Netgate Discussion Forum
    Adding another Factor to OpenVPN
    • Gamienator 0:

      Hey everyone,

      Does anybody use OpenVPN on pfSense with another factor for security? I need to set up an OpenVPN server which:

      • Uses login with a user cert
      • Needs a password as well
      • Needs an OTP token as well

      Looking at the documentation for the RADIUS package shows me that you can use the OTP on the firewall, but it will only be a 4-6 digit PIN + the OTP, which is not "secure" enough.

      So maybe DUO? Or what are your ways to go?

      Thanks in advance!

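      The "PIN + OTP" scheme mentioned above, as an added example that is not from this thread and not the pfSense FreeRADIUS package's own code: a verifier that splits the submitted string into a PIN and a trailing RFC 6238 TOTP, checks both with constant-time compares, tolerates one time step of clock drift, and refuses a replayed code. The seed, PIN and timestamp are constructed demo values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo values (not from the thread): a base32 TOTP seed and a user PIN.
DEMO_SEED_B32 = "JBSWY3DPEHPK3PXP"
DEMO_PIN = "4711"
TOTP_STEP = 30      # seconds per time step
TOTP_DIGITS = 6     # digits in the OTP part of the password


def totp(seed_b32, timestamp, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix time."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", int(timestamp) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PinOtpVerifier:
    """Verifies one user's 'PIN + OTP' password string (PIN first, OTP last)."""

    def __init__(self, pin, seed_b32, window=1):
        self.pin = pin
        self.seed_b32 = seed_b32
        self.window = window      # accepted clock drift, in time steps each way
        self.last_counter = -1    # replay guard: highest time step already accepted

    def verify(self, submitted, now):
        if len(submitted) <= TOTP_DIGITS:
            return False
        pin_part, otp_part = submitted[:-TOTP_DIGITS], submitted[-TOTP_DIGITS:]
        pin_ok = hmac.compare_digest(pin_part.encode(), self.pin.encode())
        matched = None
        base = int(now) // TOTP_STEP
        for counter in range(base - self.window, base + self.window + 1):
            expected = totp(self.seed_b32, counter * TOTP_STEP)
            if hmac.compare_digest(expected.encode(), otp_part.encode()):
                matched = counter  # keep looping so timing does not reveal which step matched
        # Reject a wrong PIN, a code outside the window, or a code already used.
        if not pin_ok or matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True
```

      The replay guard is the part most simple TOTP checks leave out: within one 30-second step a captured code is otherwise still valid.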
      • johnpoz (LAYER 8 Global Moderator), replying to Gamienator 0:

        @Gamienator-0 So you're wanting to make your users' experience just that much more difficult?

        You have something they have (cert) and something they know (password); why make it even harder for them?

        A 6-number PIN that changes every 30 seconds is not secure enough? Which is also another factor: they need the app that generates the OTP, and more than likely have to auth with yet another password to even open that app, etc.

        Other factors that come into play: is their login to the machine different from the password for the VPN? Put a password on the cert as well if you want to make it even more "fun" for them.

        Is the goal making it so difficult to remote in that nobody does? ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Gamienator 0, replying to johnpoz:

          @johnpoz Well John,

          they have a cert, but that is most likely saved in the config file :) We are driving a zero trust policy here, and having a cert on a device enables them on one part of the auth. The 30 sec digit is enough, but reading the documentation for MFA I see that you can enable that on the FreeRADIUS package, which means the 2FA token will be 10-14 digits long. True that.

          Making the cert password protected could be a solution as well; I didn't think about this. But I'm not sure if the OpenVPN client (the newer one) can handle this. And since this is an admin-only VPN, yeah, we can make it as difficult as possible :)

          • johnpoz (LAYER 8 Global Moderator), replying to Gamienator 0:

            @Gamienator-0 Yes, the OpenVPN client can handle a password on the cert.

            As to the cert being saved: you could put it on a thumb drive if you wanted. But the device, be it a phone or a laptop or a tablet, is the thing they have, with the cert on it. Which again they most likely need to auth to in order to access this saved cert, etc.

            If this is a work laptop the drive is most likely encrypted, if lost. And if you put a password on the cert, not only would they have to break the encryption of the drive, but also know or break the encryption for the password on the cert.

            So they have to have the laptop, and have to auth to the device's OS, which could also need a 2nd factor different from the VPN. They then have to know the password to the cert, then have to know the username+password to auth to the VPN. They also need the OTP, and you could have to auth to the OTP application as well.. I use Authy for my OTP, which can be set to require auth to even run. Not sure about the Google and MS apps, whether they can also be set to require auth to even run, etc. And this would most likely be on a different device if it's a work laptop, for example, which will also need auth to use.

            Is that enough factors for you? ;)

            Device (laptop)
            Device password
            Possible Device 2FA
            VPN Cert
            Cert Password
            VPN username+password
            OTP Device (phone)
            OTP device password
            OTP software password

            Pretty sure that should be enough.. Now they are ready to launch the nukes ;)

            Even if you roll up the laptop to 1 device since it has the cert on it, you need to auth to it to access the cert, and you have to have this device, so that is 2FA right there. So cert password is 3FA, then username and password is 4FA, then the OTP device even without a password on the app you're at 6FA..

            You could add restrictions on what IPs they can come from, either ASN, or ISP, or region of the world, so now you're at 7FA. With a password on the OTP app you're at 8FA.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.