Multi-factor user authentication for WireGuard VPN access
This process enables you to require multi-factor authentication for remote clients connected to your network via WireGuard VPN. It also associates each remote VPN tunnel with a user, so you can base access policies and Reports data on a per-user basis. Both are critical considerations in a Zero Trust Network Access policy.
Important: each user needs a Google or Microsoft account that supports MFA. NG Firewall relies on the OAuth provider to enforce the second factor, so you must enable MFA on those accounts in addition to the configuration outlined below.
This configuration takes place in two parts within NG Firewall:
- Captive Portal, to capture WireGuard traffic and prompt for credentials
- The Firewall app, to allow network access to only authorized users
Setting up Captive Portal
- Go to Apps > Captive Portal > Capture Rules
- Click ‘Add’ to create a new rule
- Add the following conditions to this new rule:
Source Interface is WireGuard VPN
Username is [unauthenticated]
- Go to Captive Portal > User Authentication
- Select the OAuth provider you want to use: Google or Microsoft*.
- Save your changes.
*The “Any OAuth” option enables your users to choose which OAuth provider they would like to use. We discourage this option, as it includes other OAuth options and introduces further complexity to the process.
Setting up the Firewall app
Go to Apps > Firewall > Rules to begin this step. You will create at least two rules here, in this order:
- An “allowed access” rule, using the condition
Username is [allowed user’s email address] and the Action Type Pass
- A “block unauthorized” rule, placed below the allow rules, using the condition
Username is [authenticated] and the Action Type Block
The “block unauthorized” rule prevents access for anyone who authenticates with an OAuth account that was not issued by the company, for example a personal Gmail account. Such a user still completes the OAuth step successfully and is tagged as authenticated, so without this rule they would be allowed through. Rules are evaluated top to bottom and the first match wins, which is why the block rule must sit below every allow rule.
Can I use one “allow” rule with multiple users?
It is possible to use multiple email addresses in the Username is field, but note that a rule with a large number of usernames may take a long time to process. Additionally, a rule that includes multiple users affects them all at the same time: if you need to disable access for one user, you have to edit the rule to remove their username.
We recommend creating one rule for each user. As long as each “allowed” rule is placed above the “block” rule, each will work. This enables you to disable access on an individual basis, if necessary.
How does this work for the user?
The user connects to WireGuard normally. Once connected, the user needs to access any URL that will traverse the tunnel. This lets Captive Portal intercept the traffic and respond with the captive page. Until they authenticate, their sessions keep matching the capture rule and are held by Captive Portal, so they have no access to anything beyond the tunnel.
The captive page prompts for OAuth sign-in and redirects the user to the selected service. When authentication is complete, the service returns the email address to NG Firewall, which is stored as the session’s ‘username’ attribute; the session is also marked as authenticated, so the “Username is [authenticated]” condition now matches it.
From this point the Firewall rules decide: if the returned email address matches an “allowed access” rule, the user has full normal access within the network; any other authenticated account is stopped by the “block unauthorized” rule.
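The rule ordering in the Firewall app section and the per-session flow just described can be checked with a small model. The following is an added illustration, not NG Firewall code: the condition names, the [unauthenticated] and [authenticated] values and the Pass/Block actions follow this article, while the Session fields, function names, the sample email addresses and the assumption that a session matching no Firewall rule is passed by default are this example’s own.

```python
# Toy model of the session state and first-match rule evaluation described in
# this article. Added illustration, not NG Firewall code. Condition names and
# the special username values follow the article; Session fields, function
# names, sample addresses and the default-Pass assumption are this example's.
from dataclasses import dataclass, field
from typing import Optional

UNAUTHENTICATED = "[unauthenticated]"
AUTHENTICATED = "[authenticated]"


@dataclass
class Session:
    src_interface: str
    username: Optional[str] = None          # set when OAuth returns an email
    tags: set = field(default_factory=set)  # "authenticated" added on login


@dataclass
class Rule:
    description: str
    conditions: dict   # condition name -> value; all must match
    action: str        # "Pass", "Block" or "Capture"


def oauth_login(session: Session, email: str) -> None:
    """Model the captive-portal round trip: the provider returns the account
    email, which becomes the session's username, and the session is tagged
    authenticated (assumed representation of the article's description)."""
    session.username = email.strip().lower()
    session.tags.add("authenticated")


def username_matches(session: Session, value: str) -> bool:
    """'Username is <value>': the two special values from the article, or a
    comma-separated list of allowed addresses (compared case-insensitively)."""
    if value == UNAUTHENTICATED:
        return session.username is None
    if value == AUTHENTICATED:
        return session.username is not None
    allowed = {v.strip().lower() for v in value.split(",")}
    return session.username is not None and session.username in allowed


def rule_matches(rule: Rule, session: Session) -> bool:
    for name, value in rule.conditions.items():
        if name == "Source Interface":
            if session.src_interface != value:
                return False
        elif name == "Username":
            if not username_matches(session, value):
                return False
        else:
            raise ValueError(f"condition not modelled here: {name}")
    return True


def is_captured(capture_rules: list, session: Session) -> bool:
    """Captive Portal intercepts the session if any capture rule matches."""
    return any(rule_matches(r, session) for r in capture_rules)


def firewall_decision(rules: list, session: Session, default: str = "Pass") -> str:
    """First matching Firewall rule wins. A session matching no rule falls
    through to `default` (Pass assumed), which is why the explicit
    'block unauthorized' rule is needed at the bottom of the list."""
    for r in rules:
        if rule_matches(r, session):
            return r.action
    return default


# Rules as laid out in the article; the addresses are constructed examples.
CAPTURE_RULES = [
    Rule("capture WireGuard users",
         {"Source Interface": "WireGuard VPN", "Username": UNAUTHENTICATED},
         "Capture"),
]
FIREWALL_RULES = [
    Rule("allow alice", {"Username": "alice@example.com"}, "Pass"),
    Rule("allow bob", {"Username": "bob@example.com"}, "Pass"),
    Rule("block unauthorized", {"Username": AUTHENTICATED}, "Block"),
]
# Mis-ordered variant: the block rule placed above the per-user allow rules.
MISORDERED_RULES = [FIREWALL_RULES[2], FIREWALL_RULES[0], FIREWALL_RULES[1]]


def walk_through(rules: list, email: str) -> tuple:
    """Run one WireGuard client through the flow and return
    (captured before login, captured after login, Firewall verdict after login)."""
    s = Session("WireGuard VPN")
    before = is_captured(CAPTURE_RULES, s)
    oauth_login(s, email)
    after = is_captured(CAPTURE_RULES, s)
    return before, after, firewall_decision(rules, s)


if __name__ == "__main__":
    for who in ("alice@example.com", "Bob@Example.com", "someone@gmail.com"):
        print(who, walk_through(FIREWALL_RULES, who), walk_through(MISORDERED_RULES, who))
```

Two things the model makes visible: a freshly connected client matches no Firewall rule at all (it has no username yet), so it is Captive Portal’s capture rule, not the “block unauthorized” rule, that keeps it off the network before login; and once the block rule is moved above the allow rules, every authenticated user, including the ones you meant to admit, is blocked.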