Ubuntu 16.04 64bit – OpenVPN and SafeNet iKey 5100 token

My company allows remote connections to some computers through OpenVPN, but you have to use a SafeNet iKey 5100 token. This is a short tutorial on how to install and configure OpenVPN with the iKey 5100 token and how to modify Windows *.ovpn files to make them Linux compatible.

Important note: OpenVPN contains a bug and does not work with systemd together with a PKCS#11 token. That is our case: Ubuntu 16.04 uses systemd and the SafeNet token is accessed through the PKCS#11 API. This bug should be fixed in OpenVPN 2.5. You can find more information at: https://community.openvpn.net/openvpn/ticket/538

Required software installation

  1. Open a terminal and run the command
    sudo apt-get install openvpn opensc
  2. Install SafeNet Authentication Client (SAC) version 9
    sudo dpkg -i SafenetAuthenticationClient-9.0.43-0_amd64.deb

SafeNet iKey 5100 validation

  1. Open the SafeNet Authentication Client
  2. Check your token info
  3. If you cannot see the token info, restart your computer

Get the SafeNet iKey 5100 certificate ID

  1. Open a terminal and run the command
    openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so
  2. You should see output similar to this
    Certificate
     DN: C=XX, L=City, O=Company, OU=DEV, CN=John Dove GVPN
     Serial: 431B6D0E0003000003AB
     Serialized id: SafeNet\x2C\x20Inc\x2E/eToken/0223253a/John\x20Dove\x205100/9C92935DE546178D
  3. We will use the “Serialized id” attribute in our VPN.ovpn file

OpenVPN configuration

  1. I received from my company these files for OpenVPN:
    • VPN.ovpn – configuration file for Windows OpenVPN
    • gvpn_ca.cer – CA certificate
    • ta.key – key file

    You should have similar files too.

  2. Copy these files to the “/etc/openvpn” folder
  3. Open /etc/openvpn/VPN.ovpn in an editor, e.g. with the command
     sudo nano /etc/openvpn/VPN.ovpn
  4. My original VPN.ovpn file looked like this
    client
    dev tun
    proto udp
    remote 111.111.111.1 1111
    resolv-retry infinite
    persist-key
    persist-tun
    redirect-gateway
    tls-remote ovpn.server.com
    redirect-gateway
    ca "C:\\Program Files\\OpenVPN\\config\\gvpn_ca.cer"
    cryptoapicert "SUBJ:John Dove GVPN"
    tls-auth ta.key 1
    comp-lzo
    verb 4
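  5. Modify the file so that it looks like this. Only the certificate-related lines change: the ca and cryptoapicert lines are replaced by pkcs11-providers and pkcs11-id, and tls-auth gets an absolute path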
    client
    dev tun
    proto udp
    remote 111.111.111.1 1111
    resolv-retry infinite
    persist-key
    persist-tun
    redirect-gateway
    tls-remote ovpn.server.com
    redirect-gateway
    pkcs11-providers /usr/lib/libeTPkcs11.so
    pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/0223253a/John\x20Dove\x205100/9C92935DE546178D'
    tls-auth /etc/openvpn/ta.key 1
    comp-lzo
    verb 4
    
    The "pkcs11-id" value is the "Serialized id" attribute from the output of the command "openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so"

Connection to OpenVPN network

  1. In a terminal, run the command
     sudo openvpn --config /etc/openvpn/VPN.ovpn --ca /etc/openvpn/gvpn_ca.cer
  2. When you see lines similar to these
    Wed Apr 23 09:39:40 2014 us=105713 VERIFY X509NAME OK: /C=XX/L=City/O=Company/OU=central/CN=vpn.server.xx
    Wed Apr 23 09:39:40 2014 us=105725 VERIFY OK: depth=0, /C=XX/L=City/O=Company/OU=central/CN=vpn.server.xx
    Enter John Dove token Password:
    

    type your token PIN and press ENTER

  3. When you see these lines
    Wed Apr 23 09:40:23 2014 us=121821 /sbin/ip route add 177.1.0.0/18 via 192.20.2.214
    Wed Apr 23 09:40:30 2014 us=511121 /sbin/ip route add 192.20.2.2/32 via 192.20.2.214
    Wed Apr 23 09:40:37 2014 us=934387 Initialization Sequence Completed

    you are successfully connected

9 thoughts to “Ubuntu 16.04 64bit – OpenVPN and SafeNet iKey 5100 token”

  1. I was recommended this web site through my cousin. I
    am no longer certain whether this put up is written by means of him as nobody else recognize such exact approximately
    my problem. You are wonderful! Thank you!

  2. After looking into a handful of the blog articles
    on your website, I truly like your technique of writing a blog.
    I saved as a favorite it to my bookmark site list and will be checking back soon. Please check out my
    website too and let me know how you feel.

  3. I think this is among the most significant info for
    me. And I am glad reading your article. But should remark
    on some general things, The web site style is ideal, the articles is really great :
    D. Good job, cheers

  4. Great site you have here but I was curious about if you knew of any community forums that cover the same topics discussed in this article?
    I’d really like to be a part of group where I can get opinions from other
    knowledgeable individuals that share the same interest.
    If you have any suggestions, please let me know.

    Thanks!

  5. I’m very happy to uncover this site. I need to to thank you for ones time due to this fantastic read!!

    I definitely really liked every part of it and I also have you book-marked to see new information on your website.
