Multi-Factor Authentication (MFA/2FA)

Defguard supports Multi-Factor Authentication for WireGuard with TOTP & Email codes and after that with session keys based on Wireguard Pre-Shared Keys (PSK). For more details about this please refer to the architecture section.

MFA requires:

defguard core >= v0.9.0
defguard proxy >= v0.3.0
desktop client >= 0.2.0

Enabling MFA for a selected VPN/Location

Enabling MFA for a desired VPN Location is done by:

going into defguard to VPN Overview
selecting the VPN Location from the dropdown list, and pressing the Edit Location button in the top right corner of the page
check the "Require MFA for this Location" checkbox under the Location Configuration section
set Peer disconnect threshold we recommend it to be min. 300 (5 min) - see chapter below.
and save changes.

Peer disconnect threshold

When MFA is enabled on a location defguard periodically (currently every 1 minute) checks statistics if a client is connected and if the period of inactivity (defined in Peer disconnect threshold option) is met, a client is disconnected.

Thus the gateway needs to be configured to send statistics in that period.

We recommend to set:

gateway to send statistics every 30sec
Peer disconnect threshold we recommend it to be min. 300 (5 min)

Client update after enabling MFA

When MFA configuration is changed, all clients must do an Instance Update.

Testing MFA on defguard client

If a VPN has MFA enabled, before connecting you will be asked to complete the authentication step first:

Supported MFA methods

For now, MFA is only available with the following methods:

TOTP - Time-based one-time password
Email - requires SMTP to be configured

Please remember to configure TOTP on you user account and/or SMTP settings for MFA on the desktop client to work..

User MFA setup

After enabling MFA for a given VPN, users will need to enable MFA for their accounts to be able to connect. This process is described in Setting up 2FA/MFA. For simplicity & security, the desktop client uses the same MFA methods as the defguard server.

An error message will be shown if users attempt to select a MFA method that has not been enabled for their accounts:

Successful authentication

If authentication succeeds, the Two-factor authentication modal will be closed and connection to the selected VPN will be attempted. Users will be asked to authenticate on every connection to a VPN with MFA enabled.

PreviousExecuting custom gateway commands NextMFA Architecture

Last updated 1 month ago

Was this helpful?