On 24/3/25 12:29, jeremy ardley wrote:
You could use MFA on the SSH connection and then use certificates to
establish the VPN connection?
In my SSH MFA setup, clients must connect using a certificate, then
they must enter a password, and then they must complete a Google
Authenticator step.
It is possible to configure OpenVPN with MFA such as Google
Authenticator, but other mechanisms are possible.
I should mention that having an internet facing ssh service is usually a
very bad idea. The 'better' approach is to have only a VPN exposed and
use heavy security on that. Once the VPN link is established you can ssh
through the VPN to internal systems.
You can also set up rules on your VPN server so that clients have a very
restricted view of your internal systems and have heavy restrictions on
the protocols they run.
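
Added example, not part of the original message: a small Python check that reads effective sshd settings (the output format of `sshd -T`) and reports whether the certificate, password and one-time-code steps described above are all enforced. It assumes the password step uses sshd's `password` method and that Google Authenticator runs as a PAM module behind `keyboard-interactive`; the sample settings and the CA path are constructed.

```python
# Added example: audit `sshd -T` style output for a three-step login
# (certificate via publickey, then password, then a PAM one-time code).
REQUIRED = ("publickey", "password", "keyboard-interactive")

def parse(text):
    """Map lower-cased keyword -> value; the first value seen wins, as in sshd."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), value.strip())
    return conf

def audit(text):
    """Return a list of findings; an empty list means all three steps are enforced."""
    conf = parse(text)
    findings = []
    # Default is "any": one successful method of any kind is enough.
    methods = conf.get("authenticationmethods", "any")
    # Space-separated lists are alternatives; commas chain methods that must all succeed.
    for alt in methods.split():
        done = {m.split(":")[0] for m in alt.split(",")}
        missing = [m for m in REQUIRED if m not in done]
        if missing:
            findings.append(f"list '{alt}' does not require: {', '.join(missing)}")
    # Certificate logins go through publickey and need a trusted user CA.
    if conf.get("trustedusercakeys", "none") == "none":
        findings.append("no TrustedUserCAKeys: user certificates are not accepted")
    if conf.get("usepam", "no") != "yes":
        findings.append("UsePAM is off: a PAM one-time-code module cannot run")
    return findings

# Constructed samples: one enforcing all three steps, one with weaker alternatives.
STRICT = """authenticationmethods publickey,password,keyboard-interactive:pam
trustedusercakeys /etc/ssh/user_ca.pub
usepam yes
"""
WEAK = """authenticationmethods publickey,keyboard-interactive password
trustedusercakeys none
usepam yes
"""

if __name__ == "__main__":
    for name, sample in (("STRICT", STRICT), ("WEAK", WEAK)):
        print(name, audit(sample) or "ok")
```

On a live host the input would be the saved output of `sshd -T`, run as root.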