Cheapest 2FA VPN
Posted by new-at-networking@reddit | sysadmin | 73 comments
I manage IT for a small nonprofit and I'm looking to implement a VPN with 2FA the cheapest way possible.
We are currently using our Unifi Dream Machine's OpenVPN Server, but it seems it does not handle 2FA.
What is the easiest and cheapest way to implement 2FA? I can self-host on Ubuntu Server if needed. If possible, I would like to integrate Entra ID (we use Microsoft 365), so I only have to manage user accounts in one place.
*We use Entra ID, but do not have a DC (no local AD)
*If I cannot integrate with Entra ID, I would like an easy and secure way to manage user accounts
Tricky-Cap-3564@reddit
For 10 users the free tiers on ZTNA solutions are worth exploring before committing to a VPN setup. Cato Networks operates on the same zero trust model at enterprise scale with native Entra ID integration if you ever need to grow into something more robust down the line.
minektur@reddit
openvpn + freeradius (easy to do on pfsense community) - you can find instructions on pfsense website...
We already used pfSense so it was a no-brainer for us.
CharlieT74@reddit
Cloudflare One is free for up to 50 users? Fully functional SASE/ZeroTrust and more secure than terminating a VPN on the firewall/network
Crumby_Bread@reddit
I second cloudflare zero trust. Super easy to set up and you’re not exposing yourself via a traditional VPN setup.
skipITjob@reddit
Must be just me, but I found it difficult to set up. Gave up in the end.
BigFrog104@reddit
Have a sysadmin do it for you if it's too hard for an IT manager to handle. That's what sysadmins are for.
skipITjob@reddit
I shall put that hat on and try again. Thanks for the idea!
CharlieT74@reddit
It took me a while to get to know its quirks.
Fatel28@reddit
/thread
biscuit_fall@reddit
Check out VNS3 peopleVPN in the AWS Marketplace. Does everything you need, and it's free. Pretty sure it supports WireGuard VPN.
RupertTomato@reddit
Just use Entra MFA. It will be free for you.
Even better - don't use a VPN and instead use Entra remote application proxy and an MFA conditional access policy. Don't bother trying to use address translation, just get a valid trusted cert which will be your only cost.
Blazingsnowcone@reddit
You also can use Entra MFA with VPN clients via an NPS with the MFA extension installed. Though it does require a Windows Server.
RupertTomato@reddit
Yep, I've used this in the past. It works well. I probably wouldn't recommend it as a new configuration today for two reasons. MFA is push and accept only (no number matching) and VPN is just too permissive when I can give smaller access with an application proxy.
BrentNewland@reddit
I just set this up specifically because we want our users to have Yes/No prompts for VPN auth instead of having to do the full "enter the code" MFA. Also because we want to do phased switchover from DUO, and our Palo Alto makes this almost impossible when switching to SAML auth.
In fact, I asked our MSP to do this first, and they set up the Entra SAML MFA instead. I had to set it up on my own.
hornetfig@reddit
There's two methods for this.
The dial-up VPN is straight RADIUS and so all you can do that NPS add-in.
The AoVPN client method has full conditional access support and Entra issues short-lived certificates that you have NPS accept (and nothing else):
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/how-to-aovpn-conditional-access
aj_rus@reddit
OP states cheap option. Windows server + cal licenses for rds will likely be a budget consideration.
Blazingsnowcone@reddit
Eh, kinda threw it up there as a lot of small environments still have local servers, so they may already meet that requirement.
Dolapevich@reddit
Here you go: Defguard is an enterprise-grade open-source VPN solution
It is free.
Jniklas2@reddit
And why should it be the "best" vpn?
Dolapevich@reddit
You are right, "best" is not a good description.
It is a performant, secure, versatile and open source solution, but I can see it not fitting in everyone's needs.
Stenstad@reddit
Yeah, Defguard is pretty neat.
shikkonin@reddit
OpenVPN does support 2FA with certificate (even on smartcards) and pin/passphrase.
wezelboy@reddit
And Duo
Stonewalled9999@reddit
Duo is very many things, but it is not cheap
Special-Original-215@reddit
It's free for less than 10 users but duo is not a VPN
Stonewalled9999@reddit
I never said it was a VPN I said it was many things 🤔
BigFrog104@reddit
Don't worry, the average redditor lacks reading comprehension. The few with an IQ over 68 understood what you meant. We pay $50 a year per user in Duo (local DAG and ISE), so add in the cost of the VMs and it's expensive, considering MS Auth is "free" in that most people are E1 or P1 or E3 holders already.
TinderSubThrowAway@reddit
It’s not that expensive, $3 per user per month for us.
siedenburg2@reddit
Even simple TOTP, no need for extra software with additional costs.
Roland465@reddit
We have a client that does OpenVPN + Google Authenticator works like a charm.
man__i__love__frogs@reddit
Do you have servers on prem? What's the need for VPN?
You could look into Entra Private Access. It's a service you can install on an existing VM, doesn't need to be dedicated, and a client on user computers. Directly integrates with M365 and is a modern SASE solution. Around $6/user/month.
Masterjuggler98@reddit
How do you classify "cheapest"? If you mean fewest dollars on a credit card, do what I do for my company and self host netbird with entra SSO. Not only do I use it for remote access to resources, I actually use it internally for inter-vlan access to resources instead of doing it at the firewall level. I like the management interface far, far better than tailscale.
Smart_Shelter_2036@reddit
For a cost-effective 2FA solution, consider using OpenVPN with a combination of Google Authenticator or Authy for 2FA. Since you're open to self-hosting, you can set up a simple Ubuntu Server to run OpenVPN and implement a PAM module for 2FA. If integrating with Entra ID is a must, look into using Azure AD with RADIUS; it can streamline user management. We faced similar challenges, and treating context as a shared workspace with versioned writes using puppyone helped us maintain user permissions effectively.
kvorythix@reddit
Get the smallest thing that'll do the job and a decent dock. Numpad is nice until the extra width gets in the way all day.
ksteink@reddit
I use a Mikrotik router and I have configured an OpenVPN server with TOTP. It's all done within the same Mikrotik, and the users need to enter their password and the 6 digits of the TOTP code from the MS Authenticator.
Works like a charm :)
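The "password followed by the 6-digit code" entry that ksteink describes above, and the PAM/Google Authenticator approach in Smart_Shelter_2036's comment, both end with a RADIUS or PAM backend that has to split the submitted string and check each half. The block below is an added example written for this page, not code from the thread or from Mikrotik, OpenVPN or any PAM module: it verifies such a credential per RFC 4226/6238 (HMAC-SHA1, 30-second step, 6 digits, the defaults every authenticator app uses), accepts one period of clock skew either way, compares in constant time, and refuses a code whose period was already consumed so a sniffed or shoulder-surfed code cannot be replayed inside the skew window. The user password is a constructed input, the secret is the published RFC 6238 test secret, and the PBKDF2 iteration count is an assumption.

```python
"""Verify '<password><6-digit TOTP>' credentials as a RADIUS/PAM backend
behind OpenVPN would.  Added example; not code from the thread."""
import base64
import hashlib
import hmac
import os
import struct

TOTP_STEP = 30       # seconds per period (RFC 6238 default)
TOTP_DIGITS = 6      # what authenticator apps display
PBKDF2_ROUNDS = 200_000   # assumption for the example; tune to your hardware

# Published RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time period."""
    return hotp(secret, now // step)


class UserRecord:
    """What the backend stores per user: salted password hash, TOTP seed,
    and the highest TOTP period already accepted (replay guard)."""

    def __init__(self, password: str, totp_secret_b32: str):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = base64.b32decode(totp_secret_b32)
        self.last_counter = -1


def verify(user: UserRecord, submitted: str, now: int, skew: int = 1) -> bool:
    """Accept '<password><code>' if the password matches and the code is
    valid for the current period +/- `skew` and has not been used before."""
    # The code is the trailing TOTP_DIGITS characters; reject malformed input
    # before doing any work so a missing code never degrades to password-only.
    if len(submitted) <= TOTP_DIGITS or not submitted[-TOTP_DIGITS:].isdigit():
        return False
    password, code = submitted[:-TOTP_DIGITS], submitted[-TOTP_DIGITS:]

    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, user.pw_hash)

    # Evaluate every period in the window (no early exit) so timing does not
    # reveal which period, if any, matched.
    counter = now // TOTP_STEP
    matched = None
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(user.totp_secret, c), code):
            matched = c

    if not pw_ok or matched is None:
        return False
    # Replay guard: a code for a period at or below the last accepted one is
    # refused even though it is still inside the skew window.
    if matched <= user.last_counter:
        return False
    user.last_counter = matched
    return True


if __name__ == "__main__":
    u = UserRecord("hunter2", RFC6238_SECRET_B32)
    code = totp(u.totp_secret, 59)            # "287082" per RFC 6238 vectors
    print(verify(u, "hunter2" + code, 59))    # True
    print(verify(u, "hunter2" + code, 70))    # False: same period, replay
```

The replay guard is the part most home-grown setups skip: with a one-period skew the same code stays valid for up to 90 seconds, so recording `last_counter` per user is what stops a second login with a reused code. Store that counter with the user record, not in memory of one RADIUS worker, if the backend is load-balanced.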
TinderSubThrowAway@reddit
I’m running OPNsense with OpenVPN with RADIUS and a Duo proxy for MFA.
Jemikwa@reddit
My current company uses Netbird which supports EntraID and other SSO auth (which would include 2fa). It's similar in function to Tailscale but has basic steering/group features (disclaimer, I don't know if TS has these too, I only mention them since I know NB has them)
The_Koplin@reddit
Cloudflare Zero Trust = free for 50 users. At 51 you pay for all 51 users. The setup is easy enough: install an outbound-only tunnel from any computer to CF (cloudflared). Set up Zero Trust networking back in over that tunnel (via the CF ZT website), and you can integrate with Entra (via websites for both MS and CF). I am using this currently.
I have a VPN from Palo Alto but nation-state actors constantly try to brute force it, so it's limited to only very specific users and IPs. I enabled Cloudflare Zero Trust to better hide my on-prem resources. No need to expose a VPN to the internet. Only Zero Trust enrolled and controlled devices/users can access my Cloudflare 'Team', and I can even add a 2nd layer of authentication to internal resources as needed. Meaning you can use MS 2FA in front of, say, the login page to your on-prem Dream Machine management interface.
The user makes the request to say "internal.example.com"
Cloudflare sees this request via a user running Cloudflare WARP (VPN replacement),
CF looks at your policy/rules and sees you added an extra re-auth policy.
CF calls MS to trigger an MFA
User does the MFA thing
CF sees that MS authed the request
CF allows access to the internal resource.
https://developers.cloudflare.com/cloudflare-one/setup/
&
https://developers.cloudflare.com/cloudflare-one/access-controls/policies/mfa-requirements/
Hate to be an Ad for them, but it really is a decent solution for this use case.
Cost = your time
DarkAlman@reddit
Unifi should support SAML so you can integrate VPN auth directly with Office 365.
https://help.ui.com/hc/en-us/articles/17107038373911-Configuring-Identity-Providers-with-UID-Enterprise
OutsideTech@reddit
Unifi Teleport + Entra ID
https://help.ui.com/hc/en-us/articles/30968066908439-Integrating-Microsoft-Entra-with-UniFi-Fabrics
MotionAction@reddit
Can't you setup SSO with the UDM OpenVPN?
R0NAM1@reddit
Tailscale client w/ self-hosted Headscale server, and you can set up OIDC with whoever, all free.
jameseatsworld@reddit
What are they accessing behind VPN? If they're going to access VPN with EntraID MFA would you exclude users from other MFA services while connected?
You can set up a Meraki vMX in Azure then use Cisco Secure Client for MFA with Entra SSO.
I am pretty sure this only supports split tunnel for IPv4. You have to prefer IPv4 if you want to limit what traffic is routed through the VPN.
c4rb0n4t0r@reddit
Can Unifi's VPN really not do SAML with Entra?
bionic80@reddit
Tailscale?
https://tailscale.com/docs/multifactor-auth
_martijn90_@reddit
pfSense with OpenVPN and RADIUS supports 2FA. Also with certificate.
oldRedditorNewAccnt@reddit
Can run on dang near any hardware too. Makes it easy to set up HA.
Odd-Change9844@reddit
When you say 'with cert', can it be a self signed cert or does it need to be CA?
_martijn90_@reddit
Self signed from pfsense CA server.
axoltlittle@reddit
We’ve been self hosting NetBird for over a year, been working wonders
protogenxl@reddit
OPNsense running OpenVPN set up for 2FA.
itguy6689@reddit
Cisco secure access
hologrammetry@reddit
Tailscale? https://tailscale.com/docs/multifactor-auth
RegularMixture@reddit
Second this. And with only 10 users it will be next to nothing in cost.
g0f@reddit
I truly like Twingate. It’s free for you at this scale.
jsiwks@reddit
Pangolin ZTNA
strikesbac@reddit
UniFi Fabric with Entra ID.
https://help.ui.com/hc/en-us/articles/30968066908439-Integrating-Microsoft-Entra-with-UniFi-Fabrics
Adam_Kearn@reddit
Use certificate authentication as well as password auth
bazjoe@reddit
Isn’t SSO from Entra or GCP good enough to check the MFA box for free? Tailscale offers a lot in the free tier.
GrimmReaper1942@reddit
We use Tailscale linked to Google (which we force 2fa on)
addybojangles@reddit
OpenVPN CloudConnexa user here. You're going to want a business solution, so go with something trusted.
Plus you pay for connections and not seats, so you will only pay for the number of connections. That saves you a good chunk of money.
jlgt007@reddit
OpenVPN (Ubuntu on-prem) with Access Server.
Practical-Alarm1763@reddit
UniFi has multiple options to 2FA into VPN. There is no such thing as a VPN solution that has 2FA stock. Whatever firewall or service you get, you still need to configure 2FA for it ffs.
FarmboyJustice@reddit
You may be able to set up SAML authentication to the Dream Machine via Entra, which will let you use Entra MFA.
Greendetour@reddit
I would also question what resources are needed on prem, since you mentioned you don’t have a local AD and the client is primarily M365. Can you move those resources to M365 (SharePoint, etc) and use conditional access policies to tighten down access and forget about VPN? Might be cheaper than whatever hardware you need onsite for them in long run.
FarmboyJustice@reddit
It's only 10 users, AD is likely overkill. And if those users are doing 3D graphics, video editing or similar, they may need LAN performance.
xendr0me@reddit
You might be able to get the whole Cloudflare suite for free - https://www.cloudflare.com/galileo/
MrSanford@reddit
Unifi with RADIUS to Duo Auth Proxy.
UrothGaming@reddit
Depending on your license, maybe take a look at Azure VPN?
thomasmitschke@reddit
If you can configure SAML with your DreamMachine, then you can utilize the MFA of Entra.
skotman01@reddit
Is the UDM not able to run the UniFi Fabric? If so that integrates with Entra for SSO, and you could leverage conditional access for MFA.
Confusias1@reddit
You can absolutely integrate your Unifi stack with Entra ID using Unifi Identity. Should get you where you want to go.
Ceyax@reddit
Netbird