OpenVPN OTP with a Yubikey

Using a OTP for VPN connections is a pretty cool security concept. It can be a little difficult in OpenVPN as the renegotiation stage requires an auth to succeed for the renegotiation to complete. If you’re using a OTP, you have to supply a new OTP – somewhat breaking the experience.

From version 2.4.3 of OpenVPN onwards, this is now possible using a ‘token’ after the initial auth takes place – and using the new token for all auth requirements during a renegotiation.

I wrote a script to use with OpenVPN that uses tokens to allow using a Yubikey using YubiCloud OTP auth – without using PAM or any other complex authentication system.

To implement, download my yubikey-auth-tokens script and place it in /etc/openvpn on your OpenVPN server.

Edit the script and add your username and YubiKey ID into the %yubikeys definition. You can change the $tokenstore variable to somewhere that the OpenVPN server can write to. By default, this is /etc/openvpn/jail/token_store.bin

Now add the following to your OpenVPN server configuration file:
script-security 2
client-connect /etc/openvpn/yubikey-auth-tokens
client-disconnect /etc/openvpn/yubikey-auth-tokens
auth-user-pass-verify /etc/openvpn/yubikey-auth-tokens via-file
client-cert-not-required

If all goes well, use the username and YubiKey specified to connect.

Happy VPN’ing 🙂

Revised 2018-02-17
Rob Johnson has graciously dug further into the YubiOTP API documentation and found that “the API can do more thorough validation using the secret key. I’ve added a nonce, signature and various other aspects to validate that the response came from Yubico and is current.”. I have updated the script with his revised version. Thanks Rob!