Secure-enclave bound key in tunnelblick via management-external-key

45 views
Skip to first unread message

Timofey “ne_bknn” Mischenko

unread,
Jun 5, 2025, 7:21:55 AMJun 5
to tunnelblick-discuss
Hello. I am in a very long journey towards hardware-bound tls keys for openvpn. Recently, I made a huge progress - I implemented all of the crypto/secure enclave logic in a standalone Swift program and delegated signing operations to it via `--management-external-key`. It works nicely with raw openvpn. Unfortunately, it does not work with  tunnelblick, because tunnelblick uses its own management interface. Bummer.

Would you be interested in a PR where this logic is transfered to tunnelblick's manager? So we can generate key on SE via tunnelblick GUI, issue CSR, import signed certificate and allow openvpn to sign tls challenge via management interface (by providing `--management-external-key`). 

I am considering implementing this and whether you are interested in it/willing to merge such a thing is a huge factor. 

Tunnelblick Developer

unread,
Jun 8, 2025, 11:23:11 AMJun 8
to tunnelblick-discuss
Thanks, this sounds like a great idea!

However, I'm concerned about the complexity and long-term maintenance of such a PR. Tunnelblick has had trouble in the past with accepting complex PRs and with maintaining complex code added in PRs. The latter may not apply to you and I don't mean to imply it would, but complex PRs are difficult for us to absorb.

I'm not saying no, but here's an alternative that might work for you: To add to Tunnelblick the ability to "pass through" the --management-external-key commands to a separate-from-Tunnelblick, stand-alone program such as yours. That wouldn't include the key generation / CSR / import sequence that you describe, but it would allow alternatives, such as having keys stored in physical devices or in the Keychain, to be very easily implemented. I think it would be pretty quick and easy for me to add that to Tunnelblick.

It could be implemented in Tunnelblick by having "forced preferences" (a Tunnelblick thing: a preference that can only be set/modified/deleted by a computer administrator) that would be the path to a Unix socket and the path to a read-only-by-root password file, mimicking the arguments to OpenVPN's --management option. Tunnelblick would connect to the socket and send the password, and then send any rsa-sig and/or certificate commands that come from OpenVPN to Tunnelblick to the socket, and the socket's output to Tunnelblick would be passed by Tunnelblick back to OpenVPN. I don't think a user-facing interface in the Tunnelblick GUI would be needed or desired, but that's a separate issue.

Would this work for you? What are your thoughts?
 
Of course, anyone else is encouraged to chime in, too!


Reply all
Reply to author
Forward
0 new messages