I am currently setting up OpenVPN to provide company access to multiple clients. Our requirement is to use certificates, password protect the client keys, as well as using dual factor (MFA) authentication per client.
I have a bunch of Fortinet FortiToken 200 tokens lying around that I would like to use, but I can't find any information that shows how to use these tokens with something like OpenVPN. After looking around some more, I can't find any information that shows how one can use a physical token with OpenVPN either.
So my question is, how can I use a physical token with OpenVPN? I can't use something like Google Authenticator since we plan to have clients VPN in via their smartphones also. The OpenVPN PKCS#11 how-to documentation is very poorly written.
I'm starting to believe that if MFA is a requirement, OpenVPN is simply not a viable option at this point in time.
Thanks for your help.
Basically:
openvpn --show-pkcs11-ids /path/to/pkcs11/driver.so
In your config file, specify the module and the serialized id for your key from the
--show-pkcs11-ids
output, e.g.:
pkcs11-providers /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
pkcs11-id Gnome\x20Keyring/1\x2E0/1\x3AUSER\x3ADEFAULT/Gnome2\x20Key\x20Storage/417AEDAAB81FEF6AEBD1EC43D76A630CAAA4722A
(Make sure to escape any backslashes in the pkcs11-id, e.g.
Gnome\x20Keyring
becomes
Gnome\\x20Keyring
.)