NGFW version 16.3 adds multi-factor authentication ("MFA") to OpenVPN, letting the admin require a second factor on top of the user's credentials for VPN connections. MFA in OpenVPN requires a standalone Time-based One-time Password ("TOTP") application of the admin's or user's choice.
Using MFA effectively requires two devices: the client computer that will connect to the VPN, and a second device, usually a mobile phone or tablet, that runs the TOTP app and generates the codes.
The points below describe the process of configuring and using MFA with OpenVPN in NG Firewall:
- Create a Local User in the NGFW & enable MFA.
- Get the user's MFA key or QR code.
- Enable MFA Authentication in OpenVPN.
- Install a TOTP app to a mobile device & pair it with the NGFW.
- Install the OpenVPN Client Connect app to the remote client computer.
- Deploy the NGFW's client config file to that remote client computer.
- Connect to OpenVPN and provide your TOTP code.
1. The first step in enabling MFA is to create a Local Directory user and turn on MFA for that user. Instructions for creating local users on NGFW are here: Local Users
2. Click the gear icon to display a QR code that can be scanned with the device that will run the TOTP app (usually the mobile phone). You can also copy the key manually from just above the code. Treat this key as a secret: anyone who has it can generate valid codes for the user.
3. Next, go to Apps > OpenVPN > Server and confirm that the Add MFA client configuration box is checked.
4. Install the TOTP app of your choice on the mobile device. We have used Google Authenticator, but you can use any app capable of generating TOTPs. For instructions on installing and pairing Google Authenticator, please see this Google Support article.
5. Once you have installed your TOTP app, pair it with the NGFW using the QR code or key obtained in step 2.
6. If necessary, install the OpenVPN client on the remote client computer. You can download the client from OpenVPN's website here: https://openvpn.net/vpn-client/
7. Download the appropriate client config file from OpenVPN > Server > Remote Clients, deploy it to the client computer, and import that config into the OpenVPN app. For more detailed instructions on this process, please refer to this article: Configure and deploy OpenVPN clients for remote users
   (If you previously deployed a client config file to this device, you will need to download and import it again now that MFA has been enabled; a config generated before MFA was turned on does not include the MFA client configuration.)
8. Connect to OpenVPN on the remote client. You should be prompted to enter your TOTP challenge code.
9. Enter the current code from your TOTP app into the OpenVPN connection dialog. TOTP codes are only valid for a short interval (30 seconds in most apps), so enter the code promptly.