Authentication in OpenVPN using Rutoken EDS
OpenVPN is a cross-platform, flexible and convenient solution for building a VPN. To be admitted to a virtual network built on OpenVPN, the client must authenticate. OpenVPN supports three ways of doing this:
- by login and password
- by a key and certificate stored in files
- by a key and certificate stored on board a cryptographic USB token or smart card
This article shows how to deploy a test VPN together with a corporate CA built on the open-source XCA application. Using that CA, the OpenVPN server's key and certificate will be created and the client's token will be initialized. Then we configure the OpenVPN client so that the user can log in to OpenVPN with the Rutoken EDS.
I will set up the OpenVPN server and XCA on Ubuntu 11.10.
CA setup
First, install the system components the Rutoken EDS needs in order to work, plus XCA itself:
- CCID driver
sudo apt-get install libccid
- PC/SC
sudo apt-get install libpcsclite1 pcscd
- XCA
sudo apt-get install xca
Run XCA:
sudo xca
Create a new database: File-> New Database.
Create a CA key: Private Keys-> New Key, newcakey, RSA, 1024.
Create a CA certificate:
Create an OpenVPN server key: Private Keys-> New Key, newserver, RSA, 1024.
Create an OpenVPN server certificate:
IMPORTANT! The OpenVPN server certificate must carry a special extension: extendedKeyUsage with the value serverAuth.
Export the CA certificate to the file ca.crt, the server key to server.key and the server certificate to server.crt so that they can be handed to the OpenVPN server (Private Keys-> Export, Certificates-> Export).
Configure OpenVPN Server
Install openvpn:
sudo apt-get install openvpn
Create a file with the Diffie-Hellman parameters:
openssl dhparam -out dh1024.pem 1024
Test OpenVPN server config (ATTENTION! This server config is for demonstration purposes only; do not use it as the basis of your own server):
port 1194
proto tcp
dev tap
ca /home/vic/Desktop/ca.crt
cert /home/vic/Desktop/server.crt
key /home/vic/Desktop/server.key
dh /home/vic/Desktop/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher BF-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Run the OpenVPN server:
sudo openvpn --config /home/vic/Desktop/demo.ovpn
Obviously, in a production configuration the server would run as a daemon and the keys and certificates would not sit in a home directory.
Initializing the client's Rutoken EDS
Now we can get to what all of this was for: initializing the Rutoken EDS so that the client can authenticate to the VPN.
For XCA to work with a token, it has to be pointed at that token's PKCS#11 library. The PKCS#11 library for Linux with RSA support for the Rutoken EDS can be downloaded here.
Set it in File-> Options.
Attention! If you have formatted the Rutoken EDS with other tools, for example the OpenSC utilities, then before starting it should be formatted under Windows via Control Panel-> Rutoken Control Panel. You can also change the PIN there: Token-> Change PIN.
Let's create the RSA key on board the Rutoken EDS:
Private Keys-> New Key
In Name, enter newclientkey. When prompted, enter the correct PIN.
Now we issue the client a certificate with which they can log in to OpenVPN, and write this certificate to the Rutoken EDS:
IMPORTANT! The OpenVPN client certificate must carry a special extension: extendedKeyUsage with the value clientAuth.
XCA will offer to save the certificate to the token; agree.
OpenVPN Client Configuration
My user workstation is Windows 7. Since the Rutoken EDS works through the standard CCID driver, no driver needs to be installed on Windows 7 (on XP it is necessary).
I installed the Windows OpenVPN build and hit a snag: it turns out that openvpn.exe is built for Windows without support for attaching tokens through PKCS#11. But I did find a suitable openvpn.exe. It can be downloaded from the OpenSC project site, www.opensc-project.org/downloads/users/alonbl/build , the third archive from the top at the time of writing. Unzip the archive and replace the files in the OpenVPN installation folder.
Client config:
client
dev tap
proto tcp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca c:/Users/vic/Desktop/openvpn/ca.crt
pkcs11-providers c:/Users/vic/Desktop/openvpn/rtPKCS11ECP.dll
pkcs11-id 'Aktiv\x20Co\x2E/Rutoken\x20ECP/2ab17cca/Rutoken\x20ECP\x20\x3Cno\x20label\x3E/2C84962D1AF5792A'
pkcs11-pin-cache 300
comp-lzo
verb 3
In the pkcs11-providers parameter, specify the path to the Rutoken EDS PKCS#11 library (the Windows library with RSA support is available for download).
In the pkcs11-id parameter, specify the ID of the container on the Rutoken EDS that holds the user's key and certificate. This ID can be obtained with the command:
openvpn --show-pkcs11-ids [path to the Rutoken EDS PKCS#11 library]
It is more convenient to do this while initializing the token, and then hand the user a ready-made config, the CA certificate, the token and the token PIN.
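The pkcs11-id value above is the serialized form pkcs11-helper gives OpenVPN: five '/'-separated fields (manufacturer, model, token serial, token label, CKA_ID in hex) with special characters escaped as \xHH. The following added example (mine, not the article's or Rutoken's code) parses the client config, decodes that ID back into its fields, and flags a config that lacks `remote-cert-tls server`, the OpenVPN option that makes the client enforce the serverAuth extendedKeyUsage the CA section insists on (the article's config does not set it; the config text is a constructed, abridged copy of the one above).

```python
import re
# Constructed sample: the article's client config, abridged to the lines that matter here.
CLIENT_CONF = r"""client
dev tap
proto tcp
remote xxx.xxx.xxx.xxx 1194
ca c:/Users/vic/Desktop/openvpn/ca.crt
pkcs11-providers c:/Users/vic/Desktop/openvpn/rtPKCS11ECP.dll
pkcs11-id 'Aktiv\x20Co\x2E/Rutoken\x20ECP/2ab17cca/Rutoken\x20ECP\x20\x3Cno\x20label\x3E/2C84962D1AF5792A'
pkcs11-pin-cache 300
"""

def parse_ovpn(text):
    """Option name -> argument list (first occurrence wins); simplified: strips one pair of quotes."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, _, rest = line.partition(" ")
        rest = rest.strip()
        if len(rest) >= 2 and rest[0] == rest[-1] and rest[0] in "'\"":
            args = [rest[1:-1]]  # keep the backslashes: pkcs11-helper decodes the \xHH escapes
        else:
            args = rest.split()
        opts.setdefault(name, args)
    return opts

def decode_pkcs11_id(serialized):
    """Split manufacturer/model/serial/label/CKA_ID(hex), then undo the \\xHH escapes per field."""
    fields = serialized.split("/")  # split before unescaping so an escaped '/' in a label survives
    if len(fields) != 5:
        raise ValueError("expected 5 '/'-separated fields, got %d" % len(fields))
    unesc = lambda s: re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    manufacturer, model, serial, label, cka_id = (unesc(f) for f in fields)
    return {"manufacturer": manufacturer, "model": model, "serial": serial,
            "label": label, "cka_id": bytes.fromhex(cka_id)}

def check_config(opts, role):
    """Findings for a token client ('client') or the server ('server'). remote-cert-tls is my
    addition: it makes OpenVPN enforce the serverAuth/clientAuth EKU the article requires."""
    findings = []
    if role == "client":
        for opt in ("pkcs11-providers", "pkcs11-id"):
            if opt not in opts:
                findings.append("%s missing: OpenVPN cannot use the token" % opt)
    want = "server" if role == "client" else "client"
    if opts.get("remote-cert-tls", [])[:1] != [want]:
        findings.append("remote-cert-tls %s missing: peer extendedKeyUsage is not enforced" % want)
    return findings
```

Run `check_config(parse_ovpn(CLIENT_CONF), "client")` to see the findings for the article's config; for the server config use role "server", which expects `remote-cert-tls client`.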
Establish the VPN connection. To do this, plug in the Rutoken EDS and run, from a command line with administrator rights:
openvpn --config [path to the config file]
When prompted, enter the PIN.
Once the connection was established, I was able to ping the server at 10.8.0.1 on the virtual network.