Connecting to a VPN via YubiKey on Ubuntu
Not long ago I ran into the problem of connecting to a VPN using a hardware USB token. I was given instructions, but they turned out to be relevant only for Windows, and my laptop runs Ubuntu.
It took a fair amount of time and a certain number of nerve cells before I managed to connect to the server. So if you find yourself in a similar situation, my experience may help you.
So, the initial data:
USB token with pre-installed certificates
Connection configuration file with the extension .visz (these are generated by Velocity, the VPN client for Windows and macOS)
Ubuntu 22.04 on the client (my) computer
What specific questions arose:
How to use the provided configuration to connect?
How can I enable the system to see smart cards?
How to actually connect to a VPN?
In reality, I solved them in exactly that order, but it is easier to go a slightly different way: first install the drivers for the hardware key, and only then set up the connection.
Installing libraries
We will need several libraries to work with tokens:
sudo apt update
sudo apt install opensc opensc-pkcs11 pcscd
opensc, opensc-pkcs11: a set of libraries and utilities for accessing smart cards and tokens
pcscd: resource manager that coordinates communication with tokens or smart card readers
Next, install openvpn:
sudo apt-get install openvpn
Checking if everything works
Let’s find out the ID of the container in which the key and certificate are stored on the smart card:
openvpn --show-pkcs11-ids
Copy the Serialized id of the certificate we need.
If openvpn --show-pkcs11-ids says that there are no slots, check the smart card connection:
opensc-tool -l
If the answer is that the card is missing, check whether the pcscd daemon is running:
sudo service pcscd status
and enable it if necessary:
sudo service pcscd start
Setting up openvpn configuration
The next step is to return to the configuration provided to us (.visz).
Unpack it as a .tar.gz into a suitable folder and open the file config.conf.
Replace {path} in the line pkcs11-providers {path}:
pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Add the following line:
pkcs11-id '{Serialized id from the previous step}'
Save the file.
Let’s connect
sudo openvpn --config config.conf
Enter your pin when prompted. That’s it, we’re online.
Note
A logical step would be to run pcscd as a service:
sudo systemctl enable pcscd
But then Ubuntu brings in smart card login, which I didn’t need. There is probably a way around this, but I solved the problem with a simple alias in .bash_aliases, which I run whenever I want to connect to the VPN.
.bash_aliases
alias vpn="cd ~/.vpn; sudo service pcscd start; sudo openvpn --config config.conf"
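As an added example (not from the original post), the same procedure collected into one POSIX shell script: it pulls the Serialized id out of `openvpn --show-pkcs11-ids`, patches config.conf as described above, starts pcscd if it is not running, and connects. The function names, the default path ~/.vpn/config.conf and the sample output shown in the comments are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Expected --show-pkcs11-ids output (format from openvpn, values constructed):
#   Certificate
#          DN:             CN=constructed-user
#          Serial:         01
#          Serialized id:  Constructed\x20Token/PKCS\x2315/0123456789/vpn-user/01

PKCS11_MODULE=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

# Print the first "Serialized id:" value from --show-pkcs11-ids output on stdin.
# Exits non-zero when no certificate object is listed (e.g. pcscd not running).
serialized_id() {
    sed -n 's/^[[:space:]]*Serialized id:[[:space:]]*//p' | head -n 1 | grep .
}

# Rewrite config.conf ($1): set the pkcs11-providers path and add pkcs11-id ($2).
# Any existing pkcs11-id line is dropped first so the function is idempotent.
patch_config() {
    conf=$1; id=$2
    sed -i \
        -e "s|^pkcs11-providers .*|pkcs11-providers $PKCS11_MODULE|" \
        -e '/^pkcs11-id /d' "$conf"
    printf "pkcs11-id '%s'\n" "$id" >> "$conf"
}

# Glue for the real workflow (assumed helper): pcscd up, id from token,
# config patched, then connect. Prompts for the token PIN like the post.
vpn_connect() {
    conf=${1:-$HOME/.vpn/config.conf}
    sudo service pcscd status >/dev/null 2>&1 || sudo service pcscd start
    id=$(openvpn --show-pkcs11-ids | serialized_id) || {
        echo "no PKCS#11 objects found; check opensc-tool -l and pcscd" >&2
        return 1
    }
    patch_config "$conf" "$id"
    sudo openvpn --config "$conf"
}
```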
PS Some materials I relied on when searching for a solution: