My company allows remote access to some computers over OpenVPN, but you have to authenticate with a SafeNet iKey 5100 token. This is a short tutorial on how to install and configure OpenVPN with the iKey 5100 token on Ubuntu 16.04, and how to modify the Windows *.ovpn profile so that it works on Linux.
Important note: OpenVPN has a bug that prevents it from working with a PKCS#11 token when it is started as a systemd service. That is exactly our case: Ubuntu 16.04 uses systemd and the SafeNet client exposes the token through a PKCS#11 library. The bug should be fixed in OpenVPN 2.5; you can find more information at https://community.openvpn.net/openvpn/ticket/538. Until then, start OpenVPN by hand from a terminal, as this tutorial does, rather than through the openvpn systemd unit.
Required software installation
- Open a terminal and run
sudo apt-get install openvpn opensc
- Install the SafeNet Authentication Client (SAC) 9 package you were given (the file name will match your version)
sudo dpkg -i SafenetAuthenticationClient-9.0.43-0_amd64.deb
SafeNet iKey 5100 validation
- Open the SafeNet Authentication Client
- Check that your token info is shown
- If you cannot see the token info, restart your computer
- You can also check that the token is visible through the PKCS#11 library with pkcs11-tool from opensc; it should list a slot with your token present
pkcs11-tool --module /usr/lib/libeTPkcs11.so --list-slots
Get the SafeNet iKey 5100 certificate ID
- Open a terminal and run
openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so
- You should see output similar to this
Certificate
DN: C=XX, L=City, O=Company, OU=DEV, CN=John Dove GVPN
Serial: 431B6D0E0003000003AB
Serialized id: SafeNet\x2C\x20Inc\x2E/eToken/0223253a/John\x20Dove\x205100/9C92935DE546178D
- We will use the “Serialized id” value as the pkcs11-id in our VPN.ovpn file. The command lists every certificate on the token, each with its own Serialized id, so check that the DN is the certificate issued to you for the VPN before copying the id.
OpenVPN configuration
- I received these files from my company for OpenVPN:
- VPN.ovpn – configuration file for OpenVPN on Windows
- gvpn_ca.cer – CA certificate
- ta.key – tls-auth (HMAC) key file
You should have similar files too.
- Copy these files to the /etc/openvpn folder. ta.key is a secret; make it readable by root only, e.g. with sudo chmod 600 /etc/openvpn/ta.key
- Open /etc/openvpn/VPN.ovpn in an editor, e.g. with
sudo nano /etc/openvpn/VPN.ovpn
- My original VPN.ovpn file looked like this:
client
dev tun
proto udp
remote 111.111.111.1 1111
resolv-retry infinite
persist-key
persist-tun
redirect-gateway
tls-remote ovpn.server.com
redirect-gateway
ca "C:\\Program Files\\OpenVPN\\config\\gvpn_ca.cer"
cryptoapicert "SUBJ:John Dove GVPN"
tls-auth ta.key 1
comp-lzo
verb 4
- Modify the file to this (I changed only the ca, cryptoapicert and tls-auth lines):
client
dev tun
proto udp
remote 111.111.111.1 1111
resolv-retry infinite
persist-key
persist-tun
redirect-gateway
tls-remote ovpn.server.com
redirect-gateway
pkcs11-providers /usr/lib/libeTPkcs11.so
pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/0223253a/John\x20Dove\x205100/9C92935DE546178D'
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 4
The pkcs11-id value is the “Serialized id” printed by openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so; keep the single quotes, because the value contains backslashes. cryptoapicert is a Windows-only directive (it selects the certificate from the Windows certificate store), which is why it is replaced by pkcs11-providers and pkcs11-id. The Windows ca line is dropped here and the CA is passed on the command line below; you can instead keep it in the file as ca /etc/openvpn/gvpn_ca.cer. Note also that tls-remote is deprecated (it was removed in OpenVPN 2.4); on newer versions use verify-x509-name ovpn.server.com name instead.
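The hand edits above can be scripted, which helps when several people have to convert the same company profile. The following is an added example, not part of the original tutorial: it reads the Serialized id from the output of openvpn --show-pkcs11-ids and rewrites the Windows profile for Linux. It goes slightly further than the edit shown above by also replacing the deprecated tls-remote line with verify-x509-name (accepted by OpenVPN 2.3 and later; tls-remote was removed in 2.4) and by dropping the duplicated redirect-gateway. The provider path /usr/lib/libeTPkcs11.so is the one used above and is an assumption; the sample profile and the sample token listing are constructed from what this page shows, with no real server behind them.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: convert a Windows OpenVPN
# profile that selects its certificate with "cryptoapicert" into a Linux
# profile that uses the SafeNet PKCS#11 provider.
# The provider path below is the one used in the tutorial and is an assumption.

PKCS11_LIB=/usr/lib/libeTPkcs11.so

# Pull the first "Serialized id:" value out of the output of
#   openvpn --show-pkcs11-ids "$PKCS11_LIB"
# which is read on stdin.
pkcs11_serialized_id() {
    sed -n 's/^[[:space:]]*Serialized id:[[:space:]]*//p' | head -n 1
}

# convert_ovpn WINDOWS_PROFILE SERIALIZED_ID CA_PATH TA_KEY_PATH
# Writes the converted profile to stdout.
convert_ovpn() {
    # Strip CRs from Windows line endings first. Parameters are handed to awk
    # through the environment rather than with -v, because -v expands
    # backslash escapes and would mangle the \x2C \x20 sequences of the id.
    tr -d '\r' < "$1" |
    PKCS11_LIB="$PKCS11_LIB" PKCS11_ID="$2" CA_PATH="$3" TA_KEY="$4" awk '
        BEGIN { q = "\047" }                      # a single quote character
        # Windows only: certificate from the CryptoAPI store -> PKCS#11 token
        $1 == "cryptoapicert" {
            print "pkcs11-providers " ENVIRON["PKCS11_LIB"]
            print "pkcs11-id " q ENVIRON["PKCS11_ID"] q
            next
        }
        # C:\... path to the CA -> Linux path
        $1 == "ca" { print "ca " ENVIRON["CA_PATH"]; next }
        # relative ta.key -> absolute path, keeping the key direction (0/1)
        $1 == "tls-auth" {
            line = "tls-auth " ENVIRON["TA_KEY"]
            if (NF >= 3) line = line " " $3
            print line; next
        }
        # tls-remote is deprecated since OpenVPN 2.3 and removed in 2.4;
        # verify-x509-name with "name" checks the server certificate CN
        $1 == "tls-remote" { print "verify-x509-name " $2 " name"; next }
        # the Windows profile repeats redirect-gateway; one is enough
        $1 == "redirect-gateway" { if (seen_rg++) next }
        { print }
    '
}

# Constructed sample of the Windows profile shown on the page, written with
# CRLF line endings as a Windows editor would. Not a real server.
write_sample_profile() {
    awk '{ printf "%s\r\n", $0 }' > "$1" <<'EOF'
client
dev tun
proto udp
remote 111.111.111.1 1111
resolv-retry infinite
persist-key
persist-tun
redirect-gateway
tls-remote ovpn.server.com
redirect-gateway
ca "C:\\Program Files\\OpenVPN\\config\\gvpn_ca.cer"
cryptoapicert "SUBJ:John Dove GVPN"
tls-auth ta.key 1
comp-lzo
verb 4
EOF
}

# Constructed sample of the certificate block printed by
# openvpn --show-pkcs11-ids, copied from the page's output.
sample_pkcs11_ids() {
    cat <<'EOF'
Certificate
       DN:             C=XX, L=City, O=Company, OU=DEV, CN=John Dove GVPN
       Serial:         431B6D0E0003000003AB
       Serialized id:  SafeNet\x2C\x20Inc\x2E/eToken/0223253a/John\x20Dove\x205100/9C92935DE546178D
EOF
}

# Usage on a real machine, with the token plugged in:
#   id=$(openvpn --show-pkcs11-ids "$PKCS11_LIB" | pkcs11_serialized_id)
#   convert_ovpn VPN.ovpn "$id" /etc/openvpn/gvpn_ca.cer /etc/openvpn/ta.key \
#       | sudo tee /etc/openvpn/VPN-linux.ovpn > /dev/null
```

Because the converted profile keeps a ca line, it can be started with sudo openvpn --config /etc/openvpn/VPN-linux.ovpn alone; if you keep the page's profile without a ca line, pass --ca on the command line as in the next section.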
Connection to OpenVPN network
- In a terminal run
sudo openvpn --config /etc/openvpn/VPN.ovpn --ca /etc/openvpn/gvpn_ca.cer
- When you see lines similar to these
Wed Apr 23 09:39:40 2014 us=105713 VERIFY X509NAME OK: /C=XX/L=City/O=Company/OU=central/CN=vpn.server.xx
Wed Apr 23 09:39:40 2014 us=105725 VERIFY OK: depth=0, /C=XX/L=City/O=Company/OU=central/CN=vpn.server.xx
Enter John Dove token Password:
type your token PIN and press ENTER. The PIN unlocks the private key on the token; it never leaves the token, and OpenVPN only asks for it on this prompt, which is why the connection has to be started from a terminal.
- When you see lines like
Wed Apr 23 09:40:23 2014 us=121821 /sbin/ip route add 177.1.0.0/18 via 192.20.2.214
Wed Apr 23 09:40:30 2014 us=511121 /sbin/ip route add 192.20.2.2/32 via 192.20.2.214
Wed Apr 23 09:40:37 2014 us=934387 Initialization Sequence Completed
you are successfully connected.