Using an OTP for VPN connections is a pretty cool security concept, but it can be awkward in OpenVPN: the renegotiation stage requires the authentication to succeed again before the renegotiation completes. If you’re using an OTP, that means supplying a fresh OTP every time the tunnel renegotiates, which somewhat breaks the experience.
From version 2.4.3 of OpenVPN onwards this can be avoided by issuing a ‘token’ once the initial authentication has taken place, and using that token for all authentication requests during a renegotiation.
To implement, download my yubikey-auth-tokens script and place it in /etc/openvpn on your OpenVPN server.
Edit the script and add your username and YubiKey ID into the %yubikeys definition. You can change the $tokenstore variable to somewhere that the OpenVPN server can write to. By default, this is /etc/openvpn/jail/token_store.bin
Now add the following to your OpenVPN server configuration file:
auth-user-pass-verify /etc/openvpn/yubikey-auth-tokens via-file
If all goes well, connect using the username and the YubiKey you specified.
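To make the token mechanism concrete, here is an added example (my own illustration in Python, not the post's yubikey-auth-tokens script, which is written in Perl) of the decision logic an auth-user-pass-verify script has to make when OpenVPN hands it the via-file: accept a fresh YubiKey OTP from the key enrolled for that user on first login, issue a random token and remember only its hash, and on later attempts accept that token in place of a new OTP until it expires. The usernames, public IDs, token lifetime and the otp_validator callback are assumptions; the store path is the post's default, and the external OTP validation (YubiCloud or a self-hosted validation server) is left as an injected function so the rest runs offline.

```python
"""Added example (not the post's own yubikey-auth-tokens script): the decision logic an
OpenVPN auth-user-pass-verify script needs to accept a fresh YubiKey OTP on first login
and a server-issued token on renegotiation."""
import hashlib
import hmac
import json
import os
import secrets
import sys
import time

# Constructed mapping of usernames to YubiKey public IDs (the first 12 modhex chars of
# every OTP that key emits). Placeholder values, not real keys.
YUBIKEYS = {
    "alice": "ccccccbcgujh",
    "bob": "cccccccdfjhb",
}

# Path taken from the post; any file the OpenVPN server process can write to works.
TOKEN_STORE = "/etc/openvpn/jail/token_store.bin"
TOKEN_TTL = 12 * 3600  # assumed lifetime of a renegotiation token, in seconds
MODHEX = set("cbdefghijklnrtuv")  # YubiKey OTPs are 44 characters of this alphabet


def is_yubikey_otp(candidate):
    """A YubiKey OTP is exactly 44 modhex characters; anything else is treated as a token."""
    return len(candidate) == 44 and all(c in MODHEX for c in candidate)


def public_id(otp):
    """The first 12 modhex characters identify the key; the rest is the encrypted counter."""
    return otp[:12]


def _digest(token):
    # Only a hash of the token is kept, so a leaked store does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def load_store(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def save_store(path, store):
    # 0600: the store holds live credentials for the whole token lifetime.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(store, fh)


def issue_token(store, username, now):
    token = secrets.token_urlsafe(32)
    store[username] = {"hash": _digest(token), "expires": now + TOKEN_TTL}
    return token


def verify_token(store, username, candidate, now):
    record = store.get(username)
    if record is None or now >= record["expires"]:
        return False
    return hmac.compare_digest(record["hash"], _digest(candidate))


def authenticate(username, password, store, otp_validator, now):
    """Return (accepted, new_token); new_token is set only when a fresh OTP was accepted."""
    if username not in YUBIKEYS:
        return False, None
    if is_yubikey_otp(password):
        # First login: the OTP must come from the key enrolled for this user and be
        # confirmed by the validation service (the replay/counter check happens there).
        if public_id(password) != YUBIKEYS[username]:
            return False, None
        if not otp_validator(password):
            return False, None
        return True, issue_token(store, username, now)
    # Renegotiation: the client presents the token it was handed instead of a new OTP.
    return verify_token(store, username, password, now), None


def parse_credentials(text):
    """via-file format: username on line 1, password on line 2."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("credential file must contain username and password lines")
    return lines[0], lines[1]


def main(argv, otp_validator):
    with open(argv[1]) as fh:
        username, password = parse_credentials(fh.read())
    store = load_store(TOKEN_STORE)
    accepted, token = authenticate(username, password, store, otp_validator, time.time())
    if token is not None:
        save_store(TOKEN_STORE, store)
        # Hand `token` to the client here (OpenVPN 2.4 can push it as `auth-token`).
    return 0 if accepted else 1  # OpenVPN treats exit status 0 as authentication success


if __name__ == "__main__":
    # Fails closed: swap in a real YubiCloud/validation-server check before using this.
    sys.exit(main(sys.argv, lambda otp: False))
```

Two things the code makes visible that the description above glosses over: the token is bound to one username and one expiry, so a token captured from one session cannot be replayed for another user or after its lifetime, and the script still depends on an external OTP validation step, because that is where the YubiKey's counter is checked and a replayed OTP is rejected. The server also has to get the issued token to the client for later renegotiations; OpenVPN 2.4 supports pushing it with the auth-token option, but how the post's script does that is not shown on the page, so this example only issues and verifies tokens.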
Happy VPN’ing 🙂