
Tutorial: Add Duo Two-Factor Authentication to Access Server

Abstract

Follow these instructions to add Duo two-factor authentication to your users’ Access Server logins.

Overview

Adding Duo 2FA to Access Server adds a second authentication factor to your users' VPN logins on top of the encrypted remote connection Access Server already provides. Through this integration Duo supplies the additional authentication methods: a push notification in the Duo Mobile app, a passcode sent by SMS text, or verification over a voice call.

Access Server also has built-in TOTP MFA support.

Important

If you use Duo MFA, do not also enable the built-in TOTP MFA; running both causes user authentication problems.

When you add Duo 2FA to Access Server, your users' logins will be more secure. The diagram shows how the authentication flows with the setup.

Diagram: duo-post-auth.jpg (Duo post-auth flow)
  1. The user signs in with OpenVPN Connect.

  2. Access Server authenticates the username and password (primary auth).

  3. Access Server calls Duo over its HTTPS API (from the post-auth script) to begin the 2FA procedure.

  4. Duo sends the secondary authentication request via the user's chosen method.

  5. The user sends a correct response.

  6. Duo returns the authentication result to Access Server.

  7. The OpenVPN connection is established.

Before you begin, you need:

  • A Duo account.

  • An installed Access Server.

Add Access Server as a protected application in Duo:

  1. Sign in to the Duo Admin Panel and click Applications.

  2. Click Protect an Application, then find OpenVPN Access Server and click Protect.

    Screenshot: Protect-an-Application.jpg
    • Access Server is added to your Duo-protected applications.

  3. Note the integration key, secret key, and API hostname that are displayed; you enter them into the post-auth script in a later step. Treat the secret key as a credential: anyone holding it together with the integration key can call Duo's API as your application.

Next, you’ll download the post-auth script from Duo’s GitHub repository. Then you’ll add your integration key, secret key, and API hostname from the application configuration within your Duo Admin panel (noted above).

  1. Download the Duo OpenVPN Access Server package from the duo_openvpn_as GitHub repository.

  2. Extract the Duo OpenVPN Access Server package.

  3. Open the duo_openvpn_as.py script with a text editor.

  4. Find the section where you fill in your integration credentials and enter your integration key, secret key, and API hostname:

    # Fill in your integration credentials on the following three lines:
    IKEY = 'DUO_INTEGRATION_KEY_HERE'
    SKEY = 'DUO_INTEGRATION_SECRET_KEY_HERE'
    HOST = 'DUO_API_HOSTNAME_HERE'
  5. Move or upload the duo_openvpn_as.py script to the Access Server scripts folder (/usr/local/openvpn_as/scripts/) on your server.

  6. Connect to your Access Server console and get root privileges.

  7. Load the script and restart the Access Server service:

    cd /usr/local/openvpn_as/scripts/
    ./sacli --key "auth.module.post_auth_script" --value_file="/usr/local/openvpn_as/scripts/duo_openvpn_as.py" ConfigPut
    ./sacli start
  8. Test your setup by signing in as a VPN user.

    Tip

    Test with both a user who is already enrolled in Duo and one who has not yet enrolled.
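The Access Server steps above as one non-interactive script, added here as an example; it is not code from the OpenVPN or Duo documentation. It assumes the three placeholder strings shown in step 4, takes the credentials from hypothetical DUO_IKEY, DUO_SKEY and DUO_HOST environment variables, takes from a hypothetical DUO_SHA256 variable the hash you recorded after reviewing the downloaded duo_openvpn_as.py, and only calls sacli when it is present in the scripts folder. The format checks on the keys and hostname are local sanity checks, not Duo's published validation rules.

```shell
#!/bin/sh
# Added example: install the Duo post-auth script non-interactively.
# Not from the OpenVPN or Duo documentation. Assumptions: the placeholders are
# the three strings shown in the tutorial; DUO_IKEY, DUO_SKEY, DUO_HOST and
# DUO_SHA256 are hypothetical environment variables; the key/host format checks
# are local sanity checks, not Duo's published rules.

SCRIPTS_DIR="${SCRIPTS_DIR:-/usr/local/openvpn_as/scripts}"

# Sanity checks: alphanumeric keys and an api-*.duosecurity.com host. Besides
# catching typos, this keeps sed metacharacters (| & \) out of the edit below.
valid_duo_key()  { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]+$'; }
valid_duo_host() { printf '%s' "$1" | grep -Eq '^api-[a-z0-9]+\.duosecurity\.com$'; }

# file_sha256 FILE: hex digest (sha256sum on Linux, shasum elsewhere).
file_sha256() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# verify_sha256 FILE HASH: compare the downloaded script with the hash you
# recorded when you reviewed it, so a changed download is not installed.
verify_sha256() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# fill_duo_credentials FILE IKEY SKEY HOST: replace the placeholder values in
# FILE and restrict the file to its owner, because it now holds the secret key.
# Returns 1 if FILE is missing, 2 if a value fails the sanity check.
fill_duo_credentials() {
    f="$1"; ikey="$2"; skey="$3"; host="$4"
    [ -f "$f" ] || return 1
    valid_duo_key "$ikey" && valid_duo_key "$skey" && valid_duo_host "$host" || return 2
    sed -e "s|^IKEY = '.*'|IKEY = '$ikey'|" \
        -e "s|^SKEY = '.*'|SKEY = '$skey'|" \
        -e "s|^HOST = '.*'|HOST = '$host'|" "$f" > "$f.tmp" &&
        mv "$f.tmp" "$f" && chmod 0600 "$f"
}

# check_no_placeholders FILE: succeed only if none of the placeholders survive.
check_no_placeholders() {
    ! grep -Eq "DUO_(INTEGRATION_KEY|INTEGRATION_SECRET_KEY|API_HOSTNAME)_HERE" "$1"
}

# register_with_sacli FILE: the same two sacli commands as the tutorial, then
# confirm the key appears in the configuration dump.
register_with_sacli() {
    cd "$SCRIPTS_DIR" || return 1
    ./sacli --key "auth.module.post_auth_script" --value_file="$1" ConfigPut &&
    ./sacli start &&
    ./sacli ConfigQuery | grep -q '"auth.module.post_auth_script"'
}

main() {
    : "${DUO_IKEY:?}" "${DUO_SKEY:?}" "${DUO_HOST:?}" "${DUO_SHA256:?}"
    target="$SCRIPTS_DIR/duo_openvpn_as.py"
    verify_sha256 "$target" "$DUO_SHA256" || { echo "hash mismatch: $target" >&2; exit 1; }
    fill_duo_credentials "$target" "$DUO_IKEY" "$DUO_SKEY" "$DUO_HOST" ||
        { echo "could not fill credentials (rc=$?)" >&2; exit 1; }
    check_no_placeholders "$target" || { echo "placeholders remain in $target" >&2; exit 1; }
    if [ -x "$SCRIPTS_DIR/sacli" ]; then
        register_with_sacli "$target" || { echo "sacli registration failed" >&2; exit 1; }
    else
        echo "sacli not found in $SCRIPTS_DIR; credentials filled, registration skipped" >&2
    fi
}

# Usage: DUO_IKEY=... DUO_SKEY=... DUO_HOST=... DUO_SHA256=... sh duo_install.sh install
if [ "${1:-}" = "install" ]; then main; fi
```

The hash check is the supply-chain step the tutorial leaves implicit: read the script you downloaded, record its SHA-256, and refuse to install anything else. The placeholder check catches a partially edited file before it becomes the authentication path for every VPN login.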

Duo also provides additional documentation on its website: the OpenVPN Access Server documentation, the OpenVPN Access Server FAQ page, and OpenVPN Knowledge Base articles.

If you no longer use Duo for your users and need to remove the integration, follow these steps:

  1. Connect to your Access Server console and get root privileges.

  2. Remove the Duo setup:

    cd /usr/local/openvpn_as/scripts/
    ./sacli --key "auth.module.post_auth_script" ConfigDel
  3. Reload the service to commit the changes:

    ./sacli start