defguard
Design: Disable "Add device" if 2FA for a location is enabled
Describe the bug
The user can still create a manual/vanilla WG config even if 2FA is enforced.
This allows connecting without having to use TOTP.
To Reproduce
Steps to reproduce the behavior:
- Create a location with required MFA
- Add some user
- Add TOTP to the user
- Add a new device
- Create a manual WG client
- User can connect without using TOTP
Expected behavior
That users cannot connect without using TOTP -> Do not allow adding vanilla WG configs
Version information
- Defguard Core version: v0.9.0
- On any browser
Screenshots
Additional context
I'm not familiar with React (or ts/js at all), but it seems to me that having some sort of check in: https://github.com/DefGuard/defguard/blob/c6f2d94fe033048c63141d0cbf70663f674c28b0/web/src/pages/addDevice/steps/AddDeviceSetupMethodStep/AddDeviceSetupMethodStep.tsx#L94 to not show the card if MFA is enabled should work.
Maybe a cleaner approach is just to skip to the next step if MFA is required, with the "remote desktop activation" already selected for you, and skip that step altogether.
@FrancoLoyola for sure the user cannot connect to the VPN. Can configure - but can't connect. @filipslezaklab we should just disable WireGuard manual setup for the MFA VPNs.
Thanks for the quick reply! Looking forward to the update!
@teon Sort of related, but we would like to have the option to disable the option for the user to provision their own VPN (both defguard and native wireguard).
So, an option to completely disable the "Add a new device" option for users, and only allow the Admins to generate a token for the user to use to provision their defguard clients.
Not sure if you want me to open a new ticket for this?
@SkullKill yap, that is another issue - please open a new issue and describe your requirements.
@filipslezaklab allow configuring a device manually:
- If number of VPNs user is allowed to and they are not MFA >= 1
- Do not show MFA based configurations
Related to #596
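
Added example (not from the thread and not defguard's own code): the rule from the last comment, "allow manual configuration only when the user has at least one non-MFA VPN, and never generate configs for MFA locations", written as a TypeScript decision function over constructed data. All type, field and function names are hypothetical, and treating an empty group list as "every user allowed" is an assumption.

```typescript
// Hypothetical model of a VPN location; field names are assumptions.
interface VpnLocation {
  id: number;
  name: string;
  mfaEnabled: boolean;      // location requires MFA before a connection is accepted
  allowedGroups: string[];  // assumption: empty list means every user is allowed
}

interface ManualSetupDecision {
  manualAllowed: boolean;       // show the manual WireGuard setup card at all?
  configurable: VpnLocation[];  // locations a manual config may be generated for
  withheld: VpnLocation[];      // MFA locations, left to the MFA-capable client only
}

function userMayAccess(loc: VpnLocation, userGroups: string[]): boolean {
  if (loc.allowedGroups.length === 0) return true;
  return loc.allowedGroups.some((g) => userGroups.indexOf(g) !== -1);
}

// Manual setup is offered only if at least one reachable location has no MFA;
// MFA locations never appear in a manually generated configuration.
function decideManualSetup(
  locations: VpnLocation[],
  userGroups: string[],
): ManualSetupDecision {
  const reachable = locations.filter((l) => userMayAccess(l, userGroups));
  const configurable = reachable.filter((l) => !l.mfaEnabled);
  const withheld = reachable.filter((l) => l.mfaEnabled);
  return { manualAllowed: configurable.length >= 1, configurable, withheld };
}

// Constructed sample data, not taken from any real deployment.
const sampleLocations: VpnLocation[] = [
  { id: 1, name: "office", mfaEnabled: false, allowedGroups: [] },
  { id: 2, name: "prod", mfaEnabled: true, allowedGroups: ["ops"] },
  { id: 3, name: "lab", mfaEnabled: false, allowedGroups: ["research"] },
];

// A user in "ops": manual setup is offered, but only for "office".
const opsDecision = decideManualSetup(sampleLocations, ["ops"]);
console.log(opsDecision.manualAllowed, opsDecision.configurable.map((l) => l.name));

// A user whose only reachable location enforces MFA: the card is hidden.
const mfaOnly = decideManualSetup(sampleLocations.filter((l) => l.mfaEnabled), ["ops"]);
console.log(mfaOnly.manualAllowed);
```

Running the same decision on the server when a device config is requested keeps the outcome independent of what the web UI chooses to display.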