[Solved] Wireguard VPN server and 2FA?

I run a (private) network consisting of, by now, 8 OpenWrt-based WireGuard servers.
My question is whether it is intended to equip OpenWrt with a module for 2-factor authentication at login. (Or have I just not found this module so far?)
I am looking forward to goal-oriented answers.
(And please excuse my "DeepL-English". Unfortunately I only speak German).

Best regards! Peter

You can use PSK as a second factor and it can be unique for each client.
To make it canonical 2FA, patch the client to read PSK from some token.

Thanks for your reply!

Of course, all my connections (between the 8 servers and 48 clients in total) each have their own PSK in addition to their keys.

I am not concerned with the connection between the WG servers or the clients to their assigned server.
I am concerned with secure access as root on the GUI of my widely distributed servers. Of course the WG servers are always with reliable and trusted people to me and of course they have a good password for this access. But I consider a 2FA for such security critical applications as timely and necessary. (This is NOT meant to be a criticism of OpenWrt! Just a wish).
And: I am unfortunately not able to develop an add-on there myself.

Many greetings Peter

Translated with www.DeepL.com/Translator (free version)

It seems openssh in OpenWrt supports FIDO2 tokens: Fido U2F SSH authentication (2FA/MFA) - #7 by linosgian

You can disable external access to the GUI and run it on localhost only, and then forward a port via SSH instead.

Restrict access to sensitive network parts with a firewall.
This way you can use client IP as a second factor.
WireGuard binds client IP to its keys.
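The two suggestions above (LuCI on loopback reached through an SSH port forward, and a firewall rule that only accepts from one WireGuard peer address) as an added example; this is not code from the thread or from OpenWrt itself. The interface name `wg0`, the firewall zone `wg`, the peer address and the forward port are assumed values; the functions only print the UCI commands so they can be reviewed before running them on a router.

```shell
#!/bin/sh
# Added example, not from the thread. Locks LuCI (uhttpd) to 127.0.0.1 and
# accepts SSH on the router only from one WireGuard peer's tunnel address.
# All names and addresses below are assumptions, not values from the thread.
WG_ZONE="wg"                   # assumed firewall zone that contains wg0
ADMIN_PEER_IP="10.10.0.2"      # assumed allowed_ips host of the admin's peer

# Print the UCI commands that bind uhttpd to loopback only. The default
# config lists 0.0.0.0:80 and [::]:80, so the lists are replaced, not appended.
luci_loopback_only() {
    cat <<EOF
uci -q delete uhttpd.main.listen_http
uci -q delete uhttpd.main.listen_https
uci add_list uhttpd.main.listen_http='127.0.0.1:80'
uci add_list uhttpd.main.listen_https='127.0.0.1:443'
uci commit uhttpd
/etc/init.d/uhttpd restart
EOF
}

# Print the UCI commands for an input rule that accepts TCP/22 only when the
# source address is the admin peer's tunnel IP. WireGuard drops any packet
# whose source is not inside that peer's AllowedIPs, so the address is tied
# to the peer's key; the zone's own input policy is assumed to be REJECT.
ssh_from_admin_peer_only() {
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='ssh-from-admin-peer'
uci set firewall.@rule[-1].src='$WG_ZONE'
uci set firewall.@rule[-1].src_ip='$ADMIN_PEER_IP'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# The command run on the admin workstation: after this, LuCI is reachable
# at http://localhost:8080 through the SSH session only.
# $1 = the router's tunnel address, $2 = local port (defaults to 8080).
ssh_forward_cmd() {
    echo "ssh -L ${2:-8080}:127.0.0.1:80 root@$1"
}
```

Review the printed commands, then run them on the router with `sh -c "$(luci_loopback_only)"` and `sh -c "$(ssh_from_admin_peer_only)"`; keep an open SSH session until you have confirmed LuCI and SSH still answer through the tunnel.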

This is something I need to look into more. Thanks for pointing that out.

Yes, I am very well aware of such tricks. But this is too "overdressed" for me.
I mean, even my little Seafile server on the Raspberry Pi and my "German Fritz Box" and already many websites (like the one of this forum!) offer 2FA with an authenticator.
I'm sure someday a developer will build that directly into OpenWrt as an installable add-on. Want to bet?

My WireGuard servers are of course only accessible through my VPN. So they are not "free on the internet". And it is a purely private and non-commercial VPN. The friends who run the servers at their place only use a FritzBox or another home router. Only mine uses an OPNsense.

I know I'm always exaggerating a bit about IT security. After all, this was my job for many years...

Many greetings! Peter

Translated with www.DeepL.com/Translator (free version)

The hint from @mikma seems to be the solution for my "problem". Sounds very good and I will deal with it intensively.

Thanks to all who have answered me!
