OpenVPN Groups and MFA?

Started by TitanOne1337, March 12, 2024, 09:54:40 AM

March 12, 2024, 09:54:40 AM Last Edit: March 12, 2024, 11:26:11 AM by TitanOne1337
Hello everyone!

I was tasked by a customer with looking into setting up an OpenVPN-based solution for user VPNs, because our current implementation with a FortiGate and its SSL VPN is going up in flames (the most well-optimized and structurally sound thing since my grandmother's hips). Our "old" pfSense OpenVPN setup, which only still exists because of the issues with the FortiGate VPN, also has to be axed because it is, in plain terms, one steaming pile of garbage. This came to be before my time, and was done in this way because the people there apparently work 28 hours a day and 12 days a week; any downtime has to be planned months in advance.

To be clear, as a firewall the FortiGate is staying, but I have to find a different VPN solution. This solution needs to fulfill some requirements:

  • User Groups with granular permissions (down to specified IP and Port)
  • The ability to assign a User to multiple Groups
  • A MFA solution that is NOT cloud-based
  • NO cloud in fact. For some certification that I don't remember, we cannot use cloud services
  • Simple config management, if possible just one config for all users

Part of the task is to try OPNsense first and foremost, since pfSense doesn't provide all the things we need and the OpenVPN Access Server is quite pricey for the couple dozen Users we have.

If anyone could tell me if OPNsense can do what I've listed, you'd save me a wild goose chase for answers and hours of throwing spaghetti at the wall to see what sticks.

Sounds a lot like RADIUS to me

In OPNsense you could use the local database or common LDAP for authentication. MFA is also built into OPNsense as a local service; just the OpenVPN clients are not really easy with MFA: you would have to type in password + MFA in the password field.
VMW / PMX / PFS / OPS
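As an added example (not from this thread, and not OPNsense's or OpenVPN's own code), the following Python script models what the reply above describes: the user types the static password and the one-time token together into the OpenVPN client's password field, and the server-side authenticator has to split that single string on the fixed token length before it can check either part. The secret (the RFC 6238 reference key), the user's password and the 6-digit token length are constructed assumptions; whether the token is appended or prepended is a setting of whatever authenticator is in use, so both orders are handled.

```python
"""Password + TOTP token in one OpenVPN password field.

Models how a server-side authenticator can split a combined
"<password><6-digit token>" string, as typed into the OpenVPN client's
password field, and verify both parts. TOTP per RFC 6238 (HMAC-SHA1, 30 s step).
"""
import base64
import hashlib
import hmac
import struct

# Constructed test secret: RFC 6238 reference key "12345678901234567890" in base32.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed static password for the demo user.
DEMO_PASSWORD = "pass123"  # ends in digits on purpose: the split must still work


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret_b32, unix_time // step, digits)


def split_combined(combined: str, digits: int = 6, token_first: bool = False):
    """Split "<password><token>" (or "<token><password>") on the fixed token length.

    Returns (password, token), or None when the string is too short or the
    token part is not all digits. A fixed token length is what makes the split
    unambiguous, even when the password itself ends in digits.
    """
    if len(combined) <= digits:
        return None
    if token_first:
        token, password = combined[:digits], combined[digits:]
    else:
        password, token = combined[:-digits], combined[-digits:]
    if not token.isdigit():
        return None
    return password, token


def verify(combined: str, stored_password: str, secret_b32: str, unix_time: int,
           window: int = 1, step: int = 30, digits: int = 6,
           token_first: bool = False) -> bool:
    """Check password and token; accept tokens from +/- `window` time steps to
    tolerate clock drift. Both comparisons are constant-time and both are always
    evaluated, so a wrong password and a wrong token take the same path."""
    parts = split_combined(combined, digits, token_first)
    if parts is None:
        return False
    password, token = parts
    password_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    counter = unix_time // step
    token_ok = False
    for k in range(-window, window + 1):
        expected = hotp(secret_b32, counter + k, digits)
        token_ok |= hmac.compare_digest(token.encode(), expected.encode())
    return password_ok and token_ok


if __name__ == "__main__":
    t = 1111111109  # RFC 6238 test-vector time; the 6-digit SHA1 token is 081804
    token = totp(DEMO_SECRET_B32, t)
    print("token now:", token)
    print("good login:", verify(DEMO_PASSWORD + token, DEMO_PASSWORD, DEMO_SECRET_B32, t))
    print("same string replayed 2 minutes later:",
          verify(DEMO_PASSWORD + token, DEMO_PASSWORD, DEMO_SECRET_B32, t + 120))
```

Two practical consequences follow from the split: the token length must be fixed and known to the authenticator (a user with a variable-length token would be unverifiable), and the static password and the one-time code always travel together as one OpenVPN password, so the server has to hand the complete string to the authenticator rather than a truncated copy. OpenVPN clients that support the `static-challenge` directive can instead prompt for the code in a separate field; that is a client-side convenience and does not change what the server has to verify.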