Many people have used OpenVPN for a simple and effective VPN solution, but did you know that you can use it for real two-factor VPN authentication? How you do that depends on the two-factor solution you are using. There is support for PKCS11 token stores, and Windows CAPI, with patches submitted for OS X’s Keychain. In order to get the OS X patch into the testing/stable branch of OpenVPN, it needs more testers though (please help!). So, if your token supports one of the above, and most do, you can use OpenVPN as a (relatively) inexpensive two-factor VPN. The tokens are still rather expensive however 🙁

To use the CAPI functionality, add cryptoapicert "thumbprint" to the client's command line or configuration file.

To use the KeyChain functionality, add keychaincert "thumbprint" to your configuration file or command line.

In both cases, thumbprint needs to be in quotes and is the MD5 or SHA1 hash of the certificate to use.
ex. "MD5: f8 72 98…."

To use the PKCS11 functionality, you use two options:
pkcs11-providers /usr/lib/pkcs11/ (or other path to the pkcs11 library)
and
pkcs11-id 'serialized id'
Where serialized id is a unique serial number that you can find by using the "openvpn --show-pkcs11-ids /usr/lib/pkcs11/" command.

You’re now all set up to use two-factor authentication with OpenVPN on multiple operating systems. OpenVPN has more detailed information on the PKCS11 functionality at the HOWTO.
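As an added example (not from the original post or the OpenVPN project), the small POSIX shell helper below ties the CAPI/KeyChain thumbprint step and the PKCS11 step together: it turns an openssl fingerprint line into the "MD5: f8 72 98 ..." thumbprint form the post uses, pulls serialized ids out of an --show-pkcs11-ids listing, and writes the matching client configuration lines with the right quoting (double quotes for the thumbprint, single quotes for the serialized id). The sample listing, the token name, the provider library path and the "Serialized id:" label it parses are assumptions made for the example; check the label against what your own openvpn build prints.

```shell
#!/bin/sh
# Example helper for the two-factor client options described in the post.
# Assumptions (constructed for this example, not taken from the post):
#  - `openssl x509 -noout -fingerprint -md5 -in cert.pem` prints a line like
#    "MD5 Fingerprint=F8:72:98:..."
#  - `openvpn --show-pkcs11-ids <lib>` labels each usable object with
#    "Serialized id:" followed by the id to quote.

# Turn an openssl fingerprint line into the post's thumbprint form:
# algorithm, colon, lowercase hex pairs separated by spaces.
thumbprint_from_fingerprint() {
    algo=$(printf '%s\n' "$1" | sed -n 's/^\([A-Za-z0-9]*\) Fingerprint=.*/\1/p')
    hex=$(printf '%s\n' "$1" | sed -n 's/^[A-Za-z0-9]* Fingerprint=\(.*\)$/\1/p' \
          | tr 'A-F:' 'a-f ')
    [ -n "$algo" ] && [ -n "$hex" ] || return 1
    printf '%s: %s\n' "$algo" "$hex"
}

# Accept only the MD5/SHA1 thumbprint shape before writing it to a config,
# so a stray openssl header or an empty string never ends up in the file.
validate_thumbprint() {
    printf '%s\n' "$1" | grep -Eq '^(MD5|SHA1): ([0-9a-f]{2} )+[0-9a-f]{2}$'
}

# Read a --show-pkcs11-ids listing on stdin, print one serialized id per line.
pkcs11_ids_from_listing() {
    sed -n 's/^[[:space:]]*Serialized id:[[:space:]]*//p'
}

# Emit client config lines.  $1 = capi|keychain|pkcs11,
# $2 = thumbprint or serialized id, $3 = provider library (pkcs11 only).
emit_2fa_config() {
    case "$1" in
        capi|keychain)
            validate_thumbprint "$2" || { echo "bad thumbprint: $2" >&2; return 1; }
            if [ "$1" = capi ]; then
                printf 'cryptoapicert "%s"\n' "$2"
            else
                printf 'keychaincert "%s"\n' "$2"
            fi ;;
        pkcs11)
            [ -n "$3" ] || { echo "pkcs11 needs a provider library path" >&2; return 1; }
            printf 'pkcs11-providers %s\n' "$3"
            # the post's point: the serialized id goes in single quotes
            printf "pkcs11-id '%s'\n" "$2" ;;
        *)
            echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Constructed sample of an --show-pkcs11-ids listing (assumed shape, not real output).
SAMPLE_LISTING='The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             /CN=alice
       Serial:         01
       Serialized id:  EXAMPLE-TOKEN/alice/01'

# Demo: run `sh thisfile.sh demo` to print a PKCS11 and a CAPI config fragment.
if [ "${1:-}" = demo ]; then
    id=$(printf '%s\n' "$SAMPLE_LISTING" | pkcs11_ids_from_listing | head -n 1)
    emit_2fa_config pkcs11 "$id" /usr/lib/pkcs11/opensc-pkcs11.so
    tp=$(thumbprint_from_fingerprint 'MD5 Fingerprint=F8:72:98:AB:CD:EF')
    emit_2fa_config capi "$tp"
fi
```

In real use, replace SAMPLE_LISTING with `openvpn --show-pkcs11-ids /path/to/lib | pkcs11_ids_from_listing` and feed `openssl x509 -noout -fingerprint -md5 -in client.crt` into thumbprint_from_fingerprint; the validation step is what keeps a mis-pasted fingerprint from silently producing a config that selects no certificate.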
