OpenVPN/openvpn3-linux
9
20
Fork
You've already forked openvpn3-linux
9

Does OpenVPN 3 client supports certificate stored on YubiKey PIV? #75

Open
opened 2025年08月29日 00:34:15 +02:00 by dazo · 0 comments
Owner
Copy link

Issue is migrated from GitHub*


I have a fully working X509 certificate stored on the YubiKey 5 PIV. This is verified on Windows, as I can connect to server without issues.

When testing on Ubuntu 22.04, and using regular openvpn with configuration adjusted with pkcs11-id and pkcs11-providers (referring to opensc .so) I get connected as well, after providing my credentials and YubiKey PIN, however the traffic does not flow, but that is some conflict with ubuntu network manager and openvpn.

When Using openvpn3-linux client , after providing credentials I don't get asked for the PIN of YubiKey and the process is stacked somewhere at beginning.

Does openvpn3 client supports certificate stored on hardware key at all? I cannot find any reference in the documentation, but searching through code I do see some mentions of PIV, PKCS11 and similar indicating that there might be a support or at least partial support.


Author (GitHub user): Marko Mrvelj (@mmrvelj )
Created: 2023年07月03日T07:44:54Z - Updated: 2025年08月28日T19:56:57Z
GitHub issue: https://github.com/OpenVPN/openvpn3-linux/issues/196

COMMENTS

2023年07月03日T10:47:07Z - @dsommers

No, PKCS#11 support is not available in OpenVPN 3 Linux yet. It's on our todo-list, but the demand for it is currently not high enough to give make it a higher priority.

In general it is quite tricky to get a good user experience on Linux with PKCS#11. Yes, it can be made to work. But I have much higher goals, to reach a user experience which is comparable to Windows and macOS where it just works "out of the box". I don't want end users to really need to care much about the lower level "PKCS11 providers" aspects and such things. The end user should just indicate that "this profile uses a Yubikey" and basically that's all needed to be configured. The client should then ask for the token to be inserted/made available when not visible on the system.

However, achieving this goal will take quite some efforts though.

When I designed the various D-Bus APIs, I expected this to be quite simpler - as I expected there to be more generic interfaces available. But it turned out that it's mostly the lower level interfaces which is available, which is not really that non-tech end-user friendly. And those approaches are tricky, as you too often experience "exclusive access" restrictions. I use Yubikey's myself, for PGP stuff - and even mixing PGP and PKCS#11 when GnuPG/scdaemon is involved. I would love to have several of my OpenVPN keys available on YubiKeys as well.


2024年04月03日T12:29:44Z - @SherZCHR

Hi :)
I watched this discussion about the pkcs11 on openvpn3 client. Have you a future version with this feature ? Or any date to know when we can use pkcs11 with this client.
It should be very useful in many projects !

Thanks :)


2024年04月06日T19:40:05Z - @dsommers

@SherZCHR We're aware if the usefulness. It is on our "todo list", but we don't have an ETA currently.

It will require quite some work, since Linux doesn't have a reasonable PKCS#11 platform interface; each PKCS#11 application will typically fight for exclusive access to the token - and that will not work so well with in an OpenVPN context - especially if the same hardware token is used for more than just OpenVPN. And there are some ugliness if you also use it with gpg, as that is tricky to get to work with the pcscd service in parallel.

When this gets on the top of the todo list, we want to ensure the user experience is as flawless and user friendly as possible and not just implement a proof-of-concept hack and call it a day.

Issue is migrated from GitHub* ------ I have a fully working X509 certificate stored on the YubiKey 5 PIV. This is verified on Windows, as I can connect to server without issues. When testing on Ubuntu 22.04, and using regular openvpn with configuration adjusted with `pkcs11-id` and `pkcs11-providers` (referring to opensc .so) I get connected as well, after providing my credentials and YubiKey PIN, however the traffic does not flow, but that is some conflict with ubuntu network manager and openvpn. When Using openvpn3-linux client , after providing credentials I don't get asked for the PIN of YubiKey and the process is stacked somewhere at beginning. Does openvpn3 client supports certificate stored on hardware key at all? I cannot find any reference in the documentation, but searching through code I do see some mentions of PIV, PKCS11 and similar indicating that there might be a support or at least partial support. ------ Author (GitHub user): **Marko Mrvelj** (**[@mmrvelj](https://github.com/mmrvelj)**) Created: **2023年07月03日T07:44:54Z** - Updated: **2025年08月28日T19:56:57Z** GitHub issue: https://github.com/OpenVPN/openvpn3-linux/issues/196 ## COMMENTS > **[2023年07月03日T10:47:07Z](https://github.com/OpenVPN/openvpn3-linux/issues/196#issuecomment-1617904340) - [@dsommers](https://github.com/dsommers)** > > No, PKCS#11 support is not available in OpenVPN 3 Linux yet. It's on our todo-list, but the demand for it is currently not high enough to give make it a higher priority. > > In general it is quite tricky to get a good user experience on Linux with PKCS#11. Yes, it can be made to work. But I have much higher goals, to reach a user experience which is comparable to Windows and macOS where it just works "out of the box". I don't want end users to really need to care much about the lower level "PKCS11 providers" aspects and such things. The end user should just indicate that "this profile uses a Yubikey" and basically that's all needed to be configured. The client should then ask for the token to be inserted/made available when not visible on the system. > > However, achieving this goal will take quite some efforts though. > > When I designed the various D-Bus APIs, I expected this to be quite simpler - as I expected there to be more generic interfaces available. But it turned out that it's mostly the lower level interfaces which is available, which is not really that non-tech end-user friendly. And those approaches are tricky, as you too often experience "exclusive access" restrictions. I use Yubikey's myself, for PGP stuff - and even mixing PGP and PKCS#11 when GnuPG/scdaemon is involved. I would love to have several of my OpenVPN keys available on YubiKeys as well. ----- > **[2024年04月03日T12:29:44Z](https://github.com/OpenVPN/openvpn3-linux/issues/196#issuecomment-2034476520) - [@SherZCHR](https://github.com/SherZCHR)** > > Hi :) > I watched this discussion about the pkcs11 on openvpn3 client. Have you a future version with this feature ? Or any date to know when we can use pkcs11 with this client. > It should be very useful in many projects ! > > Thanks :) ----- > **[2024年04月06日T19:40:05Z](https://github.com/OpenVPN/openvpn3-linux/issues/196#issuecomment-2041176330) - [@dsommers](https://github.com/dsommers)** > > @SherZCHR We're aware if the usefulness. It is on our "todo list", but we don't have an ETA currently. > > It will require quite some work, since Linux doesn't have a reasonable PKCS#11 platform interface; each PKCS#11 application will typically fight for exclusive access to the token - and that will not work so well with in an OpenVPN context - especially if the same hardware token is used for more than just OpenVPN. And there are some ugliness if you also use it with `gpg`, as that is tricky to get to work with the `pcscd` service in parallel. > > When this gets on the top of the todo list, we want to ensure the user experience is as flawless and user friendly as possible and not just implement a proof-of-concept hack and call it a day.
Sign in to join this conversation.
No Branch/Tag specified
master
releaseprep/v27.1
dev/core-update-wip
dev/cb89-inactive-fix
releaseprep/v26
dev/gh-issue-14-asio-include-dir
v27.1
v27.1_rc1
v27
v26
v25
v24.1
v24
v23
v22_dev
v21
v20
v19_beta
v19_betaRC1
v18_beta
v18_betaRC3
v18_betaRC2
v18_betaRC
v17_betaUb2204
v17_beta
v16_beta
v15_beta
v14_beta
v13_beta
v12_beta
v11_beta
v10_beta
v9_beta
v8_beta
v7_beta
v6_beta
v5_beta
v4_beta
v3_beta
v2_beta
v1_beta
Labels
Clear labels
Access Server
Issue related to connecting/integration with OpenVPN Access Server
addon-aws
openvpn3-service-aws / net.openvpn.v3.aws, AWS-VPC integration add-on
addon-devposture
openvpn3-service-devposture / net.openvpn.v3.devposture, Device Posture Check (DPC) service
Awaiting external feedback
Feedback from an external party is needed to continue investigation
build
Issue is related to the build system (meson) or general compilation issues
cli-openvpn2
OpenVPN 2 compat wrapper utility
cli-openvpn3
openvpn3 command line
cli-openvpn3-admin
openvpn3-admin command line
cli-openvpn3-as
OpenVPN Access Server profile download utility
Cloud Connexa
Issue related to connecting to the Cloud Connexa service
common
Shared code across modules
Development done
A fix has been applied to git master
distro-support
OS distribution support
duplicate
This is a duplicate issue of another issue ticket.
Enhancement
Proposal for an enhancement
GitHub
Issue transfered from GitHub
Infrastructure
Issue related to the infrastructure for builds, package repositories, etc
Investigating
The issue is being investigated by a project developer
OpenVPN 3 Core
Issue needs to be resolved in the OpenVPN 3 Core Library
openvpn3-systemd
systemd integration (openvpn3-session@.service, helper tools)
python
The openvpn3 Python module
service-backendstart
openvpn3-service-backendstart / net.openvpn.v3.backends, VPN client service starter
service-client
openvpn3-service-client / net.openvpn.v3.backends.be$PID, Backend VPN client service
service-configmgr
openvpn3-service-configmgr / net.openvpn.v3.configuration, Configuration Profile Manager
service-log
openvpn3-service-log / net.openvpn.v3.log, Log collector service
service-netcfg
openvpn3-service-netcfg / net.openvpn.v3.netcfg, Network Configuration Manager
service-sessionmgr
openvpn3-service-sessionmgr / net.openvpn.v3.sessions, VPN sessions manager
Support
Issue is a support question, not a bug
tests programs
Issue is related to code in src/tests
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
OpenVPN/openvpn3-linux#75
Reference in a new issue
OpenVPN/openvpn3-linux
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?