Until now I had to start a Windows virtual machine to be able to connect to vpn.etat.lu using my LuxTrust Smartcard. After a lot of research and trial and error I was finally able to make it work on Linux.
Before you start: This currently only works with Ubuntu 13.10. On Ubuntu 14.04 there is an issue with the bundled gnutls version (at least I think so), but I didn’t have the time to backport/recompile it. If anyone has a solution, please let me know. (see update at the bottom of the post)
1. Install the requirements
apt-get install libusb++-0.1-4c2 libccid pcscd libpcsclite1 pcsc-tools openconnect p11-kit gnutls-bin
2. Go to https://www.luxtrust.lu/fr/simple/189 to download the LuxTrust “Middleware” for Ubuntu (but don’t install it yet)
3. Patch the Middleware:
dpkg-deb -x LuxTrust_Middleware_64bit_6.1-007.deb tmp
dpkg-deb --control LuxTrust_Middleware_64bit_6.1-007.deb tmp/DEBIAN
The following 4 bugfixes need to be applied to tmp/DEBIAN/postinst. I reported them in October 2013 to LuxTrust but they obviously didn’t care.
(Otherwise the “+1”s are concatenated as text, producing a string like “0+1+1+1+1+1+1+1+1” etc. Using the $ notation, the expression is evaluated arithmetically instead.)
Replace
if [ $LIBCTR > 0 ]; then
with
if [ $LIBCTR -gt 0 ]; then
Because “>” is for strings, while “-gt” is for numbers. (Note that inside single brackets an unquoted “>” is actually parsed by the shell as an output redirection to a file named “0”, so the original test never compared anything and was true for any non-empty $LIBCTR.)
Replace
if [ ! -f /usr/lib/libsqlite3.so ]; then
with
if [ ! -e /usr/lib/libsqlite3.so ]; then
“-f” checks if the given path is a “regular” file, so it will fail on symlinks. “-e” will also pass on symlinks.
Because every postinst script needs to end with an explicit exit status.
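The following script is an added illustration, not code from the LuxTrust package or from this post: it reproduces fixes 1 and 2 in a scratch directory so the wrong behaviour can be seen without installing anything. The exact original postinst lines for fix 1 are assumed from the “0+1+1+1…” symptom described above; all paths and library files are constructed.

```sh
#!/bin/sh
# Added example (not the LuxTrust postinst): reproduces fixes 1 and 2 above.

# Fix 1: counting library files. The assumed buggy form appends the literal
# text "+1" to the variable; $((...)) evaluates it as an integer instead.
count_libs_buggy() {          # $1 = directory to scan
    LIBCTR=0
    for f in "$1"/*.so; do [ -e "$f" ] && LIBCTR=$LIBCTR+1; done
    printf '%s\n' "$LIBCTR"   # "0+1+1" for two files
}
count_libs_fixed() {
    LIBCTR=0
    for f in "$1"/*.so; do [ -e "$f" ] && LIBCTR=$((LIBCTR+1)); done
    printf '%s\n' "$LIBCTR"   # "2" for two files
}

# Fix 2: inside single brackets an unquoted ">" is an output redirection,
# not a comparison. "[ $LIBCTR > 0 ]" runs "[ $LIBCTR ]" with stdout sent to
# a file literally named "0": true for ANY non-empty value, including 0 and
# the broken "0+1+1" string. The subshell confines the stray file to $2.
libs_found_buggy() {          # $1 = counter value, $2 = directory for side effect
    ( cd "$2" && [ $1 > 0 ] )
}
libs_found_fixed() {          # -gt rejects 0 and non-numeric strings (status 2)
    [ "$1" -gt 0 ] 2>/dev/null
}

# Run both variants against a constructed directory with two fake libraries.
demo() {
    d=$(mktemp -d)
    touch "$d/liba.so" "$d/libb.so"
    printf 'buggy count: %s\n' "$(count_libs_buggy "$d")"
    printf 'fixed count: %s\n' "$(count_libs_fixed "$d")"
    libs_found_buggy 0 "$d" && echo "buggy test: [ 0 > 0 ] is 'true'"
    [ -f "$d/0" ] && echo "side effect: created file $d/0"
    libs_found_fixed 0 "$d" || echo "fixed test: [ 0 -gt 0 ] is false"
    rm -rf "$d"
}

demo
```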
4. Now, rebuild the .deb and install it:
dpkg -b tmp LuxTrust_Middleware_64bit_6.1-007.patched.deb
sudo dpkg -i LuxTrust_Middleware_64bit_6.1-007.patched.deb
5. (Optional) To use the Smartcard in Firefox go to “Preferences -> Advanced -> Certificates -> Security Devices”, click “Load” and enter the following:
Name: Gemalto PKCS#11 Module
6. To use the Smartcard for your VPN connection to “vpn.etat.lu”:
Create “/etc/pkcs11/modules/gemalto.module” and add the following line:
Then check if the “Gemalto” device appears when using the following command:
Download the default VPN-Script for OpenConnect (this sets up routing information after the connection has been established) and make it executable.
chmod +x vpnc-script
Now, find your device URL (labeled “User Cert Auth”) using the following command and remove the “;object-type=xxx” part.
You should now be able to connect to the VPN with the following command (using the URL from the previous command minus the “;object-type=xxx” part) for the “-c” option:
openconnect --script vpnc-script -c 'pkcs11:library-description=PKCS%2311%20Cryptoki%20Multiplexer;library-manufacturer=Gemplus;model=Classic%20V3;manufacturer=Gemalto%20S.A.;serial=...;token=GemP15-1;id=...;object=User%20Cert%20Auth' https://vpn.etat.lu
Done. OpenConnect will ask for your PIN and then initiate a VPN connection.
As mentioned at the beginning of the article, this doesn’t work on Ubuntu 14.04. You will get the message “Internal error in memory allocation.”
Update for Ubuntu 14.10
The OpenConnect package from Ubuntu 14.10 is broken, so you need to recompile it. First, uninstall the OpenConnect package:
sudo apt-get remove openconnect
Then download and recompile OpenConnect from source:
sudo apt-get install build-essential libtool automake pkg-config libxml2-dev
git clone git://git.infradead.org/users/dwmw2/openconnect.git
sudo make install