Using 2FA with the LogonBox VPN Client

Chris Dakin

Introduction

2FA for VPN connections is a common requirement today, but it is a feature that a standard WireGuard server does not include: WireGuard authenticates a peer purely by its static key pair, so anyone holding a valid client configuration can bring the tunnel up.

At LogonBox, we have supported many different authentication methods in our SSPR product for years, and with the VPN product we bring the same experience to the VPN client.


Available authentication modules

Our authentication module support can be grouped into 6 types of authenticators:

Mobile app authenticators
LogonBox Authenticator
Duo
Microsoft Authenticator
Google Authenticator
Authy

Hardware authenticators
Yubico
RADIUS (for example, RSA SecurID tokens)

User-provided answers (something you know)
Security Questions
PIN

Other authenticators (something you have)
SMS
One-Time Password (via Email)

Extra checks or information during authentication
Captcha
IP Authenticator
Login time restrictions
Information Step

Passing the authentication to an external service
SAML
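Of the mobile app authenticators listed above, Google Authenticator, Microsoft Authenticator and Authy are time-based one-time password (RFC 6238 TOTP) apps: the QR code scanned at enrolment carries a shared secret, and each six-digit code is an HMAC of the current 30-second time step. The following is an added example of that standard mechanism, not LogonBox's own server code (the page does not show how LogonBox implements it); the secret is the RFC 4226/6238 test-vector key so the values can be checked against the RFCs, and the issuer and account names are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Constructed enrolment secret: the RFC 4226/6238 test-vector key, used here
# only so the codes can be checked against the RFCs. A real server generates
# a fresh random secret per user (for example secrets.token_bytes(20)).
SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step (the "period" in the QR code)
DIGITS = 6


def otpauth_uri(issuer, account, secret, digits=DIGITS, step=STEP):
    """Build the otpauth:// URI that the enrolment QR code encodes.

    This is the Key Uri Format read by Google Authenticator and compatible
    apps. The secret travels inside the QR code, so the enrolment page must
    only ever be shown inside an authenticated HTTPS session."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": digits,
        "period": step,
    })
    return f"otpauth://totp/{label}?{params}"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=STEP, digits=DIGITS,
                window=1, last_counter=None):
    """Verify a submitted code. Returns the accepted counter, or None.

    window: how many time steps of clock skew to tolerate on each side.
    last_counter: counter of the last code accepted for this user; anything
    at or before it is refused, so a code captured from the user cannot be
    replayed within the skew window."""
    at = time.time() if at is None else at
    counter = int(at // step)
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None
```

The verifier accepts one step either side of the server clock but never re-accepts a counter it has already consumed; store the returned counter per user and pass it back as `last_counter` on the next attempt. Push-based authenticators such as the LogonBox Authenticator and Duo do not use this scheme; the server sends an approval request to the registered device instead.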


Configuring 2FA for the VPN Client

2FA is configured in the Authentication Flows menu. For a specific authenticator, you can follow any article that already exists for our SSPR product; the only difference is that you add the authentication modules to the LogonBox VPN Client authentication scheme instead.

On an initial install, the setup wizard will guide you to use User Selective 2FA, where you provide a list of authenticators your organization is happy to use and then let your users choose the one that works best for them. User Selective 2FA can be reconfigured at any time using the Configure Multi-Factor Authentication link on the Authentication Flows page.

For more information, please see here.


Alternatively, you can opt to edit the LogonBox VPN Client flow directly and add in one or more modules yourself.

For example, here we will add in our LogonBox Authenticator. Click the link for the authentication scheme.


Delete the existing User Selective 2FA module, then on the right, click the + on the LogonBox Authenticator module to add it to the list.

Scroll down and click Save to apply the changes.

For other authentication types, we have a number of articles available here and here.


Review the Peer Definition longevity

By default, a LogonBox VPN client configuration has a longevity setting of 1 day. This means that first thing in the morning a user will have to authenticate their client to connect, but can then disconnect and reconnect as many times as they need throughout the day without being prompted again.

As you are adding 2FA to strengthen security, bear in mind what that window means: for the rest of the day it is the cached authentication, not the second factor, that admits the device, so anyone who can get at the laptop can reconnect without being challenged. You may therefore wish to force the client to authenticate on every connection instead.


If you want to change this, navigate to the VPN menu and edit your peer definition (default is called LogonBox VPN Client).

Change the Longevity from TIMED to ONE_TIME and click Update to save the changes. With ONE_TIME, every connection runs the full authentication flow, including the 2FA step.
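To make the difference between the two settings concrete, here is an added example (not LogonBox code) that models the two longevity policies over a constructed day of connection attempts. It assumes that under TIMED the 1-day window runs from the last successful authentication; the page does not say exactly how the timer is anchored, so treat that as an assumption.

```python
from datetime import datetime, timedelta

# Assumption (not stated on the page): under TIMED the window runs from the
# last successful authentication, and the default longevity of 1 day is 24 hours.
TIMED_WINDOW = timedelta(days=1)


class PeerLongevityPolicy:
    """Decides whether a connection attempt must pass the authentication
    flow (including the 2FA step) before the tunnel comes up."""

    def __init__(self, longevity, window=TIMED_WINDOW):
        if longevity not in ("TIMED", "ONE_TIME"):
            raise ValueError(f"unknown longevity {longevity!r}")
        self.longevity = longevity
        self.window = window
        self.authenticated_at = None  # time of the last successful authentication

    def connect(self, now):
        """Return True if this connection prompts for authentication,
        False if the cached authentication is reused."""
        if self.longevity == "ONE_TIME":
            # Every connection re-runs the full flow; nothing is cached.
            self.authenticated_at = now
            return True
        expired = (self.authenticated_at is None
                   or now - self.authenticated_at >= self.window)
        if expired:
            self.authenticated_at = now
            return True
        return False


def simulate(longevity, events):
    """Run a sequence of (label, timestamp) connection attempts and return
    which of them prompted for authentication."""
    policy = PeerLongevityPolicy(longevity)
    return [(label, policy.connect(ts)) for label, ts in events]


# Constructed sample day: the user connects in the morning and reconnects
# during the day, someone who took the laptop connects at lunchtime, and
# the user reconnects the next morning.
EVENTS = [
    ("user, day 1 08:00", datetime(2024, 3, 4, 8, 0)),
    ("user, day 1 10:15", datetime(2024, 3, 4, 10, 15)),
    ("thief, day 1 12:30", datetime(2024, 3, 4, 12, 30)),
    ("user, day 1 17:00", datetime(2024, 3, 4, 17, 0)),
    ("user, day 2 08:30", datetime(2024, 3, 5, 8, 30)),
]


def prompts_for(longevity):
    """Labels of the events that prompted for authentication under a policy."""
    return [label for label, prompted in simulate(longevity, EVENTS) if prompted]


if __name__ == "__main__":
    for mode in ("TIMED", "ONE_TIME"):
        print(mode, prompts_for(mode))
```

Under TIMED only the first connection of each day prompts, so the lunchtime connection from the taken laptop goes through on the morning's cached authentication; under ONE_TIME every attempt, including that one, has to pass the 2FA step.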


At this point, your users can now connect using your new 2FA configuration.


Example 2FA connections

Here's an example of a VPN connection that has been configured to use the LogonBox Authenticator.

The first time a user logs on, they will be prompted to scan a QR code to set up the app. Any subsequent connection sends a push request to the app, which the user has to approve.


And here is another example showing User Selective 2FA in action, where the user has set up SMS and email OTP authentication.