In-tunnel MFA

[lostmythread]

I was trying to determine to what extent I could use defguard to provide VPN access where:

1. Nothing exposed on the Internet besides the Gateway(s)
2. Client performs enrollment on a "trusted" network, i.e. where the Edge servers are reachable.
3. Clients connect to a Gateway in two stages:
   1. pre-MFA: setup base wireguard tunnel using the pub/priv keypairs that were setup during enrollment. User authentication, possibly involving an external identity provider, is all done in-tunnel. At this stage, the Gateway only allows access to DNS, Edge(?), Identity provider.
   2. post-MFA: once authenticated, rules matching the user's/group's/device's allowed destinations are applied. The VPN is operational.

As far as I was able to tell from the code in defguard_core, there doesn't seem to be a provision for routing the MFA flows in-tunnel. Am I completely mistaken, or is there some other approach that achieves the "only wireguard is exposed to the Internet" criterion?

Thanks for your insights!

[t-aleksander]

Hello,
You are correct that currently Defguard assumes that your external provider and Edge is available publicly to the clients before connecting to the VPN. This is perhaps best explained by this diagram and our architecture overview: https://docs.defguard.net/deployment-strategies/hardware-os-network-and-firewall-recommendations#firewall-settings, https://docs.defguard.net/in-depth/architecture

I think that the flow that you are describing could be achieved by setting up two VPN locations in Defguard as follows:

1. The first VPN location would not require any authentication and would allow regular wireguard connections. This location would grant access to the DNS, external providers and so on.
2. The second VPN location would have MFA enabled and would require authenticating to the external provider first. Since the external provider is behind the first location, connecting to this location would require initially connecting to the first location.

This of course would be not so user friendly since it would require establishing two connections at once in a correct order and updates of Client's configuration wouldn't work without a VPN tunnel/access to Edge (since the Edge would be hidden), but meets your requirement of exposing only Wireguard.

[lostmythread]

Hi,
Thanks for your answer, it helps clear things up for me. Your comment about user friendliness is spot on, for now I'm using a home-grown solution that also requires something like the two-step process you mention. I was looking at Defguard as something that might provide a comparatively better integrated and smoother solution.
Is this type of functionality compatible with the direction you see the project going?

[t-aleksander]

@lostmythread Apologies for the long wait. One more thing worth considering would be using service locations: https://docs.defguard.net/features/service-locations

Currently those work only for Windows, but they allow to establish an "always on" tunnel (a tunnel that is always established after the machine boots). I think it could make your use case more approachable for users, as it would automatically establish the first tunnel without any user input. This feature will certainly be worked upon further, as we are planning to add support for it for other platforms (MacOS, Linux). Let me know if that fits your needs or you are looking for something else.

[lostmythread]

My (tiny) userbase is Linux, MacOS, and mobile. If I can gather the time and inspiration to add this type of feature in a PR, would there be interest?

[teon]

Any PRs are welcome! 🤗