VPN tunnel to Linksys router using yubikey authentication fails to open properly

BigDog
Posts: 15
Joined: 2019/01/24 03:18:57

Post by BigDog » 2019/01/24 04:08:23

Hi Community

I hope you can all help.

I am having trouble opening an OpenVPN client connection to a Linksys LRT214 router that supports an OpenVPN server, from my CentOS 7 client (kernel 4.19.7-1.el7.elrepo.x86_64). I have my certificates and private key on a YubiKey 5.

On my client I have OpenVPN version openvpn.x86_64 2.4.6-1.el7. When I install the appropriate CA/certificate/private key into the /etc/openvpn/client/keys.ovpn file on the client and execute the connection using openvpn --config /etc/openvpn/client/keys.ovpn, the tunnel opens and everything works fine. The tun device opens correctly, the appropriate routes and IPs are added and the initialisation sequence completes successfully as below. This would indicate that the ovpn file has all of the correct settings and details.

Tue Jan 22 15:20:55 2019 TUN/TAP device tun0 opened
Tue Jan 22 15:20:55 2019 TUN/TAP TX queue length set to 100
Tue Jan 22 15:20:55 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jan 22 15:20:55 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Jan 22 15:20:55 2019 /sbin/ip addr add dev tun0 local 172.32.0.6 peer 172.32.0.5
Tue Jan 22 15:20:55 2019 /sbin/ip route add 10.1.0.0/24 via 172.32.0.5
Tue Jan 22 15:20:55 2019 /sbin/ip route add 172.32.0.0/24 via 172.32.0.5
Tue Jan 22 15:20:55 2019 Initialization Sequence Completed

The output of ip ad for a successful connection when the keys/certs are installed on the client and not on the YubiKey is

12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 172.32.0.6 peer 172.32.0.5/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::e1f9:8d1c:aceb:db54/64 scope link flags 800
valid_lft forever preferred_lft forever

To allow the CentOS client OpenVPN to read the certs/keys on the YubiKey I have modified the above ovpn file, removed the cert and private key sections and replaced them with

pkcs11-id piv_II/PKCS\\x2315\\x20emulated/00000000/Client1/04
pkcs11-providers /usr/lib64/opensc-pkcs11.so

When I now execute the openvpn --client /etc/openvpn/client/keys.ovpn command, the output from this shows the failure to create the IP address and routes.

(output from openvpn command)
Thu Jan 24 11:11:20 2019 us=686764 TUN/TAP device tun0 opened
Thu Jan 24 11:11:20 2019 us=686867 TUN/TAP TX queue length set to 100
Thu Jan 24 11:11:20 2019 us=686928 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jan 24 11:11:20 2019 us=686994 /sbin/ip link set dev tun0 up mtu 1500
HANGS HERE...........

The output from ip ad to look at the tun device settings shows it has not been allocated any routes or IP address (but the router shows it is connected):

10: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 100
link/none

/var/log/messages for a failed connection shows only this.

Jan 24 11:51:08 hklapp01 NetworkManager[5406]: <info> [1548301868.5356] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/12)

Hope this provides someone with enough detail for help :-)

Many thanks

BD
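The pkcs11-id line in the post is a pkcs11-helper "serialized id" as printed by openvpn --show-pkcs11-ids, with every backslash doubled because OpenVPN's config parser consumes one level of backslash escapes. The following is an added example (not code from the original post or from OpenVPN) that decodes such an id into its five fields, doubles the backslashes for a .ovpn file, renders the pkcs11-id/pkcs11-providers stanza, and extracts ids from --show-pkcs11-ids output. The sample --show-pkcs11-ids text is constructed (DN and serial values are made up; the serialized id mirrors the one in the post), and the helper names are this example's own.

```python
"""Decode, escape and render an OpenVPN pkcs11-id.

Added example, not code from the original post or from OpenVPN itself. It
assumes the pkcs11-helper serialization that OpenVPN prints with
`openvpn --show-pkcs11-ids <module>`: five '/'-separated fields
(manufacturer / token label / token serial / object label / object id), in
which '/' and other special bytes inside a field are written as \\xNN.
"""
import re
from dataclasses import dataclass

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


@dataclass(frozen=True)
class Pkcs11Id:
    manufacturer: str
    token_label: str
    token_serial: str
    object_label: str
    object_id: str


def unescape_field(field: str) -> str:
    """Turn \\xNN escapes back into characters (\\x23 -> '#', \\x20 -> ' ')."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)


def parse_pkcs11_id(serialized: str) -> Pkcs11Id:
    """Split a serialized id (single-backslash form) into its fields.

    Splitting happens before unescaping, so a '/' encoded as \\x2F inside a
    field does not produce a spurious sixth field.
    """
    parts = serialized.split("/")
    if len(parts) != 5:
        raise ValueError(
            f"expected 5 '/'-separated fields, got {len(parts)}: {serialized!r}"
        )
    return Pkcs11Id(*(unescape_field(p) for p in parts))


def escape_for_config(serialized: str) -> str:
    """Double every backslash for use inside a .ovpn file.

    OpenVPN's config parser strips one level of backslash escapes, so the id
    must be written with doubled backslashes there (as in the post); on the
    command line, --pkcs11-id '...' in single quotes needs no doubling.
    """
    return serialized.replace("\\", "\\\\")


def pkcs11_stanza(serialized: str, provider: str) -> str:
    """Render the two lines that replace inline <cert>/<key> blocks."""
    return (
        f"pkcs11-id {escape_for_config(serialized)}\n"
        f"pkcs11-providers {provider}\n"
    )


def serialized_ids(show_output: str) -> list:
    """Pull the 'Serialized id:' values out of --show-pkcs11-ids output."""
    return re.findall(r"^\s*Serialized id:\s*(\S+)\s*$", show_output, re.MULTILINE)


# Constructed sample of --show-pkcs11-ids output for a PIV slot: DN and
# Serial are made up; the serialized id mirrors the one in the post.
SAMPLE_SHOW_OUTPUT = """\
Certificate
       DN:             CN=Client1
       Serial:         01
       Serialized id:  piv_II/PKCS\\x2315\\x20emulated/00000000/Client1/04
"""

if __name__ == "__main__":
    for sid in serialized_ids(SAMPLE_SHOW_OUTPUT):
        print(parse_pkcs11_id(sid))
        print(pkcs11_stanza(sid, "/usr/lib64/opensc-pkcs11.so"))
```

Decoding the post's id gives manufacturer piv_II, token label "PKCS#15 emulated", serial 00000000, object label Client1 and object id 04, which is what you would expect to see listed for the same slot with pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -O. The stanza the script emits is the doubled-backslash form the post already uses, so it confirms the id itself is escaped correctly for a config file.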
