This HOWTO is about modifying GNUTLS to make OpenConnect work with LuxTrust/Gemalto smartcards on GNU/Linux. It shows you how to patch the GNUTLS library, build and install the new package and how to invoke OpenConnect to make a successful connection to a remote VPN gateway.
This is written for Debian 10 aka Buster. The fix is simple, ugly but functionnal, and will probably break some other applications.
Install LuxTrust middleware and fix dependencies:
$ sudo dpkg -i Gemalto_Middleware_Debian_64bit_7.2.0-b04.deb luxtrust-middleware-1.2.1-64.deb
$ sudo apt install -f
$ git clone https://github.com/wllm-rbnt/luxtrust-openconnect.git
Prepare the compilation environment:
$ mkdir deb
$ cd deb
$ sudo apt install devscripts fakeroot build-essential
Add src targets to your APT source.list file:
deb-src http://deb.debian.org/debian buster main
deb-src http://deb.debian.org/debian-security/ buster/updates main
deb-src http://deb.debian.org/debian buster-updates main
Install GNUTLS build dependencies and sources:
$ sudo apt update
$ sudo apt build-dep libgnutls30
$ apt source libgnutls30
That last command will create a new directory named gnutls28-3.x.y
.
Don't be surprised, that IS the correct directory for libgnutls30
.
Apply the GNUTLS fix:
$ cd gnutls28-3.x.y
$ git apply path_to/luxtrust-openconnect/0001-Fix-LuxTrust-OpenConnect.patch
Add a local suffix to the version (e.g. -conostix
) and compile GNUTLS
(documentation build and tests disabled):
$ dch -l '-conostix'
$ dpkg-buildpackage -rfakeroot -b
This will most likely end with an error message about not having been able to sign the packages. That's to be expected and won't keep you from installing them in the next step.
We added a suffix to the package version so that we can easily hold or uninstall them in the future.
Install the produced packages and any missing dependencies:
$ sudo dpkg -i $(ls -1 ../*.deb | grep -v dbgsym | xargs)
$ sudo apt install -f
You might want to mark the recently marked packages as held to prevent a further apt ugprade
from upgrading to an unpatched version
$ sudo apt-mark hold `dpkg -l | awk '/conostix/{print $2"="$3}'`
If required, reinstall GNUTLS original packages from Debian's repositories (here's where the version suffix comes in handy):
$ sudo apt install $(dpkg -l | awk '/conostix/{gsub("-conostix","",$3);print $2"="$3}')
Install OpenConnect:
$ sudo apt install openconnect
Locate LuxTrust/Gemalto PKCS11 URIs associated with your smartcard:
$ p11tool --list-tokens
[...]
Token 5:
URL: pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=0123456789ABCDEF;token=GemP15-1
Label: GemP15-1
Type: Hardware token
Manufacturer: Gemalto S.A.
Model: Classic V3
Serial: 0123456789ABCDEF
[...]
Then list the certs on that token. What you're looking for are the certificate and the
private key that have User Cert Auth
as a label:
$ p11tool --login --list-all "pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=0123456789ABCDEF;token=GemP15-1"
Token 'GemP15-1' with URL 'pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=0123456789ABCDEF;token=GemP15-1' requires user PIN
Enter PIN: 012345
[...]
Object 6:
URL: pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=0123456789ABCDEF;token=GemP15-1;id=%00%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13;object=User%20Cert%20Auth;object-type=cert
Type: X.509 Certificate
Label: User Cert Auth
ID: 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13
[...]
Object 10:
URL: pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=0123456789ABCDEF;token=GemP15-1;id=%00%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13;object=User%20Cert%20Auth;object-type=private
Type: Private key
Label: User Cert Auth
Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
ID: 00:01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13
[...]
Launch OpenConnect with the right URIs (-c
for the cert, -k
for the key) and some debug options:
$ sudo /usr/sbin/openconnect --disable-ipv6 --printcookie --dump-http-traffic -v -c 'pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=0123456789ABCDEF;token=GemP15-1;id=%00%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13;object=User%20Cert%20Auth;object-type=cert' -k 'pkcs11:model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=0123456789ABCDEF;token=GemP15-1;id=%00%01%02%03%04%05%06%07%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13;object=User%20Cert%20Auth;object-type=private' https://subdomain.domain.tld
Tweak your routing table to suit your needs, and restore your original (pre-connection) resolv.conf if required:
$ sudo ip r del default
$ sudo ip r add <remote_subnet> dev tunX
$ sudo ip r add default via <original_local_network_gateway>
$ sudo cp /var/run/vpnc/resolv.conf-backup /etc/resolv.conf
where remote_subnet
is the network you're trying to reach on the VPN and
original_local_network_gateway
is your local gateway.