OpenVPN smart card support [PKCS11]

geepsee · February 25, 2018, 8:37am

Close but no cigar.

Added this line in package/network/services/openvpn/Makefile, under CONFIGURE_VARS stanza

PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig

and fixed some incorrect relative paths in some .c files but LD exits with error:

ld: cannot find -lpkcs11-helper

sob

JW0914 · February 25, 2018, 3:02pm

I got the same error when I tried compiling with --enable-pkcs11 in the Makefile, however I haven't had time to troubleshoot further.

I'm not sure if that's referring to an error host side or target side, but there is a pkcs11 library that isn't enabled, so I would try enabling that in MenuConfig (iirc: libraries ==> libpkcs11)
- If that doesn't solve it, and it is a target side error, you may have to play around in the Makefule, specifying it as a dependency

geepsee · February 25, 2018, 3:54pm

Hello!
In the menu I've searched with "/" key and enabled anything PKCS11-related (I know, it's sooo unprofessional!)

but the one you mentioned isn't present in my case!
I've also tried to set it as a dependency in the Makefile, but always being warned that the dep. couldn't be satisfied...
Thanks for you patience.
F.

JW0914 · February 25, 2018, 4:07pm

What device are your building for?

geepsee · February 25, 2018, 4:10pm

Target Profile (Dragino 2 (MS14)) --->

JW0914 · February 25, 2018, 4:12pm

What is the Target System

geepsee · February 25, 2018, 4:13pm

Atheros AR7xxx/AR9xxx

JW0914 · February 25, 2018, 4:15pm

Libraries ==> libpkcs11-spy

geepsee · February 25, 2018, 4:16pm

Sorry... I've tried it already
Really flagged ANYTHING that could be related with hardware token support!

JW0914 · February 25, 2018, 4:19pm

You stated the above in relation to that package.

I don't have the time to troubleshoot this, so at this point, I'd recommend searching the OpenVPN forum and/or creating a thread there with a link to this thread.

What you ultimately need from the OpenVPN site is their Makefile options to determine what's required for this specific option to be cross-compiled.

geepsee · February 26, 2018, 12:16pm

Thank you @JW0914, OpenVPN forum is definetely the right place to go.
I've appreciated your effort.
Bye

geepsee · March 10, 2018, 8:56am

@JW0914
OpenVPN forum didn't help out.
I've opened a feature request here:
https://bugs.openwrt.org/index.php?do=details&task_id=1413
Thanks again

JW0914 · March 10, 2018, 2:06pm

It's not so much that OpenWrt doesn't support it, but that the Makefile is missing some options required for cross-compiling OpenVPN with support for PKCS11.

Since you stated this works fine on a standard platform:
- Have you looked at the Makefile on a platform this works on and compared that Makefile to OpenWrt's?
- Have you tried cross compiling for LEDE on a platform shown to support PKCS11?
  - I'd recommend cross compiling for LEDE using Ubuntu (i.e. you're not using a buildroot, but are using an Ubuntu cross compiler to compile for the MIPS toolchain version you require).

jknee00 · March 11, 2018, 6:28pm

anybody knew how to look for local port to bind for openvpn "lport"

geepsee · March 12, 2018, 9:46am

@jknee00
"port" directive in server.conf
for example:
port 1194

geepsee · March 12, 2018, 10:19am

@JW0914
Thank you very much. Here's my checklist:

make a fresh install and a snapshot of Ubuntu 16 in a VM
compile OpenVPN with PKCS11 support on the host
study the makefile
install Lede SDK
compare both makefiles
make world

I will keep you updated.
Cheers,
Francesco

geepsee · March 12, 2018, 1:15pm

@JW0914
If you want to take a look at the Makefile (of the host), here it is:
https://rfididattica.flnet.org/Makefile

kleinsmk · September 26, 2018, 12:30pm

Did you ever figure this out ? I’m interested as well in having smart card support for open vpn.