Using YubiKey with OpenVPN Connect
OpenVPN Connect supports YubiKey hardware security keys for two distinct use cases: storing client certificates and private keys on the YubiKey using PKCS#11, and using the YubiKey as a hardware TOTP token for MFA. This page explains both use cases and links to setup instructions for end users and administrators.
OpenVPN Connect integrates with YubiKey hardware security keys to strengthen VPN authentication beyond software-only credentials.
Depending on how your VPN is configured, you can use a YubiKey to:
Generate one-time passcodes for multi-factor authentication (MFA), or
Store your client certificate and private key so they never leave the device.
These use cases are supported with:
Self-managed OpenVPN server configurations
Support and setup steps may vary depending on your environment.
Note
YubiKey usage needs to be configured by your VPN administrator. If you're unsure which setup applies to you, contact your IT administrator.
Use YubiKey as a TOTP MFA token
Who this is for
End users required to use MFA for VPN access.
Administrators configuring TOTP-based MFA.
What it does
Time-based One-Time Password (TOTP), as defined in RFC 6238, generates a short-lived numeric code that is required in addition to your username and password.
OpenVPN Connect supports TOTP when enabled by your VPN service.
Using a YubiKey instead of a software authenticator means:
The TOTP secret is stored on a physical device.
The secret can't be extracted or synced.
Risk from backups, cloud sync, or malware is reduced.
When connecting:
Enter your credentials.
Provide a one-time password when prompted. You can generate the code:
Using the Yubico Authenticator app, or
Directly from the YubiKey (if configured for TOTP output).
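To make the "short-lived numeric code" concrete, here is an added Python example (not code from the page, from OpenVPN, or from Yubico) of the RFC 6238 arithmetic that a YubiKey or authenticator app performs on the device: HMAC over a time-derived counter, dynamic truncation, and the server-side check that an administrator's MFA backend performs. It goes a little beyond the text by including a verification window for clock drift and a decoder for the base32 enrollment secret. The function names and the verification-window size are this example's own choices; the only input is the RFC 6238 Appendix B test secret, embedded here as a constructed value.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (the ASCII string "12345678901234567890"); constructed input for this demo
RFC6238_SHA1_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: accept the current step and up to `skew` neighbouring steps on each side,
    so a token or host clock that has drifted by a few seconds still validates.
    hmac.compare_digest keeps the comparison constant-time."""
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return False
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c, digits, ), submitted)
               for c in range(counter - skew, counter + skew + 1))


def secret_from_base32(encoded: str) -> bytes:
    """Enrollment secrets in otpauth:// URIs and QR codes are base32 (often unpadded, sometimes with spaces)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding that many enrollment strings omit
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Reproduce RFC 6238 Appendix B (SHA-1, 8 digits) and show the verification window in action
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(f"T={t:>11}  TOTP={totp(RFC6238_SHA1_SECRET, t, digits=8)}")
    code = totp(RFC6238_SHA1_SECRET, 1111111109, digits=8)
    print("accepted 30 s later with skew=1:",
          verify_totp(RFC6238_SHA1_SECRET, code, 1111111109 + 30, digits=8, skew=1))
    print("accepted 30 s later with skew=0:",
          verify_totp(RFC6238_SHA1_SECRET, code, 1111111109 + 30, digits=8, skew=0))
    print("current 6-digit code:", totp(RFC6238_SHA1_SECRET, int(time.time())))
```

The point of the hardware-token model is that `RFC6238_SHA1_SECRET` lives only inside the YubiKey and on the server; the code above shows why that secret is the whole game, since anyone holding it can compute every future code. The skew window is a deliberate trade-off: each extra step widens the set of codes accepted at any instant, so keep it at one step unless clock drift is a demonstrated problem.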
Learn more
End users: Use YubiKey as a TOTP MFA Token with OpenVPN Connect
Administrators:
Tutorial: Use TOTP Hardware Tokens for MFA in Access Server (YubiKey)
CloudConnexa supports standard TOTP 2FA, which is compatible with the Yubico Authenticator app. See Set Two-Factor Authentication (2FA) for Users for configuration steps.
For self-managed servers, refer to your platform's MFA configuration documentation.
Store client certificates on a YubiKey (PKCS#11)
Who this is for
End users issued a YubiKey for certificate-based VPN authentication.
Administrators configuring PKCS#11-based authentication for their VPN environment.
What it does
PKCS#11 support allows OpenVPN Connect to use a client certificate and private key stored on a YubiKey instead of in software.
Because the private key is generated on and never leaves the device:
It can't be exported.
It can't be extracted by malware.
Authentication requires physical possession of the YubiKey and the correct PIN.
This approach is well-suited for high-security environments where protecting private keys is critical.
Compatibility
YubiKey 5 Series and other models with PKCS#11 support.
OpenVPN Connect 3.3+: RSA certificates.
OpenVPN Connect 3.5+: ECC certificates.
Learn more
End users: Connect and Authorize Hardware Tokens
Administrators:
Access Server — Tutorial: PKCS#11 Hardware Tokens for VPN Connections (Yubikey)
For self-managed servers, configure PKCS#11 in your OpenVPN server and client profiles.
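As an added illustration of what "configure PKCS#11 in your client profile" looks like for a self-managed setup, here is a client profile fragment written for this page, not taken from OpenVPN's or Yubico's documentation. It uses the OpenVPN 2.x directive names `pkcs11-providers` and `pkcs11-id`; the provider library path is an assumption for a Linux host with Yubico's PKCS#11 module installed, the remote hostname is a placeholder, and the id string is a placeholder for the serialized id that `openvpn --show-pkcs11-ids <provider>` prints for the certificate on the token. Confirm the exact directives your OpenVPN Connect version accepts against the Access Server tutorial linked above.

```conf
# Client profile fragment for certificate-on-YubiKey authentication (added example).
client
dev tun
proto udp
remote vpn.example.com 1194          # placeholder hostname

# PKCS#11 module that talks to the YubiKey's PIV applet.
# Path is an assumption for a Linux host; adjust for your OS and install location.
pkcs11-providers /usr/lib/x86_64-linux-gnu/libykcs11.so

# Serialized id of the client certificate object on the token, as printed by
#   openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/libykcs11.so
# (placeholder value; paste the real string from that output).
pkcs11-id 'PLACEHOLDER-SERIALIZED-PKCS11-ID'

# Alternative to pkcs11-id: let the client prompt for the object interactively.
# pkcs11-id-management

# Deliberately absent: no "key" directive and no <key>...</key> block.
# The private key never enters this file; signing happens on the YubiKey
# after the PIN prompt, and the server validates against the CA below.
# <ca> ... </ca> block with the issuing CA certificate goes here.
remote-cert-tls server
```

The check a practitioner wants after deploying such a profile is simple: the profile file must contain no private key material at all, and a connection attempt must fail when the YubiKey is unplugged or the PIN is wrong. If either of those holds only some of the time, the client is still falling back to a software key somewhere.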
Passkeys and YubiKey
YubiKey devices also support passkeys based on FIDO2/WebAuthn standards. These are commonly used for passwordless authentication with supported identity providers.
OpenVPN Connect doesn't directly use passkeys for VPN authentication. However, passkeys may be used when:
Your VPN uses web-based authentication (SAML or similar).
Your organization integrates with an identity provider that supports passkeys.
In this case, authentication happens in the browser or in an external flow, and OpenVPN Connect relies on the result of that authentication.
Note
Passkey support depends on your identity provider and VPN configuration, not on OpenVPN Connect itself.
Platform notes
CloudConnexa supports a passkey stored on a YubiKey for signing in to the administration portal.
Access Server can use passkeys when integrated with a SAML identity provider. In this setup, MFA is configured on the IdP side, and a YubiKey can be used as a passkey during the authentication process.