OpenVPN with DUO 2-Factor Authentication

​This is a deployment guide for IT Admins who want VPN with 2-step Authentication for enhanced security. In this article, we will learn how to install OpenVPN Access Server using Google Deployment Manager and integrate DUO for 2-factor Authentication. 

The following are required: 

1. Google Deployment Manager

2. Ubuntu 18.04 Server

3. OpenVPN Access Server (BYOL)

4. DUO for 2-factor Authentication (BYOL)

Google Deployment Manager: 

Google Deployment Manager is used to automate the whole process of Google infrastructure deployment and management. 

We are using Google Deployment Manager here to reduce the deployment time as OpenVPN Access Server Image already exists in the Google Marketplace. You can skip step one if you already have OpenVPN Server running. 

Ubuntu 18.04

Google Marketplace OpenVPN Access Server image runs on Ubuntu 18.04. You can also install OpenVPN in a Windows Server but you have to do it manually as there are no images of OpenVPN on Windows Server in the Google Marketplace. 

OpenVPN Access Server

OpenVPN Access Server has a license cost as it is for enterprise usage (free for up to 2 concurrent connections). We will use the OpenVPN Access Server as it is both easy to deploy and manage. The IT Admins can access the OpenVPN Admin panel from the browser.

DUO Authentication

Duo Authentication is used for 2-step Authentication. It will ask for OTP when the users try to authenticate with the OpenVPN Server. The OTP is pushed to the android/IOS devices registered with the DUO. 

Step 1: 

Deploying OpenVPN Access Server using Google Deployment Manager 

1.1 Deploying OpenVPN From Google MarketPlace: 

1. First, we will login into Google Cloud Console. 

2. Link: console.cloud.google.com

3. Then search for OpenVPN Access Server 

1.2 Deployment Manager Deployment Details: 

1. Click on Launch On Compute Engine to deploy the OpenVPN Access Server. You will be prompted to give the Instance a name, location, configuration, etc. 

2. After the deployment, we will find the following window: 

Here, The Admin Web Panel is given at Admin URL: https://34.93.14.42:943/admin

OpenVPN Admin Panel can be accessed by http://<instances external IP>/admin. The Admin Username and Password will be given in the deployment manager details page as shown in the above image. 

Step 2: 

Configuring OpenVPN Access Server using Admin Web Panel 

2.1 Server Network Settings: 

After logging in, go to Network Settings under Configuration in the left side panel. The Hostname or IP Address should be the same as the OpenVPN's External IP Address. 

2.2 VPN IP Network:

Go to VPN Settings under Configuration in the left side panel. OpenVPN will assign IPs to the clients from the Dynamic IP Address Network given a range. 

2.3 Routing:

Scroll down in the Network Settings and you will find the Routing option. If you want your Clients Internet to flow in & out through the VPN Server, then make the following changes (this will mask your clients External IP Address with the VPN Servers External IP Address).  

2.4 DNS Settings:

Scroll down in the VPN Settings and you will find the DNS Settings option. Change the settings as given below. 

Step 3: 

Creating DUO

3.1 Creating DUO Account:

Go to the following link to create your account.

Link: https://signup.duo.com/

Create an account with your details. Install the DUO app on your Android or IOS devices and register it with the account. DUO will give push notifications on your registered devices when you try to log into the DUO account or for the service your DUO is configured with. 

After creating the account, login with your credentials & you will receive a push notification on your Android/IOS device. Accept it to login. 

3.2 Configuring DUO Account: 

After you have successfully logged in, select Application from the left-hand panel. 

Now click on Protect An Application Option and search for OpenVPN Access Server. 

Now, click on Protect this Application and a web page will open with your DUO credentials. 

You will find the following: 

1. Integration key

2. Secret key

3. API hostname

These credentials will be integrated into your Ubuntu18.04 Server’s DUO scripts to work with OpenVPN. 

Step 4: 

Configuring DUO in the Ubuntu 18.04 Server to work with OpenVPN

4.1 Installing Python 2.7:

Run the following in your Ubuntu 18.04 Server to install python 2.7

sudo apt update

sudo apt install build-essential checkinstall -y

sudo apt install libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev tk-dev libgdbm-dev libc6-dev libbz2-dev -y

cd /usr/src

sudo wget https://www.python.org/ftp/python/2.7.14/Python-2.7.14.tgz

sudo tar xzf Python-2.7.14.tgz

cd Python-2.7.14

sudo ./configure --enable-optimizations

sudo make install

sudo rm -rf /usr/src/Python-2.7.14*

4.2 Configuring DUO in the Ubuntu 18.04 Server:

Click this link to download the DUO Server Package.

Link: https://github.com/duosecurity/duo_openvpn_as/tarball/master

Upload the package in the ubuntu server and extract it using the following code

tar xvzf “file-name”.tar.gz

*I have created a folder “duoas” and have extracted the DUO Server package here. Now, we will go in the extracted folder and edit “duo_openvpn_as.py” using nano.

cd duosecurity-duo_openvpn_as-9e3251c

nano duo_openvpn_as.py

Fill in the following with your Integration Key, Secret Key and API hostname that you have received from your DUO account (as given in Section 3.2). Save and exit.

Now, we will move the file to the OpenVPN Access Server directory and make it user executable.

mv duo_openvpn_as.py /usr/local/openvpn_as/scripts/

chmod a+x /usr/local/openvpn_as/scripts/duo_openvpn_as.py

4.3 Enabling the Post-Auth Script:

Run the following commands to set duo_openvpn_as.py as your post-auth script:

/usr/local/openvpn_as/scripts/sacli -a “admin_username” -i -k auth.module.post_auth_script --value_file=/usr/local/openvpn_as/scripts/duo_openvpn_as.py ConfigPut

Use the admin username in the above command of the OpenVPN server we received from the deployment manager. You will be asked for a Password which will be the password we received from the deployment manager.

Now, restart the service using the following command.  

/usr/local/openvpn_as/scripts/sacli -a “admin_username” -i Reset

Step 5: 

Creating Users in the OpenVPN and registering with DUO

5.1 Creating a new OpenVPN User:

1. Go to your OpenVPN Access Server Web Admin Panel. 

2. Then go to the User Permission under User Management from the left panel

3. Fill in the new username space and click on more settings

4. Keep everything else default and save settings 

5.2 Registering Users with DUO

1. Click on your OpenVPN Instance external IP

2. Login in with your newly created user using the username and password you have set

3. You will get a request to register the user with DUO

4. Open the given red marked link 

5. Register the user with the Android/IOS device where you want to have the OTP/Push Notification  

Step 6: 

Using OpenVPN Connect 

OpenVPN Connect will be used to connect to the OpenVPN Access Server. Here we have used “openvpn-connect-2.7.1.101_signed.msi” for windows which have worked well with DUO 2-Factor Authentication. 

1. First, install the OpenVPN Connect in Windows. 

2. From the Right-hand side of the taskbar click on the OpenVPN icon and click on connect. You will see the following 

3. Enter your OpenVPN Access Server's External IP and click on continue 

4. Users will be prompted to enter their username and password. 

5. After that, click on Connect and the users will be asked to enter the 2-step authentication code

6. Open your OpenVPN Android/IOS App to fetch the OTP and enter it here to connect with the OpenVPN Access Server. 

In this guide, we learned how to install OpenVPN Access Server with DUO for 2-Step Authentication. This integration can be used to enhance security, for specific developers access to cloud environments.