tun-ipv6'
Sat Apr  6 15:48:01 2019 us=417243   push_entry = 'route 10.9.8.1'
Sat Apr  6 15:48:01 2019 us=417279   push_entry = 'topology net30'
Sat Apr  6 15:48:01 2019 us=417314   ifconfig_pool_defined = ENABLED
Sat Apr  6 15:48:01 2019 us=417352   ifconfig_pool_start = 10.9.8.4
Sat Apr  6 15:48:01 2019 us=417391   ifconfig_pool_end = 10.9.8.251
Sat Apr  6 15:48:01 2019 us=417442   ifconfig_pool_netmask = 0.0.0.0
Sat Apr  6 15:48:01 2019 us=417479   ifconfig_pool_persist_filename = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=417516   ifconfig_pool_persist_refresh_freq = 600
Sat Apr  6 15:48:01 2019 us=417552   ifconfig_ipv6_pool_defined = ENABLED
Sat Apr  6 15:48:01 2019 us=417593   ifconfig_ipv6_pool_base = 2a01:cb04:4d8:30ff::1000
Sat Apr  6 15:48:01 2019 us=417629   ifconfig_ipv6_pool_netbits = 64
Sat Apr  6 15:48:01 2019 us=417697   n_bcast_buf = 256
Sat Apr  6 15:48:01 2019 us=417736   tcp_queue_limit = 64
Sat Apr  6 15:48:01 2019 us=417772   real_hash_size = 256
Sat Apr  6 15:48:01 2019 us=417807   virtual_hash_size = 256
Sat Apr  6 15:48:01 2019 us=417842   client_connect_script = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=417878   learn_address_script = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=417913   client_disconnect_script = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=417948   client_config_dir = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=417983   ccd_exclusive = DISABLED
Sat Apr  6 15:48:01 2019 us=418018   tmp_dir = '/tmp'
Sat Apr  6 15:48:01 2019 us=418054   push_ifconfig_defined = DISABLED
Sat Apr  6 15:48:01 2019 us=418092   push_ifconfig_local = 0.0.0.0
Sat Apr  6 15:48:01 2019 us=418146   push_ifconfig_remote_netmask = 0.0.0.0
Sat Apr  6 15:48:01 2019 us=418183   push_ifconfig_ipv6_defined = DISABLED
Sat Apr  6 15:48:01 2019 us=418221   push_ifconfig_ipv6_local = ::/0
Sat Apr  6 15:48:01 2019 us=418258   push_ifconfig_ipv6_remote = ::
Sat Apr  6 15:48:01 2019 us=418294   enable_c2c = DISABLED
Sat Apr  6 15:48:01 2019 us=418329   duplicate_cn = DISABLED
Sat Apr  6 15:48:01 2019 us=418365   cf_max = 0
Sat Apr  6 15:48:01 2019 us=418400   cf_per = 0
Sat Apr  6 15:48:01 2019 us=418436   max_clients = 1024
Sat Apr  6 15:48:01 2019 us=418471   max_routes_per_client = 256
Sat Apr  6 15:48:01 2019 us=418506   auth_user_pass_verify_script = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=418541   auth_user_pass_verify_script_via_file = DISABLED
Sat Apr  6 15:48:01 2019 us=418576   auth_token_generate = DISABLED
Sat Apr  6 15:48:01 2019 us=418612   auth_token_lifetime = 0
Sat Apr  6 15:48:01 2019 us=418647   port_share_host = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=418682   port_share_port = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=418717   client = DISABLED
Sat Apr  6 15:48:01 2019 us=418752   pull = DISABLED
Sat Apr  6 15:48:01 2019 us=418787   auth_user_pass_file = '[UNDEF]'
Sat Apr  6 15:48:01 2019 us=418827 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sat Apr  6 15:48:01 2019 us=418884 library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
Sat Apr  6 15:48:01 2019 us=419173 WARNING: --keepalive option is missing from server config
Sat Apr  6 15:48:01 2019 us=420543 Diffie-Hellman initialized with 2048 bit key
Sat Apr  6 15:48:01 2019 us=421959 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr  6 15:48:01 2019 us=422036 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr  6 15:48:01 2019 us=422085 TLS-Auth MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Sat Apr  6 15:48:01 2019 us=422718 ROUTE_GATEWAY x.x.x.x/255.255.254.0 IFACE=eth1.832 HWADDR=28:10:7b:c2:5a:94
Sat Apr  6 15:48:01 2019 us=423305 TUN/TAP device tun0 opened
Sat Apr  6 15:48:01 2019 us=423499 TUN/TAP TX queue length set to 1000
Sat Apr  6 15:48:01 2019 us=423602 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Sat Apr  6 15:48:01 2019 us=423674 /sbin/ip link set dev tun0 up mtu 1500
Sat Apr  6 15:48:01 2019 us=429185 /sbin/ip addr add dev tun0 local 10.9.8.1 peer 10.9.8.2
Sat Apr  6 15:48:01 2019 us=434279 /sbin/ip -6 addr add 2a01:cb04:4d8:30ff::1/64 dev tun0
Sat Apr  6 15:48:01 2019 us=439589 /sbin/ip route add 10.9.8.0/24 via 10.9.8.2
Sat Apr  6 15:48:01 2019 us=444249 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Apr  6 15:48:01 2019 us=444390 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Apr  6 15:48:01 2019 us=444474 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Apr  6 15:48:01 2019 us=444529 Listening for incoming TCP connection on [AF_INET][undef]:443
Sat Apr  6 15:48:01 2019 us=444575 TCPv4_SERVER link local (bound): [AF_INET][undef]:443
Sat Apr  6 15:48:01 2019 us=444611 TCPv4_SERVER link remote: [AF_UNSPEC]
Sat Apr  6 15:48:01 2019 us=444662 MULTI: multi_init called, r=256 v=256
Sat Apr  6 15:48:01 2019 us=444761 IFCONFIG POOL IPv6: (IPv4) size=62, size_ipv6=65536, netbits=64, base_ipv6=2a01:cb04:4d8:30ff::1000
Sat Apr  6 15:48:01 2019 us=444864 IFCONFIG POOL: base=10.9.8.4 size=62, ipv6=1
Sat Apr  6 15:48:01 2019 us=444973 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Apr  6 15:48:01 2019 us=445080 Initialization Sequence Completed
Sat Apr  6 15:48:31 2019 us=86765 MULTI: multi_create_instance called
Sat Apr  6 15:48:31 2019 us=86973 Re-using SSL/TLS context
Sat Apr  6 15:48:31 2019 us=87070 LZO compression initializing
Sat Apr  6 15:48:31 2019 us=87389 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Sat Apr  6 15:48:31 2019 us=87496 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Apr  6 15:48:31 2019 us=87676 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Sat Apr  6 15:48:31 2019 us=87719 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Sat Apr  6 15:48:31 2019 us=87807 TCP connection established with [AF_INET]192.168.0.180:55442
Sat Apr  6 15:48:31 2019 us=87847 TCPv4_SERVER link local: (not bound)
Sat Apr  6 15:48:31 2019 us=87930 TCPv4_SERVER link remote: [AF_INET]192.168.0.180:55442
Sat Apr  6 15:48:32 2019 us=85818 192.168.0.180:55442 TLS: Initial packet from [AF_INET]192.168.0.180:55442, sid=75718a49 692e1906
Sat Apr  6 15:48:32 2019 us=153246 192.168.0.180:55442 Connection reset, restarting [0]
Sat Apr  6 15:48:32 2019 us=153344 192.168.0.180:55442 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sat Apr  6 15:48:32 2019 us=153531 TCP/UDP: Closing socket
Sat Apr  6 15:48:46 2019 us=815533 MULTI: multi_create_instance called
Sat Apr  6 15:48:46 2019 us=815700 Re-using SSL/TLS context
Sat Apr  6 15:48:46 2019 us=815746 LZO compression initializing
Sat Apr  6 15:48:46 2019 us=816017 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Sat Apr  6 15:48:46 2019 us=816108 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Apr  6 15:48:46 2019 us=816235 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Sat Apr  6 15:48:46 2019 us=816272 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Sat Apr  6 15:48:46 2019 us=816358 TCP connection established with [AF_INET]192.168.0.180:55444
Sat Apr  6 15:48:46 2019 us=816398 TCPv4_SERVER link local: (not bound)
Sat Apr  6 15:48:46 2019 us=816438 TCPv4_SERVER link remote: [AF_INET]192.168.0.180:55444
Sat Apr  6 15:48:47 2019 us=814817 192.168.0.180:55444 TLS: Initial packet from [AF_INET]192.168.0.180:55444, sid=3f48879c 37b31ccf
Sat Apr  6 15:48:47 2019 us=880620 192.168.0.180:55444 Connection reset, restarting [0]
Sat Apr  6 15:48:47 2019 us=880721 192.168.0.180:55444 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sat Apr  6 15:48:47 2019 us=880871 TCP/UDP: Closing socket
Sat Apr  6 15:51:37 2019 us=666172 TCP/UDP: Closing socket
Sat Apr  6 15:51:37 2019 us=666365 /sbin/ip route del 10.9.8.0/24
Sat Apr  6 15:51:37 2019 us=670938 Closing TUN/TAP interface
Sat Apr  6 15:51:37 2019 us=671096 /sbin/ip addr del dev tun0 local 10.9.8.1 peer 10.9.8.2
Sat Apr  6 15:51:37 2019 us=676871 /sbin/ip -6 addr del 2a01:cb04:4d8:30ff::1/64 dev tun0
Sat Apr  6 15:51:37 2019 us=720110 SIGINT[hard,] received, process exiting

4. CLIENT LOG (verb 4):

Sat Apr  6 15:51:13 2019 us=752042 Current Parameter Settings:
Sat Apr  6 15:51:13 2019 us=752084   config = '/etc/openvpn/FG-xps13-pkcs11.ovpn'
Sat Apr  6 15:51:13 2019 us=752091   mode = 0
Sat Apr  6 15:51:13 2019 us=752096   persist_config = DISABLED
Sat Apr  6 15:51:13 2019 us=752100   persist_mode = 1
Sat Apr  6 15:51:13 2019 us=752104   show_ciphers = DISABLED
Sat Apr  6 15:51:13 2019 us=752108   show_digests = DISABLED
Sat Apr  6 15:51:13 2019 us=752112   show_engines = DISABLED
Sat Apr  6 15:51:13 2019 us=752116   genkey = DISABLED
Sat Apr  6 15:51:13 2019 us=752120   key_pass_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752124   show_tls_ciphers = DISABLED
Sat Apr  6 15:51:13 2019 us=752128   connect_retry_max = 0
Sat Apr  6 15:51:13 2019 us=752132 Connection profiles [0]:
Sat Apr  6 15:51:13 2019 us=752136   proto = tcp4-client
Sat Apr  6 15:51:13 2019 us=752140   local = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752144   local_port = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752147   remote = 'vpn.server'
Sat Apr  6 15:51:13 2019 us=752151   remote_port = '443'
Sat Apr  6 15:51:13 2019 us=752155   remote_float = DISABLED
Sat Apr  6 15:51:13 2019 us=752159   bind_defined = DISABLED
Sat Apr  6 15:51:13 2019 us=752163   bind_local = DISABLED
Sat Apr  6 15:51:13 2019 us=752166   bind_ipv6_only = DISABLED
Sat Apr  6 15:51:13 2019 us=752170   connect_retry_seconds = 5
Sat Apr  6 15:51:13 2019 us=752174   connect_timeout = 120
Sat Apr  6 15:51:13 2019 us=752178   socks_proxy_server = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752182   socks_proxy_port = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752186   tun_mtu = 1500
Sat Apr  6 15:51:13 2019 us=752190   tun_mtu_defined = ENABLED
Sat Apr  6 15:51:13 2019 us=752194   link_mtu = 1500
Sat Apr  6 15:51:13 2019 us=752197   link_mtu_defined = DISABLED
Sat Apr  6 15:51:13 2019 us=752201   tun_mtu_extra = 0
Sat Apr  6 15:51:13 2019 us=752205   tun_mtu_extra_defined = DISABLED
Sat Apr  6 15:51:13 2019 us=752209   mtu_discover_type = -1
Sat Apr  6 15:51:13 2019 us=752213   fragment = 0
Sat Apr  6 15:51:13 2019 us=752217   mssfix = 1450
Sat Apr  6 15:51:13 2019 us=752221   explicit_exit_notification = 0
Sat Apr  6 15:51:13 2019 us=752225 Connection profiles END
Sat Apr  6 15:51:13 2019 us=752229   remote_random = DISABLED
Sat Apr  6 15:51:13 2019 us=752233   ipchange = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752237   dev = 'tun0'
Sat Apr  6 15:51:13 2019 us=752241   dev_type = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752245   dev_node = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752248   lladdr = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752252   topology = 1
Sat Apr  6 15:51:13 2019 us=752256   ifconfig_local = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752260   ifconfig_remote_netmask = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752264   ifconfig_noexec = DISABLED
Sat Apr  6 15:51:13 2019 us=752268   ifconfig_nowarn = DISABLED
Sat Apr  6 15:51:13 2019 us=752271   ifconfig_ipv6_local = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752275   ifconfig_ipv6_netbits = 0
Sat Apr  6 15:51:13 2019 us=752279   ifconfig_ipv6_remote = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752283   shaper = 0
Sat Apr  6 15:51:13 2019 us=752287   mtu_test = 0
Sat Apr  6 15:51:13 2019 us=752291   mlock = DISABLED
Sat Apr  6 15:51:13 2019 us=752294   keepalive_ping = 0
Sat Apr  6 15:51:13 2019 us=752298   keepalive_timeout = 0
Sat Apr  6 15:51:13 2019 us=752302   inactivity_timeout = 0
Sat Apr  6 15:51:13 2019 us=752306   ping_send_timeout = 0
Sat Apr  6 15:51:13 2019 us=752310   ping_rec_timeout = 0
Sat Apr  6 15:51:13 2019 us=752314   ping_rec_timeout_action = 0
Sat Apr  6 15:51:13 2019 us=752317   ping_timer_remote = DISABLED
Sat Apr  6 15:51:13 2019 us=752321   remap_sigusr1 = 0
Sat Apr  6 15:51:13 2019 us=752325   persist_tun = DISABLED
Sat Apr  6 15:51:13 2019 us=752329   persist_local_ip = DISABLED
Sat Apr  6 15:51:13 2019 us=752333   persist_remote_ip = DISABLED
Sat Apr  6 15:51:13 2019 us=752336   persist_key = DISABLED
Sat Apr  6 15:51:13 2019 us=752340   passtos = DISABLED
Sat Apr  6 15:51:13 2019 us=752344   resolve_retry_seconds = 1000000000
Sat Apr  6 15:51:13 2019 us=752352   resolve_in_advance = DISABLED
Sat Apr  6 15:51:13 2019 us=752356   username = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752363   groupname = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752367   chroot_dir = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752371   cd_dir = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752375   writepid = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752379   up_script = '/etc/openvpn/update-resolv-conf'
Sat Apr  6 15:51:13 2019 us=752383   down_script = '/etc/openvpn/update-resolv-conf'
Sat Apr  6 15:51:13 2019 us=752387   down_pre = DISABLED
Sat Apr  6 15:51:13 2019 us=752391   up_restart = DISABLED
Sat Apr  6 15:51:13 2019 us=752395   up_delay = DISABLED
Sat Apr  6 15:51:13 2019 us=752398   daemon = DISABLED
Sat Apr  6 15:51:13 2019 us=752402   inetd = 0
Sat Apr  6 15:51:13 2019 us=752406   log = DISABLED
Sat Apr  6 15:51:13 2019 us=752410   suppress_timestamps = DISABLED
Sat Apr  6 15:51:13 2019 us=752414   machine_readable_output = DISABLED
Sat Apr  6 15:51:13 2019 us=752418   nice = 0
Sat Apr  6 15:51:13 2019 us=752421   verbosity = 4
Sat Apr  6 15:51:13 2019 us=752425   mute = 0
Sat Apr  6 15:51:13 2019 us=752429   gremlin = 0
Sat Apr  6 15:51:13 2019 us=752433   status_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752437   status_file_version = 1
Sat Apr  6 15:51:13 2019 us=752441   status_file_update_freq = 60
Sat Apr  6 15:51:13 2019 us=752445   occ = ENABLED
Sat Apr  6 15:51:13 2019 us=752449   rcvbuf = 0
Sat Apr  6 15:51:13 2019 us=752452   sndbuf = 0
Sat Apr  6 15:51:13 2019 us=752456   mark = 0
Sat Apr  6 15:51:13 2019 us=752460   sockflags = 0
Sat Apr  6 15:51:13 2019 us=752464   fast_io = DISABLED
Sat Apr  6 15:51:13 2019 us=752468   comp.alg = 2
Sat Apr  6 15:51:13 2019 us=752472   comp.flags = 1
Sat Apr  6 15:51:13 2019 us=752475   route_script = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752479   route_default_gateway = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752483   route_default_metric = 0
Sat Apr  6 15:51:13 2019 us=752487   route_noexec = DISABLED
Sat Apr  6 15:51:13 2019 us=752491   route_delay = 0
Sat Apr  6 15:51:13 2019 us=752495   route_delay_window = 30
Sat Apr  6 15:51:13 2019 us=752499   route_delay_defined = DISABLED
Sat Apr  6 15:51:13 2019 us=752503   route_nopull = DISABLED
Sat Apr  6 15:51:13 2019 us=752507   route_gateway_via_dhcp = DISABLED
Sat Apr  6 15:51:13 2019 us=752511   allow_pull_fqdn = DISABLED
Sat Apr  6 15:51:13 2019 us=752515   [redirect_default_gateway local=0]
Sat Apr  6 15:51:13 2019 us=752519   management_addr = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752522   management_port = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752526   management_user_pass = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752530   management_log_history_cache = 250
Sat Apr  6 15:51:13 2019 us=752534   management_echo_buffer_size = 100
Sat Apr  6 15:51:13 2019 us=752538   management_write_peer_info_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752542   management_client_user = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752546   management_client_group = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752550   management_flags = 0
Sat Apr  6 15:51:13 2019 us=752554   shared_secret_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752559   key_direction = 1
Sat Apr  6 15:51:13 2019 us=752563   ciphername = 'AES-256-GCM'
Sat Apr  6 15:51:13 2019 us=752566   ncp_enabled = ENABLED
Sat Apr  6 15:51:13 2019 us=752571   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sat Apr  6 15:51:13 2019 us=752575   authname = 'SHA1'
Sat Apr  6 15:51:13 2019 us=752579   prng_hash = 'SHA1'
Sat Apr  6 15:51:13 2019 us=752582   prng_nonce_secret_len = 16
Sat Apr  6 15:51:13 2019 us=752586   keysize = 0
Sat Apr  6 15:51:13 2019 us=752590   engine = DISABLED
Sat Apr  6 15:51:13 2019 us=752594   replay = ENABLED
Sat Apr  6 15:51:13 2019 us=752598   mute_replay_warnings = DISABLED
Sat Apr  6 15:51:13 2019 us=752602   replay_window = 64
Sat Apr  6 15:51:13 2019 us=752606   replay_time = 15
Sat Apr  6 15:51:13 2019 us=752610   packet_id_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752614   use_iv = ENABLED
Sat Apr  6 15:51:13 2019 us=752618   test_crypto = DISABLED
Sat Apr  6 15:51:13 2019 us=752624   tls_server = DISABLED
Sat Apr  6 15:51:13 2019 us=752629   tls_client = ENABLED
Sat Apr  6 15:51:13 2019 us=752633   key_method = 2
Sat Apr  6 15:51:13 2019 us=752637   ca_file = '[[INLINE]]'
Sat Apr  6 15:51:13 2019 us=752641   ca_path = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752645   dh_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752648   cert_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752652   extra_certs_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752656   priv_key_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752660   pkcs12_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752664   cipher_list = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752668   cipher_list_tls13 = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752672   tls_cert_profile = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752676   tls_verify = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752680   tls_export_cert = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752684   verify_x509_type = 0
Sat Apr  6 15:51:13 2019 us=752688   verify_x509_name = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752692   crl_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752696   ns_cert_type = 0
Sat Apr  6 15:51:13 2019 us=752700   remote_cert_ku[i] = 65535
Sat Apr  6 15:51:13 2019 us=752704   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752708   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752711   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752715   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752719   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752723   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752727   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752731   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752735   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752738   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752742   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752746   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752750   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752754   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752757   remote_cert_ku[i] = 0
Sat Apr  6 15:51:13 2019 us=752762   remote_cert_eku = 'TLS Web Server Authentication'
Sat Apr  6 15:51:13 2019 us=752766   ssl_flags = 0
Sat Apr  6 15:51:13 2019 us=752770   tls_timeout = 2
Sat Apr  6 15:51:13 2019 us=752774   renegotiate_bytes = -1
Sat Apr  6 15:51:13 2019 us=752778   renegotiate_packets = 0
Sat Apr  6 15:51:13 2019 us=752782   renegotiate_seconds = 3600
Sat Apr  6 15:51:13 2019 us=752786   handshake_window = 60
Sat Apr  6 15:51:13 2019 us=752790   transition_window = 3600
Sat Apr  6 15:51:13 2019 us=752794   single_session = DISABLED
Sat Apr  6 15:51:13 2019 us=752798   push_peer_info = DISABLED
Sat Apr  6 15:51:13 2019 us=752801   tls_exit = DISABLED
Sat Apr  6 15:51:13 2019 us=752805   tls_auth_file = '[[INLINE]]'
Sat Apr  6 15:51:13 2019 us=752809   tls_crypt_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=752813   pkcs11_providers = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Sat Apr  6 15:51:13 2019 us=752817   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752821   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752825   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752829   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752833   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752837   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752841   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752845   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752849   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752852   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752856   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752860   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752864   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752868   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752874   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752878   pkcs11_protected_authentication = DISABLED
Sat Apr  6 15:51:13 2019 us=752882   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752886   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752890   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752894   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752898   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752902   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752906   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752909   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752913   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752917   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752921   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752925   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752928   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752932   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752936   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752940   pkcs11_private_mode = 00000000
Sat Apr  6 15:51:13 2019 us=752944   pkcs11_cert_private = ENABLED
Sat Apr  6 15:51:13 2019 us=752948   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752951   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752955   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752959   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752963   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752967   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752971   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752974   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752978   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752982   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752986   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752990   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752993   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=752997   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=753001   pkcs11_cert_private = DISABLED
Sat Apr  6 15:51:13 2019 us=753005   pkcs11_pin_cache_period = -1
Sat Apr  6 15:51:13 2019 us=753009   pkcs11_id = 'piv_II/PKCS\x2315\x20emulated/6152072549b06be7/FG\x2Dxps13\x2D1/02'
Sat Apr  6 15:51:13 2019 us=753013   pkcs11_id_management = DISABLED
Sat Apr  6 15:51:13 2019 us=753018   server_network = 0.0.0.0
Sat Apr  6 15:51:13 2019 us=753022   server_netmask = 0.0.0.0
Sat Apr  6 15:51:13 2019 us=753030   server_network_ipv6 = ::
Sat Apr  6 15:51:13 2019 us=753035   server_netbits_ipv6 = 0
Sat Apr  6 15:51:13 2019 us=753039   server_bridge_ip = 0.0.0.0
Sat Apr  6 15:51:13 2019 us=753043   server_bridge_netmask = 0.0.0.0
Sat Apr  6 15:51:13 2019 us=753048   server_bridge_pool_start = 0.0.0.0
Sat Apr  6 15:51:13 2019 us=753052   server_bridge_pool_end = 0.0.0.0
Sat Apr  6 15:51:13 2019 us=753056   ifconfig_pool_defined = DISABLED
Sat Apr  6 15:51:13 2019 us=753061   ifconfig_pool_start = 0.0.0.0
Sat Apr  6 15:51:13 2019 us=753065   ifconfig_pool_end = 0.0.0.0
Sat Apr  6 15:51:13 2019 us=753071   ifconfig_pool_netmask = 0.0.0.0
Sat Apr  6 15:51:13 2019 us=753076   ifconfig_pool_persist_filename = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=753080   ifconfig_pool_persist_refresh_freq = 600
Sat Apr  6 15:51:13 2019 us=753084   ifconfig_ipv6_pool_defined = DISABLED
Sat Apr  6 15:51:13 2019 us=753088   ifconfig_ipv6_pool_base = ::
Sat Apr  6 15:51:13 2019 us=753092   ifconfig_ipv6_pool_netbits = 0
Sat Apr  6 15:51:13 2019 us=753096   n_bcast_buf = 256
Sat Apr  6 15:51:13 2019 us=753100   tcp_queue_limit = 64
Sat Apr  6 15:51:13 2019 us=753105   real_hash_size = 256
Sat Apr  6 15:51:13 2019 us=753108   virtual_hash_size = 256
Sat Apr  6 15:51:13 2019 us=753112   client_connect_script = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=753119   learn_address_script = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=753123   client_disconnect_script = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=753127   client_config_dir = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=753130   ccd_exclusive = DISABLED
Sat Apr  6 15:51:13 2019 us=753134   tmp_dir = '/tmp'
Sat Apr  6 15:51:13 2019 us=753138   push_ifconfig_defined = DISABLED
Sat Apr  6 15:51:13 2019 us=753143   push_ifconfig_local = 0.0.0.0
Sat Apr  6 15:51:13 2019 us=753147   push_ifconfig_remote_netmask = 0.0.0.0
Sat Apr  6 15:51:13 2019 us=753151   push_ifconfig_ipv6_defined = DISABLED
Sat Apr  6 15:51:13 2019 us=753156   push_ifconfig_ipv6_local = ::/0
Sat Apr  6 15:51:13 2019 us=753160   push_ifconfig_ipv6_remote = ::
Sat Apr  6 15:51:13 2019 us=753164   enable_c2c = DISABLED
Sat Apr  6 15:51:13 2019 us=753168   duplicate_cn = DISABLED
Sat Apr  6 15:51:13 2019 us=753172   cf_max = 0
Sat Apr  6 15:51:13 2019 us=753176   cf_per = 0
Sat Apr  6 15:51:13 2019 us=753180   max_clients = 1024
Sat Apr  6 15:51:13 2019 us=753184   max_routes_per_client = 256
Sat Apr  6 15:51:13 2019 us=753188   auth_user_pass_verify_script = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=753192   auth_user_pass_verify_script_via_file = DISABLED
Sat Apr  6 15:51:13 2019 us=753196   auth_token_generate = DISABLED
Sat Apr  6 15:51:13 2019 us=753200   auth_token_lifetime = 0
Sat Apr  6 15:51:13 2019 us=753203   port_share_host = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=753207   port_share_port = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=753211   client = ENABLED
Sat Apr  6 15:51:13 2019 us=753215   pull = ENABLED
Sat Apr  6 15:51:13 2019 us=753219   auth_user_pass_file = '[UNDEF]'
Sat Apr  6 15:51:13 2019 us=753224 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sat Apr  6 15:51:13 2019 us=753232 library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
Sat Apr  6 15:51:13 2019 us=753281 PKCS#11: Adding PKCS#11 provider '/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
Sat Apr  6 15:51:13 2019 us=833128 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr  6 15:51:16 2019 us=530388 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr  6 15:51:16 2019 us=530432 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr  6 15:51:16 2019 us=530447 LZO compression initializing
Sat Apr  6 15:51:16 2019 us=530530 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Sat Apr  6 15:51:16 2019 us=533547 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Apr  6 15:51:16 2019 us=533590 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Sat Apr  6 15:51:16 2019 us=533598 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1552,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Sat Apr  6 15:51:16 2019 us=533615 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:443
Sat Apr  6 15:51:16 2019 us=533634 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Apr  6 15:51:16 2019 us=533642 Attempting to establish TCP connection with [AF_INET]x.x.x.x:443 [nonblock]
Sat Apr  6 15:51:17 2019 us=533832 TCP connection established with [AF_INET]x.x.x.x:443
Sat Apr  6 15:51:17 2019 us=533873 TCPv4_CLIENT link local: (not bound)
Sat Apr  6 15:51:17 2019 us=533882 TCPv4_CLIENT link remote: [AF_INET]x.x.x.x:443
Sat Apr  6 15:51:17 2019 us=536504 TLS: Initial packet from [AF_INET]x.x.x.x:443, sid=a6c278b2 4a76b2e3
Sat Apr  6 15:51:17 2019 us=599756 VERIFY OK: depth=1, CN=FG-CA
Sat Apr  6 15:51:17 2019 us=599907 VERIFY KU OK
Sat Apr  6 15:51:17 2019 us=599920 Validating certificate extended key usage
Sat Apr  6 15:51:17 2019 us=599927 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Apr  6 15:51:17 2019 us=599939 VERIFY EKU OK
Sat Apr  6 15:51:17 2019 us=599945 VERIFY OK: depth=0, CN=tx2
Sat Apr  6 15:51:17 2019 us=600307 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Sat Apr  6 15:51:17 2019 us=600320 TLS_ERROR: BIO read tls_read_plaintext error
Sat Apr  6 15:51:17 2019 us=600326 TLS Error: TLS object -> incoming plaintext read error
Sat Apr  6 15:51:17 2019 us=600331 TLS Error: TLS handshake failed
Sat Apr  6 15:51:17 2019 us=600381 Fatal TLS error (check_tls_errors_co), restarting
Sat Apr  6 15:51:17 2019 us=600447 TCP/UDP: Closing socket
Sat Apr  6 15:51:17 2019 us=600481 SIGUSR1[soft,tls-error] received, process restarting
Sat Apr  6 15:51:17 2019 us=600499 Restart pause, 5 second(s)
Sat Apr  6 15:51:22 2019 us=75382 SIGINT[hard,init_instance] received, process exiting
5. CLIENT LOG (snippet with verb 255):

Sat Apr  6 15:57:20 2019 us=467260 Incoming Ciphertext -> TLS
Sat Apr  6 15:57:20 2019 us=467271 SSL state (connect): SSLv3/TLS read server hello
Sat Apr  6 15:57:20 2019 us=467468 VERIFY OK: depth=1, CN=FG-CA
Sat Apr  6 15:57:20 2019 us=467598 VERIFY KU OK
Sat Apr  6 15:57:20 2019 us=467609 Validating certificate extended key usage
Sat Apr  6 15:57:20 2019 us=467615 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Apr  6 15:57:20 2019 us=467620 VERIFY EKU OK
Sat Apr  6 15:57:20 2019 us=467625 VERIFY OK: depth=0, CN=tx2
Sat Apr  6 15:57:20 2019 us=467650 SSL state (connect): SSLv3/TLS read server certificate
Sat Apr  6 15:57:20 2019 us=467735 SSL state (connect): SSLv3/TLS read server key exchange
Sat Apr  6 15:57:20 2019 us=467763 SSL state (connect): SSLv3/TLS read server certificate request
Sat Apr  6 15:57:20 2019 us=467771 SSL state (connect): SSLv3/TLS read server done
Sat Apr  6 15:57:20 2019 us=467845 SSL state (connect): SSLv3/TLS write client certificate
Sat Apr  6 15:57:20 2019 us=468012 SSL state (connect): SSLv3/TLS write client key exchange
Sat Apr  6 15:57:20 2019 us=468053 PKCS#11: __pkcs11h_openssl_rsa_enc entered - flen=256, from=0x559d078d6e70, to=0x559d078d6bc0, rsa=0x559d078b3630, padding=3
Sat Apr  6 15:57:20 2019 us=468060 PKCS#11: __pkcs11h_openssl_rsa_enc - return rv=112-'CKR_MECHANISM_INVALID'
Sat Apr  6 15:57:20 2019 us=468070 SSL alert (write): fatal: internal error
Sat Apr  6 15:57:20 2019 us=468085 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Sat Apr  6 15:57:20 2019 us=468092 TLS_ERROR: BIO read tls_read_plaintext error
Sat Apr  6 15:57:20 2019 us=468097 TLS Error: TLS object -> incoming plaintext read error
Sat Apr  6 15:57:20 2019 us=468101 TLS Error: TLS handshake failed
Sat Apr  6 15:57:20 2019 us=468106 PID packet_id_free
Sat Apr  6 15:57:20 2019 us=468133 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x559d078d58b0, ptr=(nil), ad=0x559d078d5918, idx=2, argl=0, argp=0x7fe74e2053dd
Sat Apr  6 15:57:20 2019 us=468148 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x559d078d4b10, ptr=(nil), ad=0x559d078d4b78, idx=2, argl=0, argp=0x7fe74e2053dd

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: yubico 5c smartcard authentication

Post by TinCanTech » Sat Apr 06, 2019 9:28 pm

francois91 wrote:
Sat Apr 06, 2019 2:35 pm
OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
The problem is in OpenSSL
francois91 wrote:
Sat Apr 06, 2019 2:35 pm
PKCS#11: __pkcs11h_openssl_rsa_enc entered - flen=256, from=0x559d078d6e70, to=0x559d078d6bc0, rsa=0x559d078b3630, padding=3
us=468060 PKCS#11: __pkcs11h_openssl_rsa_enc - return rv=112-'CKR_MECHANISM_INVALID'
Sorry .. we do not have a solution for you.

asomers
OpenVpn Newbie
Posts: 1
Joined: Wed Dec 11, 2019 4:57 pm

Re: yubico 5c smartcard authentication

Post by asomers » Wed Dec 11, 2019 5:09 pm

Perhaps you don't have a solution, but do you have a workaround? Is there _any_ SSL library that is known to work with OpenVPN and PKCS#11 ?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: yubico 5c smartcard authentication

Post by TinCanTech » Wed Dec 11, 2019 6:34 pm

asomers wrote:
Wed Dec 11, 2019 5:09 pm
Is there _any_ SSL library that is known to work with OpenVPN and PKCS#11 ?
Yes, openssl. The problem here, though, is your Yubico device; maybe old drivers, or maybe openvpn has not kept up with all those devices out there. Sorry, openvpn is free and maintained by volunteers, so you know what they say: "You get what you pay for", and nobody paid for this.
asomers wrote:
Wed Dec 11, 2019 5:09 pm
Perhaps you don't have a solution, but do you have a workaround?
as you pointed out yourself here:
francois91 wrote:
Sat Apr 06, 2019 2:35 pm
the authentication works fine if the certificate and private key are inlined in the client configuration file
That is the work around.

Unless you want to get Yubico to come meet the openvpn developers and get the work done.

becm
OpenVPN User
Posts: 40
Joined: Tue Sep 01, 2020 1:27 pm

Re: yubico 5c smartcard authentication

Post by becm » Tue Sep 01, 2020 4:03 pm

I think this was your mail to the OpenSSL mailing list that was discussed on openvpn-devel?

The software component throwing an error is pkcs11-helper, where Selva introduced a fix to support another padding format.
The change landed in pkcs11-helper 1.26, so according to the mentioned discussion that's all you should need to get it to work.

Most distributions, however, have not yet updated to that version, so you might have to compile this library yourself.
The only platform where OpenVPN has control over this is Windows, where this problem is currently being addressed as well.
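
What francois91's verb-255 trace shows, and what becm's pointer to the padding-format fix in pkcs11-helper 1.26 means, worked through as an added example (this is not code from OpenVPN, pkcs11-helper, OpenSSL or OpenSC). The padding value in the trace is an OpenSSL rsa.h constant: 3 is RSA_NO_PADDING, and flen=256 is the full length of a 2048-bit modulus, so OpenSSL had already built the padded block itself and only wanted a raw private-key operation. OpenSSL 1.1.1 does exactly that for RSA-PSS signatures: it produces the EMSA-PSS encoding in software and then calls the RSA method with RSA_NO_PADDING, and a TLS 1.2 CertificateVerify between two 1.1.1 peers will normally pick an rsa_pss_rsae scheme; that is the most likely reading of why the inlined key (signed in software) works while the token path fails. A glue layer that only maps RSA_PKCS1_PADDING to CKM_RSA_PKCS has to refuse such a call, and CKR_MECHANISM_INVALID (0x70, printed as 112) is that refusal, raised before the token is even asked; the 1.26 change is taken here to map RSA_NO_PADDING to CKM_RSA_X_509 (raw RSA on the token). The simulated token, the two glue-layer variants, the Mersenne-prime toy key, the fixed PSS salt and the transcript bytes are all constructed for the demo; the OpenSSL padding constants, the PKCS#11 numbers and the SHA-256 DigestInfo prefix are the real values.

```python
import hashlib, re

# OpenSSL <openssl/rsa.h> padding modes handed to RSA_METHOD->rsa_priv_enc
RSA_PKCS1_PADDING = 1   # caller passes DigestInfo; the token adds type-01 padding
RSA_NO_PADDING = 3      # caller passes a full k-byte block; the token does raw RSA
PADDING_NAMES = {1: "RSA_PKCS1_PADDING", 3: "RSA_NO_PADDING"}
# PKCS#11 return codes and mechanisms
CKR_OK, CKR_DATA_LEN_RANGE, CKR_MECHANISM_INVALID = 0x00, 0x21, 0x70   # 0x70 == 112
CKM_RSA_PKCS, CKM_RSA_X_509 = 0x01, 0x03
# Toy RSA key from two Mersenne primes, ~1128-bit modulus (enough for SHA-256 PSS).
# Constructed for this demo only; it is not a usable key.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes; the "flen" of a raw call
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


class Token:
    """Simulated PIV token behind opensc-pkcs11.so offering both RSA mechanisms."""
    mechanisms = {CKM_RSA_PKCS, CKM_RSA_X_509}

    def sign(self, mechanism, data):
        if mechanism not in self.mechanisms:
            return CKR_MECHANISM_INVALID, None
        if mechanism == CKM_RSA_PKCS:   # the token applies 00 01 FF..FF 00 itself
            data = b"\x00\x01" + b"\xff" * (K - len(data) - 3) + b"\x00" + data
        if len(data) != K:              # CKM_RSA_X_509 input must already be k bytes
            return CKR_DATA_LEN_RANGE, None
        sig = pow(int.from_bytes(data, "big"), D, N)
        return CKR_OK, sig.to_bytes(K, "big")

def rsa_priv_enc(token, data, padding, raw_supported):
    """Model of the glue hook (__pkcs11h_openssl_rsa_enc in the log).
    raw_supported=False: only RSA_PKCS1_PADDING has a mechanism; anything else is
    refused with CKR_MECHANISM_INVALID before the token is asked (pre-1.26).
    raw_supported=True: RSA_NO_PADDING -> CKM_RSA_X_509 (taken to be the 1.26 fix)."""
    if padding == RSA_PKCS1_PADDING:
        return token.sign(CKM_RSA_PKCS, data)
    if padding == RSA_NO_PADDING and raw_supported:
        return token.sign(CKM_RSA_X_509, data)
    return CKR_MECHANISM_INVALID, None

def mgf1(seed, length):
    blocks = (hashlib.sha256(seed + c.to_bytes(4, "big")).digest() for c in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def emsa_pss_encode(message, em_bits, salt):
    """RFC 8017 9.1.1 with SHA-256/MGF1; salt is a parameter so results are reproducible."""
    h_len, em_len = 32, (em_bits + 7) // 8
    if em_len < h_len + len(salt) + 2:
        raise ValueError("modulus too small for this hash and salt")
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(message).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - h_len - 1)))
    masked = bytes([masked[0] & (0xFF >> (8 * em_len - em_bits))]) + masked[1:]
    return masked + h + b"\xbc"

def pkcs1_v15_digest_info(message):
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()

def tls12_certificate_verify(token, transcript, raw_supported, pss=True):
    """Client side of tls_construct_cert_verify with an RSA key.
    pss=True : rsa_pss_rsae_sha256 (OpenSSL 1.1.1's preference when the peer offers it):
               PSS encoding in software, then rsa_priv_enc with RSA_NO_PADDING.
    pss=False: rsa_pkcs1_sha256: DigestInfo in software, RSA_PKCS1_PADDING, token pads."""
    if pss:
        em = emsa_pss_encode(transcript, N.bit_length() - 1, salt=b"\x5a" * 32)
        return rsa_priv_enc(token, em, RSA_NO_PADDING, raw_supported)
    return rsa_priv_enc(token, pkcs1_v15_digest_info(transcript), RSA_PKCS1_PADDING, raw_supported)

def rsa_public(signature):
    """Raw public operation: recovers the block the token actually signed."""
    return pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")

def parse_pkcs11h_trace(lines):
    """Pull padding and rv out of the verb-255 __pkcs11h_openssl_rsa_enc lines."""
    text = "\n".join(lines)
    pad = re.search(r"__pkcs11h_openssl_rsa_enc entered .*padding=(\d+)", text)
    rv = re.search(r"__pkcs11h_openssl_rsa_enc - return rv=(\d+)", text)
    return {"padding": int(pad.group(1)) if pad else None, "rv": int(rv.group(1)) if rv else None}

if __name__ == "__main__":
    trace = parse_pkcs11h_trace([   # constructed copies of the two lines in the post
        "PKCS#11: __pkcs11h_openssl_rsa_enc entered - flen=256, from=0x1, to=0x2, rsa=0x3, padding=3",
        "PKCS#11: __pkcs11h_openssl_rsa_enc - return rv=112-'CKR_MECHANISM_INVALID'"])
    print("log: padding=%d (%s), rv=%d" % (trace["padding"], PADDING_NAMES[trace["padding"]], trace["rv"]))
    for raw in (False, True):
        rv, sig = tls12_certificate_verify(Token(), b"handshake transcript", raw_supported=raw)
        print("glue maps RSA_NO_PADDING to CKM_RSA_X_509: %s -> rv=%d" % (raw, rv))
```

Run it and the pre-1.26 path fails with rv=112 before the simulated token is consulted, while the 1.26-style mapping produces a signature whose raw public operation recovers the PSS block byte for byte; the PKCS#1 v1.5 path succeeds with either glue variant, which is why the failure only surfaces for the PSS scheme. Against real hardware the corresponding check is whether the token's PKCS#11 module lists CKM_RSA_X_509 among its mechanisms: a token that does not offer raw RSA cannot serve an RSA_NO_PADDING request however the glue layer maps it.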
