{"id":56,"date":"2017-01-19T22:10:16","date_gmt":"2017-01-19T22:10:16","guid":{"rendered":"http:\/\/immerhax.com\/?p=56"},"modified":"2017-01-19T22:10:16","modified_gmt":"2017-01-19T22:10:16","slug":"openvpn-with-yubikey-4-and-pin-code","status":"publish","type":"post","link":"https:\/\/immerhax.com\/?p=56","title":{"rendered":"OpenVPN with Yubikey 4 and PIN code"},"content":{"rendered":"<p>After buying a Yubikey 4, I wanted to see what this little sucker could do besides being a U2F second factor for Gmail and the like. It turns out it can also act as a smartcard: the token stores private keys and X.509 certificates, and OpenVPN can use them through a PKCS#11 module (such as OpenSC's), so I could authenticate my OpenVPN connections with a key that never leaves the token. Happiness was in my face, until I found out that OpenVPN with PKCS#11 and a PIN is currently somewhat broken on some systems (including my Ubuntu 16.04): the console PIN prompt does not work (on this build it is handed to systemd-ask-password, which fails), so the PIN has to be supplied via the OpenVPN management interface instead. This severely complicates my setup, as I usually just start the connection from a terminal with something like &#8220;sudo openvpn &lt;configfile&gt;&#8221;, which suddenly was not possible, or at least needed a lot more typing&#8230; So after thinking (whoa) and googling some, I came up with this small bash script utilizing netcat and some piping to automate the whole shebang. The script requires that the OpenVPN client configuration has these lines:<\/p>\n<pre>auth-retry nointeract\r\nmanagement 127.0.0.1 8888\r\nmanagement-query-passwords\r\n<\/pre>\n<p>With these, OpenVPN opens a management interface on localhost port 8888 and, because of management-query-passwords, asks the connected management client for any password it needs (here the PKCS#11 PIN) instead of prompting on the console; auth-retry nointeract makes it retry the connection without re-querying credentials interactively. One caveat: the interface as configured has no authentication of its own, so any local process that can connect to 127.0.0.1:8888 can receive the password query and control the tunnel. OpenVPN can require a password for the management connection (a password file as the third argument of the management directive) or listen on a Unix socket instead of a TCP port, which is worth doing on a multi-user machine. 
The script then looks like this:<\/p>\n<pre>\r\n#!\/bin\/bash\r\n# OpenVPN PKCS#11 PIN wrapper: start OpenVPN, wait until the management\r\n# interface asks for a password and answer it with the PIN entered here.\r\n\r\nset -u\r\n\r\nMGM_HOST=127.0.0.1\r\nMGM_PORT=8888\r\n\r\nif [ \"$(id -u)\" -ne 0 ]; then\r\n    echo \"Must be run with superuser privileges\" >&2\r\n    exit 1\r\nfi\r\n\r\nif [ -z \"${1:-}\" ]; then\r\n    echo \"Usage: $0 < vpn-config >\" >&2\r\n    exit 1\r\nfi\r\n\r\nprintf \"OpenVPN PKCS11 PIN wrapper\\n\"\r\n\r\n# The PIN is assumed not to contain a single quote (PIV PINs are digits)\r\nread -r -s -p \"Enter PIN: \" PINCODE\r\nprintf \"\\n\"\r\n\r\n# FIFOs in a fresh private directory: a fixed name in \/tmp could be created\r\n# in advance by another local user, who would then see the management traffic\r\nWORKDIR=$(mktemp -d)\r\nIN_PIPE=\"$WORKDIR\/to_nc\"\r\nOUT_PIPE=\"$WORKDIR\/from_nc\"\r\nmkfifo -m 600 \"$IN_PIPE\" \"$OUT_PIPE\"\r\n\r\nOPENVPN_PID=\r\nNC_PID=\r\n\r\ncleanup() {\r\n    [ -n \"$NC_PID\" ] && kill \"$NC_PID\" 2>\/dev\/null\r\n    [ -n \"$OPENVPN_PID\" ] && kill \"$OPENVPN_PID\" 2>\/dev\/null\r\n    rm -rf \"$WORKDIR\"\r\n}\r\ntrap cleanup EXIT\r\n\r\nprintf \"Starting OpenVPN\\n\"\r\n\r\n\/usr\/sbin\/openvpn \"$1\" > \/dev\/null &\r\n\r\nOPENVPN_PID=$!\r\n\r\n# Give OpenVPN a chance to bring up the management interface\r\nsleep 2\r\n\r\n# One management connection for the whole exchange: nc reads our commands\r\n# from IN_PIPE and writes OpenVPN's output to OUT_PIPE\r\nnc \"$MGM_HOST\" \"$MGM_PORT\" < \"$IN_PIPE\" > \"$OUT_PIPE\" &\r\nNC_PID=$!\r\nexec 3> \"$IN_PIPE\"   # keep nc's stdin open until the PIN has been sent\r\n\r\n# OpenVPN asks with a line like  >PASSWORD:Need 'Private Key' password\r\n# The name between the quotes varies (for a PKCS#11 token it is derived from\r\n# the token label), so take it from the prompt itself and echo it back in the\r\n# answer. Holding OUT_PIPE open for the whole loop avoids nc getting SIGPIPE\r\n# between two lines.\r\nSTATUS=\r\nwhile read -r LINE; do\r\n    case \"$LINE\" in\r\n        *PASSWORD:Need*)\r\n            NAME=$(printf '%s\\n' \"$LINE\" | cut -d \"'\" -f 2)\r\n            printf \"password '%s' '%s'\\n\" \"$NAME\" \"$PINCODE\" >&3\r\n            ;;\r\n        SUCCESS:*|ERROR:*)\r\n            STATUS=$LINE\r\n            break\r\n            ;;\r\n    esac\r\ndone < \"$OUT_PIPE\"\r\n\r\nunset PINCODE\r\nexec 3>&-\r\nkill \"$NC_PID\" 2>\/dev\/null\r\nNC_PID=\r\n\r\ncase \"$STATUS\" in\r\n    SUCCESS:*) echo \"$STATUS\" ;;\r\n    *)  echo \"PIN was not accepted: ${STATUS:-management connection closed}\" >&2\r\n        exit 1 ;;\r\nesac\r\n\r\nprintf \"Write 'quit' to kill OpenVPN instance: \"\r\n\r\nwhile read -r LINE; do\r\n   if [ \"$LINE\" = \"quit\" ]; then\r\n      exit 0   # the EXIT trap kills OpenVPN and removes the FIFOs\r\n   fi\r\ndone\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>After buying a Yubikey 4, I wanted to see what this little sucker could do, besides being used as U2F two-factor thingy for Gmail and so on, so I found out it could be used as a smartcard, meaning I could save X.509\/PEM keys and certificates inside it, which I again could use for my &hellip; <a href=\"https:\/\/immerhax.com\/?p=56\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">OpenVPN with Yubikey 4 and PIN 
code<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-56","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/immerhax.com\/index.php?rest_route=\/wp\/v2\/posts\/56","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/immerhax.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/immerhax.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/immerhax.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/immerhax.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=56"}],"version-history":[{"count":10,"href":"https:\/\/immerhax.com\/index.php?rest_route=\/wp\/v2\/posts\/56\/revisions"}],"predecessor-version":[{"id":66,"href":"https:\/\/immerhax.com\/index.php?rest_route=\/wp\/v2\/posts\/56\/revisions\/66"}],"wp:attachment":[{"href":"https:\/\/immerhax.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=56"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/immerhax.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=56"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/immerhax.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
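The management-interface exchange the post's wrapper relies on, as an added example that is not part of the original post or the author's script: a Python client that connects once to the port configured above, skips the greeting, answers the ">PASSWORD:Need '<name>' password" query with a "password '<name>' '<pin>'" command and returns OpenVPN's status line. The fake server at the bottom is constructed for offline testing and imitates only the three management lines that matter here; the prompt name 'Private Key' and the PIN 123456 are stand-ins. The quoting helper assumes the management parser's rule that quoted arguments may contain backslash-escaped quotes and backslashes.

```python
# Added example (not the post's script): answer OpenVPN's management-interface
# PASSWORD query over a single connection instead of the two netcat connections
# the bash wrapper opens.  The fake server below is constructed for offline
# testing; it imitates only the greeting, the query and the acknowledgement.
import re
import socket
import threading

# Query line OpenVPN emits when management-query-passwords is set, e.g.
#   >PASSWORD:Need 'Private Key' password
PASSWORD_PROMPT = re.compile(r"^>PASSWORD:Need '([^']+)' password")


def quote_mgmt(value):
    """Quote one argument for a management command.

    Assumed quoting rule of the management parser: single- or double-quoted
    arguments with backslash escapes inside them, so a PIN containing ' or \\
    is passed through intact instead of breaking the command line.
    """
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def password_reply(line, pin):
    """Return the 'password' command answering a PASSWORD query, or None.

    The name OpenVPN used ('Private Key', a token label, ...) is copied from
    the query rather than hard-coded, like the cut -d "'" in the bash script.
    """
    match = PASSWORD_PROMPT.match(line.rstrip("\r\n"))
    if not match:
        return None
    return "password %s %s" % (quote_mgmt(match.group(1)), quote_mgmt(pin))


def answer_pin(host, port, pin, timeout=15.0):
    """Connect to the management port, wait for the query, answer it once.

    Returns OpenVPN's status line for the password command (it starts with
    SUCCESS: or ERROR:).  Other output (>INFO:, >LOG:, ...) is skipped.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        while True:
            raw = reader.readline()
            if not raw:
                raise RuntimeError("management connection closed before a PASSWORD query")
            reply = password_reply(raw.decode("utf-8", "replace"), pin)
            if reply is None:
                continue
            sock.sendall(reply.encode("utf-8") + b"\n")
            return reader.readline().decode("utf-8", "replace").rstrip("\r\n")


def fake_management_server(prompt_name="Private Key"):
    """Constructed stand-in for OpenVPN's management interface (offline test only).

    Sends the greeting and one PASSWORD query, acknowledges the first
    'password' command with the line real OpenVPN uses, then closes.
    Returns (port, thread).
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with listener, conn:
            conn.sendall(b">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n")
            conn.sendall((">PASSWORD:Need '%s' password\r\n" % prompt_name).encode("utf-8"))
            command = conn.makefile("rb").readline().decode("utf-8", "replace").rstrip("\r\n")
            if command.startswith("password "):
                conn.sendall(("SUCCESS: '%s' password entered, but not yet verified\r\n" % prompt_name).encode("utf-8"))
            else:
                conn.sendall(b"ERROR: unknown command\r\n")

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def run_demo(pin="123456"):
    """Answer the fake server's query with a constructed PIN; returns the status line."""
    port, thread = fake_management_server()
    status = answer_pin("127.0.0.1", port, pin)
    thread.join(timeout=5)
    return status


if __name__ == "__main__":
    print(run_demo())
```

Against a real OpenVPN started with the configuration from the post, `answer_pin("127.0.0.1", 8888, pin)` replaces both netcat invocations; because the prompt name is taken from the query, it works for the 'Private Key' case and for a PKCS#11 token prompt alike.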