Product Documentation

YubiKey OpenVPN

The following section describes how to configure OpenVPN on Rocky Linux 9.1 with an Idem Key Plus, TrustKey G310, or YubiKey 5 NFC FIPS. The worked configuration below uses a YubiKey; the same two OpenVPN options apply to the other keys, with the PKCS#11 module supplied for that key in place of the YubiKey one.

  1. OpenVPN with the client certificate and private key held on a security key (for example a .p12 file loaded into the key's PIV slot) is used much like regular OpenVPN on a Linux terminal. Only the client configuration file differs; it will look similar to this:

    client
    dev tun
    proto tcp
    remote 192.168.1.1 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    comp-lzo
    verb 4
    auth-nocache
    cipher AES-256-GCM
    tls-auth ta.key 1
    ca cacert.pem
    pkcs11-providers /usr/lib64/libykcs11.so.2.3.1
    pkcs11-id 'Yubico\x20\x28www\x2Eyubico\x2Ecom\x29/YubiKey\x20YK5/17047506/YubiKey\x20PIV\x20\x2317047506/02'

    Notice the two fields at the bottom, pkcs11-providers and pkcs11-id. In place of cert and key files on disk, they make the OpenVPN client load the PKCS#11 module and authenticate with the certificate and private key identified by that id on one specific security key. The private key never leaves the key; OpenVPN prompts for the key's PIN (the PIV PIN on a YubiKey) when it connects. Note that comp-lzo is deprecated in current OpenVPN releases and only belongs in the file if the server still requires it.

  2. The pkcs11-providers field holds the path of the PKCS#11 module (.so file) for the security key in use. For a YubiKey this is libykcs11, installed under /usr/lib64 by Yubico PIV Tool for Linux. The version suffix in the file name follows the installed version of the tool, which is why the example above shows /usr/lib64/libykcs11.so.2.3.1 while the command below uses /usr/lib64/libykcs11.so.2.2.0; use whichever libykcs11.so file actually exists on your system. libykcs11 talks to the key through PC/SC, so the pcscd service must be running, and it only recognises YubiKeys: for another vendor's key, point this field at that vendor's PKCS#11 module instead.

  3. The pkcs11-id field holds the serialized id of the certificate object on the security key. To obtain it, insert the security key into the computer and run this command in the terminal:
    sudo openvpn --show-pkcs11-ids /usr/lib64/libykcs11.so.2.2.0
    The command lists each certificate on the key with its DN, serial and a "Serialized id" line. The Serialized id is the value to copy, exactly as printed (the \xNN sequences encode spaces and punctuation and are part of the id), wrapped in single quotes as in the example above. If the ID that this command gives you is not in the same format as the pkcs11-id above, then you may have to use a different version of OpenVPN to get it. OpenVPN 2.3.18 was used to get the above ID.
  4. After filling in the pkcs11-id field with that value, the configuration file can be used to start the OpenVPN client and connect to the VPN; the client will prompt for the key's PIN.