In-tunnel MFA #2175
I was trying to determine to what extent I could use defguard to provide VPN access where:
As far as I was able to tell from the code in defguard_core, there doesn't seem to be a provision for routing the MFA flows in-tunnel. Am I completely mistaken, or is there some other approach that achieves the "only wireguard is exposed to the Internet" criterion? Thanks for your insights!
Replies: 4 comments 1 reply
Hello, I think that the flow that you are describing could be achieved by setting up two VPN locations in Defguard as follows:
This of course would not be so user-friendly, since it would require establishing two connections at once in the correct order, and updates of the Client's configuration wouldn't work without a VPN tunnel/access to Edge (since the Edge would be hidden), but it meets your requirement of exposing only Wireguard.
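To make the two-location layout from this reply concrete, here is an added example (not code from the thread or from the defguard project) that checks a pair of wg-quick configs for the property the reply relies on: the second location's endpoint must be a non-public address that is only routable through the first tunnel's AllowedIPs. The addresses, ports and keys are constructed placeholders.

```python
import configparser
import ipaddress

# Constructed sample configs (not from the defguard project).
# Location A is the only endpoint exposed to the Internet; location B
# (the hidden Edge/MFA location) is addressed inside A's tunnel network.
OUTER_CONF = """
[Interface]
PrivateKey = <redacted>
Address = 10.10.0.2/24

[Peer]
PublicKey = <redacted>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.10.0.0/24, 10.20.0.0/24
"""

INNER_CONF = """
[Interface]
PrivateKey = <redacted>
Address = 10.20.0.2/24

[Peer]
PublicKey = <redacted>
Endpoint = 10.10.0.1:51821
AllowedIPs = 10.20.0.0/24
"""


def parse_wg(text):
    """wg-quick files are INI-like; strict=False tolerates repeated keys."""
    cp = configparser.ConfigParser(strict=False)
    cp.read_string(text)
    return cp


def endpoint_host(conf):
    """Return the peer Endpoint's host part as an ip_address (IPv6 in brackets)."""
    host, _, _port = conf["Peer"]["Endpoint"].rpartition(":")
    return ipaddress.ip_address(host.strip("[]"))


def allowed_networks(conf):
    return [ipaddress.ip_network(n.strip()) for n in conf["Peer"]["AllowedIPs"].split(",")]


def inner_hidden_behind_outer(outer_text, inner_text):
    """True when the inner location is unreachable except via the outer tunnel."""
    outer, inner = parse_wg(outer_text), parse_wg(inner_text)
    inner_ep = endpoint_host(inner)
    routed_via_outer = any(inner_ep in net for net in allowed_networks(outer))
    return (not inner_ep.is_global) and routed_via_outer
```

Run the check against the generated client configs before rolling them out; a public inner endpoint or one missing from the outer AllowedIPs means the Edge would be exposed or unreachable.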
Hi,
@lostmythread Apologies for the long wait. One more thing worth considering would be using service locations: https://docs.defguard.net/features/service-locations Currently those work only for Windows, but they allow establishing an "always on" tunnel (a tunnel that is always established after the machine boots). I think it could make your use case more approachable for users, as it would automatically establish the first tunnel without any user input. This feature will certainly be worked upon further, as we are planning to add support for it on other platforms (MacOS, Linux). Let me know if that fits your needs or you are looking for something else.
My (tiny) userbase is Linux, MacOS, and mobile. If I can gather the time and inspiration to add this type of feature in a PR, would there be interest?