Duo Two-Factor Authentication for OpenVPN FAQ

Last updated: June 19th, 2018

This configuration is for the OpenVPN Community Open Source Software Project. Refer to the OpenVPN AS documentation if you're using OpenVPN Access Server.

My OpenVPN server must send HTTPS requests through a proxy

You can use an HTTPS Proxy when communicating with Duo Security's service. Add the proxy's host and port to the plugin line in OpenVPN's server configuration file (e.g. /etc/openvpn/openvpn.conf):

plugin /opt/duo/duo_openvpn.so IKEY SKEY HOST PROXY_HOST PROXY_PORT

The proxy must support the CONNECT protocol.

Is it possible to have OpenVPN send an automatic push to authenticate?

You can configure OpenVPN to send a push request automatically at logon as follows:

Make sure your OpenVPN server is at least version 2.1.0.
Update the Duo plugin to the latest version from GitHub if not version 2.1.
Add auth-user-pass-optional to the OpenVPN server configuration file (eg. /etc/openvpn/openvpn.conf).
remove auth-user-pass from the your users' OpenVPN client configuration file.

Additional Troubleshooting

Need more help? Try searching our OpenVPN Knowledge Base articles or Community discussions. For further assistance, contact Support.