The software supports two-factor authentication (2FA) for both authenticating at the user/admin portal and for connecting to the VPN.
Currently both YubiKey and TOTP are supported.
By default, 2FA will only be used for authenticating to the user and admin portals, and not for connecting to the VPN.
Users can enroll themselves in the portal on the "Account" page. If the user is enrolled for 2FA, and has access to the admin portal, it will also be used there.
The documentation page in the user portal gives more information about 2FA and how to use it.
NOTE: currently a user can enroll for both YubiKey and TOTP 2FA. The 2FA method can be "upgraded" to YubiKey at any time, which may be a security risk, see this issue.
Assuming your instance is called vpn.example and the profile is internet, you need to modify /etc/vpn-server-api/vpn.example/config.php:

    'vpnProfiles' => [
        'internet' => [
            'profileNumber' => 1,
            'displayName' => 'Internet Access',
            ...
            ...
            'twoFactor' => true,
        ],
    ],
Now the server configuration needs to be regenerated:
$ sudo vpn-server-node-server-config --instance vpn.example --profile internet
Also, the VPN processes need to be restarted:
$ sudo systemctl restart openvpn@vpn.example-internet-{0,1,2,3}
Users will also need to provide their OTP code when authenticating to the VPN. The client will ask for a user name and password. The user name MUST be totp, with the 6 digit code generated by the OTP application as the password, or yubi, with the code generated by the YubiKey when pressing its button as the password.
For example, on Windows the client shows a user name and password prompt where these values are entered (screenshot not reproduced here).
If a user has lost their second factor credentials, the enrollment can be removed through the admin portal.
If an administrator is enrolled for OTP, is the only administrator, and loses their secret, the enrollment can be cancelled by removing the OTP enrollment from the DB. Assuming the user ID is foo and the instance is vpn.example, do the following:
$ sudo sqlite3 /var/lib/vpn-server-api/vpn.example/db.sqlite
Perform the following query:
UPDATE users SET totp_secret=NULL, yubi_key_id=NULL WHERE user_id='foo';
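The following is an added example, not code from the VPN software or its documentation. It shows two things the text above describes: how a 6 digit TOTP code is derived from the enrolled secret and checked server-side (RFC 6238 with HMAC-SHA1 and a 30 second step, allowing one step of clock skew), and how the administrator reset query above can be run against the users table with a parameterised statement that reports whether a row was actually changed. The table layout (user_id, totp_secret, yubi_key_id) is assumed from the columns the reset query touches; the secret is the standard RFC 6238 test key, not a real credential, and the database is an in-memory copy constructed for the example.

```python
import base64
import hashlib
import hmac
import sqlite3
import struct

# Assumed schema: only the columns referenced by the reset query on the page.
SCHEMA = """
CREATE TABLE users (
    user_id     TEXT PRIMARY KEY,
    totp_secret TEXT,
    yubi_key_id TEXT
);
"""

# RFC 6238 test vector secret ("12345678901234567890" in base32); constructed, not real.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TOTP_STEP = 30
TOTP_DIGITS = 6


def totp_code(secret_b32: str, unix_time: int) -> str:
    """Compute the TOTP code (RFC 6238, HMAC-SHA1) for a base32 secret at a given time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226 section 5.3).
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def verify_totp(secret_b32, code: str, unix_time: int, window: int = 1) -> bool:
    """Check a submitted code against the current step and +/- `window` steps.

    Rejects immediately when the user has no TOTP enrollment (NULL secret) or
    the code is not exactly 6 digits; compares in constant time.
    """
    if not secret_b32 or len(code) != TOTP_DIGITS or not code.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def open_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one TOTP-enrolled user 'foo'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES (?, ?, NULL)", ("foo", EXAMPLE_SECRET))
    conn.commit()
    return conn


def get_totp_secret(conn: sqlite3.Connection, user_id: str):
    row = conn.execute(
        "SELECT totp_secret FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None


def is_enrolled(conn: sqlite3.Connection, user_id: str) -> bool:
    """True if the user has either a TOTP secret or a YubiKey ID on record."""
    row = conn.execute(
        "SELECT totp_secret, yubi_key_id FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()
    return bool(row) and (row[0] is not None or row[1] is not None)


def reset_second_factor(conn: sqlite3.Connection, user_id: str) -> int:
    """The administrator reset from the page as a parameterised UPDATE.

    Returns the number of rows changed, so a mistyped user ID shows up as 0
    instead of silently doing nothing.
    """
    cur = conn.execute(
        "UPDATE users SET totp_secret = NULL, yubi_key_id = NULL WHERE user_id = ?",
        (user_id,),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    secret = get_totp_secret(db, "foo")
    print("code at t=59:", totp_code(secret, 59))
    print("valid:", verify_totp(secret, totp_code(secret, 59), 59))
    print("rows reset:", reset_second_factor(db, "foo"))
    print("still enrolled:", is_enrolled(db, "foo"))
```

The window of one step on either side matches what most TOTP servers accept to tolerate phone clock drift; widening it makes guessing slightly easier, so it should stay small. Running the reset through a parameterised query is only a convenience over the sqlite3 shell command on the page, but checking the returned row count is worth doing either way, since the shell gives no feedback when the WHERE clause matches nothing.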