
OpenVPN is a cross-platform, flexible and convenient VPN solution. To be admitted to a virtual network built on OpenVPN, the client must authenticate. In OpenVPN this can be done in three ways:
- by login and password
- by key and certificate in files
- by key and certificate on the “board” of a cryptographic USB token or smart card
The last method is the safest. This article describes authorization in OpenVPN using the Rutoken EDS cryptographic USB token. Rutoken EDS is protected from unauthorized access by a PIN code and locks itself once the PIN attempts are exhausted, so an attacker does not get into the VPN even with a stolen token. In addition, the GOST and RSA algorithms are implemented in hardware in Rutoken EDS, so authentication is performed "on board" the token. Thanks to this, the private key never leaves the token and cannot be stolen from the computer's RAM by a Trojan.
The article shows how to deploy a test VPN as well as a corporate CA based on the open-source XCA application. Using this CA, the key and certificate of the OpenVPN server will be created and the client token will be initialized. Then the OpenVPN client is configured so that the user can log in to OpenVPN with the Rutoken EDS.
The OpenVPN server and XCA will be set up on Ubuntu 11.10.
CA Setup
To begin with, install the system components needed for Rutoken EDS to work:
Install the XCA:
sudo apt-get install xca
Run XCA:
sudo xca
Create a new database: File-> New Database.
Create the CA key: Private Keys-> New Key, newcakey, RSA, 1024.
Create the CA certificate:



Create the OpenVPN server key: Private Keys-> New Key, newserver, RSA, 1024.
Create an OpenVPN server certificate:


IMPORTANT! The OpenVPN server certificate must have a special extension (extendedKeyUsage - serverAuth).

Export the CA certificate to the file ca.crt, the server key to server.key and the server certificate to server.crt so that they can be copied to the OpenVPN server (Private Keys-> Export, Certificates-> Export).
OpenVPN server setup
Install openvpn:
sudo apt-get install openvpn
Create a file with DH parameters:
openssl dhparam -out dh1024.pem 1024
Test OpenVPN server config (ATTENTION! This server config is intended only for demonstration; do not take it as the basis of your own server):
port 1194
proto tcp
dev tap
ca /home/vic/Desktop/ca.crt
cert /home/vic/Desktop/server.crt
key /home/vic/Desktop/server.key
dh /home/vic/Desktop/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher BF-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Let's run the OpenVPN server:
sudo openvpn
Naturally, in a production configuration the server will run as a daemon and the keys and certificates will not live in a home directory.
Initialization of Rutoken EDS client
Now we can get to the point of all this: initializing the Rutoken EDS so that the client can authenticate to the VPN.
For XCA to work with a token, it must be given the token's PKCS#11 library. The PKCS#11 library for Linux with RSA support for Rutoken EDS can be downloaded here. So, File-> Options
Attention! If you have formatted the Rutoken EDS with, for example, the OpenSC utilities, then before starting work the Rutoken EDS should be formatted under Windows using Control Panel-> Rutoken Control Panel. For starters, you can change the PIN: Token-> Change PIN.
Create an RSA key "on board" Rutoken EDS:
Private Keys-> New Key

In the Name field, enter newclientkey. When prompted, enter the correct PIN.
Now we issue the client a certificate with which it will be able to log in to OpenVPN, and write this certificate to the Rutoken EDS:


IMPORTANT! The OpenVPN client certificate must have a special extension (extendedKeyUsage - clientAuth).

XCA will offer to store the certificate on the token; agree.
Setting up an OpenVPN client
The user's workstation in my case is Windows 7. Since Rutoken EDS works through the standard CCID driver, its drivers do not need to be installed on Windows 7 (they are needed on XP).
I installed OpenVPN and hit a snag. It turns out that openvpn.exe for Windows is built without support for connecting tokens through PKCS#11. But I did find a correct openvpn.exe. It can be downloaded from the OpenSC project site,
www.opensc-project.org/downloads/users/alonbl/build , the third archive from the top at the time of this writing. Unzip the archive and replace the files in the OpenVPN installation folder.
Client config:
client
dev tap
proto tcp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca c:/Users/vic/Desktop/openvpn/ca.crt
pkcs11-providers c:/Users/vic/Desktop/openvpn/rtPKCS11ECP.dll
pkcs11-id 'Aktiv\x20Co\x2E/Rutoken\x20ECP/2ab17cca/Rutoken\x20ECP\x20\x3Cno\x20label\x3E/2C84962D1AF5792A'
pkcs11-pin-cache 300
comp-lzo
verb 3
In the pkcs11-providers parameter, specify the path to the Rutoken EDS PKCS#11 library (the library for Windows with RSA support is available for download).
In the pkcs11-id parameter, specify the ID of the container on the Rutoken EDS in which the user's key and certificate are stored. This ID can be obtained with the command:
openvpn --show-pkcs11-ids [ PKCS
It is more convenient to do this when the token is initialized, and then hand the user a ready-made config, the CA certificate, the token and its PIN.
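The pkcs11-id value in the client config is OpenVPN's serialized object identifier, the same string that --show-pkcs11-ids prints. As an added example (my code, not the article's), the following Python decodes and re-encodes that value, so the ID written into a user's config can be checked against the manufacturer, model and serial of the token actually handed out. The field layout (manufacturer/model/serial/token label/CKA_ID in hex) and the escaping rule (every byte other than an ASCII letter or digit written as \xHH) are assumptions inferred from the sample value and from pkcs11-helper's serialization; the sample string is the one from the client config above.

```python
"""Decode and re-encode OpenVPN's serialized PKCS#11 object id (the value
printed by --show-pkcs11-ids and passed in pkcs11-id).

Added example, not from the original article.  Assumed layout, inferred from
the sample and pkcs11-helper's serialization:
manufacturer/model/serial/token-label/CKA_ID-hex, fields joined by '/', with
every byte other than an ASCII letter or digit escaped as \\xHH.
"""
import re
from typing import Dict

# The value from the article's client config.
SAMPLE_ID = (r"Aktiv\x20Co\x2E/Rutoken\x20ECP/2ab17cca/"
             r"Rutoken\x20ECP\x20\x3Cno\x20label\x3E/2C84962D1AF5792A")

FIELDS = ("manufacturer", "model", "serial", "label", "cka_id")
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape(field: str) -> str:
    """Turn each \\xHH into the byte it stands for, then decode as UTF-8 so
    multibyte characters in a token label survive."""
    raw = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(field):
        raw += field[pos:m.start()].encode("utf-8")
        raw.append(int(m.group(1), 16))
        pos = m.end()
    raw += field[pos:].encode("utf-8")
    return raw.decode("utf-8", errors="replace")


def escape(text: str) -> str:
    """Inverse of unescape: keep ASCII letters and digits, escape everything else."""
    out = []
    for b in text.encode("utf-8"):
        out.append(chr(b) if b < 0x80 and chr(b).isalnum() else f"\\x{b:02X}")
    return "".join(out)


def parse_pkcs11_id(serialized: str) -> Dict[str, object]:
    """Split the id into its fields; raises ValueError on a malformed value."""
    parts = serialized.split("/")  # a '/' inside a field is always escaped
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    info: Dict[str, object] = dict(zip(FIELDS, (unescape(p) for p in parts)))
    cka_id = info["cka_id"]
    if not isinstance(cka_id, str) or not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", cka_id):
        raise ValueError("CKA_ID must be an even-length hex string")
    info["cka_id_bytes"] = bytes.fromhex(cka_id)  # the object's CKA_ID attribute
    return info


def serialize_pkcs11_id(info: Dict[str, object]) -> str:
    """Rebuild the config value from parsed fields (cka_id stays hex text)."""
    return "/".join(escape(str(info[f])) for f in FIELDS)


def matches_token(info: Dict[str, object], manufacturer: str, model: str) -> bool:
    """Sanity check before the value goes into a user's client config."""
    return info["manufacturer"] == manufacturer and info["model"] == model
```

parse_pkcs11_id(SAMPLE_ID) yields manufacturer "Aktiv Co.", model "Rutoken ECP", serial "2ab17cca", label "Rutoken ECP <no label>" and the eight-byte CKA_ID; serialize_pkcs11_id() on that result gives back the original string, which is a quick way to confirm the escaping rule holds for a given token before trusting a hand-edited config.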
Establish the VPN connection. To do this, connect the Rutoken EDS and run as administrator on the command line:
openvpn
When prompted, enter your PIN.
After the connection was established, I was able to ping the server at the virtual-network address 10.8.0.1.