Skip to main content

Connect and Authorize Hardware Tokens

Abstract

OpenVPN Connect supports external certificates on PKCS#11 hardware tokens for VPN connections.

OpenVPN Connect supports external certificates on PKCS#11 hardware tokens for VPN connections. This page provides an overview of setting it up on your device. The instructions are applicable for Yubikey hardware tokens with PKCS#11 support, such as Yubikey 5 NFC. You can try the same steps with modules for hardware tokens of other vendors.

Tip

Support for PKCS#11 hardware tokens requires Windows or macOS and OpenVPN Connect 3.3 and newer.

Before you begin

Make sure you've already done the following:

  1. Installed OpenVPN Connect on Windows or macOS.

    Important

    Your profile should not contain <cert> and <key>. That way, you can assign an external certificate loaded on the hardware token.

  2. Installed the hardware token management software. (Refer to the Yubikey site: Releases.)

  3. Imported the private key and certificate pair on the hardware token. (Refer to the Yubikey site: key import.)

    Important

    Ensure you import the private key and certificate in the same slot on the token.

Locate and copy the vendor module

Find your operating system below and follow the steps.

macOS

  1. Locate the library: /usr/local/lib/libykcs11.x.x.x.dylib

    Example 1. 

    E.g., libykcs11.2.3.0.dylib — ensure it's a file, not a symlink.



  2. Open Terminal and execute this command to create a symlink to the library file:

ln -s /usr/local/lib/libykcs11.x.x.x1.dylib ~/.pkcs11_modules/libykcs11.dylib

1

Where x.x.x is the version of the file from step one.

Windows

  1. Add <Program Files>\Yubico\Yubico PIV Tool\bin to $PATH environment variable (System).

  2. Copy <Program Files>\Yubico\Yubico PIV Tool\bin\libykcs11.dll to <Program Files>\OpenVPN Connect\pkcs11_modules.

Assign an external certificate to the profile

For both macOS and Windows, exit out of OpenVPN Connect and then follow these steps:

  1. Launch OpenVPN Connect.

  2. Click or tap the Edit icon for the desired profile.

  3. Under Certificate and Key, click or tap Assign.

    Tip

    If Certificate and Key doesn't display, your connection profile already includes the certificate and key. Your profile should not contain <cert> and <key>.

  4. Click or tap Hardware Tokens and select the hardware token from the list.

  5. Click or tap Authorize and enter a PIN for the desired hardware token.

  6. After successful authorization, choose the certificate and key for connection with the profile.

  7. Click or tap Confirm.

  8. Save the profile configuration.

Connect with a profile and the hardware token

Now that you have a proper certificate and key assigned to the profile, you can plug in your hardware token and connect using your profile:

  1. Click or tap the profile toggle to connect.

  2. After a successful connection, OpenVPN Connect displays connection statistics.

Important

Keep the hardware token plugged in during the connection process.

In this section: