openvpn

PKCS11 no longer works in newer version

Open amin1best opened this issue 1 year ago • 16 comments

Hi, is there a plan to support Trusted Platform Module (TPM) in the next release? Thanks.

amin1best, Feb 20 '24 15:02

On what platform and in what capacity? It might already be supported or not, depending on what you are actually looking for. E.g. https://github.com/tpm2-software/tpm2-openssl should already work with OpenVPN.

schwabe, Feb 20 '24 18:02

I used tpm2-pkcs11 in old versions, but it does not work in the new version of OpenVPN. Would it be possible for you to explain step by step how I can use tpm2-openssl in OpenVPN, or at least guide me?

amin1best, Feb 22 '24 06:02

pkcs11 should be supported in both the old and the new version. And also say what the old and new versions are. So if it doesn't work anymore, that is a regression. But you need to provide more input here. Give us a log from the old version and the new version, so we can have an idea what is different. As for helping with tpm2-openssl, I never used that myself, so I cannot help there. But OpenSSL providers work in general, so that one should also work.

schwabe, Feb 22 '24 07:02

I think the problem is not OpenVPN: tpm2-pkcs11 doesn't work with OpenSSL 3. "The new version" means the version of OpenVPN that has migrated to OpenSSL 3. To use tpm2-pkcs11 in OpenVPN, I used the following command:

openvpn --config ./openvpn.config --ca ./connection.crt --pkcs11-providers /usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1 --pkcs11-id "$URL"

The question is, what command should I use in OpenVPN to use tpm2-openssl? Or, in general, with what command do I introduce the TPM to OpenVPN? Even without PKCS11.

amin1best, Feb 22 '24 10:02

The question is, what command should I use in OpenVPN to use tpm2-openssl? Or with what command in general how to introduce TPM to OpenVPN? Even without PKCS11.

As tpm2-openssl can encapsulate the key in a PEM file with a TSS2 PRIVATE KEY header, I think you can just use the key and corresponding cert as you would with normal key and cert files in PEM format. However, you will need to add --providers tpm2 default to the command line or in the config file.

Here is a minimal example (untested)

$ cat client.conf
client
dev tun
providers tpm2 default
ca ca.crt
cert mycert.crt
key mykey.pem  # this is a TSS2 PRIVATE KEY protected by TPM
remote myserver.foo.bar
$ sudo openvpn --config client.conf

selvanair, Feb 22 '24 18:02
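The thread describes two ways of handing OpenVPN a TPM-held key: a PKCS#11 URI through --pkcs11-providers/--pkcs11-id (amin1best's command line) and a TSS2 PRIVATE KEY PEM through providers tpm2 default (selvanair's config). The Python below is an added example, not code from OpenVPN, tpm2-openssl or any participant in the thread. It constructs a sample TSS2 PRIVATE KEY file, decodes it to expose the parent handle and the opaque TPM-wrapped private blob, and maps either credential form to the OpenVPN option lines the thread uses. Assumptions: the DER layout (type OID 2.23.133.10.1.3, optional emptyAuth, parent INTEGER, pubkey and privkey OCTET STRINGs) follows the tpm2-tss-engine/tpm2-openssl description of the format and ignores the newer optional policy fields; the PKCS#11 module path and the file name mykey.pem are the thread's illustrative values; the key bytes are constructed sample data, not a real TPM blob.

```python
"""Inspect an OpenVPN credential and report which TPM integration path it needs.
Added example; assumed TSS2 PRIVATE KEY layout (tpm2-tss-engine / tpm2-openssl docs):
  SEQUENCE { type OID, emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
             parent INTEGER, pubkey OCTET STRING, privkey OCTET STRING }"""
import base64
import re

TSS2_LOADABLE_KEY_OID = "2.23.133.10.1.3"  # TCG "TPM 2.0 Loadable Key" (assumption, see above)
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
PKCS11_MODULE = "/usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so.1"  # path from the thread


def der_len(n):
    """DER length: short form below 0x80, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    """Encode a dotted OID as DER content bytes (first two arcs merged, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def build_tss2_key_pem(parent, pubkey, privkey, empty_auth=True):
    """Construct a TSS2 PRIVATE KEY PEM around sample bytes (constructed, not a TPM blob)."""
    parent_der = parent.to_bytes((parent.bit_length() + 8) // 8, "big")  # positive INTEGER
    body = der_tlv(0x06, der_oid(TSS2_LOADABLE_KEY_OID))
    if empty_auth:
        body += der_tlv(0xA0, der_tlv(0x01, b"\xff"))  # [0] EXPLICIT BOOLEAN TRUE
    body += der_tlv(0x02, parent_der) + der_tlv(0x04, pubkey) + der_tlv(0x04, privkey)
    b64 = base64.b64encode(der_tlv(0x30, body)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN TSS2 PRIVATE KEY-----\n%s\n-----END TSS2 PRIVATE KEY-----\n" % "\n".join(lines)


def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_oid_decode(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_tss2_key(der):
    """Decode the TSS2 PRIVATE KEY structure; ValueError if it is not one."""
    tag, seq, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("TSS2 key is not a DER SEQUENCE")
    fields, pos = [], 0
    while pos < len(seq):
        t, v, pos = der_read(seq, pos)
        fields.append((t, v))
    if fields[0][0] != 0x06 or der_oid_decode(fields[0][1]) != TSS2_LOADABLE_KEY_OID:
        raise ValueError("type is not TPM 2.0 Loadable Key")
    empty_auth, idx = False, 1
    if fields[idx][0] == 0xA0:  # optional [0] EXPLICIT BOOLEAN
        empty_auth = der_read(fields[idx][1], 0)[1] != b"\x00"
        idx += 1
    parent, pubkey, privkey = fields[idx:idx + 3]
    if (parent[0], pubkey[0], privkey[0]) != (0x02, 0x04, 0x04):
        raise ValueError("unexpected fields after type")
    return {"empty_auth": empty_auth, "parent": int.from_bytes(parent[1], "big"),
            "pubkey": pubkey[1], "privkey": privkey[1]}  # privkey is wrapped by the parent in the TPM


def load_tss2_key(pem_text):
    m = PEM_RE.search(pem_text)
    if not m or m.group(1) != "TSS2 PRIVATE KEY":
        raise ValueError("not a TSS2 PRIVATE KEY PEM")
    return parse_tss2_key(base64.b64decode(m.group(2)))


def openvpn_key_options(credential, key_path="mykey.pem"):
    """Map a PKCS#11 URI or PEM file text to the OpenVPN option lines used in the thread."""
    if credential.startswith("pkcs11:"):
        return ["pkcs11-providers %s" % PKCS11_MODULE, "pkcs11-id '%s'" % credential]
    m = PEM_RE.search(credential)
    if not m:
        raise ValueError("neither a PKCS#11 URI nor a PEM block")
    if m.group(1) == "TSS2 PRIVATE KEY":
        info = load_tss2_key(credential)  # only the tpm2 provider can unwrap this key
        return ["providers tpm2 default", "key %s  # parent 0x%08x" % (key_path, info["parent"])]
    return ["key %s" % key_path]  # ordinary software key, no provider line needed
```

The reason for decoding the file rather than just checking its header: the privkey octet string is encrypted by the parent key (a persistent handle such as 0x81000001 in the sample) inside the TPM, so no software provider can use it; that is why the default provider alone fails on such a key and why selvanair's providers tpm2 default line is required, while the pkcs11 path needs no provider at all because the module talks to the TPM itself.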