
Hello all, 

NOTE: I'm documenting this here because I just spent a full work day trying to get Duo Security's OpenVPN two-factor authentication plugin working in the TurnKey OpenVPN appliance... and Google was very little help. If someone else comes along trying the same setup, hopefully they will find this helpful.


I got my OpenVPN appliance up and running, generated a user certificate and installed it on my MacBook in Tunnelblick. Connected fine without any issues. Woohoo!

Then I downloaded & built the source for Duo's 2FA plugin following the instructions here: https://www.duosecurity.com/docs/openvpn

It installed; I added it to the bottom of server.conf, restarted OpenVPN and tried to connect. That's when the problems began...

The first observed symptom was that on attempting to connect, OpenVPN would shut down. Searching the logs revealed this:

Could not create temporary file '/tmp/openvpn_acf_b63797cf86952c671087e8920d5f7a97.tmp': No such file or directory

Because I'm a programmer and not a Linux sysadmin, it took me a WHILE to notice the following in the TurnKey OpenVPN server.conf:
chroot /etc/openvpn/easy-rsa/keys/crl.jail

I was previously unfamiliar with the chroot command, but once I figured out what this was doing, I realized that the error message was exactly correct. There was no tmp folder located in /etc/openvpn/easy-rsa/keys/crl.jail.

No problem! I created a tmp folder there, changed the permissions to 1777 and finally, OpenVPN no longer shut down when it received a connection request. Instead, it would attempt to call the Duo plugin and eventually the client would time out.

Turns out the Duo OpenVPN plugin is not all contained in duo_openvpn.so... it calls a Python (or Perl, if you prefer) script to do its work. Since / was changed, the script was no longer where it was expected to be and was never executing.

Initially I tried copying the scripts where they would be found in the chroot jail but could not get that to work either. Admittedly, I gave up quickly... still sure that the chroot jail was the problem, I decided to take a different approach and just turn it off. I commented that part of the server.conf out like so:

# chroot /etc/openvpn/easy-rsa/keys/crl.jail
# crl-verify crl.pem
crl-verify /etc/openvpn/easy-rsa/keys/crl.jail/crl.pem

After sorting out a few permissions issues along that path, the Duo plugin started working perfectly.

I may revisit the chroot jail tomorrow and try to get the plugin working that way... if I do, I'll post back here... but for now it works. And hopefully, Google will save everyone else from this frustration.

Cheers,

-Matt

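The two failures in the post (no tmp directory inside the jail, and a helper script that is not reachable once OpenVPN has chrooted) come down to one rule: every path the plugin opens after chroot must exist underneath the jail directory. The following shell helpers, added here as an illustration and not part of the original post or of Duo's plugin, check a jail for a list of paths, create the sticky 1777 tmp directory, and stage a file into the jail at its original absolute path. The demo runs against a throwaway directory created with mktemp; /usr/bin/python is only an example of an interpreter path, so substitute whatever your plugin's script and interpreter actually are.

```sh
# check_jail JAIL PATH...
# Report each PATH (written as the plugin sees it after OpenVPN chroots,
# i.e. absolute) that does not exist underneath JAIL.
# Returns 1 if anything is missing, 0 if everything is present.
check_jail() {
    jail=$1
    shift
    missing=0
    for p in "$@"; do
        if [ ! -e "$jail$p" ]; then
            echo "missing in jail: $jail$p"
            missing=1
        fi
    done
    return "$missing"
}

# make_jail_tmp JAIL
# Create the world-writable, sticky tmp directory inside the jail; this is
# the "Could not create temporary file '/tmp/...'" fix from the post.
make_jail_tmp() {
    mkdir -p "$1/tmp" && chmod 1777 "$1/tmp"
}

# jail_tmp_ok JAIL
# True if JAIL/tmp exists with mode 1777 (ls shows drwxrwxrwt).
jail_tmp_ok() {
    [ -d "$1/tmp" ] && ls -ld "$1/tmp" | grep -q '^drwxrwxrwt'
}

# stage_into_jail JAIL FILE
# Copy FILE into the jail at the same absolute path, so code that opens
# FILE after chroot finds it.  It does NOT pull in the shared libraries or
# Python/Perl modules an interpreter needs; stage those separately.
stage_into_jail() {
    mkdir -p "$1$(dirname "$2")" && cp "$2" "$1$2"
}

# Demo on a throwaway directory (constructed here, not the real crl.jail).
# /usr/bin/python is an assumed example path, not taken from the post.
demo_jail=$(mktemp -d)
check_jail "$demo_jail" /tmp /usr/bin/python || echo "jail incomplete, as expected"
make_jail_tmp "$demo_jail"
jail_tmp_ok "$demo_jail" && echo "tmp is ready inside $demo_jail"
rm -rf "$demo_jail"
```

Run check_jail with the real jail directory from server.conf (/etc/openvpn/easy-rsa/keys/crl.jail in the appliance) and the script and interpreter paths your plugin is configured to call; anything it reports missing will fail in exactly the way described above once OpenVPN drops into the jail.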
Liraz Siri:

Wow, great write-up Matt. I'm sure anyone that runs into the same problem is going to appreciate your documentation of the solution.

If my Google experiences are anything to go by, whenever you get too close to the boundaries of where "no man has gone before" Google stops being helpful. I'm guessing you may have been one of the first people to run into that issue...
