
I am currently setting up OpenVPN to provide company access to multiple clients. Our requirement is to use certificates, password-protect the client keys, as well as use dual-factor (MFA) authentication per client.

I have a bunch of Fortinet FortiToken 200 tokens lying around that I would like to use, but I can't find any information that shows how to use these tokens with something like OpenVPN. After looking around some more, I can't find any information that shows how one can use a physical token with OpenVPN either.

So my question is, how can I use a physical token with OpenVPN? I can't use something like Google Authenticator since we plan to have clients VPN in via their smartphones also. The OpenVPN PKCS#11 how-to documentation is very poorly written.

I'm starting to believe that if MFA is a requirement, OpenVPN is simply not a viable option at this point in time.

Thanks for your help.

lobi

1 Answer


Basically:

  1. Install a PKCS#11 driver for your token (ask your token manufacturer if they don't supply one).
  2. Tell openvpn to use that driver, and list the available keys on the token:
    • openvpn --show-pkcs11-ids /path/to/pkcs11/driver.so
  3. In your config file, specify the module and serialized id for your key from the --show-pkcs11-ids output, e.g.:

    pkcs11-providers /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
    pkcs11-id Gnome\x20Keyring/1\x2E0/1\x3AUSER\x3ADEFAULT/Gnome2\x20Key\x20Storage/417AEDAAB81FEF6AEBD1EC43D76A630CAAA4722A

(Make sure to escape any backslashes in the pkcs11-id, e.g. Gnome\x20Keyring becomes Gnome\\x20Keyring.)

Steffan Karger
  • Requirements changed; we are not using physical tokens, so I can't test this out. However, I am marking this down as an Answer. – lobi Nov 13 '15 at 20:55
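Worked example of the three steps above, added here as an illustration; it is not part of Steffan Karger's answer and not OpenVPN project code. It takes the text that `openvpn --show-pkcs11-ids` prints, pulls out the "Serialized id" line, doubles the backslashes as the answer warns, and emits the two config directives. The --show-pkcs11-ids output embedded below is constructed to mimic the real command's format (the DN, serial and module path are made up), so the script runs without a token plugged in.

```shell
#!/bin/sh
# Added example (not from the original post): turn `openvpn --show-pkcs11-ids`
# output into the pkcs11-providers / pkcs11-id lines of a client config.
# SAMPLE_SHOW_IDS is a constructed stand-in for the real command's output.

SAMPLE_SHOW_IDS='The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             CN=lobi, O=Example Corp
       Serial:         01
       Serialized id:  Gnome\x20Keyring/1\x2E0/1\x3AUSER\x3ADEFAULT/Gnome2\x20Key\x20Storage/417AEDAAB81FEF6AEBD1EC43D76A630CAAA4722A
'

# Read --show-pkcs11-ids output on stdin and print the first serialized id,
# exactly as the token module reported it (single backslashes).
extract_serialized_id() {
    sed -n 's/^[[:space:]]*Serialized id:[[:space:]]*//p' | head -n 1
}

# OpenVPN's config parser treats backslash as an escape character, so every
# backslash in the id must be doubled for the PKCS#11 layer to see it intact.
pkcs11_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g'
}

# Print the two directives; $1 = path to the PKCS#11 module, $2 = raw serialized id.
pkcs11_config_lines() {
    printf 'pkcs11-providers %s\n' "$1"
    printf 'pkcs11-id %s\n' "$(pkcs11_escape "$2")"
}

# Usage: with a real token, replace the sample with
#   openvpn --show-pkcs11-ids /path/to/pkcs11/driver.so | extract_serialized_id
MODULE=/usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so   # assumed path
RAW_ID=$(printf '%s\n' "$SAMPLE_SHOW_IDS" | extract_serialized_id)
pkcs11_config_lines "$MODULE" "$RAW_ID"
```

The escaping step is the one that is easy to get wrong: the id copied straight from --show-pkcs11-ids contains `\x20` sequences, and if they are pasted as-is into the config file OpenVPN will unescape them and fail to find the object on the token. Using `printf '%s'` rather than `echo` matters for the same reason, since some shells' `echo` also interprets backslash sequences.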