OpenVPN Access Server

These instructions will enable you to add Duo two-factor authentication to an OpenVPN Access Server installation. If you wish to use Duo with the OpenVPN Community Open Source Software Project, refer to the OpenVPN instructions instead.

Connectivity Requirements

This integration communicates with Duo's service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service's high availability.

First Steps

To get started securing your OpenVPN Access Server with Duo, you'll need to:

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate OpenVPN Access Server in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)
  4. Download the Duo OpenVPN Access Server package from our duo_openvpn_as GitHub repository.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Configure the Post-Auth Script

  1. Extract the Duo OpenVPN Access Server package downloaded from Duo's GitHub repository.
  2. Open the script in a text editor and fill in your integration key, secret key, and API hostname where instructed:

    # ------------------------------------------------------------------
    # Fill in your integration credentials on the following three lines:
    # ------------------------------------------------------------------

  3. Move the script to the OpenVPN AS scripts folder - typically /usr/local/openvpn_as/scripts/ - and make sure it is executable.

    $ mv /usr/local/openvpn_as/scripts/
    $ chmod a+x /usr/local/openvpn_as/scripts/

Enable the Post-Auth Script

  1. Use OpenVPN Access Server's command-line interface to set as your post-auth script:

    $ /usr/local/openvpn_as/scripts/sacli -a admin_username -k auth.module.post_auth_script --value_file=/usr/local/openvpn_as/scripts/ ConfigPut

  2. Restart the service to commit your configuration changes:

    $ /usr/local/openvpn_as/scripts/sacli -a admin_username Reset

In these commands, admin_username is the username of an administrator on your OpenVPN Access Server instance.

Test Your Setup

After you have enabled the Duo Post-Auth script, try to log in as a regular VPN user through the OpenVPN Access Server web interface. If you are using an account which has not previously been enrolled for Duo authentication, your login attempt will be denied with a self-enrollment URL. Visit the URL, enroll your phone, and then try logging in again.


You will only receive a self-enrollment URL if you log in to your OpenVPN Access Server instance with a web browser; this mechanism will not work with native clients (e.g. OpenVPN Connect). You can bulk enroll users if they won't be logging in through the web interface.


When you log in as a Duo-enrolled user, you will see a secondary prompt (either via a web browser or with a native client), with instructions to enter a Duo passcode (e.g. "124356") or an alternate factor identifier:

Choose from the following factors:

  push: Perform Duo Push authentication. You can use Duo Push if you've installed Duo Mobile and added your account to it.
  phone: Perform phone callback.
  sms: Send a new batch of SMS passcodes. Your authentication attempt will be denied. You can then authenticate with one of the newly-delivered passcodes.

You can also specify a number after the factor name if you have more than one device enrolled. For example, enter phone2 or push2 if you have two phones enrolled.
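The response format described above (a passcode, or push, phone or sms with an optional device number) can be validated strictly before it is acted on. This is an added example, not code from Duo's post-auth script; the names parse_response and SecondFactor, the numeric-only passcode rule and the case-insensitive matching are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Assumption: passcodes are numeric, like the page's "124356" example.
_PASSCODE_RE = re.compile(r"[0-9]+")
# Factor names from the page, with an optional device number (phone2, push2).
_FACTOR_RE = re.compile(r"(push|phone|sms)([1-9][0-9]?)?")


class SecondFactor(NamedTuple):
    kind: str                # "passcode", "push", "phone" or "sms"
    device: Optional[int]    # number typed after the factor name, if any
    passcode: Optional[str]  # set only when kind == "passcode"


def parse_response(raw: str) -> SecondFactor:
    """Classify the text a user typed at the secondary prompt."""
    text = raw.strip()
    if _PASSCODE_RE.fullmatch(text):
        return SecondFactor("passcode", None, text)
    # Assumption: factor names are matched case-insensitively.
    match = _FACTOR_RE.fullmatch(text.lower())
    if match:
        device = int(match.group(2)) if match.group(2) else None
        return SecondFactor(match.group(1), device, None)
    # The rejected input is left out of the message on purpose: a mistyped
    # passcode should not end up in logs.
    raise ValueError("expected a passcode or push/phone/sms[N]")


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real login.
    for sample in ("124356", "push", "phone2", " SMS ", "push0", "email"):
        try:
            print(repr(sample), "->", parse_response(sample))
        except ValueError as exc:
            print(repr(sample), "-> rejected:", exc)
```
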


Need some help? Take a look at the OpenVPN AS Frequently Asked Questions (FAQ) page or try searching our OpenVPN AS Knowledge Base articles or Community discussions. For further assistance, contact Support.

Network Diagram

  1. OpenVPN connection initiated
  2. Primary authentication
  3. OpenVPN connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. OpenVPN receives authentication response
  6. OpenVPN session logged in
