Best VPN appliance with 2FA

I am trying to find the best solution for the following requirements:

  • Client VPN for Windows & macOS users
  • Preferably L2TP so employees don’t need to install additional software - but I’m open to other options
  • Supports 2FA (hosted RADIUS with 2FA support?)
  • Using Google Workspace as the identity provider and adding VPN users to a group in Google would be ideal (would rather not need to maintain two separate user databases)

I am planning to have a UDM-Pro installed at this location, but I don’t know that I want to use it for the Client VPN - I am thinking of having a separate VPN appliance - I was thinking of using pfSense - but I am open to any suggestions.

From the research I’ve done so far, it seems like the easiest way to implement 2FA is to use a hosted RADIUS service that supports 2FA. I also need this system to be easy to manage and maintain when new employees are onboarded.

Does anyone have any ideas of the best services available right now for this use case? Or can anyone share how they are implementing VPN service for large companies?

This is a bit theoretical.

On pfSense you have the FreeRADIUS package, which includes one-time passwords; users can be set up to use this.

On an OpenVPN instance you can then use that FreeRADIUS for authentication.

You ought to be able to set this up easily in a test environment and inspect the results.

The implementation of OpenVPN with a CA on pfSense is pretty good, certainly easy to revoke certs when users are terminated.

Or why don’t you just use a cert / username / password?

I think I recall something about appending the password to the code (might not be the case) when using the OTP, somehow users might not like that.


@neogrid The Cybersecurity Insurance company for my client is requiring them to have 2FA on their VPN connection back to their corporate office. From what I’m reading online, a certificate doesn’t count as 2FA. It would need to be user/pass/OTP based authentication.

Fair enough, I’d add certs too, not that complicated but easy to revoke.

You can have a per-user certificate with OpenVPN, and also the client export package to make things easier.

  • FreeRADIUS package to cover the 2FA requirement. Seems doable with pfSense.

Any advice on hooking into Google as IdP? Was looking at JumpCloud, Cloud RADIUS by SecureW2, Duo and Okta. Would love any feedback if anyone has any experience with any of these services.

I would look into Palo Alto Prisma Access. I have 6 POPs across the US and run IPSec tunnels back to my data center for corporate access. It’s an easy design that supports MFA across many identity providers.

VPN for large companies uses PKI (smartcards). This is a form of 2FA as it requires a PIN + the smartcard. Does your current implementation use smartcards or certificate-based auth?

I would recommend cert-based with a PIN and token passcode for auth.

OP, I will recommend what I have put in place where I work (Fortinet), but you might not like it.
- Firewall: FortiGate - handles the VPN connections (and certificates if you want - we are removing the certificate because we now use EMS, which is much more flexible, and you don’t need to redeploy the cert every year)
- RADIUS: FortiAuthenticator, with which you can use your user database from Active Directory/LDAP or something else, and you can specify to require 2FA when signing in.
- Firewall Client: FortiClient, which is provided by your FortiEMS server, which in turn lets you set up Zero Trust (ZTNA) rules and block devices even before they reach your network.

Of course it is not cheap, but it is leagues more secure than a standard setup - at the price also of more complexity.