2FA in OpenVPN App
-
Indeed the app does not support 2fa yet, but since the frontend at least is developed by us at https://git.cloudron.io/cloudron/openvpn-app we can add this.
-
Indeed the app does not support 2fa yet, but since the frontend at least is developed by us at https://git.cloudron.io/cloudron/openvpn-app we can add this.
-
Indeed the app does not support 2fa yet, but since the frontend at least is developed by us at https://git.cloudron.io/cloudron/openvpn-app we can add this.
-
@nebulon I wanted to enable 2FA in frontend itself. Clients are connecting using certificates, so I believe those are pretty secure.
@sayedanowar9 One issue with just using the certs is that if a cert is misplaced (it's just a file after all) or got stolen (with all these npm/gems/pip post installation scripts anything can happen!), then one can connect to the VPN.
This is why most of the corporate VPNs have a passphrase or OTP to go along with the certificate. I have been meaning to implement this in the app for a while...
-
@sayedanowar9 One issue with just using the certs is that if a cert is misplaced (it's just a file after all) or got stolen (with all these npm/gems/pip post installation scripts anything can happen!), then one can connect to the VPN.
This is why most of the corporate VPNs have a passphrase or OTP to go along with the certificate. I have been meaning to implement this in the app for a while...
@girish Yes true, 2FA in OpenVPN connect is good to have. Importantly we need 2FA in FrontEnd is necessary as that one secured by password very likely user will reuse same password in all places or can provide very weak password.
So for now if you could enable 2FA in frontend that would be very helpful.
-
@girish Wanted to check back in on this thread. Is there a way to configure and require 2FA in order to connect a client to the OpenVPN server? I found a series of blog posts (starting with https://openvpn.net/blog/multi-factor-authentication-with-openvpn-community-edition/) that uses
oathtoolto do this, and curious to learn if those instructions would work on Cloudron as-is or if something more is required first. -
@sparkwise 2FA on the frontend is already there. I assume you mean 2FA for the VPN connection ?
@girish I believe so. We were using the "OpenVPN Connect" Mac app on the front-end, which supports this. My understanding is that the Cloudron build of the OpenVPN server would need to be built with the
libpam-google-authenticatorpackage, in order to enable a user to enable it from the app-specific terminal (and to configure the server app to require it.)I ended up going a different route (switching to AWS Client VPN) so this is no longer pressing for us, but I do think it would enable a nice security enhancement.
