Authentication in OpenVPN using Rutoken EDS

    OpenVPN is a cross-platform, flexible and convenient solution for building a VPN. To be admitted to a virtual network built on OpenVPN, the client must authenticate. In OpenVPN this can be done in one of three ways:
    • by login and password
    • by key and certificate in files
    • by key and certificate on the “board” of a cryptographic USB token or smart card
    The last method is the most secure. This post describes authentication in OpenVPN using the Rutoken EDS cryptographic USB token. The Rutoken EDS is protected against unauthorized access by a PIN code and locks itself when all PIN attempts have been exhausted, so an attacker will not get into the VPN even if the token is stolen. In addition, the GOST and RSA algorithms are implemented in hardware in the Rutoken EDS, so authentication is performed “on board” the token. Because of this the private key never leaves the token, and it cannot be stolen from the computer’s RAM by a trojan.

    This post shows how to deploy a test VPN, as well as a corporate CA based on the open source XCA application. The CA will be used to create the OpenVPN server’s key and certificate and to initialize the client token. Then we configure the OpenVPN client so that the user can log in to OpenVPN with the Rutoken EDS.


    I will set up the OpenVPN server and XCA on Ubuntu 11.10.

    CA setup


    First, install the system components the Rutoken EDS needs:
    • CCID driver
      sudo apt-get install libccid
      

    • PC/SC
      sudo apt-get install libpcsclite1 pcscd
      
    Install XCA:
    sudo apt-get install xca
    

    Run XCA:
    sudo xca
    

    Create a new database: File-> New Database.

    Create a CA key: Private Keys-> New Key, newcakey, RSA, 1024.
    Create a CA certificate.

    Create an OpenVPN server key: Private Keys-> New Key, newserver, RSA, 1024.
    Create an OpenVPN server certificate.

    IMPORTANT! The OpenVPN server certificate must carry the extendedKeyUsage extension with the value serverAuth.

    Export the CA certificate to ca.crt, the server key to server.key and the server certificate to server.crt so that they can be handed to the OpenVPN server (Private Keys-> Export, Certificates-> Export).

    Configure OpenVPN Server


    Install openvpn:
    sudo apt-get install openvpn
    

    Create a file with Diffie-Hellman parameters:
    openssl dhparam -out dh1024.pem 1024
    

    Test OpenVPN server config (ATTENTION! This server config is for demonstration only; do not use it as the basis for your own server):
    port 1194
    proto tcp
    dev tap
    ca /home/vic/Desktop/ca.crt
    cert /home/vic/Desktop/server.crt
    key /home/vic/Desktop/server.key  
    dh /home/vic/Desktop/dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    cipher BF-CBC
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    

    Run the OpenVPN server:
    sudo openvpn --config /home/vic/Desktop/demo.ovpn
    

    Obviously, in a production configuration the server will run as a daemon and the keys and certificates will not sit in a home directory.

    Initialization of the Rutoken EDS of the client


    Now we get to the point of all this: initializing the Rutoken EDS so the client can authenticate to the VPN.

    For XCA to be able to work with a token, it has to be given that token’s PKCS#11 library. The PKCS#11 library for Linux with RSA support for the Rutoken EDS can be downloaded here.

    So: File-> Options.

    Attention! If you have formatted the Rutoken EDS with, for example, the OpenSC utilities, then before starting it should be reformatted under Windows via Control Panel-> Rutoken Control Panel. There you can also change the PIN: Token-> Change PIN.

    Let’s create an RSA key “on board” the Rutoken EDS: Private Keys-> New Key; in Name, enter newclientkey. When prompted, enter the correct PIN.

    Now we issue the client a certificate with which to log in to OpenVPN and write this certificate to the Rutoken EDS.

    IMPORTANT! The OpenVPN client certificate must carry the extendedKeyUsage extension with the value clientAuth.

    XCA will offer to save the certificate to the token; agree.
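    Added example, not part of the original post and not XCA’s or OpenVPN’s own code: the same CA, server and client certificates issued with the openssl command line, followed by a check that the server certificate carries extendedKeyUsage serverAuth and the client certificate clientAuth, as the two IMPORTANT notes above require. The working directory, file names and subject names are constructed; an installed openssl binary is assumed.

```shell
set -eu

# Added example, not the post's own workflow: redo the XCA steps with the
# openssl CLI and check the extendedKeyUsage values the post marks IMPORTANT.
# File names and the demo subject names are constructed for this demo.
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo OpenVPN CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# CA key and self-signed CA certificate (the post uses RSA 1024 in XCA; 2048 here).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 365 -config req.cnf 2>/dev/null

# issue_cert NAME EKU: key, CSR and CA-signed certificate carrying the given
# extendedKeyUsage, which is what XCA does when that extension is filled in.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" -config req.cnf 2>/dev/null
    printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$2" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out "$1.crt" -days 365 -extfile "$1.ext" 2>/dev/null
}

issue_cert server serverAuth   # what the OpenVPN server certificate must carry
issue_cert client clientAuth   # what the token-resident client certificate must carry

# eku_ok CERT PURPOSE: succeeds only if CERT chains to ca.crt and its EKU allows
# PURPOSE (sslserver requires serverAuth, sslclient requires clientAuth).
eku_ok() {
    openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1
}

eku_ok server.crt sslserver && echo "server.crt: usable as an OpenVPN server cert"
! eku_ok server.crt sslclient && echo "server.crt: correctly rejected as a client cert"
eku_ok client.crt sslclient && echo "client.crt: usable as an OpenVPN client cert"
! eku_ok client.crt sslserver && echo "client.crt: correctly rejected as a server cert"
```

    The same two openssl verify calls can be run against the ca.crt, server.crt and client certificate exported from XCA to confirm the extensions before handing anything to users.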

    OpenVPN Client Configuration


    My user workstation is Windows 7. Since the Rutoken EDS works through the standard CCID driver, no separate driver needs to be installed on Windows 7 (on XP it is necessary).

    I installed OpenVPN for Windows and hit a snag: it turns out that openvpn.exe is built for Windows without support for attaching tokens via PKCS#11. I did find a correct openvpn.exe, though. It can be downloaded from the OpenSC project website www.opensc-project.org/downloads/users/alonbl/build (the third archive from the top at the time of writing). Unzip the archive and replace the files in the OpenVPN installation folder.

    Client config:
    client
    dev tap
    proto tcp
    remote xxx.xxx.xxx.xxx 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca c:/Users/vic/Desktop/openvpn/ca.crt
    pkcs11-providers c:/Users/vic/Desktop/openvpn/rtPKCS11ECP.dll
    pkcs11-id 'Aktiv\x20Co\x2E/Rutoken\x20ECP/2ab17cca/Rutoken\x20ECP\x20\x3Cno\x20label\x3E/2C84962D1AF5792A'
    pkcs11-pin-cache 300
    comp-lzo
    verb 3
    


    In the pkcs11-providers parameter, specify the path to the Rutoken EDS PKCS#11 library (the Windows library with RSA support is available for download).

    In the pkcs11-id parameter, specify the ID of the container on the Rutoken EDS in which the user’s key and certificate are stored. This ID can be obtained with the command:
    openvpn --show-pkcs11-ids [path to the Rutoken EDS PKCS#11 library]
    
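    Added example, not from the original post: a small shell decoder for the pkcs11-id string printed by --show-pkcs11-ids, run on the value from the client config above. The field layout manufacturer/model/serial/label/CKA_ID with \xHH escapes is the pkcs11-helper serialization that OpenVPN uses and is assumed here.

```shell
# Added example, not from the original post: decode the serialized pkcs11-id
# string so it can be compared with the token seen in XCA. The field layout
# manufacturer/model/serial/label/CKA_ID with \xHH escapes for spaces and
# punctuation is the pkcs11-helper serialization OpenVPN uses; assumed here.

# pkcs11_unescape: replace every \xHH in stdin with the byte it stands for
pkcs11_unescape() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    {
        s = $0; out = ""
        while (match(s, /\\x[0-9A-Fa-f][0-9A-Fa-f]/)) {
            code = hexval(substr(s, RSTART + 2, 1)) * 16 + hexval(substr(s, RSTART + 3, 1))
            out = out substr(s, 1, RSTART - 1) sprintf("%c", code)
            s = substr(s, RSTART + 4)
        }
        print out s
    }'
}

# pkcs11_field ID N: the N-th decoded field (1 manufacturer, 2 model, 3 serial,
# 4 token label, 5 hex CKA_ID of the key/certificate pair); a literal "/" inside
# a field is always escaped, so splitting on "/" before decoding is safe.
pkcs11_field() {
    printf '%s\n' "$1" | cut -d/ -f"$2" | pkcs11_unescape
}

# show_pkcs11_id ID: print all five fields with their names
show_pkcs11_id() {
    printf 'manufacturer: %s\n' "$(pkcs11_field "$1" 1)"
    printf 'model:        %s\n' "$(pkcs11_field "$1" 2)"
    printf 'serial:       %s\n' "$(pkcs11_field "$1" 3)"
    printf 'label:        %s\n' "$(pkcs11_field "$1" 4)"
    printf 'CKA_ID (hex): %s\n' "$(pkcs11_field "$1" 5)"
}

# The value from the client config in the post.
SAMPLE_ID='Aktiv\x20Co\x2E/Rutoken\x20ECP/2ab17cca/Rutoken\x20ECP\x20\x3Cno\x20label\x3E/2C84962D1AF5792A'
show_pkcs11_id "$SAMPLE_ID"
```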

    It is more convenient to do this while initializing the token, and then hand the user a ready-made config, the CA certificate, the token and the token PIN.

    Establish the VPN connection. To do this, plug in the Rutoken EDS and run the following from a command prompt with administrator rights:
    openvpn --config [path to the config file]
    

    When prompted, enter the PIN.

    Once the connection was established, I was able to ping the server at its virtual-network address 10.8.0.1.
