
Add pkcs11 support to OpenVPN interfaces
Closed, Wontfix | Public | ENHANCEMENT

Description

It would be nice to have pkcs11 support when defining OpenVPN vtun interfaces. Currently it always requires cert-file and key-file directives.

Current situation example with cert-file and key-file (normal usage):

tls {
    ca-cert-file /config/auth/vpn/ca.crt
    cert-file /config/auth/vpn/vpn.crt
    key-file /config/auth/vpn/vpn.key
}

Possible example when using a token with pkcs11:

openvpn-option "--pkcs11-providers /usr/lib/libeToken.so"
tls {
    ca-cert-file /config/auth/vpn/ca.crt
    pkcs11-id "'SafeNet, Inc./eToken/0123abcd/eToken PRO Java/10809016BCD13550'"
}

Details

Difficulty level
Normal (likely a few hours)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

syncer triaged this task as Wishlist priority. May 9 2016, 9:51 PM
syncer added projects: VyOS 2.0.x, VyOS 1.1.x.
syncer added subscribers: dmbaturin, syncer.

@dmbaturin this should be not hard to implement, correct?

I already have a working patch for my own setup, I attached it:

Also needs the following new file:

$ cat /opt/vyatta/share/vyatta-cfg/templates/interfaces/openvpn/node.tag/tls/pkcs11-id/node.def
type: txt
help: PKCS11 Identifier

Patch is made for VyOS 1.1.7 (helium)

@dmbaturin can you take a look and merge this patch?

It would be nice if this was available in the next release. Happy to receive any feedback if I need to improve the patch.

syncer changed the edit policy from "Public (No Login Required)" to "Custom Policy". Aug 21 2017, 1:34 AM
syncer edited projects, added VyOS 1.2 Crux; removed VyOS 1.1.x, VyOS 2.0.x.
syncer set Version to -.
syncer edited subscribers, added: Maintainers; removed: syncer, dmbaturin.

@UnicronNL can you check patch and advise if that is something that we can include in 1.1.8?

Is there any progress on this merge?

Now that we can add user-pass authentication so the configuration is accepted without cert and keyfile we can fool the configuration to make it accept and work with pkcs11 settings:

# dummy user and pass
set interfaces openvpn vtun1 authentication password 'y'
set interfaces openvpn vtun1 authentication username 'x'

#pkcs11 settings
set interfaces openvpn vtun1 openvpn-option '--pkcs11-providers /usr/lib/libeToken.so'
set interfaces openvpn vtun1 openvpn-option '--pkcs11-id SafeNet,\ Inc./eToken/0123abcd/SafeNet\ eToken\ 5110/10809016BCD13550'

Actually making tls cert-file and tls key-file fully optional would make it more clean, but this is a good workaround.

syncer changed the subtype of this task from "Task" to "Enhancement". Oct 20 2018, 4:49 AM
dmbaturin set Why the issue appeared? to Will be filled on close.

Hi, I requested this feature, but due to the addition of username/password it can work as a good workaround.

See the solution I posted above.

For what it's worth, you may close this feature request.

Closed as requested since there is no need for a new implementation.

The workaround stopped working after the OpenVPN configuration checks moved from Perl to Python. As this still applies to VyOS 1.3 this issue should be reopened, I can also create a new issue if that is preferred.

Old that allowed workaround by enabling username/password authentication as a dummy:
https://github.com/vyos/vyatta-openvpn/blob/current/lib/Vyatta/OpenVPN/Config.pm#L768

New (always requires tls-cert and tls-key):
https://github.com/vyos/vyos-1x/blob/current/src/conf_mode/interfaces-openvpn.py#L331

I still think making the cert-file and key-file directives optional and not mandatory is much better and cleaner. This change would also allow "username/password authentication only" again without any other modifications, next to pkcs11-id directives that someone can add via openvpn-option for advanced use.

Hi @yun,

thanks for your detailed bisection of this issue. You mind submitting a GitHub PullRequest as per https://docs.vyos.io/en/equuleus/contributing/development.html?

Unfortunately I had to revert this PR as it broke the smoketests and also triggered the following OpenVPN error:

Options error: You must define certificate file (--cert) or PKCS#12 file (--pkcs12)

Hmm. Can you point me to the smoketest that failed? I will investigate. Maybe it actually tests if the strict checks are in place, because now cert-file and key-file are optional, but it should keep working if you configure it.

You can find the test here: https://github.com/vyos/vyos-1x/blob/current/smoketest/scripts/cli/test_interfaces_openvpn.py

You can execute it on an installed VyOS ISO by executing: /usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py

As I suspected, it checks if the ConfigSession properly errors if "tls cert-file" and "tls key-file" are NOT defined (for server):

https://github.com/vyos/vyos-1x/blob/current/smoketest/scripts/cli/test_interfaces_openvpn.py#L259

I will refactor my PR without modifying the smoketests

I have made a second attempt of the PR: https://github.com/vyos/vyos-1x/pull/928
The original tls configuration checks are back, but it's only checked if no alternative authentication methods are configured.

Sadly, I could not run the smoketest as it was not present on my VyOS-1.3.0-rc5 iso. Downloading and running the Python smoketest script gave me an error as well.

erkin set Is it a breaking change? to Unspecified (possibly destroys the router). Wed, Sep 1, 10:56 AM
erkin set Issue type to Feature (new functionality).
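
Added example, not part of the thread and not code from vyos-1x or the linked PR: a sketch of the kind of check discussed above, where cert-file/key-file stay mandatory for servers but a client may instead supply a pkcs11-id (via openvpn-option) or username/password, so no dummy credentials are needed. The function names, the dict layout and the error strings are assumptions made for illustration.

```python
import shlex

def pkcs11_options(openvpn_options):
    """Extract --pkcs11-* flags and their values from raw openvpn-option strings."""
    found = {}
    for raw in openvpn_options:
        tokens = shlex.split(raw)  # handles quotes and backslash-escaped spaces
        for i, tok in enumerate(tokens):
            if tok.startswith("--pkcs11-"):
                nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
                found[tok[2:]] = "" if nxt.startswith("--") else nxt
    return found

def verify_tls(cfg):
    """Return validation errors for one vtun interface (hypothetical dict layout)."""
    tls = cfg.get("tls", {})
    auth = cfg.get("authentication", {})
    p11 = pkcs11_options(cfg.get("openvpn-option", []))
    has_cert, has_key = "cert-file" in tls, "key-file" in tls
    has_pair = has_cert and has_key
    has_token = bool(p11.get("pkcs11-id"))
    has_userpass = bool(auth.get("username") and auth.get("password"))
    errors = []
    if has_cert != has_key:
        errors.append("tls cert-file and key-file must be set together")
    if has_token and not p11.get("pkcs11-providers"):
        errors.append("pkcs11-id requires pkcs11-providers")
    if has_token and has_cert:
        errors.append("use either cert-file/key-file or pkcs11-id, not both")
    if cfg.get("mode") == "server":
        # The smoketest in the thread expects servers to fail without cert/key.
        if not has_pair:
            errors.append("server mode requires tls cert-file and key-file")
    elif not (has_pair or has_token or has_userpass):
        errors.append("no credential source configured")
    return errors

# Constructed sample: a client using the token settings quoted in the thread.
SAMPLE_PKCS11_CLIENT = {
    "mode": "client",
    "tls": {"ca-cert-file": "/config/auth/vpn/ca.crt"},
    "openvpn-option": [
        "--pkcs11-providers /usr/lib/libeToken.so",
        r"--pkcs11-id SafeNet,\ Inc./eToken/0123abcd/SafeNet\ eToken\ 5110/10809016BCD13550",
    ],
}

if __name__ == "__main__":
    print(verify_tls(SAMPLE_PKCS11_CLIENT))
    print(verify_tls({"mode": "server", "tls": {}}))
```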