DefGuard / defguard

Enterprise, fast, secure VPN & SSO platform with hardware keys, 2FA/MFA
https://defguard.net

2FA not quite enforced in "Add device" #554

Open FrancoLoyola opened 4 months ago

FrancoLoyola commented 4 months ago

Describe the bug

The user can still create a manual/vanilla WG config even if 2FA is enforced.

This allows connecting without having to use TOTP.

To Reproduce

Steps to reproduce the behavior:

  1. Create a location with required MFA
  2. Add some user
  3. Add TOTP to the user
  4. Add a new device
  5. Create a manual WG client
  6. User can connect without using TOTP

Expected behavior

Users cannot connect without using TOTP -> do not allow adding vanilla WG configs.

Version information

Screenshots

(two screenshots attached to the issue; not reproduced here)

Additional context

I'm not familiar with React (or ts/js at all), but it seems to me that having some sort of check in https://github.com/DefGuard/defguard/blob/c6f2d94fe033048c63141d0cbf70663f674c28b0/web/src/pages/addDevice/steps/AddDeviceSetupMethodStep/AddDeviceSetupMethodStep.tsx#L94 to not show the card if MFA is enabled should work.

Maybe a cleaner approach is just to skip to the next step if MFA is required, with the "remote desktop activation" already selected for you, and skip that step altogether.

teon commented 4 months ago

@FrancoLoyola for sure the user cannot connect to the VPN. They can configure it, but they can't connect. @filipslezaklab we should just disable WireGuard manual setup for the MFA VPNs.

FrancoLoyola commented 4 months ago

Thanks for the quick reply! Looking forward to the update!

SkullKill commented 4 months ago

@teon Sort of related, but we would like to have an option to disable the ability for users to provision their own VPN (both DefGuard and native WireGuard).

So, an option to completely disable the "Add a new device" option for users, and only allow the admins to generate a token for the user to use to provision their DefGuard clients.

Not sure if you want me to open a new ticket for this?

teon commented 4 months ago

@SkullKill yup, that is another issue - please open a new issue and describe your requirements.

teon commented 4 months ago

@filipslezaklab allow configuring a device manually:

  1. If the number of VPNs the user is allowed to access that are not MFA is >= 1
  2. Do not show MFA-based configurations
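The gating rule proposed in the last comment, written out as an added example in TypeScript. This is not DefGuard's code: the `Location` shape, the `mfaEnabled` flag and the function names are assumptions made for illustration. It also shows the server-side counterpart that the thread implies: hiding the manual WireGuard card in the React UI is a usability fix, and a request for a manual config that names an MFA location still has to be rejected by the backend, since a user could submit the request without the UI.

```typescript
// Added example, not DefGuard's code. Types and field names are assumptions.

interface Location {
  id: number;
  name: string;
  mfaEnabled: boolean; // assumed flag: this location requires MFA to connect
}

interface ManualSetupDecision {
  manualAllowed: boolean;       // show the "manual WireGuard" setup card at all?
  manualLocations: Location[];  // locations a manual config may include
  mfaOnlyLocations: Location[]; // locations that need the DefGuard client (MFA flow)
}

// Rule 1: manual setup is offered only if the user has >= 1 non-MFA location.
// Rule 2: MFA locations are never included in a manual configuration.
function decideManualSetup(allowedLocations: Location[]): ManualSetupDecision {
  const manualLocations = allowedLocations.filter((l) => !l.mfaEnabled);
  const mfaOnlyLocations = allowedLocations.filter((l) => l.mfaEnabled);
  return {
    manualAllowed: manualLocations.length >= 1,
    manualLocations,
    mfaOnlyLocations,
  };
}

interface ValidationResult {
  ok: boolean;
  reason?: string;
}

// Backend-side check: a manual config request is validated against the same
// rule, so bypassing the UI does not yield a WireGuard config for an MFA location.
function validateManualConfigRequest(
  allowedLocations: Location[],
  requestedIds: number[],
): ValidationResult {
  if (requestedIds.length === 0) {
    return { ok: false, reason: "no locations requested" };
  }
  const byId = new Map<number, Location>(
    allowedLocations.map((l): [number, Location] => [l.id, l]),
  );
  for (const id of requestedIds) {
    const loc = byId.get(id);
    if (!loc) {
      return { ok: false, reason: `location ${id} is not permitted for this user` };
    }
    if (loc.mfaEnabled) {
      return {
        ok: false,
        reason: `location "${loc.name}" requires MFA; manual WireGuard setup is not allowed`,
      };
    }
  }
  return { ok: true };
}

// Constructed sample data for the demonstration.
const sampleLocations: Location[] = [
  { id: 1, name: "office", mfaEnabled: true },
  { id: 2, name: "lab", mfaEnabled: false },
];

const decision = decideManualSetup(sampleLocations);
console.log("manual card shown:", decision.manualAllowed);
console.log("manual config may include:", decision.manualLocations.map((l) => l.name));
console.log("client-only locations:", decision.mfaOnlyLocations.map((l) => l.name));
console.log(validateManualConfigRequest(sampleLocations, [1]));
```

With only MFA locations in the allowed list, `decideManualSetup` returns `manualAllowed: false`, which is the condition under which the setup-method step can be skipped with the client activation pre-selected, as suggested earlier in the thread.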