OpenVPN has added support for external certificates on PKCS #11 hardware tokens for VPN connections to OpenVPN Connect for Windows and macOS in version 3.3, which means you can now integrate with a hardware authentication device such as a YubiKey.
Public-Key Cryptography Standards (PKCS) #11 is a standard used by application software, such as OpenVPN Connect, to access cryptographic tokens like smart cards. The PKCS #11 standard specifies an API called "Cryptoki" (pronounced "crypto-key"), short for cryptographic token interface. As a cross-platform, vendor-independent free standard, PKCS #11 gives software a common way to integrate with cryptographic tokens.
OpenVPN Connect uses the Personal Identity Verification (PIV) card interface supported by YubiKey for the integration. PIV exposes the private key and certificate pair stored on the token through the common PKCS #11 interface, and OpenVPN Connect uses that pair for authentication. This adds a layer of security to your VPN client connections.
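Before pointing a VPN client at a token, a practitioner usually confirms that the token really exposes a usable certificate and private key pair over PKCS #11. The script below is an added example, not part of the OpenVPN Connect page or the OpenVPN project's code. It parses the object listing printed by OpenSC's `pkcs11-tool --list-objects` (a real, widely used PKCS #11 command-line tool) and checks two things the PKCS #11 authentication flow depends on: that a certificate and a private key share the same object ID (CKA_ID, which is how the pair is matched), and that the private key is flagged sensitive / never extractable, so the key material stays on the hardware. The listing embedded in the script is constructed sample output; the object labels, IDs, and exact line layout vary by module and OpenSC version, and the `list_objects` helper that calls the real tool is an assumed convenience wrapper.

```python
"""Verify that a PKCS #11 token exposes a certificate/private-key pair usable
for VPN client authentication.

Added example, not code from the OpenVPN Connect page. It parses the text
printed by OpenSC's `pkcs11-tool --list-objects`; the sample listing below is
constructed and only mimics that format.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample output in the style of `pkcs11-tool --list-objects --login`
# for a PIV token (labels and IDs are illustrative, not captured from a device).
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      X.509 Certificate for PIV Authentication
  subject:    DN: CN=alice, O=Example Corp
  ID:         01
Public Key Object; RSA 2048 bits
  label:      Public key for PIV Authentication
  ID:         01
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      Private key for PIV Authentication
  ID:         01
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable
"""

# Each object in the listing starts with "<Kind> Object; ..." on its own line.
HEADER_RE = re.compile(r"^(Certificate|Private Key|Public Key|Secret Key|Data) Object;")


@dataclass
class Pkcs11Object:
    kind: str                      # e.g. "Certificate" or "Private Key"
    label: str = ""
    obj_id: str = ""               # CKA_ID as printed (hex string)
    usage: set = field(default_factory=set)
    access: set = field(default_factory=set)


def parse_listing(text):
    """Turn pkcs11-tool's indented 'key: value' listing into Pkcs11Object records."""
    objects, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = Pkcs11Object(kind=header.group(1))
            objects.append(current)
            continue
        if current is None or ":" not in line:
            continue  # preamble such as "Using slot 0 ..." or an unrelated line
        key, _, value = line.strip().partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "label":
            current.label = value
        elif key == "id":
            current.obj_id = value
        elif key == "usage":
            current.usage = {u.strip() for u in value.split(",")}
        elif key == "access":
            current.access = {a.strip() for a in value.split(",")}
    return objects


def find_auth_pairs(objects):
    """Pair each private key with the certificate that carries the same CKA_ID."""
    certs = {o.obj_id: o for o in objects if o.kind == "Certificate" and o.obj_id}
    return [(certs[o.obj_id], o)
            for o in objects if o.kind == "Private Key" and o.obj_id in certs]


def check_pair(cert, key):
    """Return a list of problems; an empty list means the pair looks usable."""
    problems = []
    if "sign" not in key.usage:
        problems.append("private key lacks the 'sign' usage needed for TLS client auth")
    if not ({"sensitive", "never extractable"} & key.access):
        problems.append("private key is not marked sensitive / never extractable")
    return problems


def list_objects(module_path):
    """Run the real tool against a PKCS #11 module (requires OpenSC installed).
    --login makes pkcs11-tool prompt for the PIN instead of taking it as an
    argument, so the PIN does not end up in the process list or shell history."""
    cmd = ["pkcs11-tool", "--module", module_path, "--list-objects", "--login"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed listing. To check a real token,
    # replace SAMPLE_LISTING with list_objects("/path/to/libykcs11.so") (assumed path).
    for cert, key in find_auth_pairs(parse_listing(SAMPLE_LISTING)):
        issues = check_pair(cert, key)
        print(f"ID {cert.obj_id}: '{cert.label}' <-> '{key.label}':",
              "OK" if not issues else "; ".join(issues))
```

Run it as-is to see the check against the constructed listing; for a real token, swap in the module path of your vendor's PKCS #11 library. A listing with no matching ID, or a key whose access flags do not include sensitive or never extractable, is the case to investigate before trusting the token for VPN logins.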
Benefits of Layering Security
Multiple layers are essential for security because they create a multi-faceted defense. Security layers limit access, making it harder for attackers to reach a business's data. No single layer provides perfect protection on its own, but together they form a formidable defense.
With a layered-security approach, several things happen. First, detected threats are eliminated early so they won't pose a danger or block authentic attempts to enter the system. This rapid capture and validation process means less downtime, and enables your team to continue to be productive. It also reduces the need for a person to go into the system to manually clear an item. The proper defense at the right time within a layered approach offers your company a chance to continue to operate at full capacity, while your defense mechanisms are in place doing the work you need them to do.
Getting started with OpenVPN Connect and PKCS #11
Refer to our overview for setting up this PKCS #11 integration with OpenVPN Connect. The instructions apply to YubiKey hardware tokens with PKCS #11 support, such as the YubiKey 5 NFC. You can try the same steps with PKCS #11 modules for hardware tokens from other vendors.
The security integration with YubiKey will be a valuable new way to layer security. The OpenVPN Connect 3.3 release also includes configuration through the command line, captive portal detection, network loss detection, and more updates and bug fixes.