OpenVPN with Smartcard 2FA

I have a working OpenVPN setup, which uses X.509 certificates for authentication. In order to implement two-factor authentication I want to enroll new keys/certificates on smartcards. Aventra MyEID was the card that worked most smoothly with OpenSC and the CA enrollment process, so I started with this card.

On Linux the OpenVPN client (OpenVPN 2.4.0, opensc-pkcs11 0.16.0-3, libpkcs11-helper1 1.21-1 / Debian Stretch) freezes at the point where it should prompt for the PIN of the card. First I suspected a pinentry/askpass problem but when I played around with the pkcs11-id it already froze during the PKCS11 provider initialization (didn't respond to signals except kill -9).

On Windows the test client reached the point where it contacts the card, but then displayed an error that sounds like this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1516474

I got the Windows setup working when I used the 2.3 version of the OpenVPN client, which gave me a working PKCS11 URI:

/usr/sbin/openvpn --show-pkcs11-ids (path-to-provider)

The 2.4 version gives me a different ID, which does not work. However, when I use the pkcs11-id that the 2.3 version told me, it works as well.

My colleagues have been evaluating other cards (Yubi and Nitrokey), but they also felt that the PKCS11 interface of OpenVPN 2.4 wasn't working particularly well with these cards.

If anyone is running a reliable OpenVPN 2.4 setup with smartcards, could you share which cards you are using?

Best regards, Dirk

Dirk

Posted 2018-08-26T17:47:29.813
