This tutorial explains how to configure Duo for single sign-on to Pritunl. Users will authenticate through Duo when downloading VPN profiles and before each VPN connection. Although Duo can be used independently, for best security it should be used in combination with another single sign-on provider. If Duo is used in combination with another provider, the user will need to authenticate with Duo when downloading VPN profiles and before each VPN connection. VPN reconnections will not require a Duo authentication; this can be changed with the Two-Step Authentication Cache settings.
In the Duo admin interface, select Applications, then click Protect an Application and search for OpenVPN. Then click Protect this Application. Once the application has been created, set the Name to Pritunl and set Username normalization to Simple. Then click Save Changes.
Once the Duo app has been configured, open the Pritunl settings and set Single Sign-On to Duo or one of the combinations including Duo. Then copy the Integration key to Duo Integration Key, the Secret key to Duo Secret Key and the API hostname to Duo API Hostname.
Pritunl supports several Duo modes. The Push mode will send a push authentication request to the user's mobile device. The Phone Callback mode will call the user's phone and ask the user to approve the authentication request. The Passcode mode will require the user to enter the passcode from the Duo mobile app or a hardware token from Duo. The Push + Phone Callback mode will use a phone callback if the user does not have the Duo mobile app installed.