Product Documentation

    YubiKey OpenVPN

    The following section describes how to configure OpenVPN on Rocky 9.1 - Rocky 9.3 Linux with an Idem Key Plus, TrustKey G310, or Yubikey 5 NFC FIPS.

     

     

    1. Login to the machine as root. Install the packages that are required to build the PIV Tool. You will have to enable crb and epel-release.

       
      dnf config-manager --set-enabled crb 

      dnf install epel-release

      dnf install gcc gcc-c++ cmake libtool openssl-devel pkgconf check check-devel pcsc-lite pcsc-lite-devel gengetopt help2man zlib-devel openvpn
    2. Download the latest release of the Yubico PIV Tool from Yubico's website. Choose the option that ends with .tar.tgz. Untar the file and cd into the folder it creates. In this document, the latest version of the Yubico PIV Tool was 2.7.2.

       
      cd yubico-piv-tool-2.7.2
    3. Run the following commands to build the pkcs-11 provider. 

       
      mkdir build; cd build
      cmake ..
      make
      sudo make install
    4. Create and edit the strongkey.conf file.
       
      vi /etc/ld.so.conf.d/strongkey.conf
    5. In the strongkey.conf file, put the following string as its content:
       
      /usr/local/lib64
    6. Run the ldconfig command to create the correct links.
       
      ldconfig
    7. OpenVPN using a .p12 file loaded onto a Security Key is similar to regular OpenVPN on a Linux terminal. However, the client configuration file will be slightly different. It will look similar to this:
      client
      dev tun
      proto tcp
      remote 192.168.1.1 1194
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      comp-lzo
      verb 4
      auth-nocache
      cipher AES-256-GCM
      tls-auth ta.key 1
      ca cacert.pem
      pkcs11-providers /usr/lib64/libykcs11.so.2.3.1
      pkcs11-id 'Yubico\x20\x28www\x2Eyubico\x2Ecom\x29/YubiKey\x20YK5/17047506/YubiKey\x20PIV\x20\x2317047506/02'
      Notice at the bottom that there is a pkcs11-providers field and a pkcs11-id field. These two fields and their contents will cause the OpenVPN client to request authentication using a specific Security Key.
    8. The pkcs11-providers field should be filled in by the location of the Security Key provider’s PKCS 11 .so file. For YubiKey, the path should be /usr/lib64/libykcs11.so.2.2.0, and the file can be obtained by installing Yubico PIV Tool for Linux.

    9. The pkcs11-id field will be filled in by the id of the Security Key. In order to obtain this, insert the Security Key into the computer and run this command in the terminal:
       
      sudo openvpn –show-pkcs11-ids /usr/lib64/libykcs11.so.2.2.0
      If the ID that this command gives you is not in the same format as the pkcs11-id above, then you may have to use a different version of OpenVPN to get it. OpenVPN 2.3.18 was used to get the above ID.
    10. After getting the pkcs11-id field and filling it in with the appropriate value, you can now use the configuration file to connect to the VPN.