Adding another Factor to OpenVPN
-
Hey everyone,
Does anybody use OpenVPN on pfSense with another factor for security? I need to set up an OpenVPN server which:
- Uses login with a user cert
- Needs a password as well
- Needs an OTP token as well
Seeing the documentation on the RADIUS package shows me that you can use the OTP on the firewall, but it will only be a 4-6 digit PIN + the OTP, which is not "secure" enough.
So maybe Duo? Or what are your ways to go?
Thanks in advance!
-
@Gamienator-0 So you're wanting to make your users' experience just that much more difficult?
You have something they have (cert) and something they know (password); why make it even harder for them?
A 6-number PIN that changes every 30 seconds is not secure enough? Which is also another factor, since they need the app that generates the OTP... And more than likely have to auth with yet another password to even open up that app, etc.
Other factors that come into play: is their login to the machine different than the password for the VPN? Put a password on the cert as well if you want to make it even more "fun" for them.
Is the goal making it so difficult to remote in that nobody does? ;)
-
@johnpoz Well John,
They have a cert, but that is most likely saved in the config file :) We are driving a zero trust policy here, and having a cert on a device enables them on one part of the auth. The 30-sec digit is enough, but reading the documentation for MFA I see that you can enable that on the FreeRADIUS package, which means the 2FA token will be 10-14 digits long. True that.
Making the cert password protected could be a solution as well; I didn't think about this. But I'm not sure if the OpenVPN client (the newer one) can handle this. And since this is an admin-only VPN, yeah, we can make it as difficult as possible :)
-
@Gamienator-0 Yes, the OpenVPN client can handle a password on the cert.
As to the cert being saved: you could put it on a thumb drive if you wanted. But the device, be it a phone or a laptop or a tablet, is the thing they have, with the cert on it. Which again they most likely need to auth to in order to access this saved cert, etc.
If this is a work laptop the drive is most likely encrypted, if lost. And if you put a password on the cert, not only would they have to break the encryption of the drive, but also know or break the encryption for the password on the cert.
So they have to have the laptop, have to auth to the device's OS, which could also need a 2nd factor different than the VPN. Have to then know the password to the cert, then have to know the username+password to auth to the VPN. Also need the OTP, which you could have to auth to the OTP application for as well. I use Authy for my OTP, which can be set to require auth to even run. Not sure about the Google and MS apps, if they can also be set to require auth to even run, etc. And this would most likely be on a different device if a work laptop, for example, which will also have to auth to use.
Is that enough factors for you? ;)
- Device (laptop)
- Device password
- Possible device 2FA
- VPN cert
- Cert password
- VPN username+password
- OTP device (phone)
- OTP device password
- OTP software password
Pretty sure that should be enough.. Now they are ready to launch the nukes ;)
Even if you roll up the laptop to 1 device since it has the cert on it, you need to auth to it to access the cert, and you have to have this device, so that is 2FA right there. So cert password is 3FA, then username and password is 4FA, then the OTP device even without a password on the app you're at 6FA..
You could add restrictions on what IPs they can come from, either ASN, or ISP or region of the world, so now you're at 7FA. With a password on the OTP app you're at 8FA.
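The "password on the cert" step discussed above, as an added example (not code from either poster or from pfSense): wrap the OpenVPN client's private key with a passphrase using openssl and verify that the file alone no longer yields the key. It assumes openssl is on the PATH; the key, paths and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example: passphrase-protect an OpenVPN client key and check the result.
# Assumes openssl is installed. All files and the passphrase are throwaway demo values.
set -e

WORK="${WORK:-$(mktemp -d)}"
PLAIN_KEY="$WORK/client.key"      # key as issued (demo: generated locally)
ENC_KEY="$WORK/client.enc.key"    # what goes into the client's <key> block
PASSPHRASE="demo-passphrase-change-me"

# 1. Generate a throwaway client key (in practice this is the key from the pfSense CA).
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$PLAIN_KEY" 2>/dev/null
}

# 2. Re-wrap the key as PKCS#8 encrypted with AES-256 under the passphrase.
encrypt_key() {
    openssl pkey -in "$PLAIN_KEY" -aes256 -passout "pass:$PASSPHRASE" -out "$ENC_KEY"
}

# 3. Checks a defender would run before shipping the profile:
#    the file is marked encrypted, loads with the passphrase, and fails without it.
key_file_is_encrypted() {
    grep -q "ENCRYPTED PRIVATE KEY" "$ENC_KEY"
}
key_loads_with_pass() {
    openssl pkey -in "$ENC_KEY" -passin "pass:$PASSPHRASE" -noout 2>/dev/null
}
key_rejects_wrong_pass() {
    ! openssl pkey -in "$ENC_KEY" -passin "pass:wrong" -noout 2>/dev/null
}

gen_key
encrypt_key
key_file_is_encrypted && key_loads_with_pass && key_rejects_wrong_pass \
    && echo "encrypted key OK: $ENC_KEY"
```

The OpenVPN client prompts for the passphrase when it reads an encrypted key; the `askpass` option exists to read it from a file instead, which defeats the point and should stay unused on admin laptops.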