How-to enable Multi-Factor Authentication (MFA) on the ITS Private Cloud VPN (VSS VPN)

Introduction

Starting from June 25, 2024, Multi-Factor Authentication (MFA) will be available for the ITS Private Cloud VPN (VSS VPN). This added security measure is optional but strongly recommended to enhance the security between users and the ITS Private Cloud management interfaces.

If you have already set up MFA for the ITS Private Cloud Portal, API, or CLI (vss-cli), you can use the same setup for the VSS VPN. The same TOTP-based authentication method will be used across all these services, streamlining your security measures.

This how-to explains how to enable MFA on the ITS Private Cloud VPN, how to manage VPN connections with a TOTP once MFA is enabled, and finally clarifies session expiration and re-authentication.

Enable MFA

The VSS VPN service web interface allows you to configure MFA for both OpenVPN and Wireguard tunnels. To enable MFA for these tunnels, follow these steps:

  1. Visit the VSS VPN MFA management page at https://utor.cloud/vpn/mfa.

  2. Verify your current MFA setup with a TOTP.


  3. Enable MFA for either or both OpenVPN and Wireguard tunnels as needed.

Once MFA is enabled, you will need to provide a TOTP to establish a connection.

Managing VPN Connections with MFA

Opening the gateways for secure connections to the VSS VPN is as easy as providing a TOTP via the VPN web interface https://utor.cloud/vpn/otp.

Also, for your convenience, the vss-cli (version 2024.6.0) includes an option to activate tunnels with MFA. Use the following command to establish a VPN connection:

vss-cli vpn gw on

The command prompts you for the TOTP generated by your authenticator. To avoid the prompt, pass the code to the same command with the --totp option.

Session Expiration and Re-authentication

Please note that your MFA token will be required to establish a connection. The session will expire either when the VPN connection is terminated or after 60 minutes of idle time. In either case, you will need to provide a new token to reconnect. You can provide a new token via https://utor.cloud/vpn/otp or the vss-cli:

vss-cli vpn gw on
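To make the two rules above concrete (a fresh TOTP opens the tunnel; the session ends on disconnect or after 60 idle minutes and a new code is then required), here is an added Python model of such a TOTP-gated gateway. It is illustrative code written for this article, not the VSS VPN's or vss-cli's own implementation; it assumes standard RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits), and the one-step clock-drift window and single-use code check are assumptions about how a gateway might behave.

```python
import base64
import hashlib
import hmac
import struct

IDLE_TIMEOUT_S = 60 * 60  # the 60-minute idle limit described above (assumed policy value)
TOTP_STEP_S = 30
TOTP_DIGITS = 6


def totp(secret_b32: str, at: int, step: int = TOTP_STEP_S, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class VpnGateway:
    """Toy model (assumption, not the real service): tunnel opens with a fresh code,
    closes on disconnect or idle timeout, and every code is accepted only once."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.open = False
        self.last_activity = 0
        self.used_counters = set()  # replay protection: a code cannot be re-submitted

    def activate(self, code: str, now: int) -> bool:
        # Accept the current 30-second step and one step on either side for clock drift.
        for drift in (-1, 0, 1):
            counter = now // TOTP_STEP_S + drift
            expected = totp(self.secret, counter * TOTP_STEP_S)
            if hmac.compare_digest(expected, code) and counter not in self.used_counters:
                self.used_counters.add(counter)
                self.open = True
                self.last_activity = now
                return True
        return False

    def touch(self, now: int) -> bool:
        """Record traffic at `now`; returns whether the tunnel is still open."""
        if self.open and now - self.last_activity > IDLE_TIMEOUT_S:
            self.open = False  # idle timeout: a new TOTP is required to reconnect
        if self.open:
            self.last_activity = now
        return self.open

    def disconnect(self) -> None:
        self.open = False  # explicit disconnect also ends the session
```

The secret used in the checks is the RFC 6238 test-vector seed, constructed for the example only; never store a real seed alongside a connection script, since that removes the second factor.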

University of Toronto - Since 1827