[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] PKCS#11 and OpenVPN as daemon

  • Subject: Re: [Openvpn-users] PKCS#11 and OpenVPN as daemon
  • From: Alon Bar-Lev <alon.barlev@xxxxxxxxx>
  • Date: Fri, 30 Dec 2005 16:28:00 +0200

Ondra Medek wrote:

I use USB token for the OpenVPN client to authenticate. I have OpenVPN
2.1beta7 on Linux. If the client runs in the foreground, then is everything
OK. But if I start the client in the background, then it asks me to insert
the token, but does not ask me for PIN, the client tries to unsuccessfully
connect to the server and logs:

Fri Dec 30 14:35:36 2005 TLS Error: Unroutable control packet received from (si=3 op=P_CONTROL_V1)

The only solution is to use management interaface, as I was told at
openvpn-devel mailing list. I don't know if this is a bug or expected
behaviour, so I rather write it here.


After daemonize, openvpn cannot interact with the user. You can make openvpn to ask for PIN before daemonize using the pkcs11-cert-private option.

Just to explain why you you get a prompt for card insert and not for card PIN: When openvpn starts it validate that it can create ssl context, for that it needs to find the certificate, since this is a public object it does not require PIN. Then openvpn daemonize and performs the key negotiation, now it needs to access a private object so it asks for PIN, since it cannot interact with the user it fails. The pkcs11-cert-private consider the certificate as a private object so it asks for PIN at early stage.

The preferred way to communicate with the daemon is via the management interface. You can use the script that I've sent you.

Best Regards,
Alon Bar-Lev.

Openvpn-users mailing list