Yubikey + Jumpcloud

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
OpenVpn Newbie
Posts: 1
Joined: Tue Jan 15, 2019 5:59 pm

Yubikey + Jumpcloud

Post by jrobuck » Tue Jan 15, 2019 6:13 pm


A recent requirement has surfaced from my company that we would like to use Yubikey + Jumpcloud + OpenVPN for our VPN needs. I was able to get this working but was curious if there are better solutions.

The set up looks like this:

1. A user opens Tunnelblick on their Mac and has their own crt/key
2. They are prompted for their Jumpcloud username/password
3. After entered we check their user/pass with Jumpcloud using a radius configuration
4. If it is successful I run a post auth script that sends back a challenge for their yubikey
5. Yubikey is returned back to the vpn server and then I use their authenticated uid to look up their client id and secret id in AWS Secrets Manager. Auth to Secrets Manager is handled by a role on the vpn instance
6. Using this python library yubico_client I then validate that everything checks out. If not I modify the return value of authret['status'] to "FAIL"

The things that I like:
1. Management is through AWS Console not SSH/Ansible
2. Low complexity at least from my point of view

The things I don't like:
1. This seems to be slow at least during testing. I am sure a lot of this is from reaching out to an AWS service but even tests with having the keys locally seemed slower than they should have been.
2. It feels like it is a hack and I am hoping there is a better way of doing this.

Any critiques or suggestions are greatly appreciated.

Post Reply