Netgate Discussion Forum
    Failed to import profile with Yubikey 5 for key storage

    OpenVPN
    johnvirg (last edited by johnvirg)

      I am using a pfSense server as a VPN endpoint. The pfSense is the CA and issued the cert and key for the user account. If I import the config with certs and keys, everything works perfectly. Windows OpenVPN Connect v3.3.6 by the way.

      I set up a Yubikey 5 NFC to store the cert/key pair exported from the pfSense user account. I successfully imported it onto the Yubikey under PIV.

      I am able to see the token and authenticate with a pin as expected. It seems to show the cert as the first item on the key.

      Everything looks right. I export the .ovpn and try to import it. Based on the OpenVPN Connect instructions (https://openvpn.net/vpn-server-resources/support-of-pkcs11-physical-tokens-for-openvpn-connect/), it should prompt me to locate the cert/key upon import. It does not. It just gives me this:

      [image attachment from the original post]

      It looks like it's trying to find it on my local computer and never asks me where to look. Is there a setting somewhere or an ovpn config line I am missing (that pfSense is failing to create)? The redacted ovpn is below. Thanks for any help on this.

      dev tun
      persist-tun
      persist-key
      data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
      data-ciphers-fallback AES-256-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote ********** 1194 udp4
      setenv opt block-outside-dns
      lport 0
      verify-x509-name "**********" name
      pkcs12 ********************.p12
      tls-auth ********************-tls.key 1
      remote-cert-tls server
      explicit-exit-notify
      
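An added example, not part of the original post and not code from pfSense or OpenVPN: a small checker that reads an .ovpn profile and reports where the client is told to find its certificate and private key. In OpenVPN's own directive set, `pkcs12`, `cert` and `key` name files on the local disk, `<cert>`/`<key>`/`<pkcs12>` blocks embed the material inline, and `pkcs11-id` / `pkcs11-providers` (or `cryptoapicert` on Windows) hand the private-key operation to a token or OS keystore. Running it over a profile like the one above shows at a glance that it still references a local .p12 file, which is consistent with the client looking for the credential on disk instead of on the token. The sample profile is a constructed copy of the redacted one with placeholder hostnames and file names.

```python
"""Report where an OpenVPN client profile expects its certificate and private key."""
from __future__ import annotations

import re

# Constructed sample: the redacted profile from the post with placeholder values.
SAMPLE_PROFILE = """\
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote vpn.example.invalid 1194 udp4
setenv opt block-outside-dns
lport 0
verify-x509-name "vpn.example.invalid" name
pkcs12 REDACTED-client.p12
tls-auth REDACTED-tls.key 1
remote-cert-tls server
explicit-exit-notify
"""

# Directives that point at credential files on the local disk.
FILE_DIRECTIVES = {"pkcs12", "cert", "key"}
# Directives that delegate the private key to a hardware token or OS keystore.
TOKEN_DIRECTIVES = {"pkcs11-id", "pkcs11-providers", "cryptoapicert"}
# Inline credential blocks such as <cert>...</cert>.
INLINE_BLOCK_RE = re.compile(r"<(pkcs12|cert|key)>.*?</\1>", re.S)


def parse_directives(profile: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs, skipping comments and inline blocks."""
    body = INLINE_BLOCK_RE.sub("", profile)
    out: list[tuple[str, list[str]]] = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def credential_source(profile: str) -> dict:
    """Classify a profile as 'token', 'file', 'inline' or 'none' and list the evidence."""
    directives = parse_directives(profile)
    # Match on the first word only, so persist-key or tls-auth ...-tls.key do not count.
    file_refs = [f"{d} {' '.join(a)}" for d, a in directives if d in FILE_DIRECTIVES]
    token_refs = [f"{d} {' '.join(a)}" for d, a in directives if d in TOKEN_DIRECTIVES]
    inline_blocks = sorted(set(INLINE_BLOCK_RE.findall(profile)))
    if token_refs:
        source = "token"
    elif file_refs:
        source = "file"
    elif inline_blocks:
        source = "inline"
    else:
        source = "none"
    return {
        "source": source,
        "file_refs": file_refs,
        "token_refs": token_refs,
        "inline_blocks": inline_blocks,
    }


if __name__ == "__main__":
    report = credential_source(SAMPLE_PROFILE)
    print(f"credential source: {report['source']}")
    for ref in report["file_refs"] + report["token_refs"]:
        print(f"  {ref}")
```

A profile that comes back as "file" will make the client open the named .p12 on the local machine regardless of which token is plugged in; one that reports "token" names the PKCS#11 object instead. Which of those forms a given client build accepts, and whether it prompts when no credential directive is present, is a question for that client's documentation rather than for this checker.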
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.