Product Documentation

YubiKey OpenVPN

 

The following section describes how to configure OpenVPN on Rocky 9.1 - Rocky 9.3 LInux with an Idem Key Plus, TrustKey G310, or Yubikey 5 NFC FIPS.

 

 

  1. OpenVPN using a .p12 file loaded onto a Security Key is similar to regular OpenVPN on a Linux terminal. However, the client configuration file will be slightly different. It will look similar to this:

    client
    dev tun
    proto tcp
    remote 192.168.1.1 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    comp-lzo
    verb 4
    auth-nocache
    cipher AES-256-GCM
    tls-auth ta.key 1
    ca cacert.pem
    pkcs11-providers /usr/lib64/libykcs11.so.2.3.1
    pkcs11-id 'Yubico\x20\x28www\x2Eyubico\x2Ecom\x29/YubiKey\x20YK5/17047506/YubiKey\x20PIV\x20\x2317047506/02'
    Notice at the bottom that there is a pkcs11-providers field and a pkcs11-id field. These two fields and their contents will cause the OpenVPN client to request authentication using a specific Security Key.

  2. The pkcs11-providers field should be filled in by the location of the Security Key provider’s PKCS 11 .so file. For YubiKey, the path should be /usr/lib64/libykcs11.so.2.2.0, and the file can be obtained by installing Yubico PIV Tool for Linux.

  3. The pkcs11-id field will be filled in by the id of the Security Key. In order to obtain this, insert the Security Key into the computer and run this command in the terminal:
    sudo openvpn –show-pkcs11-ids /usr/lib64/libykcs11.so.2.2.0
    If the ID that this command gives you is not in the same format as the pkcs11-id above, then you may have to use a different version of OpenVPN to get it. OpenVPN 2.3.18 was used to get the above ID.
  4. After getting the pkcs11-id field and filling it in with the appropriate value, you can now use the configuration file to connect to the VPN.