OpenVPN client on Windows with Yubikey and OpenSC

OpenVPN+Yubikey+OpenSC

Tested with OpenVPN v2.4.8 64-bit on Windows 10 Pro build 1909.

This article assumes that you already have a working OpenVPN server that uses X.509 certificates, i.e. that you have a CA infrastructure in place and that you can login to OpenVPN using your X.509 certificate.

  1. Download and install OpenVPN
  2. Download and install OpenSC
  3. (Optional) If you haven't installed the VPN certificate on your Yubikey, download and install YubiKey Manager. I have placed my VPN certificate in the Authentication slot.
  4. Insert your Yubikey containing your VPN certificate into your computer.
  5. Run the following command to get your serialized id:
    openvpn --show-pkcs11-ids path\to\opensc-pkcs11.dll
  6. Convert the PKCS11 ID manually if using OpenVPN v2.4.8 - the ID generated differs from what OpenVPN actually wants when looking for the certificate.
  7. Example: My ID looks like this: pkcs11:model=PKCS%2315%20emulated;token=am;manufacturer=piv_II;serial=12a3e4556598765e;id=%01
  8. What OpenVPN wants is this: piv_II/PKCS\x2315\x20emulated/12a3e4556598765e/am/01
    • The conversion can be done by replacing/copying information from the serialized id string to the “what OpenVPN wants” string. As we can see the value of the token, the serial and the id are copied.
  9. Edit your OpenVPN client configuration file that points to your certificate and key and replace it with key/values for PKCS11.
  10. Comment out the following lines:
    cert and key
  11. Add the following lines:
    pkcs11-providers path\to\opensc-pkcs11.dll
    pkcs11-id 'serialized id from --show-pkcs11-ids'
  12. Try to connect with the OpenVPN client, if everything works a dialog box should pop up asking you for your PIN-code.