cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4976
Views
0
Helpful
8
Replies

OpenVpn Plugin Not sending requests to duo

DylanDodds
Level 1
Level 1

We are attempting to hookup duo to our OpenVPN server. We are running OpenVPN version 2.3.10 on Ubuntu 16.04. We followed the steps in the setup guide. Looking for duo on our syslog, we get no errors and our openVPN log is the same. It looks like it makes a request to duo (i’ve pinged our api url to ensure we can connect to it and it pinged fine), but There are no failed or passing authentication in our duo authentication log. It’s like the request is never actually hitting the endpoint.

Here is the grep duo syslog All sensitive information has been taken out:
PLUGIN_INIT: POST /opt/duo/duo_openvpn.so ‘[/opt/duo/duo_openvpn.so] [] [] []’ intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
ovpn-server[7415]: PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
ovpn-server[7415]: PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
ovpn-server[7415]: PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
ovpn-server[7415]: PLUGIN_CLOSE: /opt/duo/duo_openvpn.so

and here is the openvpn.log, all sensitive informaiton removed:
TLS: Initial packet from [AF_INET], sid=
CRL CHECK OK: CN=
VERIFY OK: depth=1, CN=
CRL CHECK OK: CN=
VERIFY OK: depth=0, CN=
PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
TLS: Username/Password authentication deferred for username ''
Data Channel Encrypt: Cipher ‘AES-128-CBC’ initialized with 128 bit key
Data Channel Encrypt: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Data Channel Decrypt: Cipher ‘AES-128-CBC’ initialized with 128 bit key
Data Channel Decrypt: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-GCM-SHA256, 3072 bit RSA
[] Peer Connection Initiated with [AF_INET]
PUSH: Received control message: 'PUSH_REQUEST’
SIGTERM[soft,delayed-exit] received, client-instance exiting

edit: I have verified that openvpn connects without the duo plugin

8 Replies 8

DylanDodds
Level 1
Level 1

The fix for this was to install python. We were using python3 but apparently python2 was required. a simple apt install python fixed this issue. It should be documented in the openvpn plugin page that python2 is required. It’s nuts that it didn’t even throw an error about python.

Thanks, we’ve noted specifically that python2 is required. Thanks for using Duo!

Duo, not DUO.

Cedric_Charlet
Level 1
Level 1

Hi,

I have the same issue in Debian Strech and Python 2.7.13 and 3.5.3 are installed

My config
Debian strech 9.8
Openvpn 2.4.0

My installed packages
ii dh-python 2.20170125 all Debian helper tools for packaging Python libraries and applications
ii libpython-stdlib:armhf 2.7.13-2 armhf interactive high-level object-oriented language (default python version)
ii libpython2.7:armhf 2.7.13-2+deb9u3 armhf Shared Python runtime library (version 2.7)
ii libpython2.7-minimal:armhf 2.7.13-2+deb9u3 armhf Minimal subset of the Python language (version 2.7)
ii libpython2.7-stdlib:armhf 2.7.13-2+deb9u3 armhf Interactive high-level object-oriented language (standard library, version 2.7)
ii libpython3-stdlib:armhf 3.5.3-1 armhf interactive high-level object-oriented language (default python3 version)
ii libpython3.5:armhf 3.5.3-1+deb9u1 armhf Shared Python runtime library (version 3.5)
ii libpython3.5-minimal:armhf 3.5.3-1+deb9u1 armhf Minimal subset of the Python language (version 3.5)
ii libpython3.5-stdlib:armhf 3.5.3-1+deb9u1 armhf Interactive high-level object-oriented language (standard library, version 3.5)
ii python 2.7.13-2 armhf interactive high-level object-oriented language (default version)
ii python-apt-common 1.1.0~beta5 all Python interface to libapt-pkg (locales)
ii python-bs4 4.5.3-1 all error-tolerant HTML parser for Python
ii python-chardet 2.3.0-2 all universal character encoding detector for Python2
ii python-html5lib 0.999999999-1 all HTML parser/tokenizer based on the WHATWG HTML5 specification
ii python-lxml 3.7.1-1 armhf pythonic binding for the libxml2 and libxslt libraries
ii python-minimal 2.7.13-2 armhf minimal subset of the Python language (default version)
ii python-pkg-resources 33.1.1-1 all Package Discovery and Resource Access using pkg_resources
ii python-rpi.gpio 0.6.5~stretch-1 armhf Python GPIO module for Raspberry Pi
ii python-six 1.10.0-3 all Python 2 and 3 compatibility library (Python 2 interface)
ii python-webencodings 0.5-2 all Python implementation of the WHATWG Encoding standard
ii python2.7 2.7.13-2+deb9u3 armhf Interactive high-level object-oriented language (version 2.7)
ii python2.7-minimal 2.7.13-2+deb9u3 armhf Minimal subset of the Python language (version 2.7)
ii python3 3.5.3-1 armhf interactive high-level object-oriented language (default python3 version)
ii python3-apt 1.1.0~beta5 armhf Python 3 interface to libapt-pkg
ii python3-minimal 3.5.3-1 armhf minimal subset of the Python language (default python3 version)
ii python3-pyinotify 0.9.6-1 all simple Linux inotify Python bindings
ii python3-systemd 233-1 armhf Python 3 bindings for systemd
ii python3.5 3.5.3-1+deb9u1 armhf Interactive high-level object-oriented language (version 3.5)
ii python3.5-minimal 3.5.3-1+deb9u1 armhf Minimal subset of the Python language (version 3.5)

Thanks for your support

Not sure what issue you are having. Please provide more context or contact Duo Support.

Duo, not DUO.

Hi,

I not receive the notification in my phone. I don’t have error message in the log.

In the duo security log, i don’t have any request.

I think my plugin dosen’t send the request to duosecurtiy

Best regards

Le mar. 7 mai 2019 à 15:45, Engineering via Duo Security Community duo@discoursemail.com a écrit :

You can enable a higher level of OpenVPN logging to see what is happening when it should be firing off the Duo plugin. https://help.duo.com/s/article/4332

You can double-check your Duo plugin installation to make sure the plugin files were built and installed in the right directory, and that the edits to your .conf file are correct.

Duo, not DUO.

Hi,

I have followed the instructions from Two-Factor Authentication for OpenVPN | Duo Security, but when I tried to connect to my openvpn instance the login fails and I can see this message in / var / log / messages:

Nov 10 19:44:27 ip-xxx-xxx-xxx-xxx duo_openvpn.py: Duo OpenVPN: writing failure code to /tmp/openvpn_acf_xxxxxxxxxxxxxxx.tmp
Nov 10 19:44:58 ip-xxx-xxx-xxx-xxx duo_openvpn.py: Duo OpenVPN: pre-authentication for macOS-MFA
Nov 10 19:44:59 ip-xxx-xxx-xxx-xxx duo_openvpn.py: Duo OpenVPN: user macOS-MFA is not enrolled: Please enroll at https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■/portal?code= XXXXXXXX & akey = XXXXXXXXXX

I am really confused where the user account for macOS-MFA is stored, I have noticed that the username is used into the tutorial, but I want to use my own username.

Somebody knows how to manage the username for the validation with duo?

What tutorial has the “macOS-MFA” username?

The username passed to the Duo OpenVPN integration should come from the CN in your OpenVPN user certificate.

So maybe you need a different cert with your actual username as the CN?

Duo, not DUO.
Quick Links