Posted: 5/24/2017 6:02:11 PM EDT
I only started poking at this in September... and started looking at it in anger a few days ago. Today I finally got a successful VPN login using their soft token / phone app. 

PSA -- when you're moving back and forth between naming systems, be sure to keep close track of your -s and _s.
PSA 2 -- If you're on a timeline, try not to work for a cheap company that makes you take the free / community-supported path for things.

Most of the challenge, well, apart from having no paid support and no background in RADIUS or MFA/2FA, is that neither company had specific instructions for interoperability with the other. Worse, Duo had a nice instruction set for the Barracuda SSL VPN appliance, but not the 'different enough to be a real problem' NG firewall VPN module.

At some point I'll document the crap out of this and submit to both companies. For now, I'm going home and having something cold to drink. 
Link Posted: 5/24/2017 8:49:21 PM EDT
[#1]
Nicely done.

That sounds like a royal pain in the ass!
Link Posted: 5/24/2017 10:39:49 PM EDT
[#2]
Once I buckled down and started seriously focusing on it, it started coming together. Piece by agonizing piece. 

It was actually a good re-introduction to troubleshooting, dissecting the problem, and improvising. 
OK, The Barracuda guy showed me how to get Wireshark captures from the firewall, but I lost that command...
OK, the Duo dashboard shows no auth attempts getting that far.
OK, the Duo VM has no UI, so I have to figure out old-school ways to see what's happening.
OK, if I look deeply at the Duo log, I can see that the LDAP / AD connection is failing.
OK, if I enable and look at the Duo VM firewall logs, I can see who is trying to talk to whom.
OK, if I check the security event log on one of the DCs that is not responding, I can see what's up with the auth attempt.
OK, if I check the sub-code on the event, I see it's a bad ID or password.
OK, if I check the sub-sub-code on the event, I see it's an unknown ID.
OK, if I compare the Duo log and the Event, I see I can't tell the difference between _ and -.
OK, if I flip back to my 8th buried window, I see that 'some dumbass' forgot to restart the Duo auth service.
etc, etc, and so on....
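The post above is working backwards through the chain firewall -> RADIUS -> Duo proxy -> AD. Two of the links in that chain are easy to reproduce offline: what a RADIUS client (the VPN module) actually puts on the wire in a PAP Access-Request, and why a shared-secret mismatch looks like "nothing ever arrives" rather than a clean reject. The following is an added example, not code from the thread, from Barracuda or from Duo: a minimal RFC 2865 Access-Request/Access-Accept exchange simulated in memory, with the RADIUS listener's primary-auth step standing in for the proxy's AD lookup. The user, password, NAS name and shared secret are all constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

# Constructed sample data: one AD-style user and the shared secret both sides
# are supposed to be configured with. None of this comes from the thread.
SECRET = b"example-shared-secret"
USERS = {"j_doe": b"Correct-Horse-Battery"}


def encode_pap_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is the
    request authenticator. This is obfuscation, not encryption, which is why
    RADIUS/PAP belongs on a trusted segment, not across an untrusted network."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_pap_password(encoded: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")  # strips the padding (and any real trailing NULs)


def _attrs(attrs) -> bytes:
    # Each attribute is Type(1) Length(1, header included) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident, username, password, secret, req_auth):
    body = _attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, req_auth)),
        (ATTR_NAS_IDENTIFIER, b"vpn-gateway"),  # hypothetical NAS name
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def build_response(code, ident, req_auth, secret, attrs=()):
    body = _attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    _, _, resp_auth, _ = parse_packet(resp)
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def radius_server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Stand-in for the listener's primary-auth step (not Duo's code):
    unwrap the PAP password and check it against the user store."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    password = decode_pap_password(a[ATTR_USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(users.get(a[ATTR_USER_NAME].decode(), b""), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def authenticate(username: str, password: str, client_secret: bytes,
                 server_secret: bytes = SECRET) -> str:
    """One client/server round trip in memory. Returns 'accept', 'reject', or
    'discard': the response authenticator did not verify, so the client must
    drop the packet, which is exactly what a shared-secret mismatch looks like."""
    req_auth = os.urandom(16)
    req = build_access_request(7, username, password, client_secret, req_auth)
    resp = radius_server_handle(req, server_secret, USERS)
    if not verify_response(resp, req_auth, client_secret):
        return "discard"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[parse_packet(resp)[0]]


if __name__ == "__main__":
    print(authenticate("j_doe", "Correct-Horse-Battery", SECRET))   # accept
    print(authenticate("j-doe", "Correct-Horse-Battery", SECRET))   # reject: - vs _
    print(authenticate("j_doe", "Correct-Horse-Battery", b"typo"))  # discard
```

The third call is the case worth remembering from the troubleshooting list: with a wrong secret the server still answers (it just decodes a garbage password and rejects), but the client can no longer verify the reply, so the VPN side reports a timeout and nothing useful shows up downstream. The second call is the -/_ mix-up from the PSA, which does get as far as the user store and fails there as an unknown ID.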
Link Posted: 5/25/2017 10:22:33 AM EDT
[#3]
Quoted:
OK, the Duo VM has no UI, so I have to figure out old-school ways to see what's happening.
Sounds like you had to set up a Duo Authentication Proxy.

We have been able to avoid running one in our infrastructure since all the areas we needed to multifactor had direct Duo integrations.

But since we assimilated some infrastructure from other departments, we may end up having to run one to protect hosts that are not supported by a direct integration (e.g. hosts not utilizing the central user store).
Link Posted: 5/25/2017 10:40:09 AM EDT
[#4]
Right on the nose. Barracuda offers support for various, eminently Affordable at Very Small Scale vendors like RSA, but nothing suitable for us. Their devs said Google Authenticator support was on schedule for Q1, but Q1 came and went. Too bad my requirement wasn't as flexible.

The Barracuda DOES support RADIUS though. The answer is a little more piecemeal than direct AD authentication, but the Duo proxy does allow for AD to be the primary auth, so it still works. It's just not as polished as it could be.

I was originally looking at the on-prem Microsoft MFA server, and it looked like it would work nicely... Then I ran into their licensing. Fighting through that mess to find a cost was not worth the effort, so I trashed that VM and started with Duo.
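The layout described in the post (firewall talks RADIUS to the proxy, the proxy checks the password against AD and then pushes the second factor) maps onto two sections of the proxy's authproxy.cfg. The following is an added, illustrative configuration, not the poster's file and not Duo's or Barracuda's documentation; every hostname, DN, address and secret is a placeholder, and the [main] debug line is there only because it is the switch for the log the post had to dig through.

```ini
[main]
; Verbose authproxy.log while you are still chasing failures; turn it off afterwards.
debug=true

; Primary authentication: the proxy binds to AD with a low-privilege service
; account and checks the user's password there. Two hosts gives you a fallback DC.
[ad_client]
host=dc1.corp.example
host_2=dc2.corp.example
service_account_username=svc-duoproxy
service_account_password=REPLACE_ME
search_dn=DC=corp,DC=example
; Optional: only members of this group may even attempt the VPN login.
security_group_dn=CN=VPN-Users,OU=Groups,DC=corp,DC=example

; RADIUS listener the firewall's VPN module points at. After ad_client says
; yes, the proxy calls Duo and the user approves the push / enters a passcode.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME_WITH_THE_40_CHAR_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
radius_ip_1=192.0.2.10
radius_secret_1=REPLACE_ME_SAME_STRING_AS_ON_THE_FIREWALL
port=1812
; secure = reject everyone if the Duo cloud is unreachable; safe = let primary-auth-only through.
failmode=secure
```

Two checks worth making before blaming either vendor: radius_ip_1 must be the address the firewall actually sends from (not a management or NAT'd address, which is where the VM's own firewall log helps), and radius_secret_1 must match the firewall's RADIUS secret character for character. And, as the thread found the hard way, the proxy only rereads this file when its service is restarted.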
Link Posted: 5/25/2017 4:13:27 PM EDT
[#5]
The cool thing about the AuthProxy is that you can now use that for any RADIUS-based authentication. It's not specific to just your Barracuda box.
Link Posted: 5/25/2017 4:37:11 PM EDT
[#6]
Quoted:
The cool thing about the AuthProxy is that you can now use that for any RADIUS-based authentication. It's not specific to just your Barracuda box.
Yup.
 :-)
Link Posted: 5/26/2017 10:01:20 AM EDT
[#7]
I don't know what any of this means but I'm really proud of myself for learning pfSense...
Link Posted: 5/26/2017 6:39:29 PM EDT
[#8]
Quoted:
I don't know what any of this means but I'm really proud of myself for learning pfSense...
Duo might integrate with pfSense... ;-)

Yep - pfSense has RADIUS support. Probably like using bricks to kill flies in your context, but it _could_ work.