OpenVPN Server with TOTP 2FA

Hello there,

I was wondering if there are documented approaches for enabling 2FA to my OpenVPN server with TOTP codes.

I found this, this and this, but nothing concrete in regard to OpenVPN + 2FA, other than the GAuth plugin, which is outdated for OWRT version 18.06.4.

Question: Is there a way in which I can enable this for OpenVPN (OpenWRT version)? If so, can you please point me to resources or something for achieving this?

Thanks!

Something to think about is that often one needs to access their router because they have no Internet connectivity, which means you likely can't use an Internet-based 2FA system, which means you may be locked out of your router, which means that ....


It depends. I'm assuming that if I set up MFA on a VPN server, it is because I have Internet connectivity; otherwise, with or without 2FA, I'll be unable to remotely reach my local network.
The only MFA deployment that I can think of in my network is for the VPN server.


This depends on the 2FA vendor; some will let you fail depending on conditions you can set.

I use WireGuard, not OpenVPN, so I can't help you there.
However, https://github.com/duosecurity/duo_openvpn doesn't look like it has been updated for a while; have you tried building it for OpenWrt?
Drop me a line if you can't, and I'll try to compile it when I have the time.

duo_unix does compile for OpenWrt; I use it to secure OpenSSH access via 2FA: https://github.com/Strykar/openwrt_packages/blob/master/duo_unix/Makefile