Duo Authentication

The Aviatrix OpenVPN® solution provides Duo authentication integration. This document helps you set up Duo to connect with Aviatrix. For more information on how to configure OpenVPN®, check out this link.

You need to first have a DUO account setup. If you do not have one, please see https://www.duosecurity.com/product

Get Duo API Credentials


This step requires admin privileges in Duo

You must first add an application to DUO for Aviatrix before you can connect. If you already have done this step previously, these same steps will take you to the API credentials needed to connect Aviatrix with this application.

  1. Log in to the Duo Admin Panel

  2. Navigate to Applications

  3. Click Protect an Application

  4. Search for OpenVPN in the application list

  5. Click Protect this Application

  6. The Integration key, Secret key and API hostname are displayed.


    You will need these values in Aviatrix to connect Aviatrix client to Duo


  7. (optional) Update the Settings fields as required

  8. (optional) Click Save Changes


You may need to adjust policies to allow this application to be visible to your users.

Connect Aviatrix VPN with Duo


You can setup DUO at both Aviatrix VPN Gateway launch time and after Aviatrix VPN gateway is launched. We highly recommend you configure DUO after the VPN gateway is launched.

  1. Follow the steps to create a new Aviatrix Gateway

  2. After the gateway is launched, at the Controller console, go to OpenVPN® -> Edit Config -> MODIFY AUTHENTICATION. Select DUO at the drop down menu.

  3. Populate Integration Key, Secret Key, and API Hostname from the values provided by Duo application details

  4. Update the Push Mode

    Push Mode Description
    Auto Duo sends a push notification to the user’s mobile device(s). The VPN client will wait for the user to accept this request before authenticating and proceeding.

    This setting allows users to control which method they would prefer to use for authentication. The server supports either Duo Push or Duo Passcode. The password prompt field of the VPN client is used to indicate which method is requested:

    o A value of #push indicates the user requests to receive a push notification.

    o A value of #<passcode> indicates the user is providing the token after the # to authorize.


    The # is required. If you are also connecting with LDAP, then the user’s LDAP password should be provided before the #.

    Token The user must enter the current Duo Passcode in the password field when prompted by the VPN client. If the client prompts for a username, any value is acceptable.
  5. Click Modify to have the action take effect.



You will need one Aviatrix VPN user to test. Validate that a VPN user is able to connect after receiving the push notification (or after entering a valid Passcode).

Using Push Mode of auto

  1. Connect your VPN client to the VPN gateway


    You should receive a push notification from Duo.

  2. Open the Duo Mobile app and select Confirm for the pending request


    Once you confirm the request, the VPN client should proceed to authenticate the user

  3. Verify you are connected and can access resources in the cloud

Using Push Mode of token

  1. Connect your VPN client to the VPN gateway


    You should receive a prompt to authenticate. If you do not receive a prompt, make sure auth-user-pass option is in the .ovpn configuration file.

  2. Open the Duo Mobile app and generate a new passcode.

  3. In the VPN user/password prompt, enter any value for the username field and enter the passcode from Duo Mobile app for the password

  4. Verify you are connected and can access resources in the cloud

  5. Note that you need to generate a new passcode for each connection.

Currently, selective authentication with DUO is broken if used when combined with LDAP. This bug is expected to be fixed in a later release.

OpenVPN is a registered trademark of OpenVPN Inc.