Pritunl clients. Zero trust, host checker, MFA

@zach

Is the idea of adding MFA for WireGuard, or a host check for security reasons, into the clients on the roadmap?
For example, if the computer doesn’t have a cert, a file, or a process running, don’t allow connectivity. For Android, Windows, Linux…
Or require MFA to start using the client with WireGuard: the server could force MFA authentication before it allows the WireGuard connection.

On the other hand, I see on GitHub that you are the only developer in the company. Is this the case? How is enterprise support handled, and how is future development secured?

The Pritunl server and client have additional authentication and connection management described in the WireGuard documentation section. This includes support for multi-factor authentication. The Pritunl Client WireGuard connections use a combination of SHA512-HMAC authorization, NaCl asymmetric authorization+encryption and RSA-4096 asymmetric authorization. This authentication system is used by the server to generate a new WireGuard key on each connection.

Once connected, keep-alives are sent every 10 seconds; if the client doesn’t keep the connection active, the server will remove the WireGuard key. This will require the client to reauthenticate to receive a new key.

This design allows supporting the WireGuard protocol while still maintaining the strong connection-oriented authentication that is available in OpenVPN.


Multi-factor is something I know + something I have. I don’t see it here.
From the link you sent:

[WireGuard] uses a connection-less design and this private key could be used by an attacker to hijack the connection even if multi-factor authentication is used. In high security environments it is important to consider that OpenVPN connections with multi-factor authentication will not have these weaknesses

This means that, although WireGuard’s approach is not a bad one, OpenVPN with real MFA is even better.

Regarding some of the other questions, when I mentioned a host checker I meant this:

Pritunl Endpoint is a new endpoint monitoring and management system added to Pritunl Zero. This initial release will only handle monitoring a few system metrics, which will be graphed in the Pritunl Zero web console. This new platform will be used to build additional endpoint management, monitoring and security features. Currently only Linux hosts are supported; additional operating system support will be added in the future.

The Pritunl server can be configured with Google Authenticator. With an enterprise subscription Duo, YubiKeys, OneLogin push and Okta push are supported. All of these multi-factor authentication options will work with both OpenVPN and WireGuard connections. The multi-factor authentication is required to initiate a WireGuard connection in Pritunl.

The connection-less design of WireGuard does weaken authentication compared to OpenVPN, but this is mostly mitigated by the design of the Pritunl server’s connection monitoring. The keep-alive requests are also authenticated with the same method as connection requests. This leaves only a small window for attacks.

Pritunl Endpoint currently only supports monitoring system metrics on Linux. It may be expanded in the future to provide device security and validation for Pritunl VPN connections but this isn’t in development currently. The only endpoint feature currently in development is the phone call and SMS alerts for system issues such as low disk space or failed disks.

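The two replies above describe the same mechanism from two angles: a WireGuard peer key is only issued after an authenticated connect request that has passed MFA, keep-alives carrying the same authentication must keep arriving every 10 seconds, and the server revokes the key when they stop. The following Python sketch is an added illustration of that connection-oriented design layered over a connection-less transport; it is not Pritunl’s code. It keeps the HMAC-SHA512 request authentication and a Google Authenticator style TOTP check and leaves out the NaCl and RSA-4096 layers the thread mentions. The 30-second revocation timeout, the clock-skew window, the nonce replay guard, the user and secret values, and the random placeholder standing in for a real WireGuard key are all assumptions of this example.

```python
"""Added illustration (not Pritunl's code): authenticated key issuance and
keep-alive based revocation for a WireGuard-style connection-less transport."""
import base64
import hashlib
import hmac
import os
import struct

KEEPALIVE_INTERVAL = 10   # seconds between client keep-alives (from the thread)
KEY_TIMEOUT = 30          # assumption: revoke after roughly three missed keep-alives
CLOCK_SKEW = 30           # assumption: reject requests timestamped outside +/-30 s
TOTP_STEP = 30            # RFC 6238 default time step


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 time-based OTP over HMAC-SHA1 (what Google Authenticator produces)."""
    counter = struct.pack(">Q", at // TOTP_STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign(auth_key: bytes, *fields) -> str:
    """HMAC-SHA512 over the request fields. The shared auth key never travels on the
    wire, so a captured request cannot be altered or re-signed by an observer."""
    msg = "\n".join(str(f) for f in fields).encode()
    return hmac.new(auth_key, msg, hashlib.sha512).hexdigest()


class KeyServer:
    """Issues a fresh peer key per authenticated connect and revokes it once
    authenticated keep-alives lapse. All time values are passed in explicitly
    so the flow can be simulated offline."""

    def __init__(self):
        self.users = {}      # user -> (auth_key, totp_secret)
        self.sessions = {}   # user -> {"key": str, "last_seen": int}
        self.nonces = {}     # user -> set of nonces already accepted (replay guard)

    def add_user(self, user, auth_key, totp_secret):
        self.users[user] = (auth_key, totp_secret)

    def _authenticate(self, user, fields, mac, now):
        """Verify HMAC, timestamp freshness and nonce uniqueness. Returns None on
        success or a short rejection reason."""
        if user not in self.users:
            return "unknown user"
        auth_key, _ = self.users[user]
        if not hmac.compare_digest(sign(auth_key, *fields), mac):
            return "bad signature"
        ts, nonce = fields[2], fields[3]
        if abs(now - int(ts)) > CLOCK_SKEW:
            return "stale timestamp"
        seen = self.nonces.setdefault(user, set())
        if nonce in seen:
            return "replayed nonce"
        seen.add(nonce)
        return None

    def connect(self, user, ts, nonce, code, mac, now):
        """Connect request: HMAC-authenticated and carrying a TOTP code. Only a
        successful request yields a key; returns (key, None) or (None, reason)."""
        err = self._authenticate(user, ("connect", user, ts, nonce, code), mac, now)
        if err:
            return None, err
        _, totp_secret = self.users[user]
        # Accept the current and adjacent steps to tolerate small clock drift.
        valid = [totp(totp_secret, now + d) for d in (-TOTP_STEP, 0, TOTP_STEP)]
        if not any(hmac.compare_digest(code, v) for v in valid):
            return None, "bad mfa code"
        # Placeholder for the server-generated WireGuard key (assumption: random bytes
        # stand in for a real X25519 key pair here).
        key = base64.b64encode(os.urandom(32)).decode()
        self.sessions[user] = {"key": key, "last_seen": now}
        return key, None

    def keepalive(self, user, ts, nonce, mac, now):
        """Keep-alive authenticated exactly like a connect request."""
        err = self._authenticate(user, ("keepalive", user, ts, nonce), mac, now)
        if err:
            return False, err
        sess = self.sessions.get(user)
        if sess is None:
            return False, "no active key; reconnect"
        sess["last_seen"] = now
        return True, None

    def expire(self, now):
        """Periodic sweep: revoke keys whose keep-alives have stopped."""
        revoked = [u for u, s in self.sessions.items() if now - s["last_seen"] > KEY_TIMEOUT]
        for u in revoked:
            del self.sessions[u]
        return revoked

    def active_key(self, user):
        sess = self.sessions.get(user)
        return sess["key"] if sess else None


def client_connect(server, user, auth_key, totp_secret, now, nonce):
    """Client side of a connect: sign the request fields and include the TOTP code."""
    code = totp(totp_secret, now)
    mac = sign(auth_key, "connect", user, now, nonce, code)
    return server.connect(user, now, nonce, code, mac, now)


def client_keepalive(server, user, auth_key, now, nonce):
    mac = sign(auth_key, "keepalive", user, now, nonce)
    return server.keepalive(user, now, nonce, mac, now)


if __name__ == "__main__":
    # Constructed credentials; a simulated clock drives the whole exchange.
    srv, user, ak, ts = KeyServer(), "alice", b"A" * 32, b"B" * 20
    srv.add_user(user, ak, ts)
    t0 = 1_700_000_000
    key, err = client_connect(srv, user, ak, ts, t0, "n1")
    print("connect:", err or "key issued")
    print("keepalive:", client_keepalive(srv, user, ak, t0 + KEEPALIVE_INTERVAL, "n2"))
    print("revoked after silence:", srv.expire(t0 + KEEPALIVE_INTERVAL + KEY_TIMEOUT + 1))
```

The point of the example is the window the second reply refers to: an attacker holding a captured WireGuard private key can only use it until the next keep-alive deadline, and cannot extend that window because each keep-alive needs the shared auth key the attacker does not have, and a replayed keep-alive is rejected by the nonce check.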