duo_openvpn_as - Duo two-factor authentication for OpenVPN Access Server
Download the latest Duo OpenVPN Access Server release as a zip file from GitHub and unzip the package on your own OpenVPN Access Server.
Duo's OpenVPN Access Server plugin uses Python's ssl module and OpenSSL for TLS operations. Python versions 2.7 (and higher) and 3.5 (and higher) have both TLS 1.2 and TLS 1.3 support.
Make sure you have your OpenVPN Access Server's integration key (IKEY), secret key (SKEY), and API hostname. You can find these in your Duo Admin Panel under the Applications tab.
Open the duo_openvpn_as.py script in a text editor and fill in your IKEY, SKEY, and API hostname in the following area:
# ------------------------------------------------------------------
# Fill in your integration credentials on the following three lines:
IKEY = 'INTEGRATION_KEY'
SKEY = 'SECRET_KEY'
HOST = 'API_HOSTNAME'
# ------------------------------------------------------------------
Then, move the duo_openvon_as.py script to the OpenVPN AS scripts folder. This typically can be found in /usr/local/openvpn_as/scripts/. Make sure it is executable.
$ mv duo_openvpn_as.py /usr/local/openvpn_as/scripts/
$ chmod a+x /usr/local/openvpn_as/scripts/duo_openvpn_as.py
Then, set duo_openvpn_as.py as your post-auth script:\
$ /usr/local/openvpn_as/scripts/sacli -a admin_username -i -k auth.module.post_auth_script --value_file=/usr/local/openvpn_as/scripts/duo_openvpn_as.py ConfigPut
where admin_username is the username of an administrator on your OpenVPN Access Server. You'll be prompted to enter the administrator's password.
Finally, restart the service to commit your changes:
$ /usr/local/openvpn_as/scripts/sacli -a admin_username -i Reset
Try to log in as a regular VPN user through the OpenVPN Access Server web interface. If you're using an account that has not been enrolled for Duo authentication, your login attempt will be denied with a self-enrollment URL. Visit the URL, enroll, then try again.
Note: You will only receive a self-enrollment URL if you log in to your OpenVPN Access Server instance with a web browser!
When you log in as a Duo-enrolled user, you'll see a secondary prompt with instructions to enter a Duo passcode or alternate factor.
You can choose from doing a push, phone, or sms factor. Additionally, you can specify a number after the factor name to identify which enrolled device you are using.
The full documentation for OpenVPN Access Server can be found at https://duo.com/docs/openvpn-as.
Report any bugs, feature requests, etc. to us directly at support@duosecurity.com
Have fun!