Dear embedded enthusiasts,
I'm trying very hard to add smart card support in OpenVPN.
I'm using the LEDE SDK on an Ubuntu 14.04 host.
Target binary should be [ar71xx] ELF 32-bit MSB executable MIPS32 rel2 version 1.
I've installed all sorts of deps on the host system,
managed to pass the pkcs11-helper…OK check made by configure script,
poked around in package/network/services/openvpn/Makefile,
tried Voodoo rites, etc.
Would someone take a look at this issue?
Thank you!
This isn't OpenWrt specific, so you'll likely garner far greater help and information from the OpenVPN community on the OpenVPN forum.
OpenVPN has supported smartcard login for years, and a Google search should turn up some helpful info.
For a SmartCard, Common Access Card, etc., all that's being done is the certificate and key are being read and imported from the card. If I remember right, for our DoD CACs, we had to use pkcs11 and pkcs15 tools for the certs and keys.
Thank you @jknee00 @JW0914!
Fact is, I can actually use this form of authentication with OpenVPN built for a standard platform, BUT I can't manage to build it from the LEDE SDK! That's why I'm posting here.
With --enable-pkcs11 "make" option you can fire your VPN by inserting a smart card and a PIN number ("something I have + something I know").
My goal is to use this cool feature in MIPS based hardware.
Thanks again,
FT
My device is a Dragino with AR7xxx, so I had just to modify the
Target Profile (Dragino 2 (MS14)) --->
and obviously save .config.
Ran both commands you suggested, but it still complains:
cp: cannot stat '/home/qzu/openwrt/source/staging_dir/toolchain-mips_24kc_gcc-5.5.0_musl/lib/ld-musl-.so': No such file or directory
I don't currently have the time to troubleshoot why you're getting a non-expected outcome, so delete the source directory, then re-run the script, this time ensuring you select the target profile, then save the change, and finally, cancel the process once it begins the ...Compiling Image... step.
I also forgot there's going to be some options for OpenVPN you're going to want to enable, so run MenuConfig with the following variable I set during the setup: wrt
Once in MenuConfig, navigate to: Network ==> VPN ==> openvpn-openssl and press [Y], then [Enter]
Enable all options under openssl-openvpn (14 in total), save the changes, then compile
Yes, I did that.
As I've mentioned before, the only feature I'm not able to add is the PKCS11 support.
(In fact most of the options on this menu are useless in my use case...)
Thanks a lot and stay tuned!
I've never tried compiling a program prior to compiling a device image, so at worst, you may have to compile an image for your device to have all required toolchain files to be downloaded.
I'm not sure why this would be necessary, as make should auto download any additional files needed for the toolchain.
Depending on your processor and RAM specs, building a base image with nothing extra, other than openvpn-openssl, selected is generally a fairly fast process and may take an hour or so.