
# OpenVPN enable MFA

## Answer

A customer asked:

> I created the duo account and the ami with `--duo-version`.
> But I do not understand where to put the variables:
> ```
> duoIkey
> duoSkey
> duoHost
> ```

Repo: terraform-aws-openvpn

---

Tracked in ticket [#110453](https://support.gruntwork.io/hc/requests/110453) (2023-09-15).

These three values are consumed by the `init-openvpn` script that the [`install-openvpn`](https://github.com/gruntwork-io/terraform-aws-openvpn/tree/main/modules/install-openvpn) module installs on the server together with the OpenVPN package and its template files. You pass them as flags on the `init-openvpn` command line, which is normally run from the instance user data:

```shell
sudo init-openvpn \
  ... \
  --duo-ikey "${duo_ikey}" \
  --duo-skey "${duo_skey}" \
  --duo-host "${duo_host}" \
  ...
```

The [terraform-aws-openvpn](https://github.com/gruntwork-io/terraform-aws-openvpn) repo ships a working out-of-the-box [example](https://github.com/gruntwork-io/terraform-aws-openvpn/blob/92e519be6ee9f6f984efadf9f5fc8067ceb706c2/examples/openvpn-host-duo/user-data/user-data.sh#L38-L55) that does exactly this.

---

### The fastest way to deploy a test instance with Duo MFA

1. Download the `openvpn-admin` binary that will be baked into the AMI:

   ```shell
   GITHUB_OAUTH_TOKEN=<token> fetch \
     --repo="https://github.com/gruntwork-io/terraform-aws-openvpn" \
     --tag="v0.26.6" \
     --release-asset="openvpn-admin_linux_amd64" \
     /tmp
   ```

2. Build an AMI (Amazon Machine Image):

   ```shell
   packer build \
     -var aws_region=us-east-1 \
     -var openvpn_admin_binary=/tmp/openvpn-admin_linux_amd64 \
     -var active_git_branch=main \
     -var github_oauth_token=${GITHUB_OAUTH_TOKEN} \
     -only=ubuntu-20-build \
     ./examples/packer/build.json
   ```

3. Create a Duo account (if you don't already have one). From the Duo admin panel you need three values: _Integration key_, _Secret key_ and _API hostname_. Create an OpenVPN application and make sure that `Duo Mobile passcodes` is checked in the application policy.

4. Deploy the AWS infrastructure with [terragrunt](https://github.com/gruntwork-io/terragrunt). Create a `terragrunt.hcl` config, fill `inputs` with your values and run `terragrunt apply`. Treat `duo_skey` as a secret: it signs every request to Duo, so keep it out of version control (read it from an environment variable or a secrets store rather than hard-coding it in the file).

   ```hcl
   terraform {
     source = "git@github.com:gruntwork-io/terraform-aws-openvpn.git//examples/openvpn-host-duo"
   }

   inputs = {
     aws_account_id     = ""
     ami_id             = ""
     aws_region         = "us-east-1"
     backup_bucket_name = "openvpn-backups"
     keypair_name       = ""
     duo_ikey           = "" # Integration key
     duo_skey           = "" # Secret key
     duo_host           = "" # API hostname
   }
   ```

5. Install `openvpn-admin` on your computer:

   ```shell
   GITHUB_OAUTH_TOKEN=<token> gruntwork-install \
     --binary-name openvpn-admin \
     --repo https://github.com/gruntwork-io/terraform-aws-openvpn \
     --tag v0.26.6
   ```

6. Create OpenVPN accounts: `openvpn-admin request --aws-region us-east-1 --username foo`

7. To authenticate, enter the _passcode_ from Duo Mobile at the password prompt. For 2FA to work, the certificate username (the value of `--username` when running `openvpn-admin request`) must exactly match the Duo username.
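Before the three values go into `terragrunt.hcl` and from there into user data, it is worth checking them locally: a typo in the secret key only shows up after a packer build and a `terragrunt apply`, as a VPN login that never completes. The script below is an added example written for this article; it is not part of the Gruntwork module, the example user data, or the customer's setup. It assumes the value formats Duo documents (a 20-character integration key beginning with `DI`, a 40-character secret key, an API hostname of the form `api-<id>.duosecurity.com`) and Duo's Auth API request-signing scheme (HMAC-SHA1 over a canonical string of date, method, host, path and sorted query parameters, sent as HTTP Basic auth with the integration key as the username), and it calls Duo's `/auth/v2/check` endpoint, which exists to verify integration credentials. The function names and the `DUO_*` environment variables are my own; it needs only `sh`, `openssl` and `curl`.

```shell
#!/bin/sh
# Added example (not from the Gruntwork page or the terraform-aws-openvpn
# module): sanity-check duo_ikey / duo_skey / duo_host before baking them in.
# Assumptions, not stated on the page: Duo's documented key formats and the
# Duo Auth API v2 signing scheme (HMAC-SHA1 over a canonical string).
set -eu

# Shape checks. Catches the usual mistakes (pasting the wrong key type,
# stray whitespace, a hostname copied with "https://"). Prints one message
# per problem on stderr and returns 1 if anything is off.
validate_duo_params() { # $1 = ikey, $2 = skey, $3 = host
  rc=0
  if [ "${#1}" -ne 20 ] || [ "${1#DI}" = "$1" ]; then
    echo "duo_ikey: expected 20 characters starting with DI" >&2; rc=1
  fi
  if [ "${#2}" -ne 40 ]; then
    echo "duo_skey: expected 40 characters" >&2; rc=1
  fi
  case "$3" in
    api-*.duosecurity.com) ;;
    *) echo "duo_host: expected api-<id>.duosecurity.com, got '$3'" >&2; rc=1 ;;
  esac
  return "$rc"
}

# HMAC-SHA1 of stdin keyed with $1, printed as lowercase hex.
hmac_sha1_hex() {
  openssl dgst -sha1 -hmac "$1" | awk '{print $NF}'
}

# Canonical string that Duo signs:
#   date \n METHOD \n host \n path \n canonical-query-string
# $5 carries the query parameters already sorted by key and percent-encoded
# ("k1=v1&k2=v2"); /auth/v2/check takes none, so it is empty there.
# printf, not echo: the string must end exactly after the last field.
duo_canon_string() { # $1 = date, $2 = method, $3 = host, $4 = path, $5 = params
  printf '%s\n%s\n%s\n%s\n%s' "$1" \
    "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" \
    "$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')" \
    "$4" "$5"
}

# Request signature = HMAC-SHA1(skey, canonical string). The canonical string
# is piped rather than captured with $(...): command substitution strips a
# trailing newline (which is present when params is empty) and would silently
# produce a wrong signature.
duo_sign() { # $1 = skey, $2 = date, $3 = method, $4 = host, $5 = path, $6 = params
  duo_canon_string "$2" "$3" "$4" "$5" "$6" | hmac_sha1_hex "$1"
}

# Live check against /auth/v2/check (needs network access to the Duo host).
# Duo answers {"stat": "OK", ...} when ikey/skey/host are consistent; a 401
# means they are not. The Date header must be the same value that was signed.
duo_check() { # $1 = ikey, $2 = skey, $3 = host
  now=$(date -u '+%a, %d %b %Y %H:%M:%S -0000')   # RFC 2822 date
  sig=$(duo_sign "$2" "$now" GET "$3" /auth/v2/check "")
  curl -sS --fail "https://$3/auth/v2/check" \
    -H "Date: $now" \
    -H "Authorization: Basic $(printf '%s:%s' "$1" "$sig" | openssl base64 -A)"
}

# Usage: DUO_IKEY=... DUO_SKEY=... DUO_HOST=... sh duo-preflight.sh
# Does nothing when DUO_IKEY is unset, so the functions can also be sourced.
if [ -n "${DUO_IKEY:-}" ]; then
  validate_duo_params "$DUO_IKEY" "$DUO_SKEY" "$DUO_HOST"
  duo_check "$DUO_IKEY" "$DUO_SKEY" "$DUO_HOST"
fi
```

Run it with the three values from the Duo admin panel in `DUO_IKEY`, `DUO_SKEY` and `DUO_HOST`. A `{"stat": "OK"}` reply means the credentials work end to end; a 401 means one of them is wrong, which is much cheaper to learn here than after a packer build and a terragrunt apply. Because `duo_skey` is the key that signs every request to Duo, treat it like any other credential: pass it in from an environment variable or a secrets store rather than committing it in `terragrunt.hcl`.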