OpenVPN OTP with a Yubikey

Using a OTP for VPN connections is a pretty cool security concept. It can be a little difficult in OpenVPN as the renegotiation stage requires an auth to succeed for the renegotiation to complete. If you’re using a OTP, you have to supply a new OTP – somewhat breaking the experience.

From version 2.4.3 of OpenVPN onwards, this is now possible using a ‘token’ after the initial auth takes place – and using the new token for all auth requirements during a renegotiation.

I wrote a script to use with OpenVPN that uses tokens to allow using a Yubikey using YubiCloud OTP auth – without using PAM or any other complex authentication system.

To implement, download my yubikey-auth-tokens script and place it in /etc/openvpn on your OpenVPN server.

Edit the script and add your username and YubiKey ID into the %yubikeys definition. You can change the $tokenstore variable to somewhere that the OpenVPN server can write to. By default, this is /etc/openvpn/jail/token_store.bin

Now add the following to your OpenVPN server configuration file:

script-security 2
client-connect /etc/openvpn/yubikey-auth-tokens
client-disconnect /etc/openvpn/yubikey-auth-tokens
auth-user-pass-verify /etc/openvpn/yubikey-auth-tokens via-file
client-cert-not-required

If all goes well, use the username and YubiKey specified to connect.

Happy VPN’ing 🙂