OpenVPN with smart cards / crypto tokens HOWTO

export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

Note that we are using 2048 bit keys.
By default, all keys will be generated in the /etc/openvpn/easy-rsa/keys folder.

Install your settings in the OpenSSL configuration:

source ./vars

Step 3: clean previous configurations

Warning: this will remove the key directory, including previous CAs and keys. Don't clean your configuration unless you know precisely what you are doing.

./clean-all

Step 4: create a DH key

Create the shared Diffie-Hellman (DH) parameters used to secure the key exchange:
Warning: on slow computers, this can take 15 minutes.

./build-dh

This creates a file named dh2048.pem in /etc/openvpn/easy-rsa/keys.

Step 5: create CA

Generate the Certificate Authority (CA):

pkitool --init-ca

Two files are created in the keys folder:
ca.key: CA private key.
ca.crt: CA X.509 certificate.

Step 6: create server certificate

Generate the server key (Moon):

$ pkitool --server server

Three files are generated:
server.key: server RSA private key.
server.crt: server X.509 certificate.
server.csr: server signing request (no need to keep it).

Step 7: create client certificate on disk

Generate the client key (Road warrior). The PKCS#12 file includes all the information needed for the later import to the smartcard.

pkitool --pkcs12 client

Enter your password twice to secure the PKCS#12 file.
Four files are generated:
client.key: client RSA private key.
client.crt: client X.509 certificate.
client.csr: client signing request (no need to keep it).
client.p12: PKCS#12 file including the RSA private key, the X.509 certificate and the CA certificate.

Step 8: transfer client certificates to smartcard

Now we need to transfer the PKCS#12 file to the smartcard. All steps are described in the Quickstarter Guide.
You may need to erase and format the smartcard and adapt the PIN code and label.
Warning: you will lose all content:

$ pkcs15-init -E
$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --label "François Pérou"

Copyright GOOZE 2010-2011 http://www.gooze.eu 4 / 8


Import the client certificate:

pkcs15-init --store-private-key client.p12 --format pkcs12 --auth-id 01 --pin 0000
Using reader with a card: Feitian SCR301 00 00
Please enter passphrase to unlock secret key:
Importing 2 certificates:
0: /C=FR/ST=95/L=Montmorency/O=GOOZE/CN=client/emailAddress=openvpn@gooze.eu
1: /C=FR/ST=95/L=Montmorency/O=GOOZE/CN=GOOZE CA/emailAddress=openvpn@gooze.eu

Now, dump the content of the smartcard:

$ pkcs15-tool --dump
Using reader with a card: Feitian SCR301 00 00
PKCS#15 Card [François Pérou]:
    Version        : 0
    Serial number  : 3023492517080710
    Manufacturer ID: EnterSafe
    Last update    : 20110416173513Z
    Flags          : EID compliant

PIN [User PIN]
    Object Flags   : [0x3], private, modifiable
    ID             : 01
    Flags          : [0x32], local, initialized, needs-padding
    Length         : min_len:4, max_len:16, stored_len:16
    Pad char       : 0x00
    Reference      : 1
    Type           : ascii-numeric
    Path           : 3f005015

Private RSA Key [Private Key]
    Object Flags   : [0x3], private, modifiable
    Usage          : [0xC], sign, signRecover
    Access Flags   : [0x0]
    ModLength      : 2048
    Key ref        : 1 (0x1)
    Native         : yes
    Path           : 3f005015
    Auth ID        : 01
    ID             : fa6642b43f1fffa234062d10de583fd6455a962f
    GUID           : {fa6642b4-3f1f-ffa2-3406-2d10de583fd6}

X.509 Certificate [/C=FR/ST=95/L=Montmorency/O=GOOZE/CN=client/emailAddress=openvpn@gooze.eu]
    Object Flags   : [0x2], modifiable
    Authority      : no
    Path           : 3f0050153100
    ID             : fa6642b43f1fffa234062d10de583fd6455a962f
    GUID           : {fa6642b4-3f1f-ffa2-3406-2d10de583fd6}
    Encoded serial : 02 01 02

X.509 Certificate [/C=FR/ST=95/L=Montmorency/O=GOOZE/CN=GOOZE CA/emailAddress=openvpn@gooze.eu]
    Object Flags   : [0x2], modifiable
    Authority      : yes
    Path           : 3f0050153101
    ID             : efc7893a44c581de8fa476831c46c06c447cf8b1
    GUID           : {efc7893a-44c5-81de-8fa4-76831c46c06c}
    Encoded serial : 02 09 008085F62ACE424CED

OpenVPN configuration with smart cards on Moon (server)

Copy the credentials to the /etc/openvpn folder:
dh2048.pem
ca.crt
server.crt
server.key

Create the following file: /etc/openvpn/tun1.conf

server
dev tun1
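The pkcs11-id line that the client configuration needs is built from the token's manufacturer, model, serial number, label and key ID; OpenVPN prints it directly with openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so. The Python helper below is an added example, not part of this HOWTO, that derives the same string from the pkcs15-tool --dump output above and also checks that the client certificate and the private key on the card share one ID (the CA certificate has no key). It assumes that OpenSC reports the token model as PKCS#15, that the onepin profile names the token "<card label> (User PIN)", and that every byte outside [A-Za-z0-9] is escaped as \xHH, the rule visible in the pkcs11-id value this HOWTO uses.

```python
import re

# pkcs15-tool --dump output, constructed from the values shown in this HOWTO and
# abbreviated to the fields the builder needs (tab-indented, as pkcs15-tool prints it).
SAMPLE_DUMP = """\
PKCS#15 Card [François Pérou]:
\tSerial number  : 3023492517080710
\tManufacturer ID: EnterSafe
Private RSA Key [Private Key]
\tID             : fa6642b43f1fffa234062d10de583fd6455a962f
X.509 Certificate [/C=FR/ST=95/L=Montmorency/O=GOOZE/CN=client/emailAddress=openvpn@gooze.eu]
\tAuthority      : no
\tID             : fa6642b43f1fffa234062d10de583fd6455a962f
X.509 Certificate [/C=FR/ST=95/L=Montmorency/O=GOOZE/CN=GOOZE CA/emailAddress=openvpn@gooze.eu]
\tAuthority      : yes
\tID             : efc7893a44c581de8fa476831c46c06c447cf8b1
"""

def parse_dump(text):
    """Return [(header, {field: value})]: unindented lines open an object, indented 'Name : value' lines fill it."""
    objects = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            objects.append((line.strip().rstrip(":"), {}))
        elif objects:
            key, _, val = line.strip().partition(":")
            objects[-1][1][key.strip()] = val.strip()
    return objects

def escape(field):
    """Escape one pkcs11-id field: every UTF-8 byte outside [A-Za-z0-9] becomes \\xHH (rule inferred from this HOWTO)."""
    return "".join(chr(b) if b < 128 and chr(b).isalnum() else "\\x%02X" % b
                   for b in field.encode("utf-8"))

def build_pkcs11_id(dump_text, model="PKCS#15"):
    """Return manufacturer/model/serial/token-label/KEYID for the end-entity certificate that has a private key."""
    objects = parse_dump(dump_text)
    header, card = next((h, o) for h, o in objects if h.startswith("PKCS#15 Card"))
    # onepin profile: the PKCS#11 token label is "<card label> (User PIN)" (assumption)
    token_label = re.search(r"\[(.*)\]", header).group(1) + " (User PIN)"
    key_ids = {o["ID"] for h, o in objects if h.startswith("Private RSA Key")}
    cert_ids = [o["ID"] for h, o in objects
                if h.startswith("X.509 Certificate") and o.get("Authority") == "no"]
    usable = [i for i in cert_ids if i in key_ids]  # the CA certificate has no key on the card
    if len(usable) != 1:
        raise ValueError("expected one certificate with a matching private key, found %d" % len(usable))
    fields = (card["Manufacturer ID"], model, card["Serial number"], token_label, usable[0].upper())
    return "/".join(escape(f) for f in fields)
```

Paste the returned value, in single quotes, after pkcs11-id in the client configuration; a ValueError means the card holds no certificate whose private key was imported, so the pkcs15-init step must be repeated before going further.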


remote moon.mydomain.com
ifconfig 10.9.8.4 10.9.8.3
nobind
persist-key
persist-tun
ca ca.crt
pkcs11-providers /usr/lib/libopensc-pkcs11.so
pkcs11-id 'EnterSafe/PKCS\x2315/3023492517080710/Jean\x2DMichel\x20Pour\xC3\xA9\x20\x28User\x20PIN\x29/FA6642B43F1FFFA234062D10DE583FD6455A962F'
comp-lzo

Test your configuration:

openvpn --config /etc/openvpn/tun1.conf --verb 2
Sun Apr 17 22:30:12 2011 OpenVPN 2.1.3 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Apr 12 2011
Sun Apr 17 22:30:12 2011 PKCS#11: Adding PKCS#11 provider '/usr/lib/opensc-pkcs11.so'
Sun Apr 17 22:30:33 2011 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Sun Apr 17 22:30:33 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm [4] for more info.
Sun Apr 17 22:30:33 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 17 22:30:33 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 17 22:30:33 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Sun Apr 17 22:30:33 2011 Local Options hash (VER=V4): '3514370b'
Sun Apr 17 22:30:33 2011 Expected Remote Options hash (VER=V4): '239669a8'
Sun Apr 17 22:30:33 2011 UDPv4 link local: [undef]
Sun Apr 17 22:30:33 2011 UDPv4 link remote: [AF_INET]**.**.**.**:1194
Sun Apr 17 22:30:34 2011 VERIFY OK: depth=1, /C=FR/ST=95/L=Montmorency/O=GOOZE/CN=GOOZE_CA/emailAddress=openvpn@gooze.eu
Sun Apr 17 22:30:34 2011 VERIFY OK: depth=0, /C=FR/ST=95/L=Montmorency/O=GOOZE/CN=server/emailAddress=openvpn@gooze.eu
Enter François Pérou (User PIN) token Password:
Sun Apr 17 22:30:46 2011 WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.9.8.4 10.9.8.3'
Sun Apr 17 22:30:46 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 17 22:30:46 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 17 22:30:46 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 17 22:30:46 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 17 22:30:46 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Apr 17 22:30:46 2011 [server] Peer Connection Initiated with [AF_INET]**.**.**.**:1194
Sun Apr 17 22:30:48 2011 TUN/TAP device tun1 opened
Sun Apr 17 22:30:48 2011 /sbin/ifconfig tun1 10.9.8.4 pointopoint 10.9.8.3 mtu 1500
Sun Apr 17 22:31:09 2011 Initialization Sequence Completed

You will be asked to enter your PIN code.
Test the VPN using ping.

Tuning configuration

Reaching the subnet on the Moon server: assuming that the Moon server is on subnet 192.168.2.0, add the following line to your client configuration:

route 192.168.2.0 255.255.255.0

References and links

How to build a tunnel with OpenVPN and CAcert-certificates [5] on the CAcert wiki.
OpenVPN PKCS#11 configuration [6] in the OpenVPN manual.

Licence of this document

This document is available under the by-nc-nd Creative Commons Licence [7]:
OpenVPN with smart cards / crypto tokens HOWTO by Gooze cryptographic web shop [8] is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License [7].


Permissions beyond the scope of this license may be available at http://www.gooze.eu/howto/openvpn-with-smart-cards-crypto-tokens-howto/licence-of-this-document [9]. You may contact the original author GOOZE [10] for approval.
When you share this work, publish a link with the following text: "An updated and collaborative version of this document is available at the following page" and add a link to:
URL of this document: http://www.gooze.eu/howto/openvpn-with-smart-cards-crypto-tokens-howto [11]
OR to the PDF download page: http://www.gooze.eu/printpdf/book/export/html/191 [12]
Copyright GOOZE.EU 2011.
Source URL: http://www.gooze.eu/howto/openvpn-with-smart-cards-crypto-tokens-howto

Links:
[1] http://www.gooze.eu/feitian-pki-smartcard-ftcos-pk-01c
[2] http://www.gooze.eu/feitian-epass-pki-token
[3] http://www.gooze.eu/howto/smart-card-quickstarter-guide
[4] http://openvpn.net/howto.html#mitm
[5] http://wiki.cacert.org/openVPN
[6] http://openvpn.net/index.php/open-source/documentation/howto.html#pkcs11_openvpn_config
[7] http://creativecommons.org/licenses/by-nc-nd/3.0/
[8] http://www.gooze.eu
[9] http://www.gooze.eu/howto/openvpn-with-smart-cards-crypto-tokens-howto/licence-of-this-document
[10] http://www.gooze.eu/contact
[11] http://www.gooze.eu/howto/openvpn-with-smart-cards-crypto-tokens-howto
[12] http://www.gooze.eu/printpdf/book/export/html/191
