Ubuntu 16.04 64bit – OpenVPN and SafeNet iKey 5100 token

Vladislav Korecký Linux

My company allows remote connection to some computers by OpenVPN, but you have to use SafeNet iKey 5100 token. There is small tutorial how can you install and configure OpenVPN with iKey 5100 token and how to modify windows *.ovpn files to be a Linux compatible.

ikey5100

Important note: OpenVPN contains bug and it doesn’t work with systemd and pkcs11 token. This is our case, Ubuntu 16.04 use systemd and SafeNet has pkcs11 API. This bug should be fixed in OpenVPN 2.5. You can find more informatinon at: https://community.openvpn.net/openvpn/ticket/538

[wp_ad_camp_1]

Required software installation

  1. Open terminal and run command 
    sudo apt-get install openvpn opensc
  2. Install SAC 9 version 
    sudo dpkg -i SafenetAuthenticationClient-9.0.43-0_amd64.deb

SafeNet iKey 5100 validation

  1. Open SafeNet authentication client
  2. Check your token info
    sac9_token_info
  3. If you cannot see token info, restart your computer

Gets SafeNet iKey 5100 certificate ID

  1. Open terminal and run command 
    openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so
  2. You should see similar output 
    Certificate
 DN: C=XX, L=City, O=Company, OU=DEV, CN=John Dove GVPN
 Serial: 431B6D0E0003000003AB
 Serialized id: SafeNet\x2C\x20Inc\x2E/eToken/0223253a/John\x20Dove\x205100/9C92935DE546178D
  3. We will use “Serialized id” attribute in our VPN.ovpn file

[wp_ad_camp_1]

OpenVPN configuration

  1. I received from my company these files for OpenVPN:
    • VPN.ovpn – configuration file for Windows OpenVPN
    • gvpn_ca.cer – CA certificate
    • ta.key – key file

    You should have similar files too

  2. Copy these files to “/etc/openvpn” folder
  3. Open /etc/openvpn/VPN.ovpn in editor e.g. by command 
     sudo nano /etc/openvpn/VPN.ovpn
  4. My original VPN.ovpn file looked like this 
    client
dev tun
proto udp
remote 111.111.111.1 1111
resolv-retry infinite
persist-key
persist-tun
redirect-gateway
tls-remote ovpn.server.com
redirect-gateway
ca "C:\\Program Files\\OpenVPN\\config\\gvpn_ca.cer"
cryptoapicert "SUBJ:John Dove GVPN"
tls-auth ta.key 1
comp-lzo
verb 4
  5. You should modify file to this (I modified only bold lines) 
    client
dev tun
proto udp
remote 111.111.111.1 1111
resolv-retry infinite
persist-key
persist-tun
redirect-gateway
tls-remote ovpn.server.com
redirect-gateway
pkcs11-providers /usr/lib/libeTPkcs11.so
pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/0223253a/John\x20Dove\x205100/9C92935DE546178D'
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 4

    "pkcs11-id" is  "Serialized id" attribute from command "openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so"

Connection to OpenVPN network

  1. In terminal run command 
     sudo openvpn --config /etc/openvpn/VPN.ovpn --ca /etc/openvpn/gvpn_ca.cer
  2. When you will see similar lines 
    Wed Apr 23 09:39:40 2014 us=105713 VERIFY X509NAME OK: /C=XX/L=City/O=Company/OU=central/CN=vpn.server.xx
Wed Apr 23 09:39:40 2014 us=105725 VERIFY OK: depth=0, /C=XX/L=City/O=Company/OU=central/CN=vpn.server.xx
Enter John Dove token Password:

    write PIN password and hit ENTER

  3. When you will see lines 
    Wed Apr 23 09:40:23 2014 us=121821 /sbin/ip route add 177.1.0.0/18 via 192.20.2.214
Wed Apr 23 09:40:30 2014 us=511121 /sbin/ip route add 192.20.2.2/32 via 192.20.2.214
Wed Apr 23 09:40:37 2014 us=934387 Initialization Sequence Completed

    you are successfully connected

[wp_ad_camp_1]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.