
Add Duo Two-Factor Authentication to OpenVPN Access Server

OpenVPN Access Server is a Business VPN built on the OpenVPN open source project. Adding Duo 2FA to Access Server gives your users remote, encrypted connections together with more secure authentication. Access Server already supports MFA using Google Authenticator; adding Duo’s authentication service through this integration extends it with more authentication options, such as 2FA through SMS text, validation over a voice call, and push notifications with the Duo app.

Follow these instructions to add Duo two-factor authentication to your users’ OpenVPN Access Server logins.

Get Started

When you add Duo 2FA to OpenVPN Access Server, your users will have increased security for their logins. With this setup, authentication flows as follows:

  1. OpenVPN Connect initiates login
  2. OpenVPN Access Server authenticates username and password (primary auth)
    Optional: Authenticate with PAM, LDAP, or RADIUS directories
  3. Access Server notifies Duo via HTTPS API to begin 2FA procedure
  4. Duo sends secondary auth via user’s chosen method
  5. Authentication response sent back to Access Server
  6. OpenVPN connection established

You’ll need both a Duo account and an installation of OpenVPN Access Server.

Duo Admin Setup

  1. Log in to the Duo Admin Panel and click on Applications.
  2. Click Protect an Application, then find OpenVPN Access Server and click Protect.
  3. OpenVPN Access Server is added to your Duo-protected applications. You’ll need the integration key, secret key, and API hostname that display for a future step in the configuration.
  4. Download the Duo OpenVPN Access Server package from the duo_openvpn_as GitHub repository.

Setup Post-Auth Script

Next, you’ll configure the post-auth script downloaded from Duo’s GitHub repository. This is where you’ll add your integration key, secret key, and API hostname from the Application configuration within your Duo Admin panel (noted above).

  1. Extract the Duo OpenVPN Access Server package.
  2. Open the duo_openvpn_as.py script with a text editor.
  3. Find the section where you fill in your integration credentials and enter your integration key, secret key, and API hostname:
  4. Move or upload the duo_openvpn_as.py script to the OpenVPN Access Server scripts folder (/usr/local/openvpn_as/scripts/) on your server.
  5. As a root user, use the sacli tool to set duo_openvpn_as.py as your post-auth script:
    cd /usr/local/openvpn_as/scripts/
    ./sacli --key "auth.module.post_auth_script" --value_file="/usr/local/openvpn_as/scripts/duo_openvpn_as.py" ConfigPut
  6. Reload the service to commit the changes:
    ./sacli start
  7. Test your setup. (It would be good to test with both a user that has already enrolled in Duo authentication and one that has not.) To do this, log in as a regular VPN user through your Client UI for your OpenVPN Access Server.
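
A pre-flight check for steps 3 to 5, as an added example that is not part of the original page or of Duo's package: it confirms the credentials are filled in and that the file, which holds the secret key in plain text, is not accessible to group or other. The variable names IKEY, SKEY and HOST and the <...> placeholder style are assumptions about the script's layout; adjust them to what the file actually contains.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for duo_openvpn_as.py before it is loaded
# with sacli. Assumption: the credentials are assigned to variables named
# IKEY, SKEY and HOST, and unfilled values are wrapped in <...>.

# Return 0 only if IKEY, SKEY and HOST are each assigned a non-empty value
# that is not a <placeholder>.
creds_filled() {
    local file=$1 name line
    for name in IKEY SKEY HOST; do
        line=$(grep -E "^[[:space:]]*${name}[[:space:]]*=" "$file" | head -n 1)
        [ -n "$line" ] || { echo "missing: $name" >&2; return 1; }
        case $line in
            *"<"*|*"''"*|*'""'*) echo "not filled in: $name" >&2; return 1 ;;
        esac
    done
}

# Return 0 only if group and other have no access to the file, since it
# holds the Duo secret key in plain text.
perms_tight() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        *00) return 0 ;;
        *) echo "mode $mode on $1 is too open; use chmod 600" >&2; return 1 ;;
    esac
}

# Both checks together; stops at the first failure.
preflight() {
    creds_filled "$1" && perms_tight "$1"
}

# Typical use on the server, as root (path and command from the steps above):
#   preflight /usr/local/openvpn_as/scripts/duo_openvpn_as.py && \
#     ./sacli --key "auth.module.post_auth_script" \
#       --value_file="/usr/local/openvpn_as/scripts/duo_openvpn_as.py" ConfigPut
```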

End User Logins

New Duo user logs into web client UI

Existing Duo user logs into web client UI

Existing Duo user logs in with the mobile app


Duo also provides additional documentation on their website: OpenVPN Access Server Documentation, OpenVPN Access Server FAQ page, and OpenVPN Knowledge Base articles.

Removing Duo authentication

If you no longer use Duo for your users and need to remove the integration, here are the steps to take:

  1. As a root user on your OpenVPN Access Server (connected through SSH or terminal) use the sacli tool to remove the Duo setup:
    cd /usr/local/openvpn_as/scripts/
    ./sacli --key "auth.module.post_auth_script" ConfigDel
  2. Reload the service to commit the changes:
    ./sacli start
