Connection loop with Yubikey 5
Posted: Tue Jan 19, 2021 12:09 am
Hi,
I'm trying to get a connection to my VPN Server (Pfsense Firewall) with Viscosity using Yubikey + Touch for authentication.
Settings are looking good to me. The pkcs11-provider path is set right and the certificate is set via the detect button.
If I try to connect to the VPN server, the Yubikey starts to blink (waiting for touch) and Viscosity shows status authenticate. After the touch, the connection gets closed and the whole process starts again.
So what am I missing?
Here is the log:
2021-01-18 11:02:34: Viscosity Mac 1.9 (1556)
2021-01-18 11:02:34: Viscosity OpenVPN Engine Started
2021-01-18 11:02:34: Running on macOS 10.15.7
2021-01-18 11:02:34: ---------
2021-01-18 11:02:34: State changed to Connecting
2021-01-18 11:02:34: Checking reachability status of connection...
2021-01-18 11:02:34: Connection is reachable. Starting connection attempt.
2021-01-18 11:02:34: OpenVPN 2.4.9 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 10 2020
2021-01-18 11:02:34: library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
2021-01-18 11:02:34: PKCS#11: Adding PKCS#11 provider '/Library/OpenSC/lib/opensc-pkcs11.so'
2021-01-18 11:02:35: Resolving address: XXXXXXXXX
2021-01-18 11:02:35: Valid endpoint found: XXXXXXXXX:tcp4-client
2021-01-18 11:02:35: TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX:XX
2021-01-18 11:02:35: Attempting to establish TCP connection with [AF_INET]XXX.XXX.XX [nonblock]
2021-01-18 11:02:37: TCP connection established with [AF_INET]XXXXXXXX:XX
2021-01-18 11:02:37: TCPv4_CLIENT link local: (not bound)
2021-01-18 11:02:37: TCPv4_CLIENT link remote: [AF_INET]XXXXXXXX:XX
2021-01-18 11:02:37: State changed to Authenticating
2021-01-18 11:02:40: [XXXXX-server] Peer Connection Initiated with [AF_INET]XXXXXXXX:XX
2021-01-18 11:02:40: Opened utun device utun10
2021-01-18 11:02:40: /sbin/ifconfig utun10 delete
2021-01-18 11:02:40: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2021-01-18 11:02:40: /sbin/ifconfig utun10 XXXXXXXX:XX XXXXXXXX:XX netmask 255.255.255.0 mtu 1500 up
2021-01-18 11:02:40: Initialization Sequence Completed
2021-01-18 11:02:40: DNS mode set to Split
2021-01-18 11:02:40: WARNING: Split DNS is being used however no DNS domains are present. The DNS server/s for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present/
2021-01-18 11:02:40: Testing address: XXXXXXXX:XX Route points into VPN network
2021-01-18 11:02:40: Route: XXXXXXXX:XX/255.255.255.255 utun10
2021-01-18 11:02:40: Disconnecting connection as it is no longer reachable
2021-01-18 11:02:40: State changed to Disconnecting (Network Change)
2021-01-18 11:02:40: State changed to Connected
2021-01-18 11:02:40: SIGTERM[hard,] received, process exiting
2021-01-18 11:02:40: State changed to getrennt (Process Terminated)
This OpenVPN-Config works under Windows 10 with OpenVPN Client 2.4.9 + Yubikey Touch
dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-disable
auth SHA256
tls-client
client
resolv-retry infinite
remote XXXXXX tcp4
remote XXXXXX tcp4
connect-timeout 5
connect-retry-max 1
reneg-sec 0
verify-x509-name openvpn-server name
remote-cert-tls server
comp-lzo
tun-mtu 1500
auth-nocache
socket-flags TCP_NODELAY
ca XXXXXXXXXX-ca.crt
pkcs11-providers "C:\\PKCS11\\opensc-pkcs11.dll"
pkcs11-id 'piv_II/PKCS\x2315\x20emulated/XXXXXXXXXX/XXXXXXXXXXXXXXX/04'
tls-crypt XXXXXXXXX-tls.key
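Reading the loop out of the log, as an added triage example that is not part of the original post: the handshake and touch do succeed (Peer Connection Initiated, Initialization Sequence Completed), and the disconnect comes from Viscosity's reachability check once the route to the VPN endpoint is tested as pointing into the tunnel. The script parses constructed lines modelled on the log above and reports that sequence; the function and field names are my own.

```python
import re
from datetime import datetime

# Constructed sample modelled on the Viscosity log in the post (addresses redacted as XXX).
SAMPLE_LOG = """\
2021-01-18 11:02:34: State changed to Connecting
2021-01-18 11:02:34: PKCS#11: Adding PKCS#11 provider '/Library/OpenSC/lib/opensc-pkcs11.so'
2021-01-18 11:02:37: State changed to Authenticating
2021-01-18 11:02:40: [XXXXX-server] Peer Connection Initiated with [AF_INET]XXXXXXXX:XX
2021-01-18 11:02:40: Initialization Sequence Completed
2021-01-18 11:02:40: Testing address: XXXXXXXX:XX Route points into VPN network
2021-01-18 11:02:40: Route: XXXXXXXX:XX/255.255.255.255 utun10
2021-01-18 11:02:40: Disconnecting connection as it is no longer reachable
2021-01-18 11:02:40: State changed to Disconnecting (Network Change)
2021-01-18 11:02:40: SIGTERM[hard,] received, process exiting
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (.*)$")


def parse(text):
    """Return [(timestamp, message)] for lines in the Viscosity log format; skip the rest."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def first(events, pred):
    """Timestamp of the first event whose message satisfies pred, else None."""
    return next((ts for ts, msg in events if pred(msg)), None)


def classify_teardown(events):
    """Describe why the tunnel came down, or None if no reachability teardown is logged.
    Separates 'token/auth failed' from 'tunnel came up, then the endpoint route moved
    into the tunnel and Viscosity's reachability check tore it down' (the loop in the post)."""
    unreachable = first(events, lambda m: m.startswith("Disconnecting connection as it is no longer reachable"))
    if unreachable is None:
        return None
    auth_ok = first(events, lambda m: "Peer Connection Initiated" in m)
    init_done = first(events, lambda m: m == "Initialization Sequence Completed")
    route_into_vpn = first(events, lambda m: m.startswith("Testing address:")
                           and "Route points into VPN network" in m)
    cause = "endpoint-route-inside-tunnel" if route_into_vpn and route_into_vpn <= unreachable else "unknown"
    return {"auth_succeeded": auth_ok is not None,
            "tunnel_up": init_done is not None,
            "seconds_up": (unreachable - init_done).total_seconds() if init_done else None,
            "cause": cause}
```

When the result is "endpoint-route-inside-tunnel" with auth_succeeded true, the token and PKCS#11 setup are not the problem; the thing to compare is the address used in `remote` against the networks routed over the tunnel.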