Simply insert your Yubikey to an USB-slot and connect to your 2FA-VPN.
Windows (experimental, see below)
yubi-oath-vpn /connection=<OpenVPN configuration name> [/slot=user@example.com]
Linux
yubi-oath-vpn --connection=<connection name> [--slot=user@example.com]
Will start the program and connect as soon as the Yubikey is inserted (and not already connected)
If the slot argument is omitted, the first slot is used.
- Extract all files to a single directory in you User directory
- Press
Win+R, typeshell:startup, hit enter. - Right-click inside the folder, select
New>Shortcutand enter the path to the extracted executable (yubi-oath-vpn-win_amd64.exe) - Edit the location and add
/connection <OpenVPN configuration name>to the target
You can locate your OpenVPN configurations in %USERPROFILE%\OpenVPN\config\.
The configurations must have the extension ovpn, use the filename without extension as <OpenVPN configuration name>
Example:
client.ovpn becomes /connection client
- Copy yubi-oath-vpn binary to $HOME/Apps/yubi-oath-vpn, make sure it's executable
- Adjust and copy the file yubi-oath-vpn.service to $HOME/.config/systemd/user/yubi-oath-vpn.service
- Copy yubi-oath-vpn binary to $HOME/Apps/yubi-oath-vpn, make sure it's executable
- Adjust and copy the file yubi-oath-vpn.desktop to $HOME/.config/autostart/yubi-oath-vpn.desktop
- The Yubikey must have a password
- Only works with OpenVPN
- VPN must use tun device
- Must be the only tun device
- VPN must use TOTP
- nmcli is required to bring up the VPN
- Consider the current version experimental
- OpenVPN GUI must be installed
- Make sure you connected at least once manually and save the credentials
- Log files must be written to
%USERPROFILE%\OpenVPN\config - Log files must not be appended to
- Storing passwords must be allowed (this is asked during installation)
- The connection status is currently not checked, thus the connection window is always presented when plugin in the YubiKey
We use Yubikeys for two factor authentication against our VPN. We have a Bash script with similar functionality, but the tools (ykman, yubioath) keep changing and dbus-monitor was behaving differently depending on Linux distribution.
Only tested against one Yubikey 4 and one Yubikey 5 version. It's my first go project. Expect bugs and low code quality. That being said it's in active use for several years on different systems and seems to work just fine.