OpenVPN OTP with a Yubikey
Using an OTP for VPN connections is a pretty cool security concept. It can be a little difficult in OpenVPN, as the renegotiation stage requires an auth to succeed for the renegotiation to complete. If you’re using an OTP, you have to supply a new OTP at each renegotiation, somewhat breaking the experience.
From version 2.4.3 of OpenVPN onwards, this is now possible by using a ‘token’ issued after the initial auth takes place, and using that token for all auth requirements during a renegotiation.
I wrote a script to use with OpenVPN that uses tokens to allow using a Yubikey using YubiCloud OTP auth - without using PAM or any other complex authentication system.
To implement, download my yubikey-auth-tokens script and place it in /etc/openvpn on your OpenVPN server.
Edit the script and add your username and YubiKey ID into the %yubikeys definition. You can change the $tokenstore variable to somewhere that the OpenVPN server can write to. By default, this is /etc/openvpn/jail/token_store.bin.
Now add the following to your OpenVPN server configuration file:
script-security 2
client-connect /etc/openvpn/yubikey-auth-tokens
client-disconnect /etc/openvpn/yubikey-auth-tokens
auth-user-pass-verify /etc/openvpn/yubikey-auth-tokens via-file
client-cert-not-required
If all goes well, use the username and YubiKey specified to connect.
Happy VPN’ing :)
Revised 2018-02-17: Rob Johnson has graciously dug further into the YubiOTP API documentation and found that “the API can do more thorough validation using the secret key. I’ve added a nonce, signature and various other aspects to validate that the response came from Yubico and is current.” I have updated the script with his revised version. Thanks Rob!
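The response checks mentioned in the revision note can be sketched as follows. This is an added example, not the yubikey-auth-tokens script's own code (which is not shown on this page); it follows the signing rule in Yubico's validation protocol documentation (HMAC-SHA1 over the sorted key=value pairs), and the function names, API key, OTP and response are constructed for illustration.

```python
import base64, hashlib, hmac

def sign(params, api_key_b64):
    """HMAC-SHA1 over the sorted key=value pairs joined with '&', base64-encoded."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params))
    key = base64.b64decode(api_key_b64)
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()

def parse_response(body):
    """Parse the key=value lines of a verification response into a dict."""
    pairs = (line.split("=", 1) for line in body.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def check_response(body, otp, nonce, api_key_b64, expected_id):
    """Return 'OK', or the reason the response must be rejected (hypothetical helper)."""
    r = parse_response(body)
    sig = r.pop("h", "")                      # signature covers every field except h
    if not hmac.compare_digest(sig, sign(r, api_key_b64)):
        return "bad signature"                # trust no field before this passes
    if r.get("otp") != otp or r.get("nonce") != nonce:
        return "otp/nonce mismatch"           # response belongs to another request
    if r.get("status") != "OK":
        return "status " + r.get("status", "missing")
    if otp[:-32] != expected_id:              # public ID precedes the 32-char OTP part
        return "wrong yubikey"
    return "OK"

# Constructed sample data: not a real API key, OTP or Yubico response.
API_KEY = base64.b64encode(b"constructed-demo-key").decode()
OTP = "cccccccfhcbe" + "i" * 32
NONCE = "a1b2c3d4e5f6a7b8c9d0"

def sample_response(status="OK"):
    """Build a signed response body the way the validation server would."""
    fields = {"otp": OTP, "nonce": NONCE, "status": status,
              "t": "2018-02-17T12:00:00Z0123", "sl": "100"}
    lines = [f"{k}={v}" for k, v in fields.items()] + ["h=" + sign(fields, API_KEY)]
    return "\r\n".join(lines)

if __name__ == "__main__":
    print(check_response(sample_response(), OTP, NONCE, API_KEY, "cccccccfhcbe"))
```

Checking the signature before any other field means a response altered in transit is rejected before its status line is read.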