Latest OpenVPN Update (v2.4.1-2) Breaks duo_openvpn.so


#1

I recently patched my Fedora 25 system and the patch upgraded OpenVPN to openvpn-2.4.1-2.fc25.x86_64. This patch caused the following error message to be displayed when starting up openvpn:

   Options error: Unrecognized option or missing or extra parameter(s) in openvpn.conf:79: plugin (2.4.1)

Line 79 in my openvpn.conf file is:

   plugin /opt/duo/duo_openvpn.so <auth data>

The duo_openvpn.so configuration worked perfectly before I upgraded openvpn. I tried rebuilding and reinstalling the duosecurity openvpn plugin using the steps in https://duo.com/docs/openvpn, but this did not resolve the problem. Is there a known solution for this problem, or is a patch needed for the duosecurity openvpn plugin?


#2

Hi Chris,

I checked with our Support Team and this error is most often caused by incorrect IKEY, SKEY, and/or API hostname values on that line per the documentation here: https://duo.com/docs/openvpn#configure-the-server. If you’ve created a new application in the Duo Admin Panel, those values would be new, so please confirm they exactly match the values specified in the application’s details in the admin panel.

If you have verified and re-entered those values and are still unable to resolve the error, please contact our Support Team so they can troubleshoot with you further. Thanks!


#3

Thanks Dooley. The only thing I did was update openvpn which caused the
duo security plugin for openvpn to fail when starting the openvpn daemon. The
IKEY, SKEY, and API hostname match the values in my Duo Admin Panel. I
will plan to contact the Support Team.

My last option is to just revert back to the previous openvpn version. I
am pretty sure this will work.

Thanks,

Chris


#4

Just to close the loop on this, after further investigation by our Engineering Team, we’ve updated our documentation at https://duo.com/docs/openvpn#configure-the-server to show that OpenVPN version 2.4 and later requires the format:

   plugin /opt/duo/duo_openvpn.so 'IKEY SKEY HOST'

Versions 2.3 and earlier do not need the single quotes. Further discussion on GitHub here: https://github.com/duosecurity/duo_openvpn/issues/19. Thanks again for reporting this!
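
A pre-upgrade check for the format change described in post #4, as an added example that is not part of the original thread or Duo's code: it scans an openvpn.conf for the duo_openvpn.so plugin line and flags unquoted values when the target OpenVPN version is 2.4 or later. Python's shlex stands in for OpenVPN's own quote handling (an assumption), and the function names and sample values are hypothetical.

```python
import re
import shlex

# Constructed sample; the three values are placeholders, not real credentials.
SAMPLE_CONF = """\
port 1194
# plugin /opt/duo/duo_openvpn.so old commented line
plugin /opt/duo/duo_openvpn.so EXAMPLE_IKEY EXAMPLE_SKEY api-example.invalid
"""

def parse_version(text):
    """Return (major, minor) from a string such as '2.4.1' or '2.4.1-2.fc25'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2))

def check_duo_plugin_lines(conf_text, openvpn_version):
    """Return (line_no, problem, suggested_line) tuples for Duo plugin lines."""
    needs_quotes = parse_version(openvpn_version) >= (2, 4)
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or config comment
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            findings.append((line_no, "unbalanced quotes", None))
            continue
        if len(tokens) < 2 or tokens[0] != "plugin" or not tokens[1].endswith("duo_openvpn.so"):
            continue
        args = tokens[2:]
        # Count the values whether they arrive as one quoted string or as separate words.
        values = [v for a in args for v in a.split()]
        if len(values) != 3:
            findings.append((line_no, f"expected IKEY SKEY HOST, found {len(values)} value(s)", None))
        elif needs_quotes and len(args) != 1:
            # The suggested line contains the SKEY: write it to the config, do not log it.
            fixed = f"plugin {tokens[1]} '{' '.join(values)}'"
            findings.append((line_no, "OpenVPN 2.4+ needs the three values in one quoted string", fixed))
    return findings
```

Run it against the live config with the version string of the package about to be installed; an empty list means the plugin line already matches the format that version expects.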


#5

Thanks… that worked! I gave up on using DuoSecurity so I am glad I can
go back to using it again.

Regards,

Chris