First, make sure you've read the official OpenVPN Access Server documentation.
Duo adds some additional requirements, in that it makes use of OpenVPN Access Server's dynamic challenge-response mechanism. This mechanism is supported in the open-source client starting with version 2.2, but you usually must enable it explicitly:
Make sure you're running version 2.2 or later of the openvpn client:
$ openvpn --version
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
...
Set the auth-retry option to a value of interact when running the client. For example:
$ openvpn --config client.ovpn --auth-retry interact
Where admin_username is the username of an administrator on your OpenVPN Access Server instance:
Use OpenVPN Access Server's command-line interface to remove the post-auth script:
$ /usr/local/openvpn_as/scripts/sacli -a admin_username \
-k auth.module.post_auth_script ConfigDel
Restart the service to commit your configuration changes:
$ /usr/local/openvpn_as/scripts/sacli -a admin_username Reset
Need more help? Try searching our OpenVPN AS Knowledge Base articles or Community discussions. For further assistance, contact Support.