OpenVPN with smart cards / crypto tokens HOWTO

remote moon.mydomain.com
ifconfig 10.9.8.4 10.9.8.3
nobind
persist-key
persist-tun
ca ca.crt
pkcs11-providers /usr/lib/libopensc-pkcs11.so
pkcs11-id 'EnterSafe/PKCS\x2315/3023492517080710/Jean\x2DMichel\x20Pour\xC3\xA9\x20\x28User\x20PIN\x29/FA6642B43F1FFFA234062D10DE583FD6455A962F'
comp-lzo

Test your configuration:

openvpn --config /etc/openvpn/tun1.conf --verb 2

Sun Apr 17 22:30:12 2011 OpenVPN 2.1.3 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Apr 12 2011
Sun Apr 17 22:30:12 2011 PKCS#11: Adding PKCS#11 provider '/usr/lib/opensc-pkcs11.so'
Sun Apr 17 22:30:33 2011 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Sun Apr 17 22:30:33 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm [4] for more info.
Sun Apr 17 22:30:33 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 17 22:30:33 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 17 22:30:33 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Sun Apr 17 22:30:33 2011 Local Options hash (VER=V4): '3514370b'
Sun Apr 17 22:30:33 2011 Expected Remote Options hash (VER=V4): '239669a8'
Sun Apr 17 22:30:33 2011 UDPv4 link local: [undef]
Sun Apr 17 22:30:33 2011 UDPv4 link remote: [AF_INET]**.**.**.**:1194
Sun Apr 17 22:30:34 2011 VERIFY OK: depth=1, /C=FR/ST=95/L=Montmorency/O=GOOZE/CN=GOOZE_CA/emailAddress=openvpn@gooze.eu
Sun Apr 17 22:30:34 2011 VERIFY OK: depth=0, /C=FR/ST=95/L=Montmorency/O=GOOZE/CN=server/emailAddress=openvpn@gooze.eu
Enter François Pérou (User PIN) token Password:
Sun Apr 17 22:30:46 2011 WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.9.8.4 10.9.8.3'
Sun Apr 17 22:30:46 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 17 22:30:46 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 17 22:30:46 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 17 22:30:46 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 17 22:30:46 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Apr 17 22:30:46 2011 [server] Peer Connection Initiated with [AF_INET]**.**.**.**:1194
Sun Apr 17 22:30:48 2011 TUN/TAP device tun1 opened
Sun Apr 17 22:30:48 2011 /sbin/ifconfig tun1 10.9.8.4 pointopoint 10.9.8.3 mtu 1500
Sun Apr 17 22:31:09 2011 Initialization Sequence Completed

You will be asked to enter your PIN code.

Test the VPN using ping.

Tuning configuration

Reaching the subnet on Moon server:

Assuming that Moon server is on subnet 192.168.2.0, add the following line to your client:

route 192.168.2.0 255.255.255.0

References and links

How to build a tunnel with OpenVPN and CAcert-certificates [5] on CAcert wiki.
OpenVPN PKCS#11 configuration [6] in OpenVPN manual.

Licence of this document

This document is available under the by-nc-nd Creative Commons Licence: [7]

OpenVPN with smart cards / crypto tokens HOWTO by Gooze cryptographic web shop [8] is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License [7].

Copyright GOOZE 2010-2011 http://www.gooze.eu
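The pkcs11-id in the client configuration above is the pkcs11-helper serialization of manufacturer, model, serial, token label and certificate id, joined with '/' and with special bytes written as \xHH escapes; the added example below (my own code, not part of the HOWTO) decodes it so the label can be compared with the PIN prompt, and scans a --verb 2 log for the two warnings that appear in the test run. The advice strings and the sample log are constructed here; 'remote-cert-tls server' is the standard OpenVPN option for the MITM warning the log references.

```python
import re

# pkcs11-id value taken from the HOWTO's client config above (page value, not constructed)
PKCS11_ID = (
    "EnterSafe/PKCS\\x2315/3023492517080710/"
    "Jean\\x2DMichel\\x20Pour\\xC3\\xA9\\x20\\x28User\\x20PIN\\x29/"
    "FA6642B43F1FFFA234062D10DE583FD6455A962F"
)
FIELDS = ("manufacturer", "model", "serial", "token_label", "cert_id")

def unescape(field: str) -> str:
    """Replace each \\xHH escape with that byte, then decode the bytes as UTF-8."""
    raw = re.sub(rb"\\x([0-9A-Fa-f]{2})",
                 lambda m: bytes([int(m.group(1), 16)]),
                 field.encode("ascii"))
    return raw.decode("utf-8")

def decode_pkcs11_id(pkcs11_id: str) -> dict:
    """Split the serialized id on '/' (a '/' inside a field is escaped, so it survives)."""
    parts = pkcs11_id.split("/")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, (unescape(p) for p in parts)))

# Messages from the HOWTO's --verb 2 output that deserve attention; the advice is mine.
CHECKS = (
    ("No server certificate verification method has been enabled",
     "client accepts any certificate signed by the CA as the server; add 'remote-cert-tls server'"),
    ("using --pull/--client and --ifconfig together",
     "addresses are pushed by the server; remove the local 'ifconfig' line"),
)

def audit_log(log_text: str) -> dict:
    """Return the advice for every check that fires and whether the tunnel came up."""
    findings = [advice for needle, advice in CHECKS if needle in log_text]
    return {"findings": findings,
            "connected": "Initialization Sequence Completed" in log_text}

# Constructed sample: three lines copied from the HOWTO's test run above.
SAMPLE_LOG = """\
Sun Apr 17 22:30:33 2011 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Sun Apr 17 22:30:33 2011 WARNING: No server certificate verification method has been enabled. See
Sun Apr 17 22:31:09 2011 Initialization Sequence Completed
"""

if __name__ == "__main__":
    for name, value in decode_pkcs11_id(PKCS11_ID).items():
        print(f"{name:13}: {value}")
    print(audit_log(SAMPLE_LOG))
```

Run it against a captured log file instead of SAMPLE_LOG to check a real client; the decoded token_label is the text OpenVPN shows in its "Enter ... token Password:" prompt.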
