Ondra Medek wrote:
Hi,
I use a USB token for the OpenVPN client to authenticate. I have OpenVPN
2.1beta7 on Linux. If the client runs in the foreground, then everything is
OK. But if I start the client in the background, then it asks me to insert
the token, but does not ask me for PIN, the client tries to unsuccessfully
connect to the server and logs:
Fri Dec 30 14:35:36 2005 TLS Error: Unroutable control packet received from 127.0.0.1:1194 (si=3 op=P_CONTROL_V1)
The only solution is to use management interface, as I was told at
openvpn-devel mailing list. I don't know if this is a bug or expected
behaviour, so I rather write it here.

Hello,
After daemonize, openvpn cannot interact with the user. You
can make openvpn ask for PIN before daemonize using the
pkcs11-cert-private option.
Just to explain why you get a prompt for card insert and
not for card PIN: When openvpn starts it validates that it
can create ssl context, for that it needs to find the
certificate, since this is a public object it does not
require PIN. Then openvpn daemonizes and performs the key
negotiation, now it needs to access a private object so it
asks for PIN, since it cannot interact with the user it
fails. The pkcs11-cert-private considers the certificate as a
private object so it asks for PIN at an early stage.
The preferred way to communicate with the daemon is via the
management interface. You can use the script that I've sent you.
Best Regards,
Alon Bar-Lev.
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
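
A sketch of the management-interface approach recommended in the reply above, added here as an example; it is not the script mentioned in the thread and not OpenVPN project code. It assumes the daemon was started with `management 127.0.0.1 7505` and `management-query-passwords` (address and port are assumed values), and it answers the `>NEED-OK` and `>PASSWORD` notifications documented in OpenVPN's management-notes.txt, reading the PIN from the terminal so it is never stored in a file.

```python
import re
import socket
from getpass import getpass

# Real-time notifications as documented in OpenVPN's management-notes.txt.
PASSWORD_RE = re.compile(r"^>PASSWORD:Need '(?P<kind>[^']+)' password")
NEED_OK_RE = re.compile(r"^>NEED-OK:Need '(?P<kind>[^']+)' confirmation MSG:(?P<msg>.*)$")
FAILED_RE = re.compile(r"^>PASSWORD:Verification Failed: '(?P<kind>[^']+)'")

def quote(value):
    """Quote a management-interface argument, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def respond(line, ask_pin, confirm):
    """Return the command answering one notification, or None if none is needed."""
    line = line.rstrip("\r\n")
    if FAILED_RE.match(line):
        # Stop instead of retrying: repeated wrong PINs can lock a token.
        raise RuntimeError("PIN rejected: " + line)
    m = PASSWORD_RE.match(line)
    if m:
        return "password %s %s" % (quote(m["kind"]), quote(ask_pin(m["kind"])))
    m = NEED_OK_RE.match(line)
    if m:
        answer = "ok" if confirm(m["msg"]) else "cancel"
        return "needok %s %s" % (m["kind"], answer)
    return None  # >INFO, >STATE and other lines need no reply

def serve(host="127.0.0.1", port=7505):  # assumed `management` address and port
    """Answer token and PIN prompts of a daemonized client from this terminal."""
    with socket.create_connection((host, port)) as sock, \
            sock.makefile("rw", newline="\n") as mgmt:
        for line in mgmt:
            cmd = respond(line,
                          lambda kind: getpass(kind + " PIN: "),
                          lambda msg: input(msg + " [y/N] ").lower() == "y")
            if cmd:
                mgmt.write(cmd + "\n")
                mgmt.flush()

if __name__ == "__main__":
    serve()
```

Keep the management listener on the loopback address or a local socket, because any process that can reach it can answer these prompts.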