We've recently begun integrating Multi-Factor Authentication (MFA) into our OpenVPN setup to enhance remote access security. The main idea is that even if login credentials are compromised, VPN access shouldn't be available without a second factor of authentication. However, we have encountered some practical challenges in terms of usability and setup. We're currently looking into different options such as RADIUS and NPS-based MFA integration, while also trying to find the right balance between security and user experience. Additionally, we need to consider how to manage edge cases, like offline access or user lockouts. I'm interested in hearing how others are managing this and what methods have worked best for you, as well as any pitfalls to avoid.
2 Answers
We used SSL/TLS combined with User Authentication through Active Directory and TOTP. It's working well for us!
We decided to go with RADIUS and TOTP using authenticator apps. It’s reliable and doesn't add too much complexity for users. Just make sure to have solid backup and lockout recovery options, or it could get really tricky.
That's great! We do something similar but with local authentication since I only manage a handful of users.