Enable 2FA for RMS VPN Hub

Hi,

I read online that it is possible to enable 2FA for OpenVPN servers. Because RMS Hub uses OpenVPN under the hood, should it not be possible to enable 2FA?

I’ll explain why:
- When you create a new VPN hub and add a client to it, you can download the .ovpn file and upload it onto OpenVPN Connect on your laptop.
- Each time you then start the VPN connection, you don’t have to provide any form of password or 2FA.
- That means if the laptop running the OpenVPN Connect client is stolen or contains malware, for a bad actor it is a simple click of a button to connect with the VPN to the site where the Teltonika is located and access the client’s infrastructure.
- The fact that the RMS website has 2FA does not solve the problem. That only secures the web portal login.

If it is not possible, what are alternative options?

Greetings,

I’ve read up on it, and it looks like the 2FA you’re mentioning is for accessing the server portal, not connecting to the server itself. This, in essence, means that RMS is the same; you log in to the portal using 2FA, in order to actually configure, download the file, and then have the ability to connect to the VPN server:

I believe it wouldn’t matter what kind of VPN you would end up using, it is the same everywhere - the functionality is locked behind a login to the account, which you can use until you log out. In our case, to obtain the file in the first place, you would have to get through the 2FA and login to the account, where only then would you be able to download the .ovpn file and actually connect to the VPN, but even then, things such as connecting to one of our devices wouldn’t be as simple, since they also have their own passwords in place.

Security risks are always present, no matter the service you might use. At the end of the day, the responsibility for securely using these services is the users’ responsibility.

Kind regards,
M.

Hi MatasR,

Thank you for taking the time to reply to my post so quickly and in such a detailed manner.

I hear you and I agree with you regarding it being the user’s responsibility to stay secure. But for our client, where we want to roll out 100s of these devices, that won’t be enough.

If I set up a VPN hub that allows me to VPN to the Teltonika on site and then gives me access to the subnet on site (containing critical OT infrastructure that doesn’t have 2FA / passwords), I have a problem. Because again, if someone stole my laptop or loaded malware on it, they simply click “connect” on the OpenVPN Connect client and then they are connected to the client’s site subnet (it doesn’t matter that the Teltonika itself has a username and password; the bad actor can go straight to other equipment of the client on site).

Now I know that e.g. SonicWall requires you to provide a username, password and OTP (2FA) every time you start the VPN connection from your laptop. That means even if my laptop is stolen or hacked, they won’t be able to launch the VPN.

As far as I understand, it is possible to do this for OpenVPN as well:

I just assume the way RMS is using OpenVPN, it is not enabled / exposed to us users?

Kind regards,
Hanno
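Hanno’s point above is that OpenVPN itself can be made to prompt for a username and a one-time code at every connection, on top of the certificate that is baked into the .ovpn file, so a stolen profile alone is not enough to bring the tunnel up. The script below is an added example of that mechanism and is not code from Teltonika, RMS or the OpenVPN project. It assumes a self-managed OpenVPN server with the standard directives `script-security 2` and `auth-user-pass-verify /etc/openvpn/verify_totp.py via-file`, and a client profile containing `auth-user-pass` so OpenVPN Connect asks for the credentials on each start. The user table and TOTP seed are constructed for illustration (the seed is the RFC 6238 test-vector secret); a real deployment would keep per-user seeds in a protected store.

```python
"""Minimal OpenVPN auth-user-pass-verify script with TOTP (RFC 6238).

Added example, not Teltonika/RMS/OpenVPN project code. In `via-file` mode
OpenVPN writes the username on line 1 and the password on line 2 of a
temporary file and passes its path as argv[1]; exit status 0 accepts the
connection, anything else rejects it.
"""
import base64
import hashlib
import hmac
import struct
import sys
import time

STEP_SECONDS = 30      # TOTP time step
DIGITS = 6             # code length shown by authenticator apps

# Constructed sample user table: username -> base32 TOTP seed.
# This seed is the RFC 4226/6238 test-vector secret "12345678901234567890"
# and is used here only so the example has a known-good answer.
USER_SEEDS = {"hanno": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Return the TOTP code for the time window containing Unix time `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", max(at, 0) // step)          # never negative
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(username: str, code: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current window and +/- `window` steps of clock drift."""
    seed = USER_SEEDS.get(username)
    if seed is None or not code.isdigit() or len(code) != DIGITS:
        return False
    # compare_digest keeps the comparison constant-time for each candidate
    return any(
        hmac.compare_digest(totp(seed, now + k * STEP_SECONDS), code)
        for k in range(-window, window + 1)
    )


def check_credentials_text(text: str, now: int) -> bool:
    """Parse the two-line via-file format and verify username + one-time code."""
    lines = text.splitlines()
    if len(lines) < 2:
        return False
    return verify(lines[0].strip(), lines[1].strip(), now)


def main(argv: list) -> int:
    if len(argv) < 2:
        return 1
    with open(argv[1], encoding="utf-8") as fh:
        text = fh.read()
    return 0 if check_credentials_text(text, int(time.time())) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

OpenVPN only consults the script after the TLS handshake has already validated the client certificate, so this adds a second factor rather than replacing the first; in production the password line would typically carry a static PIN plus the one-time code, and the server should set `auth-nocache` in the client profile so OpenVPN Connect does not keep the credentials between connections.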

Hi there,

You are correct, the link you provided does explain how to set up 2FA, but it shows how to set the 2FA to connect to the OpenVPN Connect app, and not to initiate a connection to the actual server.

You may also use the Teltonika RMS VPN app: RMS VPN App - Teltonika Networks Wiki

The app also has a 2FA requirement, which is probably what you’re looking for from what you’ve said so far.

Regards,
M.

