Bug 118435 - net-misc/openvpn-2.1 might be cool to have in portage
Summary: net-misc/openvpn-2.1 might be cool to have in portage
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Other
Importance: High enhancement
Assignee: Roy Marples (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on: 117111
Blocks: 132932
Reported: 2006-01-09 11:20 UTC by petre rodan (RETIRED)
Modified: 2006-05-10 12:03 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
openvpn-2.1_beta8.ebuild (3.22 KB, text/plain), 2006-01-09 11:20 UTC, petre rodan (RETIRED)
openvpn-2.1_beta8.ebuild (3.22 KB, text/plain), 2006-01-12 11:44 UTC, petre rodan (RETIRED)
openvpn-2.1_beta14.ebuild (4.22 KB, text/plain), 2006-04-14 00:09 UTC, petre rodan (RETIRED)

Description petre rodan (RETIRED) gentoo-dev 2006-01-09 11:20:06 UTC
can you please start adding a masked openvpn-2.1 in portage?
I've been using it in production for a few months now, and to me it also looks very much compatible with 2.0.

it has some great features like smartcard support (works well with <=opensc0.9.6, but not with the latest opensc).

I tried it with opensc-0.10.0 + engine_pkcs11-0.1.3 (from my overlay [1]) to no avail.

[1] http://dev.gentoo.org/~kaiowas/portage_overlay/

thanks,
peter
Comment 1 petre rodan (RETIRED) gentoo-dev 2006-01-09 11:20:44 UTC
Created attachment 76655 [details]
openvpn-2.1_beta8.ebuild
Comment 2 Roy Marples (RETIRED) gentoo-dev 2006-01-09 15:23:23 UTC
I don't want to add any beta software until 2.0.5-r2 is stable on all arches.
Comment 3 petre rodan (RETIRED) gentoo-dev 2006-01-12 11:44:08 UTC
Created attachment 76930 [details]
openvpn-2.1_beta8.ebuild

I managed to make openvpn work with opensc-0.10.0 and opensc-svn (latest trunk), so the DEPEND can be on dev-libs/opensc
Comment 4 Roy Marples (RETIRED) gentoo-dev 2006-04-13 17:39:29 UTC
FYI, I now have an ebuild for 2.1_beta14 in my overlay
http://dev.gentoo.org/~uberlord/overlay/net-misc/openvpn/

However, it may not work with baselayouts<1.12 .....

Sorry about the delay ... I needed to get other stuff such as resolvconf-gentoo into portage which this new openvpn setup uses.
Comment 5 petre rodan (RETIRED) gentoo-dev 2006-04-14 00:09:04 UTC
Created attachment 84613 [details]
openvpn-2.1_beta14.ebuild


'I take your reality and replace it with my own' :)

your beta14 patched so that smartcards can be used with it.
please don't forget to add the smartcard related lines as well once you place the ebuild into portage. this feature is used on a daily basis here, and all openvpn versions from beta8 to the latest one performed well with it.
Comment 6 Roy Marples (RETIRED) gentoo-dev 2006-05-09 02:22:19 UTC
openvpn-2.1_beta14 is now in portage, package.masked
Comment 7 Alon Bar-Lev (RETIRED) gentoo-dev 2006-05-09 09:51:18 UTC
Hello,
I saw your ebuild in portage.
I wrote the smartcard interface of openvpn.
I have some comments.

There is no need for opensc dependency at all, please remove it.
There is no need to disable/enable the smartcard use, it can be enabled by default, and since it has no dependencies it will work unless --disable-ssl was specified.

easy-rsa package uses opensc's utilities. But I don't think that because of easy-rsa people need to emerge it in every openvpn installation.

Peter, I will be glad if you can send me the problem you have with new opensc, since I am not aware of it.
Comment 8 petre rodan (RETIRED) gentoo-dev 2006-05-09 10:06:25 UTC
(In reply to comment #7)
> Hello,
> I saw your ebuild in portage.
> I wrote the smartcard interface of openvpn.

great job! it works great both in linux and windows.

> I have some comments.
> 
> There is no need for opensc dependency at all, please remove it.

it is a run-time dependency. in order to use openvpn with a smartcard, one has to have /usr/lib/opensc-pkcs11.so, which is a file from opensc.

> There is no need to disable/enable the smartcard use, it can be enabled by
> default, and since it has no dependencies it will work unless --disable-ssl was specified.

oh, I have not tested not adding it as a configure option.

> easy-rsa package uses opensc's utilities. But I don't think that because of
> easy-rsa people need to emerge it in every openvpn installation.

not everyone installing openvpn has the dependency. only those that have 'smartcard' as a USE flag.

> Peter, I will be glad if you can send me the problem you have with new opensc,
> since I am not aware of it.

thanks, but it has been fixed some time ago ;)
I'm very happy of how this openvpn/opensc combination works.
Comment 9 Alon Bar-Lev (RETIRED) gentoo-dev 2006-05-09 10:14:18 UTC
(In reply to comment #8)

> great job! it works great both in linux and windows.

Thanks!

>> There is no need for opensc dependency at all, please remove it.
> it is a run-time dependency. in order to use openvpn with a smartcard, one has
> to have /usr/lib/opensc-pkcs11.so, which is a file from opensc.

NO NEED FOR THIS. People may install any PKCS#11 provider they wish. OpenSC is just one example... (Although not a very good one...)
Please remove the dependency.
Please remove the smartcard use flag.
However, you can --disable-pkcs11 if use minimal, but I am not sure if it is worth it.

>> There is no need to disable/enable the smartcard use, it can be enabled by
> oh, I have not tested not adding it as a configure option.

So please remove.

>> easy-rsa package uses opensc's utilities. But I don't think that because of
>> easy-rsa people need to emerge it in every openvpn installation.
> not everyone installing openvpn has the dependency. only those that have
> 'smartcard' as a USE flag.

No...
For example... easy-rsa uses openssl in order to create certificates, and openssl is not a dependency with !minimal or !ssl, the same should be for easy-rsa opensc relationship -> no dependency at all.

> I'm very happy of how this openvpn/opensc combination works.

I am glad.
Comment 10 petre rodan (RETIRED) gentoo-dev 2006-05-09 10:55:41 UTC
(In reply to comment #9)
> NO NEED FOR THIS. People may install any PKCS#11 provider they wish. OpenSC is
> just one example... (Although not a very good one...)
> Please remove the dependency.
> Please remove the smartcard use flag.

I bet you love to hate opensc :)

it looks like there are now at least 3 smartcard providers that work with openvpn, so we should indeed drop the depend on opensc.

the user will have to find the provider that suits his needs best.
Comment 11 Alon Bar-Lev (RETIRED) gentoo-dev 2006-05-09 11:02:56 UTC
(In reply to comment #10)
> I bet you love to hate opensc :)
No... I just don't like it if people don't implement standards correctly... And don't reply to bug reports.

> it looks like there are now at least 3 smartcard providers that work with
> openvpn, so we should indeed drop the depend on opensc.
> the user will have to find the provider that suits his needs best.
True...
But 3?!?!?
I know of: (Linux)
1. OpenSC.
2. Aladdin.
3. Athena.
4. Muscle.
5. Siemens.
6. openCryptoki (Not sure, the developer checked but did not report any problems)

Have you tried my openssh PKCS#11 patch?
http://alon.barlev.googlepages.com
Comment 12 Roy Marples (RETIRED) gentoo-dev 2006-05-09 11:03:51 UTC
What happens if >1 provider is installed? How does openvpn select which one to use? Does this selection happen at compile time?
Comment 13 Alon Bar-Lev (RETIRED) gentoo-dev 2006-05-09 11:07:03 UTC
(In reply to comment #12)
> What happens if >1 provider is installed? How does openvpn select which one
> to use? Does this selection happen at compile time?

No compile time!!!
This is what PKCS#11 is all about.
It is a shared library that is loaded at runtime.

The implementation of PKCS#11 in openvpn/openssh/qca/pkcs11-data supports many providers at the same time, to allow people with several types of smartcards to use the same configuration.
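
The runtime provider loading described in this comment, as an added example that is not part of this bug or of OpenVPN's own code: the module path is an ordinary string resolved with ctypes when the program runs, so no provider (OpenSC or any other) is a build-time dependency, and several modules can be probed side by side. It declares only the leading entry points of the standard CK_FUNCTION_LIST, and the paths used in testing are constructed placeholders.

```python
import ctypes

CKR_OK = 0
CK_RV = CK_ULONG = CK_SLOT_ID = ctypes.c_ulong
CK_BBOOL = ctypes.c_ubyte
CK_TRUE = 1


class CKVersion(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CKFunctionListPrefix(ctypes.Structure):
    """Leading members of CK_FUNCTION_LIST in the order the PKCS#11 spec fixes."""
    _fields_ = [
        ("version", CKVersion),
        ("C_Initialize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
        ("C_Finalize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
        ("C_GetInfo", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
        ("C_GetFunctionList", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
        ("C_GetSlotList", ctypes.CFUNCTYPE(
            CK_RV, CK_BBOOL, ctypes.POINTER(CK_SLOT_ID), ctypes.POINTER(CK_ULONG))),
    ]


def token_slots(module_path):
    """Count slots with a token present in one provider module; None if the
    file is missing, is not a PKCS#11 module, or refuses to initialize."""
    try:
        # The provider is chosen purely by this path at runtime.
        get_list = ctypes.CDLL(module_path).C_GetFunctionList
    except (OSError, AttributeError):
        return None
    get_list.restype = CK_RV
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CKFunctionListPrefix))]
    fl = ctypes.POINTER(CKFunctionListPrefix)()
    if get_list(ctypes.byref(fl)) != CKR_OK or not fl:
        return None
    fn = fl.contents
    if fn.C_Initialize(None) != CKR_OK:
        return None
    try:
        count = CK_ULONG(0)
        if fn.C_GetSlotList(CK_TRUE, None, ctypes.byref(count)) != CKR_OK:
            return None
        return count.value
    finally:
        fn.C_Finalize(None)


def probe_providers(module_paths):
    """Several providers can coexist: probe each module independently."""
    return {path: token_slots(path) for path in module_paths}
```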

Comment 14 Alon Bar-Lev (RETIRED) gentoo-dev 2006-05-09 11:13:17 UTC
Oh... Petre... Have you tried kovpn-0.3_pre2? It works nice with the management interface!!! After some help to the developer it works well with the PKCS#11 requirements.
So no root is required and you get popped up for credentials.
Comment 15 petre rodan (RETIRED) gentoo-dev 2006-05-09 11:22:46 UTC
(In reply to comment #14)
> Oh... Petre... Have you tried kovpn-0.3_pre2? It works nice with the management
> interface!!! After some help to the developer it works well with the PKCS#11
> requirements.
> So no root is required and you get popped up for credentials.
> 

thanks, but I don't use libkde* (or libgnome*).
but I do know someone that will like this.
Comment 16 Alon Bar-Lev (RETIRED) gentoo-dev 2006-05-09 22:04:45 UTC
I see you have not removed the smartcard use yet.

And when I tested the baselayout integration I found that it does not work properly... It overwrites /etc/resolv.conf instead of just adding new entries as expected. And when the tunnel disconnects it does not return the old definitions.

Also dropping privileges is important!
Please support it by modifying the up/down script - checking if uid/gid is not 0 then sudo self.

Please reopen this bug so we and other users can keep track of it.
Comment 17 Roy Marples (RETIRED) gentoo-dev 2006-05-09 23:51:47 UTC
(In reply to comment #16)
> I see you have not removed the smartcard use yet.

It's been removed now. The --enable-pkcs11 configure flag is used when the minimal USE flag is not used.

> 
> And when I tested the baselayout integration I found that it does not work
> properly... It overwrites /etc/resolv.conf instead of just adding new entries
> as expected. And when the tunnel disconnects it does not return the old definitions.

Well, either provide a patch or emerge resolvconf-gentoo which will manage resolv.conf for you.

> Also dropping privileges is important!
> Please support it by modifying the up/down script - checking if uid/gid is not
> 0 then sudo self.
> 

Not going to happen for a few reasons
1) We would have to depend on sudo (which I don't like)
2) openvpn cannot change ip or route setup once privs are dropped

> Please reopen this bug so we and other users can keep track of it.

Please open a new bug as the initial bug has been fixed - 2.1 is in portage.