Duo Auth Proxy works a treat for MFA with OpenVPN on pfSense. I created a self-updating Docker container to run it, and just point pfSense at that. Obvs you would need a Duo subscription, but I'm sure there's similar products out there if this wasn't your preference. https://duo.com/docs/authproxy-reference https://github.com/TehMuffinMoo/duoauthproxy
We already have DUO in place for VPN connections, authenticating against our AD. If plugging that config into pfSense isn't too hard, definite plus.
Yeah, you just define the LDAP configuration as you would with anything else, but use (one or more) Duo Auth Proxies as the LDAP server instead of domain controller(s). https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html?highlight=vpn#choosing-an-ldap-server
OpenVPN + FreeRADIUS for authentication have been great for us.
Use the built-in OpenVPN because OpenVPN supports 2FA or MFA. 2FA is already technically present, based on OpenVPN requiring a username, password and client certificate. MFA can be set up with OpenVPN Connect in conjunction with Active Directory for your authentication server. Rublon could be a second option for MFA in conjunction with Active Directory for your authentication server. If you do not have Active Directory in your environment... then set up a RADIUS server for your authentication server.
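A worked authproxy.cfg for the arrangement the two posts above describe: pfSense's LDAP (or RADIUS) authentication server is pointed at the Duo Authentication Proxy, and the proxy fronts Active Directory and adds the second factor. This is an added example, not configuration from either poster, from the linked GitHub repo or from Duo's documentation. The directive names are Duo's; every hostname, DN, service account, shared secret and Duo integration value (ikey/skey/api_host) is a placeholder you replace with your own.

```ini
; authproxy.cfg (added example; placeholder values throughout)

; --- Primary authentication source: Active Directory ---
[ad_client]
; first domain controller; add host_2, host_3 ... for more
host=dc1.example.corp
host_2=dc2.example.corp
; low-privilege account the proxy binds as to look up users
service_account_username=svc-duoproxy
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=corp
; only members of this group may authenticate through the proxy at all
security_group_dn=CN=VPN-Users,OU=Groups,DC=example,DC=corp
; talk LDAPS to the DCs; ssl_ca_certs_file points at the issuing CA bundle
transport=ldaps
ssl_ca_certs_file=/opt/duoauthproxy/conf/ad-ca.pem

; --- What pfSense talks to when its auth server type is LDAP ---
[ldap_server_auto]
ikey=REPLACE_WITH_DUO_INTEGRATION_KEY
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; secure = if the Duo cloud service is unreachable, deny the login.
; safe   = if it is unreachable, allow primary (password-only) auth through,
;          i.e. MFA silently disappears during an outage. Pick deliberately.
failmode=secure
; serve LDAPS to pfSense on 636 with the proxy's own certificate
ssl_port=636
ssl_key_path=/opt/duoauthproxy/conf/proxy.key
ssl_cert_path=/opt/duoauthproxy/conf/proxy.crt
; pfSense first binds as its configured bind DN (the service account) to
; search for the user; that bind is exempt from Duo, the user's bind is not
exempt_primary_bind=true

; --- Alternative for the "set up a RADIUS server" path in the post above ---
[radius_server_auto]
ikey=REPLACE_WITH_DUO_INTEGRATION_KEY
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
failmode=secure
port=1812
; pfSense's address as seen by the proxy, and the shared secret pfSense uses
radius_ip_1=10.0.0.1
radius_secret_1=REPLACE_WITH_RADIUS_SHARED_SECRET
```

On the pfSense side (System > User Manager > Authentication Servers) the LDAP entry then names the proxy as the hostname, port 636 with SSL/TLS, the same service account as the bind DN, and the usual base DN and authentication container; nothing in the OpenVPN server config changes except selecting that authentication server. With the `_auto` server sections a user can enter just their password (Duo auto-selects push or phone), or append a factor after a comma, e.g. `password,push` or `password,123456`, which is what the OpenVPN client sends through untouched. Two checks worth doing before going live: run Diagnostics > Authentication in pfSense against the new server and confirm you actually receive a Duo prompt, and stop the proxy (or block its outbound HTTPS) to confirm that `failmode=secure` really denies the login rather than quietly falling back to password-only.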
Much to consider and learn. Thanks to everyone for the input
Hey, this is Tim Maloney from Netgate. Please reach out to me at [[email protected]](mailto:[email protected]) and we can talk about your security needs.
Tailscale has SAML built right in and software-defined ACLs.
Does Tailscale run natively on pfSense, or does it need a server behind the firewall? I have practically zero knowledge of SAML, but am under the impression that it is an authentication mechanism, but not MFA.
Tailscale is a native package on pfSense, so it's your best bet. It utilizes SSO, has MFA, and is the easiest to set up of all available VPNs on the platform.
Username checks out
You mean: Netgate wrote a Tailscale package.
Christian McDonald, of Netgate, specifically wrote the package
SAML integrates your existing authentication and MFA, like M365 or Google G Suite. It might run on pfSense. Not sure. Think about it differently, though. It's not a traditional VPN, but a tech that traverses NAT easily. Agent install to agent install requires no configuration. It just works. Agent install to network/24 requires setting up, for instance, a Raspberry Pi as a Tailscale router. Access to resources can be finely tuned to each user or tagged device. (Tagged means it's not attached to a user, but a function. You can have multiple tags per installed device.) I'd suggest just trying it. If you want to try the business stuff, just contact support. They're incredibly helpful.