OpenVPN added support for external certificates on PKCS#11 hardware tokens for VPN connections to OpenVPN Connect for Windows and macOS in version 3.3.

This document provides an overview of setting up this feature on your device. The instructions below apply to Yubikey hardware tokens with PKCS#11 support, such as the Yubikey 5 NFC. You can try the same steps with modules from other hardware token vendors.

Import profile into OpenVPN Connect

Import a profile or configuration file from your VPN server into OpenVPN Connect:

  1. Launch OpenVPN Connect.
  2. In the Import Profile screen, enter the URL for your VPN server or click File to import a .OVPN profile. If you have existing profiles in OpenVPN Connect, click the Add icon to import another profile.

Note: your profile must not contain <cert> and <key> blocks. Only in that case can you assign an external certificate located on the hardware token.
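As an added example (not code from the OpenVPN Connect documentation), a small Python helper that checks an .ovpn profile for inline <cert>/<key> blocks and cert/key file directives and strips them, leaving the rest of the profile (remote, <ca>, key-direction) intact so it can be paired with a token certificate. The sample profile and its placeholder PEM bodies are constructed.

```python
import re

# Client-credential directives that must be absent from the profile: with an
# inline <cert>/<key> block (or a cert/key file directive) present, OpenVPN
# Connect will not offer the "Assign" option for a hardware-token certificate.
_BLOCK_RE = re.compile(
    r"^[ \t]*<(cert|key)>\s*$.*?^[ \t]*</\1>\s*$\n?",
    re.MULTILINE | re.DOTALL,
)
_DIRECTIVE_RE = re.compile(r"^[ \t]*(cert|key)[ \t]+\S.*$\n?", re.MULTILINE)

def find_client_credentials(profile_text):
    """Return the client-credential directives found, e.g. ['<cert>', '<key>']."""
    found = [f"<{m.group(1)}>" for m in _BLOCK_RE.finditer(profile_text)]
    found += [m.group(1) for m in _DIRECTIVE_RE.finditer(profile_text)]
    return found

def strip_client_credentials(profile_text):
    """Remove inline <cert>/<key> blocks and cert/key file directives.

    Everything else (remote, <ca>, key-direction, ...) is left untouched, so
    the result is a profile OpenVPN Connect can pair with a token certificate.
    """
    cleaned = _BLOCK_RE.sub("", profile_text)
    return _DIRECTIVE_RE.sub("", cleaned)

# Constructed sample profile (placeholder PEM bodies, not real key material).
SAMPLE_PROFILE = """\
client
remote vpn.example.com 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
key-direction 1
"""
```

Run `find_client_credentials` on a profile before importing it; an empty list means the Assign option will be available.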

Install hardware token management software

Download the hardware token management software from the Yubikey site: Releases

For other vendors, refer to their documentation to install hardware token management software.

Import private key and certificate pair on the hardware token

Refer to the Yubikey website for instructions on importing the private key and certificate pair onto the hardware token: key import

Note: The private key and certificate must be imported in the same slot on the token.

Locate and copy vendor module

macOS

  1. Locate the library: /usr/local/lib/libykcs11.dylib
  2. Copy it into a new folder: ~/.pkcs11_modules/

Windows

  1. Add <Program Files>\Yubico\Yubico PIV Tool\bin to the PATH environment variable (System)
  2. Copy <Program Files>\Yubico\Yubico PIV Tool\bin\libykcs11.dll to <Program Files>\OpenVPN Connect\pkcs11_modules

Finally, for both macOS and Windows, relaunch OpenVPN Connect.

Assign external certificate to the profile

  1. Launch OpenVPN Connect.
  2. Click the pencil icon to edit the desired profile.
  3. In the “Certificate” section choose “Assign”.
  4. On the next window, click the Hardware Tokens tab.
  5. If your hardware token is plugged in, its name displays in the list.
  6. Click Authorize.
  7. Enter a PIN for the desired hardware token.
  8. After successful authorization, choose the certificate and key for connection with the profile.
  9. Click Confirm.
  10. Save profile configuration.

Connect

With the certificate and key assigned to the profile and the hardware token plugged in, you can connect using this profile. Note: keep the hardware token plugged in during the connection process.