Ubuntu 16.04 64bit – OpenVPN and SafeNet iKey 5100 token

My company allows remote connections to some computers over OpenVPN, but you have to use a SafeNet iKey 5100 token. This is a small tutorial on how to install and configure OpenVPN with the iKey 5100 token and how to modify Windows *.ovpn files so that they are Linux compatible.


Important note: OpenVPN contains a bug and does not work with systemd and a PKCS#11 token. This is exactly our case: Ubuntu 16.04 uses systemd and the SafeNet client provides a PKCS#11 API. The bug should be fixed in OpenVPN 2.5. You can find more information at: https://community.openvpn.net/openvpn/ticket/538


Required software installation

  1. Open a terminal and run the command
    sudo apt-get install openvpn opensc
  2. Install SafeNet Authentication Client (SAC) version 9
    sudo dpkg -i SafenetAuthenticationClient-9.0.43-0_amd64.deb

SafeNet iKey 5100 validation

  1. Open the SafeNet Authentication Client
  2. Check your token info
    sac9_token_info
  3. If you cannot see the token info, restart your computer

Get the SafeNet iKey 5100 certificate ID

  1. Open a terminal and run the command
    openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so
  2. You should see output similar to this
    Certificate
     DN: C=XX, L=City, O=Company, OU=DEV, CN=John Dove GVPN
     Serial: 431B6D0E0003000003AB
     Serialized id: SafeNet\x2C\x20Inc\x2E/eToken/0223253a/John\x20Dove\x205100/9C92935DE546178D
  3. We will use the "Serialized id" attribute in our VPN.ovpn file


OpenVPN configuration

  1. I received these files for OpenVPN from my company:
    • VPN.ovpn – configuration file for Windows OpenVPN
    • gvpn_ca.cer – CA certificate
    • ta.key – tls-auth key file

    You should have similar files too.

  2. Copy these files to the /etc/openvpn folder
  3. Open /etc/openvpn/VPN.ovpn in an editor, e.g. with the command
     sudo nano /etc/openvpn/VPN.ovpn
  4. My original VPN.ovpn file looked like this:
    client
    dev tun
    proto udp
    remote 111.111.111.1 1111
    resolv-retry infinite
    persist-key
    persist-tun
    redirect-gateway
    tls-remote ovpn.server.com
    redirect-gateway
    ca "C:\\Program Files\\OpenVPN\\config\\gvpn_ca.cer"
    cryptoapicert "SUBJ:John Dove GVPN"
    tls-auth ta.key 1
    comp-lzo
    verb 4
  5. You should modify the file to this (only the ca, cryptoapicert and tls-auth lines change: the ca line is removed, cryptoapicert is replaced by pkcs11-providers and pkcs11-id, and tls-auth gets an absolute path):
    client
    dev tun
    proto udp
    remote 111.111.111.1 1111
    resolv-retry infinite
    persist-key
    persist-tun
    redirect-gateway
    tls-remote ovpn.server.com
    redirect-gateway
    pkcs11-providers /usr/lib/libeTPkcs11.so
    pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/0223253a/John\x20Dove\x205100/9C92935DE546178D'
    tls-auth /etc/openvpn/ta.key 1
    comp-lzo
    verb 4

    "pkcs11-id" is the "Serialized id" attribute from the command "openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so". The ca line was removed from the file; the CA certificate is passed with --ca on the command line when connecting.
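As an added example (not part of the original post), the following shell script automates the conversion described above: it extracts the Serialized id from the output of openvpn --show-pkcs11-ids and rewrites the Windows profile, replacing cryptoapicert with pkcs11-providers and pkcs11-id and pointing ca and tls-auth at /etc/openvpn. The provider path and config directory are assumed to be the ones used in this post, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: convert a Windows OpenVPN profile that authenticates with
# cryptoapicert into a Linux profile using the SafeNet PKCS#11 provider.
# Assumed values: provider path and config directory as used in this post.
PROVIDER=/usr/lib/libeTPkcs11.so
CONF_DIR=/etc/openvpn

# Pull the "Serialized id" out of `openvpn --show-pkcs11-ids` output (stdin).
extract_serialized_id() {
    sed -n 's/^[[:space:]]*Serialized id:[[:space:]]*//p' | head -n 1
}
# Rewrite a Windows profile (stdin) for Linux: cryptoapicert becomes
# pkcs11-providers + pkcs11-id; ca and tls-auth get paths under CONF_DIR.
# The id goes through the environment rather than awk -v, because -v would
# expand the \x2C style escapes that are part of the serialized id.
convert_profile() {
    ID="$1" PROV="$PROVIDER" DIR="$CONF_DIR" awk -v q="'" '
        $1 == "cryptoapicert" {
            print "pkcs11-providers " ENVIRON["PROV"]
            print "pkcs11-id " q ENVIRON["ID"] q
            next
        }
        $1 == "ca" {                          # quoted Windows path with spaces
            p = $0; sub(/^[ \t]*ca[ \t]+/, "", p); gsub(/"/, "", p)
            n = split(p, parts, /\\+/)        # keep only the file name
            print "ca " ENVIRON["DIR"] "/" parts[n]; next
        }
        $1 == "tls-auth" {
            n = split($2, parts, /\\+/)
            $2 = ENVIRON["DIR"] "/" parts[n]
        }
        { print }'
}

# Constructed sample inputs mirroring the post; not real token data.
SAMPLE_IDS='Certificate
 DN: C=XX, L=City, O=Company, OU=DEV, CN=John Dove GVPN
 Serialized id: SafeNet\x2C\x20Inc\x2E/eToken/0223253a/John\x20Dove\x205100/9C92935DE546178D'
SAMPLE_WIN_CONF='client
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\gvpn_ca.cer"
cryptoapicert "SUBJ:John Dove GVPN"
tls-auth ta.key 1'
# Run the conversion on the samples and print the Linux-ready profile.
demo() {
    id=$(printf '%s\n' "$SAMPLE_IDS" | extract_serialized_id)
    printf '%s\n' "$SAMPLE_WIN_CONF" | convert_profile "$id"
}
demo
```

On a real system, feed the live output of openvpn --show-pkcs11-ids into extract_serialized_id and your own VPN.ovpn into convert_profile; the resulting profile still needs the redirect-gateway and tls-remote lines you already have.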

Connection to OpenVPN network

  1. In a terminal run the command
     sudo openvpn --config /etc/openvpn/VPN.ovpn --ca /etc/openvpn/gvpn_ca.cer
  2. When you see lines similar to these
    Wed Apr 23 09:39:40 2014 us=105713 VERIFY X509NAME OK: /C=XX/L=City/O=Company/OU=central/CN=vpn.server.xx
    Wed Apr 23 09:39:40 2014 us=105725 VERIFY OK: depth=0, /C=XX/L=City/O=Company/OU=central/CN=vpn.server.xx
    Enter John Dove token Password:

    enter your token PIN and press ENTER

  3. When you see the lines
    Wed Apr 23 09:40:23 2014 us=121821 /sbin/ip route add 177.1.0.0/18 via 192.20.2.214
    Wed Apr 23 09:40:30 2014 us=511121 /sbin/ip route add 192.20.2.2/32 via 192.20.2.214
    Wed Apr 23 09:40:37 2014 us=934387 Initialization Sequence Completed

    you are successfully connected.
