Skip to content

duosecurity/duo_openvpn_as

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

45 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Overview

Issues Forks Stars License

duo_openvpn_as - Duo two-factor authentication for OpenVPN Access Server

Installing

Download the latest Duo OpenVPN Access Server release as a zip file from GitHub and unzip the package on your own OpenVPN Access Server.

TLS 1.2 and 1.3 Support

Duo's OpenVPN Access Server plugin uses Python's ssl module and OpenSSL for TLS operations. Python versions 2.7 (and higher) and 3.5 (and higher) have both TLS 1.2 and TLS 1.3 support.

Usage

Configuring & Enabling the Post-Auth Script

Make sure you have your OpenVPN Access Server's integration key (IKEY), secret key (SKEY), and API hostname. You can find these in your Duo Admin Panel under the Applications tab.

Open the duo_openvpn_as.py script in a text editor and fill in your IKEY, SKEY, and API hostname in the following area:

# ------------------------------------------------------------------
# Fill in your integration credentials on the following three lines:
IKEY = 'INTEGRATION_KEY'
SKEY = 'SECRET_KEY'
HOST = 'API_HOSTNAME'
# ------------------------------------------------------------------

Then, move the duo_openvon_as.py script to the OpenVPN AS scripts folder. This typically can be found in /usr/local/openvpn_as/scripts/. Make sure it is executable.

$ mv duo_openvpn_as.py /usr/local/openvpn_as/scripts/
$ chmod a+x /usr/local/openvpn_as/scripts/duo_openvpn_as.py

Then, set duo_openvpn_as.py as your post-auth script:\

$ /usr/local/openvpn_as/scripts/sacli -a admin_username -i -k auth.module.post_auth_script --value_file=/usr/local/openvpn_as/scripts/duo_openvpn_as.py ConfigPut

where admin_username is the username of an administrator on your OpenVPN Access Server. You'll be prompted to enter the administrator's password.

Finally, restart the service to commit your changes:

$ /usr/local/openvpn_as/scripts/sacli -a admin_username -i Reset

Testing

Try to log in as a regular VPN user through the OpenVPN Access Server web interface. If you're using an account that has not been enrolled for Duo authentication, your login attempt will be denied with a self-enrollment URL. Visit the URL, enroll, then try again.

Note: You will only receive a self-enrollment URL if you log in to your OpenVPN Access Server instance with a web browser!

When you log in as a Duo-enrolled user, you'll see a secondary prompt with instructions to enter a Duo passcode or alternate factor.

You can choose from doing a push, phone, or sms factor. Additionally, you can specify a number after the factor name to identify which enrolled device you are using.

Support

The full documentation for OpenVPN Access Server can be found at https://duo.com/docs/openvpn-as.

Report any bugs, feature requests, etc. to us directly at [email protected]

Have fun!

http://www.duosecurity.com