Viscosity Client Configuration with OpenVPN
This guide shows how to configure the Viscosity client to connect to an OpenVPN instance using a Nitrokey Pro 2 (or Nitrokey Storage 2) and PKCS#11 authentication.
Prerequisites
For this guide, you will need an OpenVPN remote server installed and configured for clients. For the purpose of this document, we have used OpenVPN 2.49 installed on a Debian 10 server.
To learn how to configure OpenVPN itself to authenticate with a Nitrokey Pro, consult the following documentation; this guide only covers how to configure the Viscosity client.
You will also need the following:
- A Nitrokey Pro 2 or Nitrokey Storage 2
- The client's private key (client.key) loaded on the Nitrokey
- The client's certificate (client.crt) loaded on the Nitrokey
- The Certificate Authority file (CA.crt) used for your OpenVPN setup
- Optional: the shared secret key file (ta.key)
For more information on PKCS#11 key management with OpenVPN, please consult OpenVPN's documentation.
Usage
1. Start Viscosity and create a new connection "openVPN" (you can name it as you wish).
2. Right-click on the connection and click Edit.
3. Add your server's IP address and configure the port according to your configuration.
4. Under Authentication, in Type, scroll down to SSL/TLS Client (PKCS11).
5. Select the CA file for your connection.
6. Optional: select the ta.key in the TLS-Auth section.
7. Click the Add button next to the Providers field and select the PKCS#11 module for your Nitrokey. Multiple providers can be specified; for instance, we will use OpenSC.
   On macOS, the most common location for modules is the /usr/lib directory. Please refer to the documentation included with your driver software for the location to use. OpenSC's module can be found at /Library/OpenSC/lib/opensc-pkcs11.so
   On Windows, the most common location for libraries is either C:\Program Files or C:\Windows\System32. OpenSC libraries are generally located at C:\Program Files\OpenSC Project\OpenSC\pkcs11. There may be more than one library available here; you can try each one or simply add both.
8. Choose a retrieval method from the Retrieval drop-down menu.
   If only one Nitrokey will ever be used on this computer, select Use certificate name below. If the Nitrokey is currently connected to the computer, click the Detect button for Viscosity to automatically fill in the Name field. Otherwise this field can be completed manually.
   If in doubt, or if more than one Nitrokey may be used (i.e. multiple users), then select Prompt for certificate name.
9. If Prompt for certificate name was selected, Viscosity will automatically detect the required key on the Nitrokey using the specified PKCS#11 module(s). Select from any of the found devices, or enter the name of the serialized id to use manually. Again, the user should be prompted for a password/PIN if required.
10. Click the Save button and connect from the main interface.
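As an added example (not from the Nitrokey or Viscosity documentation), this is the plain OpenVPN client configuration that the settings above correspond to, useful for checking what the GUI produces or for reproducing the setup with the OpenVPN command line. The server address, port and serialized id are constructed placeholders; mapping "Use certificate name below" to pkcs11-id and "Prompt for certificate name" to pkcs11-id-management is an assumption about how Viscosity renders its settings, and remote-cert-tls is a hardening directive that the guide itself does not mention.

```conf
# Added example: OpenVPN client config equivalent to the Viscosity settings above.
# Placeholders (constructed, not real values): VPN_SERVER_HOSTNAME, port 1194,
# and the pkcs11-id string below.
client
dev tun
proto udp
remote VPN_SERVER_HOSTNAME 1194

# Certificate Authority of the OpenVPN setup (prerequisite CA.crt)
ca CA.crt

# Optional shared secret (prerequisite ta.key). The key direction is 1 on the
# client and 0 on the server; it is an assumption that the server was set up
# that way, so adjust if your server uses the opposite direction.
tls-auth ta.key 1

# Not part of the guide: require the server certificate to carry the server
# extended key usage, so a peer holding only a client certificate is rejected.
remote-cert-tls server

# PKCS#11 provider: the OpenSC module at the macOS path given in the guide.
# On Windows, point this at a .dll under
# C:\Program Files\OpenSC Project\OpenSC\pkcs11 instead.
pkcs11-providers /Library/OpenSC/lib/opensc-pkcs11.so

# Retrieval method "Use certificate name below": pin the serialized id of the
# client certificate on the Nitrokey. List the ids the module exposes with
#   openvpn --show-pkcs11-ids /Library/OpenSC/lib/opensc-pkcs11.so
# The value here is a constructed placeholder in the
# manufacturer/model/serial/token-label/object-id shape, not a real id.
pkcs11-id 'EXAMPLE%20Manufacturer/EXAMPLE%20Model/0000000000/EXAMPLE%20Token/01'

# Retrieval method "Prompt for certificate name": remove the pkcs11-id line
# above and let the identity be chosen at connect time through the management
# interface (assumed to be how Viscosity implements prompting):
# pkcs11-id-management
```

The private key never leaves the Nitrokey: OpenVPN only references it through the PKCS#11 module, and the PIN prompt at connect time is the token authorising the TLS handshake signature.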
Notes
Viscosity is not free, and thus you might run into issues in using the free version.
We are considering the usage of Pritunl as a free and open alternative.