OpenVPN smart card support [PKCS11]

Dear embedded enthusiasts,
I'm trying very hard to add smart card support in OpenVPN.
I'm using LEDE sdk on an Ubuntu 14.04 host.
Target binary should be [ar71xx] ELF 32-bit MSB executable MIPS32 rel2 version 1.
I've installed all sorts of deps on the host system,
managed to pass the pkcs11-helper…OK check made by the configure script,
poked around in package/network/services/openvpn/Makefile,
tried Voodoo rites, etc.

Would someone take a look at this issue?
Thank you!

Doesn't seem to raise much interest!
Somebody with deep knowledge of OpenVPN compilation please stand up!
Cheers,
F.

Can you enlighten me on smart card support... maybe I could help you!

2 Likes

This isn't OpenWrt specific, so you'll likely garner far greater help and information from the OpenVPN community on the OpenVPN forum.

  • OpenVPN has supported smartcard login for years, and a google search should turn up some helpful info.
    • For a SmartCard, Common Access Card, etc., all that's being done is the certificate and key are being read and imported from the card. If I remember right, for our DoD CACs, we had to use pkcs11 and pkcs15 tools for the certs and keys.
2 Likes

Thank you @jknee00 @JW0914 !
Fact is, I can actually use this form of authentication with OpenVPN built for a standard platform BUT I can't manage to build it from the LEDE SDK! That's why I'm posting here.
With the --enable-pkcs11 "make" option you can fire up your VPN by inserting a smart card and entering a PIN ("something I have + something I know").
My goal is to use this cool feature in MIPS based hardware.
Thanks again,
FT

I've never used the SDK, as I've always utilized a buildroot. It may be quicker for you to utilize this script to auto create a buildroot in Ubuntu:

  1. Once it begins the step ...Compiling Image..., press CTRL+C to cancel the image build process.

  2. Change --disable-pkcs11 to --enable-pkcs11 in:
    <buildroot>/package/network/services/openvpn/Makefile

  3. Once the changes are saved, issue (from within the buildroot directory):
    make package/network/services/openvpn/compile

Thank you!
But the toolchain is missing!
So step 3 fails immediately

Did you select the device it's being made for when it auto opened menuconfig?

  • In order for the toolchain to be downloaded into the staging directory, the device you're building for must be selected and saved via menuconfig.

You mean the very first option of menuselect?

Target System (Atheros AR7xxx/AR9xxx) --->

Yes... you must select the processor your device utilizes, then the device itself.

  • Once this is done, save the change and exit menuconfig,
  • Verify the toolchain directory exists:
    find "$HOME/openwrt/source/staging_dir" -maxdepth 1 -name "toolchain-*"
    
  • Then issue:
    TOOLCHAIN="$(find "$HOME/openwrt/source/staging_dir" -maxdepth 1 -name "toolchain-*")" && \
    sed -i "s|STAGING_DIR=/home/user/openwrt/source/staging_dir/toolchain|STAGING_DIR=$TOOLCHAIN|g" ~/.bashrc && \
    export PATH="$PATH:$TOOLCHAIN/bin:$HOME/openwrt/source/staging_dir/host/bin" && \
    source ~/.bashrc
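
The two steps above (point the shell at the toolchain, then flip the openvpn Makefile's configure flag), written out as an added shell example that is not from this thread or from the LEDE/OpenWrt tree. It assumes the buildroot layout the thread uses (staging_dir/toolchain-*, staging_dir/host/bin, package/network/services/openvpn/Makefile); the function names are mine. Unlike the one-liner, it exports the variables for the current shell instead of rewriting ~/.bashrc, fails if the toolchain is missing or ambiguous, and leaves a Makefile that already says --enable-pkcs11 alone.

```shell
#!/bin/sh
# Added example (not from the thread): locate the LEDE/OpenWrt toolchain in a
# buildroot's staging_dir, export STAGING_DIR/PATH for the current shell, and
# switch the openvpn package from --disable-pkcs11 to --enable-pkcs11.
# Assumed layout: <buildroot>/staging_dir/toolchain-*/bin,
# <buildroot>/staging_dir/host/bin and
# <buildroot>/package/network/services/openvpn/Makefile.

# Print the single toolchain directory, or fail if it is absent or ambiguous.
# An absent one is the "cp: cannot stat .../toolchain-.../lib/ld-musl-.so"
# symptom: the target has to be selected and saved in menuconfig first.
find_toolchain() {
    buildroot="$1"
    count=0
    found=""
    for dir in "$buildroot"/staging_dir/toolchain-*; do
        [ -d "$dir" ] || continue
        count=$((count + 1))
        found="$dir"
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one staging_dir/toolchain-*, found $count" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# Export the variables for this shell only, instead of editing ~/.bashrc with
# sed: nothing persists, and no hard-coded /home/user path has to match.
use_toolchain() {
    buildroot="$1"
    toolchain="$(find_toolchain "$buildroot")" || return 1
    STAGING_DIR="$toolchain"
    PATH="$PATH:$toolchain/bin:$buildroot/staging_dir/host/bin"
    export STAGING_DIR PATH
}

# Replace --disable-pkcs11 with --enable-pkcs11 in the openvpn Makefile.
# Idempotent: a Makefile already at --enable-pkcs11 is left alone, and a
# Makefile that mentions neither flag is reported instead of silently passed.
enable_pkcs11() {
    makefile="$1/package/network/services/openvpn/Makefile"
    [ -f "$makefile" ] || { echo "missing $makefile" >&2; return 1; }
    if grep -q -- '--enable-pkcs11' "$makefile"; then
        return 0
    fi
    if ! grep -q -- '--disable-pkcs11' "$makefile"; then
        echo "no pkcs11 configure flag in $makefile" >&2
        return 1
    fi
    sed -i 's/--disable-pkcs11/--enable-pkcs11/' "$makefile"
    grep -q -- '--enable-pkcs11' "$makefile"
}

# Usage (source the file so the exports reach your interactive shell, then run
# make from inside the buildroot):
#   . ./lede-pkcs11.sh
#   use_toolchain "$HOME/openwrt/source" && enable_pkcs11 "$HOME/openwrt/source" \
#       && make package/network/services/openvpn/compile V=s
```

Sourcing rather than executing the file is what makes `use_toolchain` useful: the exported STAGING_DIR and PATH only live in the shell that runs `make`.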
    

My device is a Dragino with AR7xxx, so I just had to modify the
Target Profile (Dragino 2 (MS14)) --->
and obviously save .config.
I ran both commands you suggested but it still complains:

cp: cannot stat '/home/qzu/openwrt/source/staging_dir/toolchain-mips_24kc_gcc-5.5.0_musl/lib/ld-musl-.so': No such file or directory

I don't currently have the time to troubleshoot why you're getting a non-expected outcome, so delete the source directory, then re-run the script, this time ensuring you select the target profile, then save the change, and finally cancel the process once it begins the ...Compiling Image... step.

Thank you very much.
I'll try harder!
See you soon

I also forgot there's going to be some options for OpenVPN you're going to want to enable, so run MenuConfig with the following variable I set during the setup: wrt

  • Once in MenuConfig, navigate to: Network ==> VPN ==> openvpn-openssl and press [Y], then [Enter]
    • Enable all options under openvpn-openssl (14 in total), save the changes, then compile

Yes, I did that.
As I've mentioned before the only feature I'm not able to add is the PKCS11 support.
(In fact most of the options on this menu are useless in my use case...)
Thanks a lot and stay tuned!

I've never tried compiling a program prior to compiling a device image, so at worst, you may have to compile an image for your device to have all required toolchain files to be downloaded.

  • I'm not sure why this would be necessary, as make should auto download any additional files needed for the toolchain.

  • Depending on your processor and RAM specs, building a base image with nothing extra, other than openvpn-openssl, selected is generally a fairly fast process and may take an hour or so.

So I can now give a

make -j5

and hope?

That's right.

ACK!

Have a good night.

Hello @JW0914!
Nope...

make -j1 V=s

dies with
configure: error: PKCS11 enabled but libpkcs11-helper is missing.
If I try to install this dependency on Ubuntu host with:

sudo apt-get install libpkcs11*

I see that it sets up this (among others):

Setting up libpkcs11-helper1:amd64 (1.11-1) ...
Setting up libpkcs11-helper1-dev (1.11-1) ...

Maybe this trailing "1" on the package name breaks things?
And if this is the case, how can I fix it?
Thanks again,
F.
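
A check that goes with the configure error above, as an added shell example that is not part of the thread. The LEDE/OpenWrt build cross-compiles target packages against the sysroot under staging_dir/target-*/usr, not against the host's /usr, so a library installed with apt on the Ubuntu host is invisible to the MIPS build of openvpn regardless of its package name; the check below reports where a pkcs11-helper build is actually present. Assumptions, both mine: OpenVPN's configure locates the library through pkg-config as libpkcs11-helper-1 (the .pc file name is assumed), and the target sysroot lives under staging_dir/target-*/usr as in a standard buildroot.

```shell
#!/bin/sh
# Added example (not from the thread): report whether pkcs11-helper is present
# for the host and, separately, for the cross-compile target sysroot. Only the
# target copy can satisfy "PKCS11 enabled but libpkcs11-helper is missing"
# when openvpn is built for MIPS.
# Assumptions: pkg-config file name libpkcs11-helper-1.pc; target sysroot at
# <buildroot>/staging_dir/target-*/usr.

# Print the path of libpkcs11-helper-1.pc under a sysroot prefix ("" = host
# root), checking both the plain and the Debian multiarch pkgconfig dirs.
find_pkcs11_helper_pc() {
    for pc in "$1"/usr/lib/pkgconfig/libpkcs11-helper-1.pc \
              "$1"/usr/lib/*/pkgconfig/libpkcs11-helper-1.pc; do
        if [ -f "$pc" ]; then
            printf '%s\n' "$pc"
            return 0
        fi
    done
    return 1
}

# Usage: check_pkcs11_helper <buildroot> [host-prefix]
# Prints one line for the host and one for the target; succeeds only when the
# target sysroot has the library, because that is the only one the cross
# build links against.
check_pkcs11_helper() {
    buildroot="$1"
    host_pc="$(find_pkcs11_helper_pc "${2:-}")" \
        || host_pc="absent (irrelevant to the cross build either way)"
    target_pc=""
    for sysroot in "$buildroot"/staging_dir/target-*; do
        [ -d "$sysroot" ] || continue
        target_pc="$(find_pkcs11_helper_pc "$sysroot")" && break
    done
    printf 'host   pkcs11-helper: %s\n' "$host_pc"
    printf 'target pkcs11-helper: %s\n' \
        "${target_pc:-absent (a target build of pkcs11-helper must be staged first)}"
    [ -n "$target_pc" ]
}

# Example invocation from the thread's layout:
#   check_pkcs11_helper "$HOME/openwrt/source"
```

The host line is printed only to make the mismatch visible: a "host: present, target: absent" result is exactly the situation in which apt-get on Ubuntu cannot help the MIPS build.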