OpenVPN client on Windows with Yubikey and OpenSC
Tested with OpenVPN v2.4.8 64-bit on Windows 10 Pro version 1909.
This article assumes that you already have a working OpenVPN server that authenticates clients with X.509 certificates, i.e. that you have a CA infrastructure in place and that you can already log in to OpenVPN with a file-based certificate and key.
- Download and install OpenVPN
- Download and install OpenSC
- (Optional) If you haven’t installed the VPN certificate on your Yubikey, download and install YubiKey Manager. I have placed my VPN certificate in the Authentication slot.
- Insert your Yubikey containing your VPN certificate into your computer.
- Run the following command to get the serialized id of the certificate on the token:
openvpn --show-pkcs11-ids path\to\opensc-pkcs11.dll
- Convert the PKCS11 id manually if you are using OpenVPN v2.4.8: the id printed by --show-pkcs11-ids (a pkcs11: URI) differs from the serialized format that the pkcs11-id option actually expects when it looks up the certificate.
- Example: My ID looks like this:
pkcs11:model=PKCS%2315%20emulated;token=am;manufacturer=piv_II;serial=12a3e4556598765e;id=%01
- What OpenVPN wants is this:
piv_II/PKCS\x2315\x20emulated/12a3e4556598765e/am/01
- The conversion is done by copying the fields from the serialized id string into the "what OpenVPN wants" layout, which is manufacturer/model/serial/token/id. As we can see, the values of token, serial and id are copied over unchanged (the id is written as hex without the % sign), and the manufacturer and model fields carry over with the URI's %XX percent-escapes written as \xXX.
- Edit your OpenVPN client configuration file and replace the lines that point to your certificate and key file with the PKCS11 key/values.
- Comment out the following lines:
cert
key
- Add the following lines:
pkcs11-providers path\to\opensc-pkcs11.dll
pkcs11-id 'converted serialized id from the previous step'
- Connect with the OpenVPN client. If everything works, a dialog box pops up asking for the PIN of your Yubikey.
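The manual conversion above is easy to get wrong on a token whose fields contain more than one escaped character, so here is an added example (not code from the original article) that does it programmatically: it parses the pkcs11: URI printed by --show-pkcs11-ids, percent-decodes each attribute, and emits the manufacturer/model/serial/token/id layout shown above, with the CKA_ID written as hex. The rule for which bytes are left literal and which become \xHH (letters, digits, "_", "." and "-" literal, everything else escaped) is inferred from the single example on this page and is an assumption; compare the output against a known-good id before relying on it. The helper function names and the sample URI are the author's illustration, not part of OpenVPN or pkcs11-helper.

```python
"""Convert an OpenVPN 2.4.8 --show-pkcs11-ids URI into the legacy pkcs11-id string.

Added example, not part of the original article. The escaping rule in
legacy_escape() is inferred from the page's example and is an assumption.
"""
from urllib.parse import unquote_to_bytes

# Field order of the legacy serialized id: manufacturer/model/serial/token/id
LEGACY_FIELDS = ("manufacturer", "model", "serial", "token")

# ASSUMPTION: bytes in this set are copied literally, all others become \xHH.
SAFE_BYTES = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-")


def parse_pkcs11_uri(uri: str) -> dict:
    """Split a pkcs11: URI into {attribute: raw bytes}, percent-decoding each value."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("expected a string starting with 'pkcs11:'")
    attrs = {}
    for part in uri[len("pkcs11:"):].split(";"):
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed attribute in URI: {part!r}")
        attrs[key] = unquote_to_bytes(value)
    return attrs


def legacy_escape(raw: bytes) -> str:
    """Render a decoded attribute as the \\xHH-escaped form used by the legacy id."""
    return "".join(chr(b) if b in SAFE_BYTES else f"\\x{b:02x}" for b in raw)


def uri_to_legacy_id(uri: str) -> str:
    """Build 'manufacturer/model/serial/token/id' from a pkcs11: URI."""
    attrs = parse_pkcs11_uri(uri)
    missing = [k for k in LEGACY_FIELDS + ("id",) if k not in attrs]
    if missing:
        raise ValueError(f"URI lacks required attribute(s): {', '.join(missing)}")
    parts = [legacy_escape(attrs[k]) for k in LEGACY_FIELDS]
    parts.append(attrs["id"].hex())  # CKA_ID bytes are written as plain hex
    return "/".join(parts)


def client_config_lines(provider_path: str, legacy_id: str) -> str:
    """Return the two PKCS11 directives to drop into the .ovpn file.

    The id is single-quoted, as on the page, so the backslashes reach OpenVPN
    unchanged.
    """
    return f"pkcs11-providers {provider_path}\npkcs11-id '{legacy_id}'\n"


# Constructed sample: the URI from the article, as printed by --show-pkcs11-ids.
EXAMPLE_URI = (
    "pkcs11:model=PKCS%2315%20emulated;token=am;manufacturer=piv_II;"
    "serial=12a3e4556598765e;id=%01"
)

if __name__ == "__main__":
    legacy = uri_to_legacy_id(EXAMPLE_URI)
    print(legacy)
    print(client_config_lines(r"C:\path\to\opensc-pkcs11.dll", legacy), end="")
```

Paste the printed pkcs11-providers and pkcs11-id lines in place of the commented-out cert and key directives. If OpenVPN still reports that it cannot find the certificate, diff the generated id against the raw --show-pkcs11-ids output field by field; a mismatch in the escaped model string is the usual culprit.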