OpenVpn Plugin Not sending requests to duo


#1

We are attempting to hookup duo to our OpenVPN server. We are running OpenVPN version 2.3.10 on Ubuntu 16.04. We followed the steps in the setup guide. Looking for duo on our syslog, we get no errors and our openVPN log is the same. It looks like it makes a request to duo (i’ve pinged our api url to ensure we can connect to it and it pinged fine), but There are no failed or passing authentication in our duo authentication log. It’s like the request is never actually hitting the endpoint.

Here is the grep duo syslog All sensitive information has been taken out:
PLUGIN_INIT: POST /opt/duo/duo_openvpn.so ‘[/opt/duo/duo_openvpn.so] [] [] []’ intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
ovpn-server[7415]: PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
ovpn-server[7415]: PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
ovpn-server[7415]: PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
ovpn-server[7415]: PLUGIN_CLOSE: /opt/duo/duo_openvpn.so

and here is the openvpn.log, all sensitive informaiton removed:
TLS: Initial packet from [AF_INET], sid=
CRL CHECK OK: CN=
VERIFY OK: depth=1, CN=
CRL CHECK OK: CN=
VERIFY OK: depth=0, CN=
PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
TLS: Username/Password authentication deferred for username ''
Data Channel Encrypt: Cipher ‘AES-128-CBC’ initialized with 128 bit key
Data Channel Encrypt: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Data Channel Decrypt: Cipher ‘AES-128-CBC’ initialized with 128 bit key
Data Channel Decrypt: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES128-GCM-SHA256, 3072 bit RSA
[] Peer Connection Initiated with [AF_INET]
PUSH: Received control message: 'PUSH_REQUEST’
SIGTERM[soft,delayed-exit] received, client-instance exiting

edit: I have verified that openvpn connects without the duo plugin


#2

The fix for this was to install python. We were using python3 but apparently python2 was required. a simple apt install python fixed this issue. It should be documented in the openvpn plugin page that python2 is required. It’s nuts that it didn’t even throw an error about python.


#3

Thanks, we’ve noted specifically that python2 is required. Thanks for using Duo!