WireGuard VPN - 2FA

tratek

Occasional Visitor
Hi

I've been using OpenVPN for years and today, for comparison, I've set up WireGuard VPN on my Asus AX86u router.
The setup is straightforward and I can see better performance (avg 8mb/s vs 4mb/s) while transferring larger files.
Yet, I don't see any option to set up 2FA, which I consider a must-have.
Is there a way to activate 2FA for WireGuard?

Thanks!
 
Why do you want to punish yourself with 2FA? It does nothing to improve connection security.
 
1) to minimize the risk of accessing my config file and having access to VPN
2) cause I like pain? ;-)
 
Is there a way to activate 2FA for WireGuard?
That's not how WireGuard was designed. So no... there is no authentication as we think of it. Either you have the right encryption keys or you don't.

For enhanced safety, a pre-shared key could be used. This was added due to recent advances in quantum computers.

to minimize the risk of accessing my config file and having access to VPN
Maybe you should read up on how it works: https://www.wireguard.com/protocol/
If you still feel you need 2FA, then use something other than WireGuard.
 
For enhanced safety, a pre-shared key could be used. This was added due to recent advances in quantum computers.
My point is - that having Private & Public keys included within the config file poses a risk of stealing it in case you get access to the file.

The same goes for Pre-Shared key as it's also included directly within the conf file and can be read. Unless I take it wrong?


I guess it's about ways of protecting the conf file.
 
The same goes for Pre-Shared key as it's also included directly within the conf file and can be read. Unless I take it wrong?
You're right... if someone gets the file they will have access to your network... naturally the config file should be kept safe and preferably deleted (it serves no purpose after import). Never email (or similar) such a file.
If someone still manages to get your config file you are already compromised.

No details of the file content are ever sent unencrypted during use.

But if you still don't feel safe, then don't use it.
Or set up 2FA on the sensitive resources themselves (like computer login, phone access, NAS access, etc.). WireGuard can't help with that.
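
The concern discussed above is that PrivateKey and PresharedKey sit in clear text in the conf file, so a leftover copy is as good as the credential. As an added example (not part of the original thread and not WireGuard's own tooling), this Python script finds those fields in a conf file and reports whether anyone other than the file's owner can access it; the sample config, its address and its key values are constructed placeholders.

```python
import os
import stat
import sys

# Fields of a WireGuard conf that hold secret key material.
SECRET_KEYS = {"privatekey", "presharedkey"}

# Constructed sample; the key values are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
PrivateKey = CONSTRUCTED-PLACEHOLDER-PRIVATE-KEY=
Address = 10.6.0.2/32
# PrivateKey = commented-out lines are ignored

[Peer]
PublicKey = CONSTRUCTED-PLACEHOLDER-PUBLIC-KEY=
PresharedKey = CONSTRUCTED-PLACEHOLDER-PSK=
AllowedIPs = 0.0.0.0/0
"""

def secret_fields(conf_text):
    """Return (section, key) for each line that carries secret key material."""
    found, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")    # base64 padding stays in value
        if sep and value.strip() and key.strip().lower() in SECRET_KEYS:
            found.append((section, key.strip()))
    return found

def audit(path):
    """Report secrets in one conf file and whether non-owners can access it."""
    with open(path, encoding="utf-8") as fh:
        secrets = secret_fields(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(secrets) and bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    return {"secrets": secrets, "mode": f"{mode:03o}", "exposed": exposed}

if __name__ == "__main__":
    # Usage: python3 audit_wg_conf.py ~/Downloads/*.conf
    for conf_path in sys.argv[1:]:
        print(conf_path, audit(conf_path))
```

Run it over the places an exported client config tends to linger (downloads folder, mail attachments directory, backups) and delete or lock down anything reported with `exposed: True`.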
 
If you insist on getting 2FA, I would recommend going with OpenVPN, and using an LDAP backend. You can then use something like Jumpcloud as the LDAP directory, which will allow you to use 2FA. I have a customer setup that way with pfsense + OpenVPN + Jumpcloud, giving us 2FA.

Asuswrt-Merlin does not support LDAP, but maybe you could cross compile a plugin for it. I've never looked at what's involved in adding LDAP support to OpenVPN, I only know it's possible.
 
