A Virtual Private Network (VPN) creates a secure, encrypted connection over a less secure network, such as the public internet. It allows users to send and receive data as if their computing devices were directly connected to a private network, thereby providing enhanced security, privacy, and access to restricted resources.

VPN integrations

Integrating a VPN with CryptoHub provides a robust framework for securing the cryptographic keys and certificates that underpin the VPN’s security. This ensures the confidentiality, integrity, and authenticity of the data transmitted over the VPN. VPN integrations handle several important tasks, including:
  • Securing cryptographic keys: Protect the private keys used for VPN authentication and data encryption within a FIPS-validated hardware boundary.
  • Managing the key lifecycle: Automate the generation, rotation, and revocation of cryptographic keys used by VPN gateways and clients.
  • Enforcing security policies: Define and enforce policies for cryptographic operations, ensuring that all VPN connections adhere to organizational security requirements.
  • Authenticating VPN clients: Strengthen client authentication by storing client certificates and keys on a hardware token or a centralized key management server.
  • Simplifying certificate management: Streamline the issuance, renewal, and revocation of digital certificates for VPN infrastructure and users.
  • Centralizing audit and logging: Provide a unified audit trail of all cryptographic operations and key management activities related to the VPN.
  • Offloading cryptographic operations: Move private-key operations (TLS handshake signatures, certificate issuance) from the VPN gateway to a dedicated HSM. This relieves the gateway's CPU and keeps the keys in hardware; it does not by itself shorten individual connection setups, since each private-key operation is a round trip to the HSM, and bulk data-channel encryption still runs on the gateway.

OpenVPN PKCS #11 integration options

This section covers the differences between OpenVPN’s server-side (Access Server) and client-side (Connect) PKCS #11 integrations.

Server-side integration: Access Server + CryptoHub

OpenVPN Access Server can integrate with Futurex CryptoHub to protect the VPN infrastructure’s most sensitive cryptographic material:
  • Server private key – The key that proves the VPN server’s identity
  • Certificate Authority (CA) signing key (optional) – The key used to issue client certificates
Security Benefit: Even if an attacker completely compromises the Access Server host system, they cannot extract the protected private keys. The keys never leave the HSM, and all private-key operations occur within the secure boundary of the CryptoHub device. The limit of this protection is worth stating: while the compromised host still holds an authenticated PKCS #11 session, the attacker can ask the HSM to sign on the host's behalf. The server key cannot be copied and used elsewhere, but a live compromise of the host is not blocked by the HSM alone; the CryptoHub audit log and prompt revocation of the server certificate cover that case.

Client-side integration: OpenVPN Connect v3.3+ + CryptoHub

OpenVPN Connect (the client application) can integrate with CryptoHub's PKCS #11 library to protect individual user credentials:
  • Client certificate private key – The key that authenticates the user to the VPN
Security Benefit: Even if a user's laptop is compromised by malware, the attacker cannot extract the VPN credentials to use elsewhere. The private key remains on the hardware token, and signing with it requires possession of the token plus PIN entry. As on any PKCS #11 client, malware on an endpoint whose session is already logged in can still request signatures through that session, so the gain is that the key cannot be copied off the device, not that every use from a compromised endpoint is prevented.

Key differences and independence

| Characteristic | Access Server + CryptoHub | Connect v3.3+ + CryptoHub |
|---|---|---|
| What's protected | Access Server's key server.key and (optionally) CA signing key ca.key | Client's key futurex-private.key |
| Deployment scope | Single deployment protecting centralized infrastructure | Per-user deployment on individual devices |
| Primary threat | Server compromise exposing infrastructure keys | Endpoint compromise exposing user credentials |
| Connection impact | Transparent to all connecting clients | CryptoHub FxPKCS11 library must be present in the correct directory and linked in Connect v3.3+ before the connection |
| What is given to the Connect client application | Client .ovpn file; client P12 file (client private key + certificate bundle) | Client .ovpn file; Futurex PKCS #11 module (fxpkcs11.dll on Windows, libfxpkcs11.dylib on Mac) |

Common use cases

  1. Server-side only (Most Common)
    • Implementation: Access Server integrated with CryptoHub via PKCS #11
    • Client Authentication: OpenVPN Connect with .ovpn file and client P12 file
    • Ideal for: Organizations that need to meet compliance requirements for protecting infrastructure keys (PCI DSS, FIPS 140-2, etc.), but have acceptable risk tolerance for standard client authentication
  2. Client-side only
    • Implementation: Standard Access Server with CryptoHub-backed client keys via PKCS #11
    • Client Authentication: OpenVPN Connect with .ovpn file and CryptoHub PKCS #11 library (Windows: fxpkcs11.dll or Mac: libfxpkcs11.dylib)
    • Ideal for: Organizations that require hardware-backed client authentication (e.g., high-security environments, zero-trust architectures) but have acceptable risk tolerance for standard server key management
  3. Defense in Depth (Maximum security)
    • Implementation: Access Server integrated with CryptoHub and CryptoHub-backed client keys accessible via PKCS #11
    • Client Authentication: OpenVPN Connect with .ovpn file and CryptoHub PKCS #11 library (Windows: fxpkcs11.dll or Mac: libfxpkcs11.dylib)
    • Ideal for: Organizations with the highest security requirements where both server and client private keys must be hardware-protected (defense, finance, critical infrastructure)
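The three use cases above differ only in what the client profile carries: a P12 bundle (software key) or a reference to the FxPKCS11 module (hardware-backed key). The following script is an added example, not code from this page, Futurex or the OpenVPN project. It parses an .ovpn client profile and reports which credential path it uses, flagging profiles that still carry an extractable software key next to a PKCS #11 reference, or that name a provider other than the Futurex module. It assumes the OpenVPN directive names `pkcs11-providers`, `pkcs11-id`, `pkcs11-id-management`, `pkcs12` and `key` (with their inline `<key>`/`<pkcs12>` forms); the sample profiles, host names, library paths, PEM bodies and `pkcs11-id` strings are constructed placeholders.

```python
"""Classify an OpenVPN client profile (.ovpn) by how it supplies the client key.

Added example, not Futurex or OpenVPN project code. Sample profiles, paths,
ids and PEM bodies are constructed placeholders.
"""
import re

# Platform file names of the Futurex PKCS #11 module named in the text.
FX_MODULES = {"fxpkcs11.dll", "libfxpkcs11.dylib"}

# Directives / inline blocks that carry a software-held private key.
SOFTWARE_KEY_SOURCES = {"key", "pkcs12"}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # quoted argument or bare word


def parse_profile(text):
    """Split a profile into (directives, inline_blocks).

    directives maps a directive name to a list of argument lists (directives
    such as remote or pkcs11-providers may repeat). inline_blocks is the set
    of <tag>...</tag> names seen; their PEM/base64 payload is not parsed.
    """
    directives, inline_blocks, open_tag = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if open_tag:
            if line == "</%s>" % open_tag:
                open_tag = None
            continue
        if not line or line[0] in "#;":  # blank or comment line
            continue
        m = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if m:
            open_tag = m.group(1)
            inline_blocks.add(open_tag)
            continue
        tokens = [t.strip('"') for t in TOKEN_RE.findall(line)]
        directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives, inline_blocks


def classify_profile(text):
    """Return the credential mode of a profile plus deployer-facing findings.

    mode: "hardware-backed" (PKCS #11 only), "software-key" (P12/PEM only),
    "mixed" (both present) or "no-client-key".
    """
    directives, inline = parse_profile(text)
    findings = []
    providers = [a[0] for a in directives.get("pkcs11-providers", []) if a]
    has_id = "pkcs11-id" in directives or "pkcs11-id-management" in directives
    uses_pkcs11 = bool(providers) and has_id
    software = SOFTWARE_KEY_SOURCES & (set(directives) | inline)

    if providers and not has_id:
        findings.append("pkcs11-providers set but neither pkcs11-id nor "
                        "pkcs11-id-management given; OpenVPN rejects this")
    # Basename check works for both Windows and POSIX separators.
    unknown = [p for p in providers
               if re.split(r"[\\/]", p)[-1] not in FX_MODULES]
    for p in unknown:
        findings.append("pkcs11-providers names %r, not the FxPKCS11 module" % p)

    if uses_pkcs11 and software:
        mode = "mixed"
        findings.append("profile still carries a software key (%s); that key "
                        "is extractable from the endpoint" % ", ".join(sorted(software)))
    elif uses_pkcs11:
        mode = "hardware-backed"
    elif software:
        mode = "software-key"
    else:
        mode = "no-client-key"
    return {"mode": mode, "providers": providers,
            "unknown_providers": unknown, "findings": findings}


# Constructed sample profiles (placeholder host, paths, ids and PEM bodies).
COMMON_HEADER = """\
client
dev tun
proto udp
remote vpn.example.com 1194
# CA certificate (placeholder body)
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
</ca>
"""
SOFTWARE_PROFILE = COMMON_HEADER + "pkcs12 client.p12\n"  # use case 1
HARDWARE_PROFILE = COMMON_HEADER + """\
pkcs11-providers "C:\\Program Files\\Futurex\\fxpkcs11.dll"
pkcs11-id "pkcs11:token=CryptoHub;id=%01"
"""  # use cases 2 and 3 (placeholder id)
MIXED_PROFILE = HARDWARE_PROFILE + (
    "<key>\n-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n"
    "-----END PRIVATE KEY-----\n</key>\n")  # misconfiguration

if __name__ == "__main__":
    for name, profile in [("software", SOFTWARE_PROFILE),
                          ("hardware", HARDWARE_PROFILE),
                          ("mixed", MIXED_PROFILE)]:
        result = classify_profile(profile)
        print(name, result["mode"], result["findings"])
```

The value for `pkcs11-id` is taken from `openvpn --show-pkcs11-ids <provider>` run on a machine that can load the module. A profile the script reports as hardware-backed still depends on the FxPKCS11 library being present at the path named in `pkcs11-providers` on each endpoint, which a static check of the profile cannot confirm.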

Integrations

The following guide provides step-by-step instructions and best practices for integrating CryptoHub with your VPN infrastructure: OpenVPN Access Server