Skip navigation

Duo Two-Factor Authentication for OpenVPN Access Server - FAQ

Last Updated: June 19th, 2018

How can I connect on Linux after installing Duo for OpenVPN AS?

First, make sure you've read the official OpenVPN Access Server documentation.

Duo adds some additional requirements, in that it makes use of OpenVPN Access Server's dynamic challenge-response mechanism. This mechanism is supported in the open-source client starting with version 2.2, but you usually must enable it explicitly:

  1. Make sure you're running version 2.2 or later of the openvpn client:

    $ openvpn --version
    OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012
    Originally developed by James Yonan
    Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <>
  2. Set the auth-retry option to a value of interact when running the client. For example:

    $ openvpn --config client.ovpn --auth-retry interact

How do I uninstall Duo from OpenVPN AS?

Where admin_username is the username of an administrator on your OpenVPN Access Server instance:

  1. Use OpenVPN Access Server's command-line interface to remove the post-auth script:

    $ /usr/local/openvpn_as/scripts/sacli -a admin_username \

-k auth.module.post_auth_script ConfigDel

  1. Restart the service to commit your configuration changes:

    $ /usr/local/openvpn_as/scripts/sacli -a admin_username Reset

Additional Troubleshooting

Need more help? Try searching our OpenVPN AS Knowledge Base articles or Community discussions. For further assistance, contact Support.