
Add pkcs11 support to OpenVPN interfaces
Closed, Wontfix | Public | ENHANCEMENT


It would be nice to have pkcs11 support when defining OpenVPN vtun interfaces. Currently it always requires cert-file and key-file directives.

Current situation example with cert-file and key-file (normal usage):

tls {
    ca-cert-file /config/auth/vpn/ca.crt
    cert-file /config/auth/vpn/vpn.crt
    key-file /config/auth/vpn/vpn.key
}

Possible example when using a token with pkcs11:

openvpn-option "--pkcs11-providers /usr/lib/"
tls {
    ca-cert-file /config/auth/vpn/ca.crt
    pkcs11-id "'SafeNet, Inc./eToken/0123abcd/eToken PRO Java/10809016BCD13550'"
}


Difficulty level
Normal (likely a few hours)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

syncer triaged this task as Wishlist priority. May 9 2016, 9:51 PM
syncer added projects: VyOS 2.0.x, VyOS 1.1.x.
syncer added subscribers: dmbaturin, syncer.

@dmbaturin this should be not hard to implement, correct?

I already have a working patch for my own setup, I attached it:

Also needs the following new file:

$ cat /opt/vyatta/share/vyatta-cfg/templates/interfaces/openvpn/node.tag/tls/pkcs11-id/node.def
type: txt
help: PKCS11 Identifier

Patch is made for VyOS 1.1.7 (helium)

@dmbaturin can you take a look and merge this patch?

It would be nice if this was available in the next release. Happy to receive any feedback if I need to improve the patch.

syncer changed the edit policy from "Public (No Login Required)" to "Custom Policy". Aug 21 2017, 1:34 AM
syncer edited projects, added VyOS 1.2 Crux; removed VyOS 1.1.x, VyOS 2.0.x.
syncer set Version to -.
syncer edited subscribers, added: Maintainers; removed: syncer, dmbaturin.

@UnicronNL can you check patch and advise if that is something that we can include in 1.1.8

Is there any progress on this merge?

Now that we can add user-pass authentication, so the configuration is accepted without cert and key file, we can fool the configuration to make it accept and work with pkcs11 settings:

# dummy user and pass
set interfaces openvpn vtun1 authentication password 'y'
set interfaces openvpn vtun1 authentication username 'x'

# pkcs11 settings
set interfaces openvpn vtun1 openvpn-option '--pkcs11-providers /usr/lib/'
set interfaces openvpn vtun1 openvpn-option '--pkcs11-id SafeNet,\ Inc./eToken/0123abcd/SafeNet\ eToken\ 5110/10809016BCD13550'

Actually making tls cert-file and tls key-file fully optional would make it more clean, but this is a good workaround.

syncer changed the subtype of this task from "Task" to "Enhancement". Oct 20 2018, 4:49 AM
dmbaturin set Why the issue appeared? to Will be filled on close.

Hi, I requested this feature, but due to the addition of username/password it can work as a good workaround.

See the solution I posted above.

For what it's worth, you may close this feature request.

Closed as requested, since there is no need for a new implementation.

The workaround stopped working after the OpenVPN configuration checks moved from Perl to Python. As this still applies to VyOS 1.3 this issue should be reopened, I can also create a new issue if that is preferred.

Old (allowed the workaround by enabling username/password authentication as a dummy):

New (always requires tls-cert and tls-key):

I still think making the cert-file and key-file directives optional and not mandatory is much better and cleaner. This change would also allow "username/password authentication only" again without any other modifications, next to pkcs11-id directives that someone can add via openvpn-option for advanced use.

Hi @yun,

thanks for your detailed bisection of this issue. Would you mind submitting a GitHub Pull Request as per

Unfortunately I had to revert this PR as it broke the smoketests and also triggered the following OpenVPN error:

Options error: You must define certificate file (--cert) or PKCS#12 file (--pkcs12)

Hmm. Can you point me to the smoketest that failed? I will investigate. Maybe it actually tests if the strict checks are in place, because now cert-file and key-file are optional, but it should keep working if you configure it.

You can find the test here:

You can execute it on an installed VyOS ISO by executing: /usr/libexec/vyos/tests/smoke/cli/

As I suspected, it checks if the ConfigSession properly errors when "tls cert-file" and "tls key-file" are NOT defined (for server):

I will refactor my PR without modifying the smoketests.

I have made a second attempt at the PR:
The original tls configuration checks are back, but it's only checked if no alternative authentication methods are configured.

Sadly, I could not run the smoketest as it was not present on my VyOS-1.3.0-rc5 iso. Downloading and running the Python smoketest script gave me an error as well.
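The check described in the second PR attempt (cert-file and key-file only mandatory when no alternative authentication method is configured), together with the username/password plus openvpn-option workaround posted earlier in the thread, modelled as an added Python example. This is not VyOS's own verification code; the config dict layout, the function names and the sample configs are assumptions made for illustration.

```python
# Added example, not VyOS's own code: simplified model of the OpenVPN
# "tls" check discussed in this thread.  Dict layout and names are assumed.
import shlex
from typing import Optional

def pkcs11_id(config: dict) -> Optional[str]:
    """Return the PKCS#11 identity from tls { pkcs11-id } or from a
    --pkcs11-id passed via openvpn-option, else None.  shlex unescapes
    the backslash-escaped spaces used on the CLI."""
    tls_id = config.get("tls", {}).get("pkcs11-id")
    if tls_id:
        return tls_id
    for opt in config.get("openvpn-option", []):
        tokens = shlex.split(opt)
        if len(tokens) >= 2 and tokens[0] == "--pkcs11-id":
            return tokens[1]
    return None

def user_pass_configured(config: dict) -> bool:
    auth = config.get("authentication", {})
    return bool(auth.get("username") and auth.get("password"))

def verify_tls(config: dict) -> Optional[str]:
    """Return the error a commit would raise, or None if acceptable.
    cert-file/key-file stay mandatory unless an alternative auth method
    (PKCS#11 identity or username/password) is configured."""
    tls = config.get("tls", {})
    if not tls.get("ca-cert-file"):
        return 'Must specify "tls ca-cert-file"'
    if pkcs11_id(config) or user_pass_configured(config):
        return None
    for key in ("cert-file", "key-file"):
        if not tls.get(key):
            return f'Must specify "tls {key}"'
    return None

# Constructed sample configs mirroring the thread's examples.
CLASSIC = {"tls": {"ca-cert-file": "/config/auth/vpn/ca.crt",
                   "cert-file": "/config/auth/vpn/vpn.crt",
                   "key-file": "/config/auth/vpn/vpn.key"}}
WORKAROUND = {"authentication": {"username": "x", "password": "y"},
              "openvpn-option": ["--pkcs11-providers /usr/lib/",
                                 "--pkcs11-id SafeNet,\\ Inc./eToken/0123abcd/"
                                 "SafeNet\\ eToken\\ 5110/10809016BCD13550"],
              "tls": {"ca-cert-file": "/config/auth/vpn/ca.crt"}}
TOKEN_ONLY = {"tls": {"ca-cert-file": "/config/auth/vpn/ca.crt",
                      "pkcs11-id": "SafeNet, Inc./eToken/0123abcd/eToken PRO Java/10809016BCD13550"}}
MISSING = {"tls": {"ca-cert-file": "/config/auth/vpn/ca.crt"}}
```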

erkin set Is it a breaking change? to Unspecified (possibly destroys the router). Wed, Sep 1, 10:56 AM
erkin set Issue type to Feature (new functionality).