Does OpenVPN 3 client supports certificate stored on YubiKey PIV?

[mmrvelj]

I have a fully working X509 certificate stored on the YubiKey 5 PIV. This is verified on Windows, as I can connect to server without issues.

When testing on Ubuntu 22.04, and using regular openvpn with configuration adjusted with pkcs11-id and pkcs11-providers (referring to opensc .so) I get connected as well, after providing my credentials and YubiKey PIN, however the traffic does not flow, but that is some conflict with ubuntu network manager and openvpn.

When Using openvpn3-linux client , after providing credentials I don't get asked for the PIN of YubiKey and the process is stacked somewhere at beginning.

Does openvpn3 client supports certificate stored on hardware key at all? I cannot find any reference in the documentation, but searching through code I do see some mentions of PIV, PKCS11 and similar indicating that there might be a support or at least partial support.

[dsommers]

No, PKCS#11 support is not available in OpenVPN 3 Linux yet. It's on our todo-list, but the demand for it is currently not high enough to give make it a higher priority.

In general it is quite tricky to get a good user experience on Linux with PKCS#11. Yes, it can be made to work. But I have much higher goals, to reach a user experience which is comparable to Windows and macOS where it just works "out of the box". I don't want end users to really need to care much about the lower level "PKCS11 providers" aspects and such things. The end user should just indicate that "this profile uses a Yubikey" and basically that's all needed to be configured. The client should then ask for the token to be inserted/made available when not visible on the system.

However, achieving this goal will take quite some efforts though.

When I designed the various D-Bus APIs, I expected this to be quite simpler - as I expected there to be more generic interfaces available. But it turned out that it's mostly the lower level interfaces which is available, which is not really that non-tech end-user friendly. And those approaches are tricky, as you too often experience "exclusive access" restrictions. I use Yubikey's myself, for PGP stuff - and even mixing PGP and PKCS#11 when GnuPG/scdaemon is involved. I would love to have several of my OpenVPN keys available on YubiKeys as well.

[SherZCHR]

Hi :)
I watched this discussion about the pkcs11 on openvpn3 client. Have you a future version with this feature ? Or any date to know when we can use pkcs11 with this client.
It should be very useful in many projects !

Thanks :)

[dsommers]

@SherZCHR We're aware if the usefulness. It is on our "todo list", but we don't have an ETA currently.

It will require quite some work, since Linux doesn't have a reasonable PKCS#11 platform interface; each PKCS#11 application will typically fight for exclusive access to the token - and that will not work so well with in an OpenVPN context - especially if the same hardware token is used for more than just OpenVPN. And there are some ugliness if you also use it with gpg, as that is tricky to get to work with the pcscd service in parallel.

When this gets on the top of the todo list, we want to ensure the user experience is as flawless and user friendly as possible and not just implement a proof-of-concept hack and call it a day.