Re: site-to-site VPN with credential prompts?

To: debian-user@lists.debian.org
Subject: Re: site-to-site VPN with credential prompts?
From: john doe <johndoe65534@mail.com>
Date: Mon, 24 Mar 2025 09:52:37 +0100
Message-id: <[🔎] 7eb8e418-7db2-48b7-ae38-e406160d4347@mail.com>
In-reply-to: <[🔎] eb891680-242e-42bf-80b9-f2c8af617e43@gmail.com>
References: <[🔎] CAH8yC8kg=yNE7Avp6++wEr3Nfcnpp5zWMmjRjhaGRHmx0ubMoQ@mail.gmail.com> <[🔎] c4e72e8d-5d09-423d-b907-52c7e1cf1f31@gmail.com> <[🔎] eb891680-242e-42bf-80b9-f2c8af617e43@gmail.com>

On 3/24/25 05:39, jeremy ardley wrote:


On 24/3/25 12:29, jeremy ardley wrote:


You could use MFA on the SSH connection and then use certificates to
establish the VPN connection?

My SSH MFA setup has clients must connect using a certificate, then
they must enter a pasword, and then they must complete a google
authenticator.

It is possible to configure OpenVPN with MFA such as google
authenticator, but other mechanisms are possible.



I should mention that having an internet facing ssh service is usually a
very bad idea. The 'better' approach is to have only a VPN exposed and
use heavy security on that. Once the VPN link is established you can ssh
through the VPN to internal systems.



This is realy the best way forward.

An other MFA alternative is PKI and user/ PWD prompt and optionaly 2FA.

--
John Doe

Reply to:

References:
- site-to-site VPN with credential prompts?
  - From: Jeffrey Walton <noloader@gmail.com>
- Re: site-to-site VPN with credential prompts?
  - From: jeremy ardley <jeremy.ardley@gmail.com>
- Re: site-to-site VPN with credential prompts?
  - From: jeremy ardley <jeremy.ardley@gmail.com>

Prev by Date: Re: laptop options
Next by Date: Laptop trackpoint (pointing stick) detected as "PS/2 Generic Mouse". Bug?
Previous by thread: Re: site-to-site VPN with credential prompts?
Next by thread: Re: site-to-site VPN with credential prompts?
Index(es):
- Date
- Thread