If anyone's got any good suggestions on how to do VPNs with 2FA
on an OpenBSD gateway for non-technical users to access (iOS, Android,
Windows clients) I'd love to hear them.

I could bodge something together with openvpn and TOTP but it doesn't
exactly spark joy.

Ideally the VPN server would be using a strong form of public-key cryptography 
(e.g., X25519) over other forms (e.g., password). Fortunately this is forced 
upon you by WireGuard. This means using TOTP would not count as 2FA since it's 
the same kind of factor (i.e., something you have), albeit weaker due to the 
shared nature of the TOTP key. Additionally most OSes force users to log in via 
password or biometrics (e.g., fingerprint); so using WireGuard as a VPN server 
provides an indirect form of 2FA—since to connect you must have the private key 
(first factor), but to get access to the key on the device you need to log into 
it via password or biometrics (second factor).

I am sure this is all information you already know though, so I suppose I would 
go with Janne Johansson's approach of setting up something that requires one 
to input a password upon successfully connecting to WireGuard before allowing 
traffic to continue through the network. It is more likely one can bypass 
password authentication, so it would be better that happens after connecting to 
WireGuard as opposed to before, to prevent an attacker from knowing whether they 
have the correct password.
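One way to get the "password prompt only after the tunnel is up" ordering on an OpenBSD gateway is to let pf confine fresh WireGuard peers to an SSH login whose shell is authpf(8), and let authpf open the rest of the network per user. This is an added example, not something from this thread or from the people named in it; the interface names, tunnel subnet and port are assumptions.

```conf
# /etc/pf.conf fragment (added example; em0, wg0, 10.7.0.0/24 and 51820
# are assumed values, adjust to the real gateway)
ext_if  = "em0"          # Internet-facing interface
wg_if   = "wg0"          # WireGuard interface
wg_net  = "10.7.0.0/24"  # addresses handed out to WireGuard peers
wg_port = "51820"        # WireGuard listen port

set skip on lo

# First factor: the WireGuard handshake itself. Only a holder of a
# configured private key gets a working tunnel, so nothing below is
# reachable from the Internet without the key.
pass in on $ext_if inet proto udp to ($ext_if) port $wg_port

# Inside the tunnel, deny everything by default.
block in on $wg_if from $wg_net

# ...except SSH to the gateway, where the user's login shell is
# /usr/sbin/authpf and the password prompt is the second factor. The prompt
# is never exposed on $ext_if, so someone without the key cannot even learn
# whether a guessed password is right.
pass in quick on $wg_if inet proto tcp from $wg_net to ($wg_if) port 22

# authpf loads /etc/authpf/authpf.rules into this anchor for the lifetime
# of the user's SSH session and removes the rules again on logout.
anchor "authpf/*" in on $wg_if

# Let authenticated peers out toward the rest of the network.
match out on $ext_if inet from $wg_net nat-to ($ext_if)
pass out

# /etc/authpf/authpf.rules (second file, loaded by authpf per login).
# $user_ip is the source address of the SSH session, i.e. the peer's
# tunnel address, so the rule is bound to the key that brought the user in.
# pass in quick on wg0 inet from $user_ip to any
```

authpf(8) refuses to run unless /etc/authpf/authpf.conf exists (an empty file is enough), and it needs an SSH client on the phone or laptop that stays connected, which is the part a non-technical user will notice.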
