Created by Yuriy Andamasov, Modified on Thu, 27 Apr, 2023 at 5:04 AM by Aslan Hajiyev
Using Duo two-factor authentication (2FA) with OpenVPN on VyOS requires installing an additional plugin.
Download the plugin package to your router and install it (the package contains the required plugin and helper files):
curl http://dev.packages.vyos.net/tmp/openvpn-plugin-duo_2.4_amd64.deb -O
sudo dpkg -i openvpn-plugin-duo_2.4_amd64.deb
Following the documentation on the Duo site, configure the OpenVPN instance: https://duo.com/docs/openvpn
Get the integration key, secret key, and API hostname from the Duo control panel, then add the following commands to VyOS to activate the plugin:
set interfaces openvpn vtunX openvpn-option '--plugin /usr/lib/openvpn/duo/duo_openvpn.so IKEY SKEY HOST'
set interfaces openvpn vtunX openvpn-option 'reneg-sec 0'
Where IKEY is the integration key, SKEY the secret key, and HOST the API hostname.
Full OpenVPN configuration:
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 openvpn-option '--plugin /usr/lib/openvpn/duo/duo_openvpn.so XXX YYY api-zzz.duosecurity.com'
set interfaces openvpn vtun10 openvpn-option 'reneg-sec 0'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server push-route '100.64.0.0/24'
set interfaces openvpn vtun10 server subnet '10.23.1.0/24'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/ovpn/central.crt'
set interfaces openvpn vtun10 tls crl-file '/config/auth/ovpn/crl.pem'
set interfaces openvpn vtun10 tls dh-file '/config/auth/ovpn/dh.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/ovpn/central.key'
How to generate the cryptographic material (CA, server certificate, key, DH parameters and CRL) is described in the following article: https://support.vyos.io/en/kb/articles/using-easy-rsa-to-generate-x-509-certificates-and-keys-2
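The two points a practitioner usually wants to verify after this procedure are that the package installed with dpkg is the one they intended (the article's download URL is plain http, so an integrity check before installation is worth having) and that the rendered OpenVPN configuration carries both the Duo plugin line and 'reneg-sec 0' (OpenVPN renegotiates the session every 3600 seconds by default, and each renegotiation re-runs the plugin, so without 'reneg-sec 0' users get a fresh Duo prompt every hour). The script below is an added example, not part of the VyOS article or the Duo plugin; the expected SHA-256 value, the sample config files it writes and the file paths are constructed placeholders, and the path of the rendered OpenVPN config on a real router varies by VyOS version.

```shell
#!/bin/sh
# Added example (not from the VyOS KB article or the Duo plugin).
# Two post-install checks for the Duo/OpenVPN setup described above:
#   1. verify_package  - compare a downloaded .deb against an expected SHA-256
#   2. check_duo_config - confirm the rendered OpenVPN config loads the Duo
#      plugin and disables periodic renegotiation with 'reneg-sec 0'
# All hashes, file names and config contents below are constructed samples.

# verify_package FILE EXPECTED_SHA256
# Returns 0 when the file's SHA-256 matches EXPECTED_SHA256, 1 otherwise.
verify_package() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# check_duo_config FILE
# Returns 0 only when FILE contains a plugin line loading duo_openvpn.so
# AND a 'reneg-sec 0' line; explains the missing piece on stderr otherwise.
check_duo_config() {
    grep -q 'plugin .*duo_openvpn\.so' "$1" \
        || { echo "$1: Duo plugin line missing" >&2; return 1; }
    grep -Eq '^(--)?reneg-sec[[:space:]]+0[[:space:]]*$' "$1" \
        || { echo "$1: 'reneg-sec 0' missing, users will be re-prompted hourly" >&2; return 1; }
    return 0
}

# make_samples DIR
# Writes two constructed OpenVPN config fragments into DIR: good.conf mirrors
# the article's settings, bad.conf omits 'reneg-sec 0'.
make_samples() {
    cat > "$1/good.conf" <<'EOF'
mode server
proto udp
port 1194
--plugin /usr/lib/openvpn/duo/duo_openvpn.so IKEY-PLACEHOLDER SKEY-PLACEHOLDER api-zzz.duosecurity.com
reneg-sec 0
EOF
    cat > "$1/bad.conf" <<'EOF'
mode server
proto udp
port 1194
--plugin /usr/lib/openvpn/duo/duo_openvpn.so IKEY-PLACEHOLDER SKEY-PLACEHOLDER api-zzz.duosecurity.com
EOF
}

# Demo run on constructed data (safe to execute anywhere, no network needed).
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_duo_config "$demo_dir/good.conf" && echo "good.conf: OK"
check_duo_config "$demo_dir/bad.conf"  || echo "bad.conf: rejected as expected"

# Simulate a downloaded package and check it against a deliberately wrong,
# placeholder hash so the mismatch path is exercised.
printf 'not-a-real-deb\n' > "$demo_dir/openvpn-plugin-duo.deb"
if verify_package "$demo_dir/openvpn-plugin-duo.deb" "0000000000000000000000000000000000000000000000000000000000000000"; then
    echo "hash matched (unexpected for the placeholder)"
else
    echo "hash mismatch: do not run dpkg -i on this file"
fi
rm -rf "$demo_dir"
```

On a router you would call verify_package against the real .deb with the checksum obtained from the package source, and check_duo_config against the OpenVPN config VyOS renders for vtun10 after 'commit'.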