> If anyone's got any good suggestions on how to do VPNs with 2FA
> on an OpenBSD gateway for non-technical users to access (iOS, Android,
> Windows clients) I'd love to hear them.
>
> I could bodge something together with openvpn and TOTP but it doesn't
> exactly spark joy.
Ideally the VPN server would authenticate clients with strong public-key cryptography (e.g., X25519) rather than with something like a password. WireGuard gives you no other choice: each peer is identified by its Curve25519 key pair, and there is no password mode. By that measure, bolting TOTP onto it would not really count as 2FA, since a TOTP generator and a private key are the same kind of factor (something you have), and TOTP is the weaker of the two because its seed is a symmetric secret that the server also stores, so whoever compromises the server can mint valid codes. There is, however, an indirect second factor already: most OSes make the user unlock the device with a password or biometrics (e.g., a fingerprint) before anything on it can be used, so to connect you must have the private key (first factor), and to use that key on the device you must first have unlocked it (second factor). The caveat is that the gateway cannot verify the unlock; it only ever sees the key, so a key copied off the device, or a device left unlocked, looks exactly like the legitimate user.
I am sure this is all information you already know, though, so I suppose I would go with Janne Johansson's approach: set up something that requires the user to enter a password after connecting to WireGuard, and only then let their traffic continue into the network. Password authentication is the part most likely to be attacked or bypassed, so it is better placed after the WireGuard handshake than before it: an attacker who does not hold a valid peer key never reaches the password prompt, so they cannot guess at passwords or even learn whether a guess was correct.
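One way to wire up that post-tunnel password gate on an OpenBSD gateway, as an added example rather than configuration from the original thread or from Janne Johansson's own setup: WireGuard authenticates the peer with its key, and pf then drops everything arriving from the tunnel except traffic to the password service until the peer's tunnel address has been added to a table. The interface name, addresses, table name, service port and the placeholder keys are all assumptions.

```conf
# /etc/hostname.wg0 (assumed layout; the key strings are placeholders, not real keys)
wgkey <server-private-key-base64>
wgport 51820
# one wgpeer line per client; giving each client its own /32 matters, because
# WireGuard's cryptokey routing drops any packet from that peer whose source
# address is not in its wgaip list, so the tunnel address below is bound to the key
wgpeer <client-public-key-base64> wgaip 10.9.0.2/32
inet 10.9.0.1 255.255.255.0
up

# /etc/pf.conf fragment
table <wg_authed> persist

# Weak setting: holding the WireGuard key alone is enough to reach the network.
# pass in on wg0

# Gated setting: a freshly connected peer may only talk to the password service
# on the gateway itself (assumed to listen on tcp/443); everything else from the
# tunnel is blocked until the peer's tunnel address lands in <wg_authed>.
# pf is last-match-wins without "quick", so the pass rules override the block.
block return in on wg0
pass in on wg0 proto tcp from 10.9.0.0/24 to (wg0) port 443
pass in on wg0 from <wg_authed>
```

Whatever checks the password only has to run `pfctl -t wg_authed -T add 10.9.0.2` on success and `pfctl -t wg_authed -T delete 10.9.0.2` on logout or timeout; it can trust the source address of the connection because the wgaip binding above already ties it to a specific key. OpenBSD's authpf(8) implements the same pattern out of the box (loading per-user pf rules when the user logs in over SSH and removing them when the session ends), so an SSH login over the tunnel with authpf as the shell is a ready-made version of the password step; the table above is the hand-rolled equivalent for a web form or similar.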