This howto describes using openvpn with a crypto token. OpenVPN from pkgsrc doesn't support tokens by default, but you can use this simple patch to enable them. Additionally, you'll need:
- security/pcsc-lite for accessing tokens
- security/ccid if you are using USB tokens
- wip/pkcs11-helper to allow use of pkcs11 in openvpn
- wip/opensc to initialize tokens and add certificates, and to provide the pkcs11 engine for openvpn.
I won't describe how to initialize the token and add certs here; I'll just describe the client-side process.
You have to get the patch and apply it:
/usr/pkgsrc:# wget -O - http://morr.pl/netbsd/net-openvpn-pkcs11.patch | patch
/usr/pkgsrc:# cd net/openvpn && make install clean
Then build pcsc-lite:
/usr/pkgsrc/net/openvpn:# cd ../../security/pcsc-lite && make install clean
If you are using a USB token, you will need ccid too:
/usr/pkgsrc/security/pcsc-lite:# cd ../../security/ccid && make install clean
After that, you only need to run /usr/pkg/sbin/pcscd (unfortunately there isn't an rc.d script yet) and you're almost done!
You have to know your token ID. You can get it using:
~:# openvpn --show-pkcs11-ids /usr/pkg/lib/opensc-pkcs11.so
and copying the "Serialized id" value into the "pkcs11-id" entry of your openvpn config. Another entry is needed for this to run:
And that's all! Of course you have to configure the rest of openvpn, like "client", "dev" or "remote", but that is normal openvpn configuration. After running
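As an added example (not part of the original howto), the following POSIX shell script takes the output of openvpn --show-pkcs11-ids on stdin, extracts the "Serialized id" and emits the two pkcs11 directives for the client config. It assumes the opensc provider path used above and OpenVPN's pkcs11-providers option; the sample --show-pkcs11-ids output embedded in it is constructed, not captured from a real token.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the provider path
# shown in the howto and the pkcs11-providers option of openvpn.
PROVIDER=/usr/pkg/lib/opensc-pkcs11.so

# Print the first "Serialized id:" value found in --show-pkcs11-ids
# output read from stdin. The value may contain backslash escapes such
# as \x20 (space), so it is passed through untouched.
extract_serialized_id() {
    sed -n 's/^[[:space:]]*Serialized id:[[:space:]]*//p' | head -n 1
}

# Emit the pkcs11-related config lines. $1 is the serialized id; it is
# single-quoted so the escapes survive openvpn's config parsing.
# client/dev/remote etc. are ordinary OpenVPN configuration and not shown.
pkcs11_config_lines() {
    printf 'pkcs11-providers %s\n' "$PROVIDER"
    printf "pkcs11-id '%s'\n" "$1"
}

# Constructed sample of --show-pkcs11-ids output (not from a real token).
SAMPLE_IDS='Certificate
       DN:             /C=PL/CN=vpn-client
       Serial:         01
       Serialized id:  OpenSC\x20Project/PKCS\x2315\x20emulated/0001/vpn-client/01'

# Parse the sample and print the directives to append to my.ovpn.
# Fails with a message if no Serialized id line is present.
generate_from_sample() {
    id=$(printf '%s\n' "$SAMPLE_IDS" | extract_serialized_id)
    [ -n "$id" ] || { echo "no Serialized id found in input" >&2; return 1; }
    pkcs11_config_lines "$id"
}
```

On a real system, replace the sample with `openvpn --show-pkcs11-ids "$PROVIDER" | extract_serialized_id` once pcscd is running.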
~:# openvpn --config my.ovpn
Wed Jan 28 00:49:08 2009 OpenVPN 2.1_rc13 i386--netbsdelf [SSL] [LZO2] [PKCS11] built on Jan 27 2009
Wed Jan 28 00:49:08 2009 PKCS#11: Adding PKCS#11 provider '/usr/pkg/lib/opensc-pkcs11.so'
and after a while you'll be asked for the PIN protecting the certs on the token:
Enter CryptoCard PKI (PIN1) token Password:
After you enter the PIN, the VPN connection will be established.
If you have any questions, feel free to ask. ;-) If there is demand, I'll write about adding certs to the token using pkcs11-tool.