2015. július 17., péntek

OpenVPN and eToken5100 SafeNet token

SafeNet ePass USB token is a PKI authenticator tool. It's fully supported in, of course, Windows operation systems and, also, in Linuxes. A neat but expensive toy. It also can be used with OpenVPN. With Windows. But you will never find any documentation on how to make these two guys work together in Linux! Except for this blog. Follow these steps on a Debian/Ubuntu system: (this worked in a 12.* Ubuntu+Gnome, not tested with newer ones.)
apt-get update
apt-get upgrade
apt-get install openvpn libhal1 hal-info
unzip the stock driver, unzip the .iso and find your proper .deb or .rpm version. In my case, I installed:
dpkg -i SafenetAuthenticationClient-9.0.43-0_amd64.deb
Run your client tool to check if the token works (and you know your password):

Make your sudo system unsecure, lol: (only this line needs to be modificated)
This is needed because we want to use a simple way to run openvpn by root privileges. Don't forget to restart sudo. And here comes the tricky part. Find the hardware id of your token in the command line with:
openvpn --show-pkcs11-ids
Then, your client.config must look like this: (only the bold lines matters:)

dev tun
proto udp
remote your.server.com 2001
resolv-retry infinite
ca /etc/openvpn/ca.crt
ns-cert-type server
verb 3
script-security 2

# for the sake of proper DNS working
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

# this is the connection with the token
pkcs11-providers /usr/lib/libeTPkcs11.so

# your ID goes here
pkcs11-id 'EnterSafe/PKCS\x2315/0250184313021110/ftsafe\x20\x28User\x20PIN\x29/5F4DD36B4A23533FC9BDBB2AC7372236E48F99E5'
or, for example:

pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/0223127c/John\x20token/FC67BBDD7AD8EACD'

Important: don't run the openvpn as a service because you won't see the authentication promt! Instead, in a command line do:
/usr/sbin/openvpn --config /etc/openvpn/client.conf
Entering password
Succesfully typed and connected, you will see:
Do not close this terminal x-window because the vpn process will die immediately. But the tun interface somehow remains up, so you had better create a "stopopenvpn" script and use it to clean up the processes and interfaces. In my case, that was a
x-terminal-emulator -e "sudo su -c /bin/vpndown"
command, the it called this simple vpndown script in a new window
echo "Please wait..."
killall -9 openvpn

The VPN started with a user friendly desktop icon:
x-terminal-emulator -e "/bin/vpnup"
command. That called:
if $(ifconfig|grep tun); then echo "OPENVPN already started, please stop it first. (click -> stopvpn)"
sleep 5
exit 1
sudo su -c "/usr/sbin/openvpn --config /etc/openvpn/client.conf"
echo "Closing interface......"
sleep 5  

The funniest part is the echo Closing interface because that runs only if the openvpn itself is already terminated by the stopvpn in the other window. That is an elegant way to keep the user informed what's going on.
An alternative way to make the connection up without typing anything could be done by the help of the interactive shell expect:
apt-get install except
cat startvpn
spawn sudo su -c "/usr/sbin/openvpn --config /etc/openvpn/client.conf"
expect "Enter John token Password:\r"
send "MyL1ttleP4ssword\r"

Nincsenek megjegyzések:

Megjegyzés küldése