YubiKey OpenVPN
The following section describes how to configure OpenVPN on Rocky Linux 9.1 with an Idem Key Plus, TrustKey G310, or YubiKey 5 NFC FIPS.
Using OpenVPN with a client certificate and private key that were imported from a .p12 file onto a Security Key works much like regular OpenVPN from a Linux terminal. Only the client configuration file differs slightly. It will look similar to this:
client
dev tun
proto tcp
remote 192.168.1.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 4
auth-nocache
cipher AES-256-GCM
tls-auth ta.key 1
ca cacert.pem
pkcs11-providers /usr/lib64/libykcs11.so.2.3.1
pkcs11-id 'Yubico\x20\x28www\x2Eyubico\x2Ecom\x29/YubiKey\x20YK5/17047506/YubiKey\x20PIV\x20\x2317047506/02'
Notice the last two lines. The pkcs11-providers field names the PKCS#11 module for the token (here Yubico's ykcs11 library), and the pkcs11-id field names one specific certificate object on one specific token. Together they make the OpenVPN client authenticate with the private key held on that Security Key instead of with a key file: the key never leaves the token, and OpenVPN prompts for the token's PIN when it opens the session. The CA certificate (cacert.pem) and the tls-auth key (ta.key) are still ordinary files next to the config. The comp-lzo line is carried over from the original example; compression is deprecated in current OpenVPN releases and is best left out unless the server requires it.
To find the pkcs11-id of the token that is plugged in, point OpenVPN at the PKCS#11 module and list the certificate IDs it exposes:
sudo openvpn --show-pkcs11-ids /usr/lib64/libykcs11.so.2.2.0
The module path must be the libykcs11.so version actually installed on the machine, and the same path must be used in the config's pkcs11-providers line (the config above and this command show different versions; use whichever exists in /usr/lib64). Copy the Serialized id value from the output into the pkcs11-id field verbatim, including the \xHH escapes. If the ID that this command gives you is not in the same format as the pkcs11-id above, you may have to use a different version of OpenVPN to obtain it; OpenVPN 2.3.18 was used to get the ID shown above.
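The serialized pkcs11-id above reads as five '/'-separated fields (manufacturer, model, serial number, token label, certificate object ID) with every non-alphanumeric character written as \xHH. The Python below is an added example, not code from the original page or from Yubico or OpenVPN: it decodes the page's ID into those fields, rebuilds it, renders the client config with the token-specific lines filled in, and checks a config for usable pkcs11 lines. The field meanings and the escaping rule are inferred from the one ID shown on the page and are assumptions; the Serialized id printed by openvpn --show-pkcs11-ids remains the authoritative value to paste into a real config. The find_ykcs11_module helper and the glob pattern it uses are also assumptions.

```python
"""Work with OpenVPN pkcs11-id strings and the matching client config.

Added example; not code from the original page or from Yubico/OpenVPN.
Assumptions (inferred from the ID shown on the page): the serialized id is
manufacturer/model/serial/label/object-id, and every character outside
[A-Za-z0-9] is written as \\xHH.  The real source of truth is the
"Serialized id" printed by `openvpn --show-pkcs11-ids <module>`.
"""
import glob
import os
import re

# The ID exactly as it appears on the page (raw string keeps the backslashes).
PAGE_PKCS11_ID = (
    r"Yubico\x20\x28www\x2Eyubico\x2Ecom\x29/YubiKey\x20YK5/17047506/"
    r"YubiKey\x20PIV\x20\x2317047506/02"
)
FIELDS = ("manufacturer", "model", "serial", "label", "object_id")
_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape(component):
    """Turn each \\xHH sequence back into its character (\\x20 -> ' ')."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), component)


def escape(text):
    """Write every non-alphanumeric ASCII character as \\xHH (uppercase hex).
    Reproduces the page's ID; the exact set pkcs11-helper escapes is an
    assumption, so prefer IDs printed by --show-pkcs11-ids."""
    return "".join(
        ch if ch.isascii() and ch.isalnum() else "\\x%02X" % ord(ch) for ch in text
    )


def parse_pkcs11_id(serialized):
    """Split 'manufacturer/model/serial/label/object-id' and unescape each part."""
    parts = serialized.split("/")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} '/'-separated fields, got {len(parts)}")
    return dict(zip(FIELDS, (unescape(p) for p in parts)))


def build_pkcs11_id(fields):
    """Inverse of parse_pkcs11_id: escape each field and join with '/'."""
    return "/".join(escape(str(fields[name])) for name in FIELDS)


def find_ykcs11_module(pattern="/usr/lib64/libykcs11.so.*"):
    """Return an installed ykcs11 library path (last in string order) or None.
    The page shows two versions; the config must name the one that exists."""
    matches = sorted(glob.glob(pattern))  # assumption: path layout as on the page
    return matches[-1] if matches else None


def render_client_config(remote, port, provider, pkcs11_id, proto="tcp"):
    """Render the page's client config with the token-specific lines filled in.
    comp-lzo is left out: compression is deprecated in current OpenVPN."""
    lines = [
        "client", "dev tun", f"proto {proto}", f"remote {remote} {port}",
        "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
        "verb 4", "auth-nocache", "cipher AES-256-GCM",
        "tls-auth ta.key 1", "ca cacert.pem",
        f"pkcs11-providers {provider}",
        f"pkcs11-id '{pkcs11_id}'",
    ]
    return "\n".join(lines) + "\n"


def check_pkcs11_config(config_text, provider_exists=os.path.isfile):
    """Return a list of problems with the pkcs11 lines of a client config
    (empty list means they look usable).  provider_exists is injectable so
    the check can run on a machine where the module is not installed."""
    options = {}
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            options[parts[0]] = parts[1]
    problems = []
    providers = options.get("pkcs11-providers")
    if providers is None:
        problems.append("missing pkcs11-providers")
    else:
        for module in providers.split():
            if not provider_exists(module):
                problems.append(f"pkcs11 module not found: {module}")
    raw_id = options.get("pkcs11-id")
    if raw_id is None:
        problems.append("missing pkcs11-id")
    else:
        try:
            parse_pkcs11_id(raw_id.strip("'\""))
        except ValueError as exc:
            problems.append(f"pkcs11-id: {exc}")
    return problems


if __name__ == "__main__":
    for name, value in parse_pkcs11_id(PAGE_PKCS11_ID).items():
        print(f"{name:12} {value}")
    module = find_ykcs11_module() or "/usr/lib64/libykcs11.so.2.3.1"
    cfg = render_client_config("192.168.1.1", 1194, module, PAGE_PKCS11_ID)
    print(cfg)
    print("problems:", check_pkcs11_config(cfg) or "none")
```

Decoding the page's ID yields manufacturer "Yubico (www.yubico.com)", model "YubiKey YK5", serial "17047506", label "YubiKey PIV #17047506" and object ID "02", which is why the serial number appears twice in the string. Running the script on the target machine renders a config that names whichever libykcs11.so is actually installed and flags the module path if it does not exist.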