使用OpenVPN的Viscosity客户端配置¶
Compatible Nitrokeys |
|||||||
|---|---|---|---|---|---|---|---|
✓ active |
⨯ inactive |
⨯ inactive |
✓ active |
⨯ inactive |
✓ active |
✓ active |
⨯ inactive |
This guide will show to configure Viscosity client to connect to an OpenVPN instance, using a Nitrokey Pro 2 (or Nitrokey Storage 2), and PKCS#11 authentication.
先决条件¶
在本指南中,你将需要一个为客户安装和配置的OpenVPN远程服务器。在本文件中,我们使用了安装在Debian 10服务器上的OpenVPN 2.49。
To read about how to configure OpenVPN to authenticate with Nitrokey Pro, you might consult the following documentation, as we will just cover the way to configure the Viscosity client in this guide.
你还将需要以下东西。
一个Nitrokey Pro 2或Nitrokey Storage 2
Client's private key
client.keyloaded on the NitrokeyClient's certificate
client.crtloaded on the NitrokeyThe Certificate Authority file, i.e.
CA.crtfile used for your OpenVPN setupOptional: The shared secret key file, i.e.
ta.key
For more information on PKCS#11 key management with OpenVPN, please consult OpenVPN's documentation.
使用方法¶
启动Viscosity并创建一个新的连接 "openVPN"(你可以随心所欲地命名它)
在连接上点击右键并点击编辑
Add your server's IP address and configure the port according to your configuration.
在认证下,在``Type`向下滚动到``SSL/TLS Client (PKCS11)``。
为你的连接选择CA文件
点击供应商字段旁边的添加按钮,选择``PKCS#11``模块作为你的Nitrokey。可以指定多个供应商,例如,我们将使用``OpenSC``。
On macOS, the most common location for modules to be found is in the /usr/lib directory. Please refer to the documentation included with your driver software for the location to use. OpenSC's module can be found at
/Library/OpenSC/lib/opensc-pkcs11.soOn Windows, the most common location for libraries is either in
C:\Program FilesorC:\Windows\System32. OpenSC libraries are generally located atC:\Program Files\OpenSC Project\OpenSC\pkcs11. There may be more than one library available here, you can try each one or simply add both.从检索的下拉菜单中选择一种检索方法
如果这台电脑上只使用一个硝基钥匙,请选择``Use certificate name below``。如果硝基钥匙目前已经连接到电脑上,点击``Detect``按钮,让粘度自动填入名称栏。否则这个字段可以手动完成。
If in doubt, or if more than one Nitrokey may be used (i.e. multiple users), then select
Prompt for certificate name.
如果``Prompt for certificate name``被选中,Viscosity将自动检测Nitrokey上所需的密钥,使用指定的PKCS#11模块/s。从发现的任何设备中选择,或者输入``serialized id``的名称来手动使用。同样,如果需要,应该提示用户输入密码/PIN。
点击 "保存 "按钮,从主界面连接。
参考文献¶
笔记¶
Viscosity不是免费的,因此你在使用免费版本时可能会遇到问题。
我们正在考虑使用`Pritunl <https://client.pritunl.com/>`__作为一个免费和开放的替代方案。