OpenVPN added support for external certificates on PKCS#11 hardware tokens for VPN connections to OpenVPN Connect for Windows and macOS in version 3.3.
This document provides an overview of setting up this feature on your device. The instructions below apply to YubiKey hardware tokens with PKCS#11 support, such as the YubiKey 5 NFC. You can try the same steps with the modules supplied for hardware tokens of other vendors.
Import profile into OpenVPN Connect
Import a profile or configuration file from your VPN server into OpenVPN Connect:
- Launch OpenVPN Connect.
- In the Import Profile screen, enter the URL for your VPN server or click File to import a .OVPN profile. If you have existing profiles in OpenVPN Connect, click the Add icon to import another profile.
Note: your profile must not contain <cert> and <key> blocks. Only then will you be able to assign an external certificate located on the hardware token.
Install hardware token management software
Refer to the YubiKey site to download the hardware token management software (Releases page).
For other vendors, refer to their documentation to install hardware token management software.
Import private key and certificate pair on the hardware token
Refer to the YubiKey website for instructions on importing the private key and certificate pair onto the hardware token (key import page).
Note: The private key and certificate must be imported in the same slot on the token.
Locate and copy vendor module
macOS
- Locate the library:
/usr/local/lib/libykcs11.x.x.x.dylib
E.g.: libykcs11.2.3.0.dylib. It should be a file, not a symlink.
- Open Terminal and execute this command to create a symlink to the library file:
ln -s /usr/local/lib/libykcs11.x.x.x.dylib ~/.pkcs11_modules/libykcs11.dylib
Where x.x.x is the version of the file from step 1.
Windows
- Add <Program Files>\Yubico\Yubico PIV Tool\bin to the PATH environment variable (System).
- Copy <Program Files>\Yubico\Yubico PIV Tool\bin\libykcs11.dll to <Program Files>\OpenVPN Connect\pkcs11_modules
Finally, for both macOS and Windows, relaunch OpenVPN Connect.
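Before relaunching, the two prerequisites stated above can be verified from a terminal: the profile carries no inline <cert>/<key> blocks, and the macOS symlink in ~/.pkcs11_modules resolves to a real library file rather than to another symlink. The script below is an added example, not OpenVPN's or Yubico's code; its profile contents, vpn.example.test and the temp-dir fixtures are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not OpenVPN's own code): pre-flight check for a profile
# without inline <cert>/<key> blocks and a module symlink that points at
# the real, versioned library file.

# Return 0 when the profile in $1 has no inline <cert> or <key> block,
# 1 otherwise. OpenVPN Connect only offers the token for such profiles.
profile_has_no_inline_identity() {
    if grep -Eq '^[[:space:]]*<(cert|key)>' "$1"; then
        echo "$1: embeds <cert>/<key>; remove them to use the token" >&2
        return 1
    fi
    return 0
}

# Return 0 when $1 is a symlink whose (absolute) target is a regular file
# and not itself a symlink, as the macOS step requires; 1 otherwise.
module_symlink_ok() {
    link="$1"
    if [ ! -L "$link" ]; then
        echo "$link: not a symlink" >&2; return 1
    fi
    target=$(readlink "$link")
    if [ -L "$target" ]; then
        echo "$target: is itself a symlink; link the versioned .dylib" >&2; return 1
    fi
    if [ ! -f "$target" ]; then
        echo "$target: library file missing" >&2; return 1
    fi
    return 0
}

# Create constructed fixtures under a temp dir and print its path.
make_fixtures() {
    dir=$(mktemp -d)
    printf 'client\ndev tun\nremote vpn.example.test 1194\n' > "$dir/token.ovpn"
    printf 'client\n<cert>\nCONSTRUCTED\n</cert>\n<key>\nCONSTRUCTED\n</key>\n' > "$dir/inline.ovpn"
    : > "$dir/libykcs11.2.3.0.dylib"                            # stands in for the real library
    ln -s "$dir/libykcs11.2.3.0.dylib" "$dir/libykcs11.dylib"   # good: points at the file
    ln -s "$dir/libykcs11.dylib" "$dir/chained.dylib"           # bad: symlink to a symlink
    echo "$dir"
}

# Demo run on the fixtures; on a real machine pass your .ovpn and
# ~/.pkcs11_modules/libykcs11.dylib instead.
fx=$(make_fixtures)
for p in token inline; do
    if profile_has_no_inline_identity "$fx/$p.ovpn"; then echo "$p.ovpn: ok"; fi
done
module_symlink_ok "$fx/libykcs11.dylib" && echo "module symlink: ok"
```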
Assign external certificate to the profile
- Launch OpenVPN Connect.
- Click the pencil icon to edit the desired profile.
- In the “Certificate” section choose “Assign”.
- On the next window, click the Hardware Tokens tab.
- If your hardware token is plugged in, its name appears in the list.
- Click Authorize.
- Enter the PIN for the desired hardware token.
- After successful authorization, choose the certificate and key to use for connections with this profile.
- Click Confirm.
- Save profile configuration.
Connect
With a proper certificate and key assigned to the profile, and the hardware token plugged in, you can connect using this profile. Note: keep the hardware token plugged in during the connection process.