Add Duo Two-Factor Authentication to OpenVPN Access Server

OpenVPN Access Server is a Business VPN built on the OpenVPN open source project. Adding Duo 2FA to Access Server provides your business with added security features. You’ll provide remote, encrypted connections for users as well as more secure authentication. By adding Duo’s authentication service through this integration, you extend the functionality. You add the ability for more authentication options such as 2FA through SMS text, validation over a voice call, and push notifications with the Duo app.

OpenVPN Access Server also supports MFA using Google Authenticator. Note: If you are using Duo MFA, you cannot also enable Google Authenticator MFA, as doing so will cause user authentication problems.

Follow these instructions to add Duo two-factor authentication to your users’ OpenVPN Access Server logins.

Get Started

When you add Duo 2FA to OpenVPN Access Server, your users will have increased security for their logins. The diagram shows how the authentication flows with the setup.

[Diagram: Duo 2FA flow for Access Server]
  1. User signs in with OpenVPN Connect.
  2. OpenVPN Access Server authenticates username and password (primary auth).
  3. OpenVPN Access Server notifies Duo via the HTTPS API to begin the 2FA procedure.
  4. Duo sends the secondary authentication request via the user’s chosen method.
  5. User sends the correct response.
  6. Duo sends the authentication response back to Access Server.
  7. OpenVPN connection established.

You’ll need both a Duo account and an installation of OpenVPN Access Server.

Duo Admin Setup

  1. Sign in to the Duo Admin Panel and click Applications.
  2. Click Protect an Application, then find OpenVPN Access Server and click Protect.
    [Screenshot: Protect an Application]
  3. OpenVPN Access Server is added to your Duo-protected applications. You’ll need the integration key, secret key, and API hostname displayed here for a later step in the configuration.
    [Screenshot: Access Server added to Duo-protected applications]
  4. Download the Duo OpenVPN Access Server package from the duo_openvpn_as GitHub repository.

Setup Post-Auth Script

Next, you’ll configure the post-auth script downloaded from Duo’s GitHub repository. This is where you’ll add your integration key, secret key, and API hostname from the Application configuration within your Duo Admin panel (noted above).

  1. Extract the Duo OpenVPN Access Server package.
  2. Open the duo_openvpn_as.py script with a text editor.
  3. Find the section where you fill in your integration credentials and enter your integration key, secret key, and API hostname:
    [Screenshot: integration key, secret key, and API hostname fields in duo_openvpn_as.py]
  4. Move or upload the duo_openvpn_as.py script to the OpenVPN Access Server scripts folder (/usr/local/openvpn_as/scripts/) on your server.
  5. As a root user, use the sacli tool to set duo_openvpn_as.py as your post-auth script:
    cd /usr/local/openvpn_as/scripts/
    ./sacli --key "auth.module.post_auth_script" --value_file="/usr/local/openvpn_as/scripts/duo_openvpn_as.py" ConfigPut
  6. Reload the service to commit the changes:
    ./sacli start
  7. Test your setup, ideally with both a user who has already enrolled in Duo authentication and one who has not. To do this, sign in as a regular VPN user through the Client Web UI of your OpenVPN Access Server.
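The steps above leave one easy mistake unguarded: installing duo_openvpn_as.py with the credential placeholders still in place, which silently breaks every login once the post-auth script is active. The following added example (not part of this page, Duo's repository, or OpenVPN's own tooling) checks the three values before registering the script with sacli. It assumes the script stores them in lines of the form IKEY = '...', SKEY = '...', HOST = '...', and that a Duo integration key is 20 characters starting with DI, a secret key is 40 characters, and the API hostname looks like api-XXXXXXXX.duosecurity.com.

```shell
#!/bin/sh
# Added example: verify the edited duo_openvpn_as.py before installing it as
# the OpenVPN Access Server post-auth script. Variable names and key formats
# below are assumptions, not taken from this page.

# Print the quoted value of one "NAME = '...'" line in the script (empty if missing).
get_setting() {  # $1 = script path, $2 = variable name
  sed -n "s/^$2[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Return 0 when IKEY, SKEY and HOST all look filled in, 1 otherwise.
check_duo_script() {  # $1 = path to duo_openvpn_as.py
  ikey=$(get_setting "$1" IKEY)
  skey=$(get_setting "$1" SKEY)
  host=$(get_setting "$1" HOST)
  echo "$ikey" | grep -Eq '^DI[A-Z0-9]{18}$' \
    || { echo "IKEY is missing or still a placeholder" >&2; return 1; }
  echo "$skey" | grep -Eq '^[A-Za-z0-9]{40}$' \
    || { echo "SKEY is missing or still a placeholder" >&2; return 1; }
  echo "$host" | grep -Eq '^api-[a-z0-9]+\.duosecurity\.com$' \
    || { echo "HOST is missing or not a Duo API hostname" >&2; return 1; }
  return 0
}

# Copy the checked script into place, register it as the post-auth script,
# and reload the service. Mirrors the sacli commands in steps 4 to 6; run as root.
install_duo_script() {  # $1 = path to the edited duo_openvpn_as.py
  check_duo_script "$1" || return 1
  cp "$1" /usr/local/openvpn_as/scripts/duo_openvpn_as.py || return 1
  cd /usr/local/openvpn_as/scripts/ || return 1
  ./sacli --key "auth.module.post_auth_script" \
    --value_file="/usr/local/openvpn_as/scripts/duo_openvpn_as.py" ConfigPut || return 1
  ./sacli start
}

# Stand-alone demo on a constructed sample file (values are made up, not real keys).
demo_check() {
  sample=$(mktemp)
  printf "IKEY = 'DIABCDEFGHIJKLMNOPQR'\nSKEY = 'abcdefghijklmnopqrstuvwxyz01234567890123'\nHOST = 'api-12345678.duosecurity.com'\n" > "$sample"
  if check_duo_script "$sample"; then echo "sample script: credentials look set"; fi
  rm -f "$sample"
}
demo_check
```

Run install_duo_script /path/to/duo_openvpn_as.py as root on the Access Server host; it refuses to register the script if the check fails.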

Duo also provides additional documentation on their website: OpenVPN Access Server Documentation, OpenVPN Access Server FAQ page, and OpenVPN Knowledge Base articles.

Removing Duo authentication

If you no longer use Duo for your users and need to remove the integration, follow these steps:

  1. As a root user on your OpenVPN Access Server (connected through SSH or a terminal), use the sacli tool to remove the Duo setup:
    cd /usr/local/openvpn_as/scripts/
    ./sacli --key "auth.module.post_auth_script" ConfigDel
  2. Reload the service to commit the changes:
    ./sacli start