*Result*: OpenVPN TLS-Crypt-V2 Key Wrapping with Hardware Security Modules
*Further Information*
*The control channel protection of OpenVPN using the tls-crypt-v2 mechanism provides, among other things, post-quantum security of the VPN tunnel. With tls-crypt-v2, a user sends a wrapped, pre-shared client key to the server when establishing a tunnel. If the server wrapping key is compromised, all client keys need to be renewed. This paper explores methods of implementing the functionality of tls-crypt-v2 using Hardware Security Modules, making the server key challenging to extract. For this purpose, the Java Card technology, YubiKey cryptographic tokens, and the PKCS#11 interface are analyzed, and example implementations are showcased. The technologies are integrated with OpenVPN using its plugin capability. The results show that while Hardware Security Modules can be used to handle tls-crypt-v2, improving security, they are slow compared to the OpenVPN implementation, leading to a potentially substantial increase in the Denial-of-Service attack surface.*