PRITUNL API KEY PASSWORD
When OpenVPN is configured with certificate authentication as the primary authentication factor, Duo uses the OpenVPN password field as the input mechanism for the secondary authentication factor. For example: $ openvpn -config client.ovpn -auth-retry interact
Set the auth-retry option to a value of interact when running the client. This mechanism is supported in the open-source client starting with version 2.2, but you usually must enable it explicitly.įirst, make sure you’re running version 2.2 or later of the openvpn client: $ openvpn -version You may need to enable the dynamic challenge-response mechanism in your OpenVPN client. If you specified the reneg-sec option in the server configuration above, be sure to also include it in your client configuration file: reneg-sec 0 The auth-user-pass line in the client config will cause the OpenVPN client to prompt the user for an additional password (described in more detail below) to authenticate. Configure the ClientĮnsure that the following line is present in the OpenVPN client configuration file of all of your users: auth-user-pass Save the configuration file and restart the OpenVPN server for the changes to take effect. If your OpenVPN version is below 2.2, then you should instead set reneg-sec to a very large value. Old versions of OpenVPN may fail to connect with reneg-sec set to 0. Therefore, we recommend disabling reneg-sec by setting it to 0 in your server configuration file: reneg-sec 0 If your user's VPN client saves the password and automatically reauthenticates with it, this may cause issues with the user receiving unexpected push notifications or their client replaying a one-time passcode. This setting defaults to 3600 seconds, which means your users must reauthenticate every hour. This option will determine how often OpenVPN forces a renegotiation, thereby requiring the user to reauthenticate with Duo. We also recommend setting the reneg-sec option in the server configuration file. OpenVPN 2.3 or earlier: plugin /opt/duo/duo_openvpn.so IKEY SKEY HOSTīe sure to replace IKEY, SKEY, and HOST on the plugin line with the integration key, secret key, and API hostname from your OpenVPN application's properties page in the Duo Admin Panel. OpenVPN 2.4 and later: plugin /opt/duo/duo_openvpn.so 'IKEY SKEY HOST' etc/openvpn/nf or /etc/openvpn/nf) and append the following line to it: Open your OpenVPN server configuration file (e.g. The duo_openvpn.so plugin and duo_openvpn.py Python helper script will be installed into /opt/duo.
PRITUNL API KEY INSTALL
Then simply extract, build, and install the plugin.
PRITUNL API KEY DOWNLOAD
To get started with the Duo OpenVPN plugin, download the Duo OpenVPN v2.4 plugin.
"push", "phone", "sms") as their OpenVPN password. Users will provide a passcode or factor identifier (eg.Support for OpenVPN deployments with password authentication may be supported in the future. Duo only integrates with OpenVPN servers that employ certificate authentication and use a unique common name (CN) in each user's cert.
PRITUNL API KEY HOW TO
First Stepsīefore moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. If your organization requires IP-based rules, please review this Duo KB article. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. This application communicates with Duo's service on TCP port 443.
0 kommentar(er)
