Multi-Factor Authentication (MFA/2FA)


Last updated 4 months ago


Defguard supports Multi-Factor Authentication for WireGuard connections: the user first authenticates with a TOTP or email code, and the session is then secured with a session key based on a WireGuard Pre-Shared Key (PSK). For more details, please refer to the MFA Architecture section.

MFA requires:

  • defguard core >= v0.9.0

  • defguard proxy >= v0.3.0

  • desktop client >= 0.2.0

Enabling MFA for a selected VPN/Location

To enable MFA for a VPN Location:

  1. in defguard, open VPN Overview

  2. select the VPN Location from the dropdown list and press the Edit Location button in the top right corner of the page

  3. check the "Require MFA for this Location" checkbox under the Location Configuration section

  4. set the Peer disconnect threshold; we recommend a minimum of 300 seconds (5 min), see the Peer disconnect threshold section below

  5. save the changes.

(Screenshot: Example MFA Location configuration)

Peer disconnect threshold

When MFA is enabled on a location, defguard periodically (currently every 1 minute) checks the statistics reported by the gateway to see whether each client is still active. If a client's period of inactivity reaches the Peer disconnect threshold (in seconds), the client is disconnected.

This means the gateway must be configured to send statistics more often than the threshold; otherwise an active client can look idle and be disconnected.

We recommend:

  • configuring the gateway to send statistics every 30 seconds

  • setting the Peer disconnect threshold to a minimum of 300 (5 min)

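The interaction between the gateway statistics period, the 1-minute check and the threshold is easier to reason about with a small model. The following is an added illustration and not defguard's own code: it assumes the gateway reports, per peer, the unix time of the last activity it observed (a constructed sample is embedded below), that core evaluates the threshold on a fixed 60-second tick, and that a peer is dropped once its inactivity reaches the threshold. The warning rule in `config_warnings` is this example's own heuristic, not a rule taken from the project.

```python
"""Model of the peer disconnect check described in this section.

Added illustration, not defguard's own code. Assumptions: the gateway reports, per
peer, the unix time of the last activity it observed (constructed sample below),
core evaluates the threshold on a fixed 60 s tick, and a peer is dropped once its
inactivity reaches the threshold.
"""
from dataclasses import dataclass

CHECK_INTERVAL_S = 60              # core runs the check once per minute (from this page)
RECOMMENDED_MIN_THRESHOLD_S = 300  # page recommendation: at least 300 s (5 min)
RECOMMENDED_STATS_PERIOD_S = 30    # page recommendation: gateway stats every 30 s


@dataclass(frozen=True)
class PeerStats:
    pubkey: str         # WireGuard public key of the peer (placeholder values below)
    last_activity: int  # unix seconds of the last handshake/traffic seen by the gateway


def config_warnings(stats_period_s: int, disconnect_threshold_s: int) -> list[str]:
    """Return warnings for a stats period / threshold pair; an empty list means consistent."""
    warnings = []
    if disconnect_threshold_s < RECOMMENDED_MIN_THRESHOLD_S:
        warnings.append(
            f"threshold {disconnect_threshold_s}s is below the recommended "
            f"{RECOMMENDED_MIN_THRESHOLD_S}s minimum"
        )
    # Heuristic (this example's assumption): in the worst case an active peer's newest
    # report is one stats period old and the check fires just before the next report
    # arrives, so the threshold must exceed stats period + check tick or active peers
    # will be dropped.
    if disconnect_threshold_s <= stats_period_s + CHECK_INTERVAL_S:
        warnings.append(
            f"threshold {disconnect_threshold_s}s is not larger than stats period "
            f"{stats_period_s}s + check interval {CHECK_INTERVAL_S}s; active peers may be dropped"
        )
    return warnings


def peers_to_disconnect(peers, now: int, disconnect_threshold_s: int) -> list[str]:
    """Public keys of peers whose inactivity reached the threshold at time `now`."""
    return [p.pubkey for p in peers if now - p.last_activity >= disconnect_threshold_s]


def simulate(peers, start: int, end: int, disconnect_threshold_s: int) -> dict[str, int]:
    """Run the 60 s tick from start to end over a frozen stats snapshot.

    Returns pubkey -> tick at which the peer was first selected for disconnect.
    """
    dropped = {}
    for tick in range(start, end + 1, CHECK_INTERVAL_S):
        for key in peers_to_disconnect(peers, tick, disconnect_threshold_s):
            dropped.setdefault(key, tick)
    return dropped


# Constructed sample: three peers in a stats snapshot taken at t=1000.
SAMPLE_PEERS = [
    PeerStats("peerA", last_activity=1000),  # active right now
    PeerStats("peerB", last_activity=800),   # idle for 200 s
    PeerStats("peerC", last_activity=600),   # idle for 400 s
]

if __name__ == "__main__":
    print(config_warnings(RECOMMENDED_STATS_PERIOD_S, RECOMMENDED_MIN_THRESHOLD_S))
    print(config_warnings(stats_period_s=120, disconnect_threshold_s=120))
    print(peers_to_disconnect(SAMPLE_PEERS, now=1000, disconnect_threshold_s=300))
    print(simulate(SAMPLE_PEERS, start=1000, end=1200, disconnect_threshold_s=300))
```

With the recommended 30 s / 300 s pair no warning is raised; with a 120 s stats period and a 120 s threshold the model flags both the low threshold and the fact that an active peer can be dropped between two reports.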
Client update after enabling MFA

When the MFA configuration of a location is changed, all clients must do an Instance Update (see Defguard Desktop Client > Update instance in the user documentation).

Testing MFA on defguard client

If a VPN location has MFA enabled, the client asks you to complete the authentication step before connecting:

(Screenshot: MFA in defguard desktop client)

Supported MFA methods

For now, MFA is only available with the following methods:

  • TOTP - Time-based one-time password

  • Email - requires SMTP to be configured (see SMTP for email notifications)

Please remember to configure TOTP on your user account and/or the SMTP settings, otherwise MFA in the desktop client will not work.

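To make the two methods concrete, here is an added example of how a server verifies a TOTP code (RFC 6238) and a one-time email code. It is not defguard's implementation: defguard's actual digit count, time step, accepted clock drift and email-code format are assumptions here, and the defaults used (HMAC-SHA1, 6 digits, 30 s step, plus or minus one step of drift) are simply what common authenticator apps expect. The demo at the bottom uses the RFC 4226/6238 reference secret so the output can be checked against the RFC test vectors.

```python
"""RFC 6238 TOTP and one-time email code verification for the two MFA methods above.

Added example, not defguard's implementation: digits, step, drift and email-code
format are assumptions. Defaults follow RFC 6238 and common authenticator apps.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, last_used_counter: int = -1,
                step: int = 30, digits: int = 6, drift: int = 1):
    """Check a submitted TOTP code; returns (ok, matched_counter).

    Every candidate step is compared in constant time and the loop never breaks
    early, so timing does not reveal which step matched. Counters at or before
    `last_used_counter` are rejected so an already accepted code cannot be
    replayed inside the drift window (the caller stores the returned counter).
    """
    if len(code) != digits or not code.isdigit():
        return False, None
    counter = now // step
    matched = None
    for c in range(counter - drift, counter + drift + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code) and c > last_used_counter:
            matched = c
    return matched is not None, matched


def new_totp_secret(nbytes: int = 20) -> str:
    """Fresh base32 secret for enrolling an authenticator app."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def otpauth_uri(secret_b32: str, account: str, issuer: str = "defguard") -> str:
    """otpauth:// URI (usually shown as a QR code) for the user's authenticator app."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def new_email_code(digits: int = 6) -> str:
    """Random numeric code to deliver over SMTP, drawn from the CSPRNG."""
    return str(secrets.randbelow(10**digits)).zfill(digits)


def verify_email_code(expected: str, submitted: str, issued_at: int, now: int,
                      ttl_s: int = 300) -> bool:
    """Expiry check plus constant-time compare; the caller must discard the code after use."""
    if now - issued_at > ttl_s or not submitted.isascii():
        return False
    return hmac.compare_digest(expected, submitted)


# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))                               # 94287082 (RFC 6238 vector)
    print(verify_totp(RFC_SECRET, "287082", 59))                         # (True, 1)
    print(verify_totp(RFC_SECRET, "287082", 89))                         # (True, 1): one step old, within drift
    print(verify_totp(RFC_SECRET, "287082", 89, last_used_counter=1))    # (False, None): replay
    print(verify_totp(RFC_SECRET, "287082", 119))                        # (False, None): too old
    print(otpauth_uri(new_totp_secret(), "alice@example.com"))
```

The replay guard matters because a drift window of one step means a code stays valid for up to 90 seconds; without remembering the last accepted counter, a code captured from one login would still work for a second one inside that window.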
User MFA setup

After enabling MFA for a given VPN, users will need to enable MFA for their accounts to be able to connect. This process is described in Setting up 2FA/MFA. For simplicity & security, the desktop client uses the same MFA methods as the defguard server.

An error message is shown if a user selects an MFA method that has not been enabled for their account:

(Screenshot: Attempting to use an MFA method that has not been enabled on the user's account.)

Successful authentication

If authentication succeeds, the Two-factor authentication modal will be closed and connection to the selected VPN will be attempted. Users will be asked to authenticate on every connection to a VPN with MFA enabled.
