Connecting to a VPN via YubiKey on Ubuntu

Not long ago I encountered the problem of connecting to a VPN using a hardware USB token. I was provided with instructions, but it turned out that they were only relevant for Windows, and I have Ubuntu on my laptop.

Before I was able to connect to the server successfully, a considerable amount of time and a certain number of nerve cells were spent. So, if you find yourself in a similar situation, my experience may help you.

So, the initial data:

  • USB token with pre-installed certificates

  • Connection configuration file with the extension .visz (these are generated by Velocity, the VPN client for Windows and macOS)

  • Ubuntu 22.04 on the client (my) computer

What specific questions arose:

  1. How to use the provided configuration to connect?

  2. How can I enable the system to see smart cards?

  3. How to actually connect to a VPN?

In reality, I solved them in exactly that order, but it is easier to go a little differently: first install the drivers for the hardware key, and only then set up the connection.

Installing libraries

We will need several libraries to work with tokens:

sudo apt update
sudo apt install opensc opensc-pkcs11 pcscd

  • opensc, opensc-pkcs11: a set of libraries and utilities for accessing smart cards and tokens; opensc-pkcs11 provides the PKCS#11 module (opensc-pkcs11.so) that openvpn will load

  • pcscd: the PC/SC daemon, a resource manager that coordinates communication with tokens and smart card readers

Next, install openvpn:

sudo apt-get install openvpn

Checking if everything works

Let's find out the ID of the object (key and certificate) stored on the smart card:

openvpn --show-pkcs11-ids

Copy the Serialized id of the certificate we need.

If openvpn --show-pkcs11-ids reports that there are no slots, check that the smart card is actually detected:

opensc-tool -l

If the answer is that no card is present, check whether the pcscd daemon is running:

sudo service pcscd status

and enable it if necessary:

sudo service pcscd start

Setting up openvpn configuration

The next step is to return to the configuration file we were given (.visz).

Unpack it as a .tar.gz into a suitable folder and open the file config.conf.

Replace {path} in the line pkcs11-providers {path} with the path of the OpenSC PKCS#11 module:

pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Add the following line (the value must be in single quotes, exactly as openvpn --show-pkcs11-ids prints it):

pkcs11-id '{Serialized id from the previous step}'

Save the file.

Let’s connect

sudo openvpn --config config.conf

Enter your PIN when prompted. That's it, we're online.
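The two manual steps above (copying the Serialized id and editing config.conf) can be scripted. This is an added helper, not code from the original post; the function names and the sample openvpn output it runs on are assumptions, constructed so the script can be tried without a token.

```shell
#!/usr/bin/env bash
# Added helper (not from the original post). Picks the "Serialized id" out of
# the output of `openvpn --show-pkcs11-ids` and patches config.conf with the
# OpenSC module path and that id. Sample data below is constructed.
set -eu

PKCS11_MODULE=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so   # path used in the post

# Print the Serialized id of the first certificate whose DN contains $2
# (empty $2 = first certificate). $1 = file holding --show-pkcs11-ids output.
extract_pkcs11_id() {
    awk -v want="${2:-}" '
        /^Certificate/                  { dn = "" }
        /^[[:space:]]*DN:/              { sub(/^[[:space:]]*DN:[[:space:]]*/, ""); dn = $0 }
        /^[[:space:]]*Serialized id:/   {
            sub(/^[[:space:]]*Serialized id:[[:space:]]*/, "")
            if (want == "" || index(dn, want) > 0) { print; exit }
        }' "$1"
}

# Replace the {path} placeholder and leave exactly one pkcs11-id line in $1.
patch_config() {
    local conf="$1" module="$2" id="$3"
    [ -n "$id" ] || { echo "no matching certificate on the token" >&2; return 1; }
    [ -r "$module" ] || echo "warning: PKCS#11 module not found at $module" >&2
    sed -i -e '/^pkcs11-id /d' \
           -e "s#^pkcs11-providers .*#pkcs11-providers ${module}#" "$conf"
    printf "pkcs11-id '%s'\n" "$id" >> "$conf"   # single quotes, as openvpn asks
}

# Offline demo on constructed data; prints the path of the patched config.
demo() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/ids.txt" <<'EOF'
The following objects are available for use.
Certificate
       DN:             CN=Alice Example, O=Example Corp
       Serial:         1234
       Serialized id:  OpenSC\x20Project/PKCS\x2315\x20emulated/0123456789/PIV_II/01
EOF
    printf 'client\ndev tun\npkcs11-providers {path}\n' > "$dir/config.conf"
    local id; id=$(extract_pkcs11_id "$dir/ids.txt" "Alice")
    patch_config "$dir/config.conf" "$PKCS11_MODULE" "$id"
    echo "$dir/config.conf"
}
```

On a real machine, replace the constructed ids.txt with `openvpn --show-pkcs11-ids > ids.txt` and point patch_config at the unpacked config.conf.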

Note

A logical step would be to have pcscd start automatically as a service:

sudo systemctl enable pcscd

But Ubuntu then includes smart card login, which I didn't need. Perhaps there is some way to get around this point, but I solved the problem with a simple command in .bash_aliases, which I run whenever I want to connect to the VPN.

.bash_aliases
alias vpn="cd ~/.vpn; sudo service pcscd start; sudo openvpn --config config.conf"

P.S. Some materials I relied on when searching for a solution:
