Page MenuHomeVyOS Platform
Create Task
Maniphest T56

Add pkcs11 support to OpenVPN interfaces
Closed, WontfixPublicENHANCEMENT
Actions

Description

It would be nice to have pkcs11 support when defining OpenVPN vtun interfaces. Currently it always requires cert-file and key-file directives.

Current situation example with cert-file and key-file (normal usage):

tls {
    ca-cert-file /config/auth/vpn/ca.crt
    cert-file /config/auth/vpn/vpn.crt
    key-file /config/auth/vpn/vpn.key
}

Possible example when using a token with pkcs11:

openvpn-option "--pkcs11-providers /usr/lib/libeToken.so"
 tls {
     ca-cert-file /config/auth/vpn/ca.crt
     pkcs11-id "'SafeNet, Inc./eToken/0123abcd/eToken PRO Java/10809016BCD13550'"
 }

Details

Difficulty level
Normal (likely a few hours)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects

Event Timeline

yun created this task.May 2 2016, 7:48 PM
syncer triaged this task as Wishlist priority.May 9 2016, 9:51 PM
syncer added projects: VyOS 2.0.x, VyOS 1.1.x.
syncer added subscribers: dmbaturin, syncer.

@dmbaturin this should be not hard to implement, correct?

yun added a comment.EditedMay 10 2016, 8:25 AM

I already have a working patch for my own setup, I attached it:

openvpn-pkcs11.patch4 KBDownload

Also needs to following new file:

$ cat /opt/vyatta/share/vyatta-cfg/templates/interfaces/openvpn/node.tag/tls/pkcs11-id/node.def
type: txt
help: PKCS11 Identifier

Patch is made for VyOS 1.1.7 (helium)

syncer added a comment.May 10 2016, 12:15 PM

@dmbaturin can you take a look and merge this patch ?

yun mentioned this in T65: auth-user-pass authentication in OpenVPN.May 11 2016, 7:46 PM
yun added a comment.Sep 2 2016, 2:47 PM

It would be nice if this was available in the next release. Happy to receive any feedback if I need to improve the patch.

syncer changed the edit policy from "Public (No Login Required)" to "Custom Policy".Aug 21 2017, 1:34 AM
syncer edited projects, added VyOS 1.2 Crux; removed VyOS 1.1.x, VyOS 2.0.x.
syncer set Version to -.
syncer edited subscribers, added: Maintainers; removed: syncer, dmbaturin.
syncer added a subscriber: UnicronNL.Aug 21 2017, 1:37 AM

@UnicronNL can you check patch and advise if that is something that we can include in 1.1.8

yun added a comment.Mar 29 2018, 8:30 PM

Is there any progress on this merge?

pasik added a subscriber: pasik.Oct 1 2018, 9:53 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.Oct 13 2018, 10:09 AM
yun added a comment.Oct 13 2018, 12:05 PM

Now that we can add user-pass authenticaton so the configuration is accepted without cert and keyfile we can fool the configuration to make it accept and work with pkcs11 settings:

# dummy user and pass
set interfaces openvpn vtun1 authentication password 'y'
set interfaces openvpn vtun1 authentication username 'x'

#pkcs11 settings
set interfaces openvpn vtun1 openvpn-option '--pkcs11-providers /usr/lib/libeToken.so'
set interfaces openvpn vtun1 openvpn-option '--pkcs11-id SafeNet,\ Inc./eToken/0123abcd/SafeNet\ eToken\ 5110/10809016BCD13550'

Actually making tls cert-file and tls key-file fully optional would make it more clean, but this is a good workaround.

syncer assigned this task to hagbard.Oct 20 2018, 4:34 AM
syncer changed the subtype of this task from "Task" to "Enhancement".Oct 20 2018, 4:49 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 24 2018, 4:40 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM
dmbaturin edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 3 2018, 11:20 PM
dmbaturin set Why the issue appeared? to Will be filled on close.
yun added a comment.Nov 13 2018, 12:53 AM

Hi, I requested this feature, but due to the addition of username/password it can work as a good workaround.

See the solution i posted above.

For what it's worth, you may close this feature request.

hagbard closed this task as Wontfix.Jul 17 2019, 8:54 PM

closed as requested since there is no need for a new implementation.

c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Nov 12 2019, 9:19 PM
yun added a comment.EditedJul 12 2021, 3:20 PM

The workaround stopped working after the OpenVPN configuration checks moved from Perl to Python. As this still applies to VyOS 1.3 this issue should be reopened, I can also create a new issue if that is preferred.

Old that allowed workaround by enabling username/password authentication as a dummy:
https://github.com/vyos/vyatta-openvpn/blob/current/lib/Vyatta/OpenVPN/Config.pm#L768

New (always requires tls-cert and tls-key):
https://github.com/vyos/vyos-1x/blob/current/src/conf_mode/interfaces-openvpn.py#L331

I still think making the cert-file and key-file directives optional and not mandatory is much better and cleaner. This change would also allow "username/password authentication only" again without any other modifications, next to pkcs11-id directives that someone can add via openvpn-option for advanced use.

c-po added a subscriber: c-po.Jul 12 2021, 6:56 PM

Hi @yun,

thanks for your detailed bisection of this issue. You mind submitting a GitHub PullRequest as per https://docs.vyos.io/en/equuleus/contributing/development.html?

yun added a comment.Jul 12 2021, 10:50 PM

PR submitted: https://github.com/vyos/vyos-1x/pull/917

c-po added a comment.Jul 17 2021, 5:20 PM

Unfortunately I had to revert this PR as it broke the smoketests and also triggered the following OpenVPN error:

Options error: You must define certificate file (--cert) or PKCS#12 file (--pkcs12)

yun added a comment.Jul 17 2021, 5:56 PM

Hmm. Can you point me to the smoketest that failed? I will investigate. Maybe it actually tests if the strict check are in place, because now cert-file and key-file are optional, but it should keep working if you configure it.

c-po added a comment.Jul 17 2021, 6:50 PM

You can find the test here: https://github.com/vyos/vyos-1x/blob/current/smoketest/scripts/cli/test_interfaces_openvpn.py

You can execute it on an installed VyOS ISO by executing: /usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py

yun added a comment.EditedJul 17 2021, 9:19 PM

As I suspected, it check if the ConfigSession properly errors if "tls cert-file" and "tls key-file" are NOT defined (for server):

https://github.com/vyos/vyos-1x/blob/current/smoketest/scripts/cli/test_interfaces_openvpn.py#L259

I will refactor my PR without modifying the smoketests

yun added a comment.EditedJul 17 2021, 11:05 PM

I have made a second attempt of the PR: https://github.com/vyos/vyos-1x/pull/928
The original tls configuration checks are back, but it's only checked if no alternative authentication methods are configured.

Sadly, I could not run the smoketest as it was not present on my VyOS-1.3.0-rc5 iso. Downloading and running the Python smoketest script gave me an error as well.

erkin set Is it a breaking change? to Unspecified (possibly destroys the router).Sep 1 2021, 10:56 AM
erkin set Issue type to Feature (new functionality).
dmbaturin edited projects, added Invalid; removed VyOS 1.3 Equuleus.Sep 10 2021, 5:56 AM