OpenVPN client on Windows with YubiKey and OpenSC

Tested with OpenVPN v2.4.3 64-bit on Windows 10 Pro build 1703.

This article assumes that you already have a working OpenVPN server that uses X.509 certificates, i.e. that you have a CA infrastructure in place and that you can log in to OpenVPN using your X.509 certificate.

  1. Download and install OpenVPN
  2. Download and install OpenSC
  3. (Optional) If you haven’t installed the VPN certificate on your YubiKey, download and install YubiKey Manager. I have placed my VPN certificate in the Authentication slot.
  4. Insert your YubiKey containing your VPN certificate into your computer.
  5. Run the following command to get your serialized id:
       openvpn --show-pkcs11-ids path\to\opensc-pkcs11.dll
  6. Get the “Serialized id” from the certificate that you want to use together with OpenVPN.
  7. Edit your OpenVPN client configuration file: replace the directives that point to your certificate and key with the key/values for PKCS#11.
  8. Comment out: cert and key
  9. Add:
       pkcs11-providers path\\to\\opensc-pkcs11.dll
       pkcs11-id 'serialized id from --show-pkcs11-ids'
  10. Try to connect with the OpenVPN client. If everything works, a dialog box should pop up asking you for your PIN code.
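
Steps 5 to 9 can be scripted. The PowerShell below is an added example, not part of the original article: the function names, the sample `--show-pkcs11-ids` output, the sample client config and the `EXAMPLE-SERIALIZED-ID` placeholder are all constructed for illustration. It refuses to choose when the token exposes more than one certificate.

```powershell
# Constructed sample of `openvpn --show-pkcs11-ids` output (placeholder values).
$sampleOutput = @'
Certificate
       DN:             CN=vpn-user.example
       Serial:         01
       Serialized id:  EXAMPLE-SERIALIZED-ID
'@

# Constructed client config that still points at certificate and key files.
$sampleConfig = @'
client
remote vpn.example 1194
ca ca.crt
cert client.crt
key client.key
'@

function Get-SerializedId {
    param([string[]]$Lines)
    # Emit the value of every "Serialized id:" line, one per certificate on the token.
    foreach ($line in $Lines) {
        if ($line -match '^\s*Serialized id:\s*(\S.*?)\s*$') { $Matches[1] }
    }
}

function Convert-ToPkcs11Config {
    param([string[]]$ConfigLines, [string]$ProviderPath, [string]$SerializedId)
    # Step 8: comment out cert and key ("key-direction" and "ca" are left alone).
    $kept = foreach ($line in $ConfigLines) {
        if ($line -match '^\s*(cert|key)\s') { "# $line" } else { $line }
    }
    # Step 9: backslashes are doubled as in the article. Assumption of this example:
    # the path is also double-quoted in case it contains spaces; the id is single-quoted.
    $provider = $ProviderPath -replace '\\', '\\'
    @($kept) + ('pkcs11-providers "{0}"' -f $provider) + "pkcs11-id '$SerializedId'"
}

# Real use: $lines = & openvpn --show-pkcs11-ids path\to\opensc-pkcs11.dll
$ids = @(Get-SerializedId -Lines ($sampleOutput -split '\r?\n'))
if ($ids.Count -ne 1) {
    # Several certificates on the token: pick the intended one by hand (step 6).
    throw "Expected exactly one serialized id, found $($ids.Count)"
}
Convert-ToPkcs11Config -ConfigLines ($sampleConfig -split '\r?\n') `
    -ProviderPath 'path\to\opensc-pkcs11.dll' -SerializedId $ids[0]
```

The script writes the rewritten config to the pipeline; review it before saving it over the original file.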