Skip to content

OpenVPN-GOST-lib

Latest
Latest
Compare
Choose a tag to compare
@SergeyOgly SergeyOgly released this 28 Aug 02:47
· 12 commits to master since this release
0.0.1
c1bf669
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Библиотеки (для windows x32/x64) для замены стандартных в продукте OpenVPN (https://openvpn.net/community-downloads/)
Используются для реализации ГОСТ шифрования (gost-engine v1.1.0.3) и модифицированный pkcs11-helper v1.26.0 для поддержки считывателей RuToken c ГОСТ сертификатами 2001, 2012_256, 2012_512.
Порядок установки:

  1. Устанавливаем драйвера Рутокен (https://www.rutoken.ru/support/download/windows/)
  2. Устанавливаем OpenVPN (тестировалось с версией 2.4.9)
  3. Устанавливаем системную переменную OPENSSL_ENGINES=Каталог_установки_OpenVPN\bin
    Например OPENSSL_ENGINES=c:\openvpn\bin\ (c:\openvpn - каталог OpenVPN)
  4. Копируем поверх gost.dll и libpkcs11-helper-1.dll в Каталог_установки_OpenVPN\bin\
  5. Проверяем из командной строки:
C:\Program Files\openvpn\bin>openssl.exe engine gost -c -t
(gost) Reference implementation of GOST engine
 [gost89, gost89-cnt, gost89-cnt-12, gost89-cbc, grasshopper-ecb, grasshopper-cbc, grasshopper-cfb, grasshopper-ofb, grasshopper-ctr, md_gost94, gost-mac, md_gost12_256, md_gost12_512, gost-mac-12, gost2001, gost-mac, gost2012_256, gost2012_512, gost-mac-12]
     [ available ]
  1. Пример client.ovpn:
client
verb 3
nobind
dev tap
remote openvpn.server
<ca>
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
</ca>
auth-nocache
### TLS
remote-cert-tls server
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
###cipher section
engine gost
cipher grasshopper-cbc
tls-cipher GOST2012-GOST8912-GOST8912
auth md_gost12_512
ncp-disable
###network section
persist-key
persist-tun
proto udp
port 1194
dhcp-option DOMAIN domain.ru
dhcp-option DNS 192.168.0.1
###Rutoken support
pkcs11-providers 'rtpkcs11ecp.dll'
pkcs11-id 'pkcs11:model=Rutoken%20ECP;token=...=Aktiv%20Co.;serial=346abfb;id=2020'
  1. Идентификатор pkcs-id смотрим командой:
C:\Program Files\OpenVPN\bin>openvpn.exe --show-pkcs11-ids rtPKCS11ECP.dll
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
Certificate
       DN:             C=RU, ST=28 .., O=TEST ORG, CN=stunnel, L=ZEYA
       Serial:         66600000000000001F
       Serialized id:  pkcs11:model=Rutoken%20ECP;token=Rutoken%20ECP%20%3cno%20label%3e;manufacturer=Aktiv%20Co.;serial=346abfb;id=2020
Assets 3
Loading