Multi-Factor Authentication for the ITS Private Cloud VPN (VSS VPN)

Starting from June 25, 2024, Multi-Factor Authentication (MFA) will be available for the ITS Private Cloud VPN (VSS VPN). This added security measure is optional but strongly recommended to enhance the security between users and the ITS Private Cloud management interfaces.

Why Use MFA?

MFA adds an extra layer of security by requiring not only your password but also a time-based one-time password (TOTP) generated by an authentication app. This ensures that even if your password is compromised, your account remains secure.

Interoperability with Existing MFA Setup

If you have already set up MFA for the ITS Private Cloud Portal, API, or CLI (vss-cli), you can use the same setup for the VSS VPN. The same TOTP-based authentication method will be used across all these services, streamlining your security measures.

Setting Up MFA for VSS VPN

The VSS VPN service web interface allows you to configure MFA for both OpenVPN and Wireguard tunnels. To enable MFA for these tunnels, follow these steps:

  1. Visit the VSS VPN MFA management page at

  2. Verify your current MFA setup with a TOTP.

    CleanShot 2024-05-30 at 15.20.01-20240530-192038.png

  3. Enable MFA for either or both OpenVPN and Wireguard tunnels as needed.

Once MFA is enabled, you will need to provide a TOTP to establish a connection.

Managing VPN Connections with MFA

Opening the gateways for secure connections to the VSS VPN is as easy as providing a TOTP via the VPN web interface

Also, for your convenience, the vss-cli (version 2024.6.0) includes an option to activate tunnels with MFA. Use the following command to establish a VPN connection:

vss-cli vpn gw on

The command will prompt you to provide the TOTP generated. You can add --totp and provide the code to the same command to avoid prompting.

Session Expiration and Re-authentication

Please note that your MFA token will be required to establish a connection. The session will expire either when the VPN connection is terminated or after 60 minutes of idle time. In either case, you will need to provide a new token to reconnect. You can provide a new token via or the vss-cli:

vss-cli vpn gw on

Need Help?

If you have any questions or need assistance with setting up MFA, just contact vss (at) eis (dot) utoronto (dot) ca and we will be there to help.

University of Toronto - Since 1827