Perhaps have authpf add clients to a PF table which allows them to vpn in?
The ssh part could have all kinds of S/Key and certificate additions if need be.

Or have people wireguard into the bastion host first, then use authpf
to be let further into the network, since wg is far more silent when
it comes to port knockers and scans.

On Wed, 2 Nov 2022 at 03:07, Stuart Henderson <stu.li...@spacehopper.org> wrote:
>
> If anyone's got any good suggestions on how to do VPNs with 2FA
> on an OpenBSD gateway for non-technical users to access (iOS, Android,
> Windows clients) I'd love to hear them.
>
> I could bodge something together with openvpn and TOTP but it doesn't
> exactly spark joy.
>
>


-- 
May the most significant bit of your life be positive.
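
The first suggestion above, sketched as a pf.conf fragment (an added example, not part of the original message): authpf puts each authenticated SSH client's address into the `<authpf_users>` table for the life of the session, and only addresses in that table may reach the VPN port. The WireGuard port 51820 and the use of the `egress` interface group are assumptions.

```conf
# /etc/pf.conf (fragment, constructed example)

vpn_port = "51820"                  # assumption: WireGuard listen port

# authpf adds the client's IP here on login and removes it on logout
table <authpf_users> persist

# default: drop and log everything arriving from outside
block in log on egress

# anyone may reach sshd so they can authenticate (keys, 2FA, etc.)
pass in on egress proto tcp from any to (egress) port ssh

# only clients with a live authpf session may talk to the VPN
pass in on egress proto udp from <authpf_users> to (egress) port $vpn_port

# per-session rules loaded by authpf from /etc/authpf/authpf.rules
anchor "authpf/*"
```

This applies to accounts whose login shell is `/usr/sbin/authpf`; closing the SSH session removes the address from the table, so new VPN connections from it are blocked again.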
