OpenVPN can use smart cards instead of --key/cert which works great for me via --pkcs11-id '...' with values from 'openvpn --show-pkcs11-ids | grep id:' on the client and no further config; the server needs no changes.
See openvpn(8) "PKCS#11 / SmartCard options" for more.

New dependency:

Information for inst:pkcs11-helper-1.30.0

Comment:
library with PKCS

Required by:
openvpn-2.6.12p0

Description:
pkcs11-helper allows using multiple PKCS#11 providers at the same time, enumerating available token certificates, or selecting a certificate directly by serialized id, handling card removal and card insert events, handling card re-insert to a different slot, supporting session expiration and much more all using a simple API.

pkcs11-helper is not designed to manage card content, since object attributes are usually vendor specific, and 99% of application need to access existing objects in order to perform signature and decryption.

Maintainer: Klemens Nanni <k...@openbsd.org>

WWW: https://github.com/OpenSC/pkcs11-helper

It can use different TLS implementations - I explicitly enabled LibreSSL alone and left OpenVPN's FLAVOR=mbedtls unchanged as I don't use that.

Feedback? OK?

Index: Makefile =================================================================== RCS file: /cvs/ports/net/openvpn/Makefile,v diff -u -p -r1.130 Makefile --- Makefile 21 Dec 2024 11:38:33 -0000 1.130 +++ Makefile 30 Dec 2024 23:16:33 -0000 @@ -26,6 +26,8 @@ CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/ LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}" CONFIGURE_ARGS+=--with-openssl-engine=no +SEPARATE_BUILD= Yes + DEBUG_PACKAGES= ${BUILD_PACKAGES} FLAVORS= mbedtls @@ -36,7 +38,14 @@ LIB_DEPENDS+= security/polarssl CONFIGURE_ARGS+= --with-crypto-library=mbedtls WANTLIB += mbedcrypto mbedtls mbedx509 pthread .else -WANTLIB += crypto ssl +REVISION= 0 +LIB_DEPENDS+= security/pkcs11-helper +# dlopen()s p11-kit-proxy.so +BUILD_DEPENDS+= security/p11-kit +RUN_DEPENDS+= security/p11-kit +CONFIGURE_ARGS+= --enable-pkcs11 +WANTLIB += pthread pkcs11-helper +WANTLIB += crypto ssl pkcs11-helper .endif SAMPLES_DIR= ${PREFIX}/share/examples/openvpn
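Review bot: the first hunk's `+SEPARATE_BUILD= Yes` is a build-system change unrelated to PKCS#11 that the mail text does not mention; either state in the mail why it is needed now (for instance if the in-tree build fails with the new configure option) or commit it separately so the PKCS#11 enablement stays a one-purpose diff.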
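Review bot: in the second hunk pkcs11-helper is listed twice in WANTLIB for the LibreSSL branch (`+WANTLIB += pthread pkcs11-helper` and `+WANTLIB += crypto ssl pkcs11-helper`); one of the two should go, e.g. a single `WANTLIB += crypto ssl pkcs11-helper pthread`. The `# dlopen()s p11-kit-proxy.so` comment explains the RUN_DEPENDS on security/p11-kit, but a module that is only dlopen()ed at run time does not by itself need a BUILD_DEPENDS; if configure or the test suite probes for p11-kit, say so in the comment, otherwise drop the `+BUILD_DEPENDS+= security/p11-kit` line.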
Attachment: pkcs1-helper.tgz (application/compressed-tar)
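As an added example, not part of the post or of the port: a small POSIX sh helper that reads the `openvpn --show-pkcs11-ids` listing the post greps through, picks a certificate by a DN substring and prints the `pkcs11-id '...'` line for the client config. The listing below is constructed in the layout OpenVPN prints; the token name, DNs and serialized ids are made up.

```shell
#!/bin/sh
# Constructed sample of 'openvpn --show-pkcs11-ids' output (layout as OpenVPN
# prints it; vendor, token, DNs and ids are invented for this example).
SAMPLE_IDS='The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             /C=XX/O=Example/CN=alice
       Serial:         01
       Serialized id:  Example\x20Vendor/Example\x20Token/0001/alice/1234

Certificate
       DN:             /C=XX/O=Example/CN=alice-old
       Serial:         02
       Serialized id:  Example\x20Vendor/Example\x20Token/0001/alice-old/5678'

# pkcs11_id_for WANT: read a listing on stdin and print the serialized id of
# the first certificate whose DN contains WANT (prints nothing if none does).
pkcs11_id_for() {
    awk -v want="$1" '
        /^ *DN:/ {
            sub(/^ *DN: */, "")
            hit = index($0, want) > 0
        }
        /^ *Serialized id:/ && hit {
            sub(/^ *Serialized id: */, "")
            print
            exit
        }'
}

# client_config WANT: emit the directive that replaces --key/--cert on the
# client. The id is single-quoted because it carries backslash escapes
# (\x20 for spaces) and the listing itself says to quote it; returns 1 when
# no certificate matches so a wrong DN does not yield an empty directive.
client_config() {
    id=$(printf '%s\n' "$SAMPLE_IDS" | pkcs11_id_for "$1")
    [ -n "$id" ] || return 1
    printf "pkcs11-id '%s'\n" "$id"
}

# On a real client the listing comes from the card:
#   openvpn --show-pkcs11-ids | pkcs11_id_for CN=alice
client_config CN=alice-old
```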