I'm on a mission to get two-factor authentication with PKCS11 smartcard tokens working with OpenVPN. I was unpleasantly surprised when I realized this is not supported in the proprietary Access Server (AS) offering.
I still want to use the AS (just for its easy configuration interface), so my solution is to use the community version client (W32) to connect to the AS.
My solution works well, but my problem is that I'm not really sure whether it is secure. I will briefly take you through the steps here, and maybe someone can confirm that it is a stupid solution.

I'm using a Feitian ePass PKI token for key storage.
- In AS, add a user with Autologin. The reason for autologin is that I want the user to provide only the token and the token PIN; no other username/password should be prompted.
- Extract a unified autologin config with crt and key from the console on AS:
  /usr/local/openvpn_as/scripts/sacli -a openvpn -o . --user myusername --cn myusername getautologin
- Extract the crt and key from the produced client.ovpn and put them in client.crt and client.key respectively.
- Make a PKCS12 file of crt and key that can be imported into the token:
  openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
- Import client.p12 to the token.
- Modify client.ovpn to use PKCS11:
  Remove <cert/> and <key/>.
  Add: pkcs11-providers "C:\\Windows\system32\ftsc_csp11.dll"
  Add: pkcs11-id <serial ID of imported key>
- Use OpenVPN GUI 1.0.3 with the patched PKCS11 PIN popup from http://www.ziggurat29.com/
Johan
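The steps above, from the unified autologin profile to a PKCS11 profile, as an added shell example (not Johan's script and not OpenVPN's own tooling). It assumes the profile carries the inline `<cert>`/`<key>` blocks that `sacli ... getautologin` emits, and it ends with the check a reviewer would want: that no private-key material is left in the profile that ships to the client. The sample profile, the placeholder PEM bodies and the pkcs11-id value are constructed; the provider DLL path is the one from the post.

```shell
#!/bin/sh
# Added example: convert an Access Server autologin profile (inline cert/key)
# into a PKCS11 profile, then verify no plaintext key remains in it.
# The profile below is constructed; its PEM bodies are placeholders.

# Print the body of an inline <tag>...</tag> block from a unified profile.
# $1 = tag (cert or key), $2 = profile file.
extract_inline_block() {
    awk -v tag="$1" '
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { inside = 0; next }
        inside               { print }
    ' "$2"
}

# Write a copy of the profile with the <cert> and <key> blocks removed and
# the pkcs11 directives appended. Values are passed via the environment so
# awk does not interpret backslashes in the Windows DLL path.
# $1 = input profile, $2 = provider DLL path, $3 = serialized pkcs11-id.
to_pkcs11_profile() {
    PROV="$2" ID="$3" awk '
        /^<(cert|key)>$/   { skip = 1; next }
        /^<\/(cert|key)>$/ { skip = 0; next }
        skip               { next }
        { print }
        END {
            printf "pkcs11-providers \"%s\"\n", ENVIRON["PROV"]
            printf "pkcs11-id '"'"'%s'"'"'\n", ENVIRON["ID"]
        }
    ' "$1"
}

# Succeed (exit 0) if the profile still contains private-key material,
# either as an inline <key> block or as a bare PEM private key.
profile_has_plaintext_key() {
    grep -Eq '^<key>$|PRIVATE KEY-----' "$1"
}

# Build the PKCS12 bundle for token import (needs real PEM files, not the
# placeholders used in the demo). $1 = crt, $2 = key, $3 = output .p12.
build_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3"
}

# After the import succeeded, remove the plaintext key copies that the
# export step created on disk. Uses shred where available.
scrub_plaintext_key_material() {
    for f in "$@"; do
        if command -v shred >/dev/null 2>&1; then shred -u "$f"; else rm -f "$f"; fi
    done
}

# Constructed sample profile shaped like an AS autologin export.
make_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CLIENT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CLIENT-KEY-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
EOF
}

# Demo run on the constructed profile (no token or openssl required).
work=$(mktemp -d)
make_sample_profile "$work/client.ovpn"
extract_inline_block cert "$work/client.ovpn" > "$work/client.crt"
extract_inline_block key  "$work/client.ovpn" > "$work/client.key"
to_pkcs11_profile "$work/client.ovpn" 'C:\\Windows\system32\ftsc_csp11.dll' \
    'SERIALIZED-ID-PLACEHOLDER' > "$work/client-pkcs11.ovpn"
if profile_has_plaintext_key "$work/client-pkcs11.ovpn"; then
    echo "private key material still present in profile" >&2
else
    echo "profile rewritten without inline key:"
    cat "$work/client-pkcs11.ovpn"
fi
```

On a real export, run `build_pkcs12 client.crt client.key client.p12` on the extracted files, import the bundle into the token, then call `scrub_plaintext_key_material client.key client.p12` and the original autologin profile: the key was generated by the AS and written to disk in the clear, so the token only adds protection once those copies are gone. Replace the pkcs11-id placeholder with the value the client reports for the imported object.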