
[Openvpn-users] Windows system service with OpenSC

  • Subject: [Openvpn-users] Windows system service with OpenSC
  • From: "Richard Hartmann" <richih.nospam@xxxxxxxxxxxxxx>
  • Date: Tue, 5 Jun 2007 16:37:18 +0200

Hi all,

I have succeeded in a PINless login in my setup. It is working fine if
I call it once I am logged into Windows.

As a reminder, my setup looks as follows:
Cert and private key are stored on an Aladdin eToken, which I am using
via OpenSC. I need to establish the VPN connection before the user is
presented with GINA, i.e. the login prompt of Windows.

My OpenVPN conf, aka aladdin3.ovpn:
proto tcp
dev tap

# management takes a bind address as well as a port
management 127.0.0.1 9999
# without this OpenVPN prompts for the token PIN on its own console and
# never consults the "password" command sent over the management channel
management-query-passwords

remote vpn.globalways.net 443

ca "C:\\Dokumente und Einstellungen\\Administrator\\Desktop\\aladdin\\gw-ca.pem"
pkcs11-providers "C:\\Programme\\Smart Card Bundle\\opensc-pkcs11.dll"
pkcs11-slot-type label
pkcs11-slot "OpenSC Card (Richard Hartmann)"
pkcs11-id-type subject
pkcs11-id "/C=de/ST=Bavaria/L=Munich/O=globalways GmbH & Co. KG/OU=IT Security/CN=Richard Hartmann/emailAddress=rh@xxxxxxxxxxxxxx"

auth SHA1
cipher AES-256-CBC


My script to connect, called connect.bat (and yes, my PIN is 1234, atm :) ):
@echo on
REM start OpenVPN in the background; aladdin3.ovpn is resolved relative to the current directory
start /B C:\Programme\OpenVPN\bin\openvpn --config aladdin3.ovpn
REM give OpenVPN time to open the management port before the PIN is sent
c:\Programme\sleep.exe 10
REM netcat needs a host as well as a port, and the pipeline must stay on one line
echo password "OpenSC Card (Richard Hartmann) token" 1234 | c:\programme\netcat\nc.exe -w 5 127.0.0.1 9999

My Autoexnt.bat as per http://support.microsoft.com/kb/243486 :
@echo off

When I tail -f the server logs, I can see that the connection attempt
is made shortly after the GINA appears. I can also see that the
attempt times out, which makes me suspect that, for some reason,
netcat is unable to pass the PIN to OpenVPN.
I tried using --askpass, but OpenVPN does not seem to realize that it
could use the pass for the PIN instead of trying to decrypt the key
itself with it.
Unfortunately, there is pkcs11-pin-cache as an option, but not
pkcs11-pin-value. Offering this as a compile-time option along
the lines of --askpass file would probably be neat, at some point. It
is bad practice in most cases, but sometimes, you just need it.

I suspect that I might need to play around with the dependencies of my
Windows system service a bit, but I neither know how to do that nor
would I know what OpenVPN requires.
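A small management-interface client, added here as an example and not part of Richard's post or of OpenVPN's own tooling: instead of sleeping ten seconds and piping one line into netcat, it waits for OpenVPN's ">PASSWORD:Need '... token' password" notification and answers it with a correctly quoted "password" command, and it notices a ">PASSWORD:Verification Failed" reply. It assumes the management interface listens on 127.0.0.1:9999 as in aladdin3.ovpn, that the config also contains management-query-passwords (otherwise OpenVPN never asks the management client), and that the PIN is supplied in an environment variable named OPENVPN_TOKEN_PIN (a name chosen for this example).

```python
import os
import re
import socket

# Notification OpenVPN sends on the management channel when it wants a
# password, e.g. ">PASSWORD:Need 'OpenSC Card (Richard Hartmann) token' password"
PASSWORD_REQUEST = re.compile(r"^>PASSWORD:Need '(.+)' password$")

def parse_password_request(line):
    """Return the requested password type, or None for any other line
    (username/password requests are skipped: a token PIN has no username)."""
    m = PASSWORD_REQUEST.match(line.rstrip("\r\n"))
    return m.group(1) if m else None

def quote(value):
    """Quote a management-interface argument; backslash and double quote
    inside it are escaped with a backslash."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def format_password_command(kind, secret):
    """Build the 'password' command that answers a request of type 'kind'."""
    return "password %s %s" % (quote(kind), quote(secret))

def feed_token_pin(host, port, pin, timeout=120):
    """Connect to the management interface, wait until OpenVPN asks for the
    token PIN and answer it. True once OpenVPN accepts the command, False if
    it reports the PIN as wrong or closes the channel first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        chan = sock.makefile("rw", encoding="utf-8", newline="\n")
        for raw in chan:
            line = raw.rstrip("\r\n")
            kind = parse_password_request(line)
            if kind is not None and kind.endswith(" token"):
                chan.write(format_password_command(kind, pin) + "\n")
                chan.flush()
            elif line.startswith("SUCCESS:") and "password entered" in line:
                chan.write("quit\n")
                chan.flush()
                return True
            elif line.startswith(">PASSWORD:Verification Failed"):
                return False
    return False

if __name__ == "__main__":
    # PIN comes from an environment variable (name chosen for this example)
    # instead of being written into the script as connect.bat does.
    ok = feed_token_pin("127.0.0.1", 9999, os.environ["OPENVPN_TOKEN_PIN"])
    raise SystemExit(0 if ok else 1)
```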
