OpenBSD ready for serious business

So since the beginning of the pandemic my employer has been looking for a way to send people back home doing work remotely. However the lack of laptops in the company (which is yet another story) has led them to loosen the rules for BYOD, which has been in place before. Everyone that can do it, got a yubi key (V5) for an openvpn certificate and a Jabra USB headset.

The howto includes, Windows, Mac OS and Linux, so I thought, hey, openvpn should run on OpenBSD, so I can do this!

Well yes, I can but only after hours later. For the OpenVPN config I needed to remove the line telling the server which cipher suites I can talk. Those mentioned there seem to mismatch libressl's capabilities. The defaults seem to be fine now.

As for the Yubi key I need to add my serial Number and a smart card provider to the config:

  pkcs11-providers /usr/local/lib/pkcs11/opensc-pkcs11.so
  pkcs11-id 'piv_II/PKCS\x2315\x20emulated/XXXXXXXXXXXXXX/changed/by/me'

Where do these come from? Well, install the opensc package (openvpn uses the -lite version as dependency, that's not what we need). Next enable the pcscd daemon or it will not see your Yubikey.

The yubikey shows up in dmesg as follows:

  uhidev0 at uhub5 port 1 configuration 1 interface 0 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.24 addr 2
  uhidev0: iclass 3/1
  ukbd0 at uhidev0: 8 variable keys, 6 key codes
  wskbd1 at ukbd0 mux 1
  wskbd1: connecting to wsdisplay0
  uhidev1 at uhub5 port 1 configuration 1 interface 1 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.24 addr 2
  uhidev1: iclass 3/0
  fido0 at uhidev1: input=64, output=64, feature=0
  ugen2 at uhub5 port 1 configuration 1 "Yubico YubiKey OTP+FIDO+CCID" rev 2.00/5.24 addr 2

So for this, we need to build openvpn with the support for pkcs11, so add CONFIGURE_ARGS+= --enable-pkcs11 to the port's Makefile. It will complain about a missing pkcs11-helper library. That's a little helper lib wrapping OpenSC API in an easier (I guess) way.

So where to get it? It is not packaged unfortunately, but it's on github:

  $ git clone https://github.com/OpenSC/pkcs11-helper

Then after calling the autotools dance: aclocal, autoconf, automake, autoheader, configure. Change the lib/common.h's definition of P_Z to '"%zd"'. Also for configure you need to --disable-slotevent and --disable-threading. The former as a dependency to the latter. And the threading seems to be broken on OpenBSD. If you experience segfaults when running the tests, that's why.

Build the thing with 'make' and install with make 'install'. Turn back to openvpn and build the package. Don't forget the --enable-pkcs11 flag...

After that you need to fill in the pkcs11-id from above by reading it:

  $ openvpn --show-pkcs11-ids /usr/loca/lib/pkcs/opensc-pkcs11.so
  openvpn --show-pkcs11-ids /usr/local/lib/pkcs11/opensc-pkcs11.so 
 
  The following objects are available for use.
  Each object shown below may be used as parameter to
  --pkcs11-id option please remember to use single quote mark.
  
  Certificate
      DN:             C=DE, ST=Bayern, O=ACME INC, CN=come.thing
      Serial:         9F
      Serialized id:  piv_II/PKCS\x2315\x20emulated/XXXXXXXXXXXXXX/changed/by/me

Don't forget the single quotes when pasting the id!

After that you should be able to run the openvpn client with your config. A password prompt will ask you for your key's password. In my case my admin has set this up for me, so I don't know how to do this on OpenBSD and for obvious reasons, I don't want to mess with it atm.

So now I got my device onto the company network! Yay! Next was the setup of the USB headset. This shows up like:

  uaudio0 at uhub0 port 1 configuration 1 interface 1 "GN Netcom A/S Jabra EVOLVE 20" rev 2.00/3.07 addr 2
  uaudio0: class v1, full-speed, sync, channels: 2 play, 1 rec, 6 ctls
  audio1 at uaudio0
  uhidev3 at uhub0 port 1 configuration 1 interface 3 "GN Netcom A/S Jabra EVOLVE 20" rev 2.00/3.07 addr 2
  uhidev3: iclass 3/0, 5 report ids
  uhid3 at uhidev3 reportid 1: input=2, output=0, feature=0
  uhid4 at uhidev3 reportid 2: input=2, output=2, feature=0
  uhid5 at uhidev3 reportid 4: input=2, output=2, feature=0
  uhid6 at uhidev3 reportid 5: input=32, output=32, feature=0

So fine, it's another audio device! Since we want to use the mic, we need to enable recording in the sysctl!

  $ doas sysctl kern.audio.record 1

After that tell sndiod to make use of the audio device:

  $ sndiod -f rsnd/1

After that I have been able to use the headset in chromium for jitsi and microsoft meet and google hangout successfully.

Code on this site is licensed under a 2 clause BSD license, everything else unless noted otherwise is licensed under a CreativeCommonsAttribution-ShareAlike3.0UnportedLicense