deboeck (Tux's lil' helper)
Joined: 13 Jan 2004, Posts: 92
Posted: Wed May 18, 2005 1:34 pm
Post subject: OpenVPN and Smartcards
Hi,
I've been looking into OpenVPN as a solution to let road warriors connect to our corporate network. It's a nice piece of software with a lot of capabilities. Currently we're using certificates to authenticate the clients, and the client's private key is stored encrypted on his laptop.
Even though it's encrypted, my boss (who's a little paranoid) is a bit worried that a virus on the laptop might be able to obtain the private key and the password to decrypt it (through keylogging).
So I'm wondering if there's a way to combine the OpenVPN client on Windows (XP or 2000) with two-factor authentication. I'm thinking in the direction of a smartcard plus a PIN code. The private key would then be stored on the smartcard, and because the smartcard handles all the encryption, it would be virtually impossible to steal the private key.
Unfortunately, I can't find any information on how to do this.
Does anyone have experience with OpenVPN and smartcards?
Tia,
Steven
Lightspeed (n00b)
Joined: 21 Feb 2003, Posts: 57, Location: UK
Posted: Wed May 18, 2005 10:23 pm
I haven't used smart cards before, but I know that OpenVPN supports the use of CryptoAPI in Windows, through which it should also be possible to access certificates and private keys stored on smart cards. I am currently using the CryptoAPI option with OpenVPN on Windows XP, but only with certificates stored in the user's local Windows certificate store.
The relevant line in the config is:
cryptoapicert "SUBJ:my.subject.name"
where the subject name is specified as a means for Windows to figure out which certificate to use (I think other identifiers can be used as well). As far as I know, this method will automatically be able to make use of certificates on smart cards as well.
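A small audit helper, added here as an example and not taken from the thread: it parses an OpenVPN client config and reports whether the client private key is supplied from disk (a `key` file or an inline `<key>` block, the case Steven's boss worries about) or via `cryptoapicert`, which keeps the key behind CryptoAPI. The sample configs, server name and certificate subject are constructed.

```python
import re
import shlex

# Constructed sample client configs (hypothetical names, no real key material).
FILE_KEY_CONFIG = """client
remote vpn.example.com 1194   # hypothetical server name
cert laptop.crt
key laptop.key                ; private key sits on the laptop's disk
"""
INLINE_KEY_CONFIG = """client
<key>
-----BEGIN PRIVATE KEY-----   (constructed placeholder, not real key material)
-----END PRIVATE KEY-----
</key>
"""
CRYPTOAPI_CONFIG = """client
remote vpn.example.com 1194
ca ca.crt
cryptoapicert "SUBJ:my.subject.name"   # key stays behind CryptoAPI
"""

def _tokens(line):
    """Split one config line the way OpenVPN does: '#' and ';' begin comments."""
    lex = shlex.shlex(line, posix=True)
    lex.commenters = "#;"
    lex.whitespace_split = True
    return list(lex)

def key_sources(config_text):
    """Set of ways the config supplies the key: 'file', 'inline', 'cryptoapicert'."""
    found, in_block = set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if in_block:                      # skip the body of an inline block
            if line.lower() == "</%s>" % in_block:
                in_block = None
            continue
        m = re.match(r"<(\w+)>$", line)
        if m:                             # start of <ca>, <cert>, <key>, ...
            in_block = m.group(1).lower()
            if in_block == "key":
                found.add("inline")
            continue
        words = _tokens(line)
        directive = words[0].lower() if words else ""
        if directive == "key":
            found.add("file")
        elif directive == "cryptoapicert":
            found.add("cryptoapicert")
    return found
```

Any result containing "file" or "inline" means the key is readable from the file system by whatever runs as that user, which is exactly what moving it onto a smart card avoids.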
deboeck (Tux's lil' helper)
Joined: 13 Jan 2004, Posts: 92
Posted: Thu May 19, 2005 10:21 am
@Lightspeed
Thanks for the tip, I found the parameter in the OpenVPN man page. Should have looked there first, of course.
Steven