
network devices on locations with mfa

Open gstorme opened this issue 2 months ago • 0 comments

Is your feature request related to a problem? Please describe.

When adding a network device, this message is shown in the pop-up: Only locations without Multi-Factor Authentication are available here, as MFA is only supported in Defguard Desktop Client for now.

However, I can still select locations with MFA enabled (I only saw that warning afterwards 🤦‍♂️, which is my bad; this issue is also to prevent mistakes by others in the future). From the dg logs, the connection also appeared to be established:

INFO defguard_wireguard_rs::wgapi_linux: Interface wg0 has been successfully configured. It has been assigned the following addresses: [IpAddrMask { ip: 10.98.0.22, cidr: 32 }]
DEBUG defguard_wireguard_rs::wgapi_linux: Interface wg0 configured with config: InterfaceConfiguration { name: ...
DEBUG defguard_wireguard_rs::utils: Adding a route for allowed IPv4: 192.168.3.66/32
DEBUG defguard_wireguard_rs::utils: Route added for allowed IPv4: 192.168.3.66/32
...
DEBUG defguard_wireguard_rs::utils: Peers routing added successfully
DEBUG dg: The following DNS servers will be set: [192.168.12.6, 192.168.12.8]
DEBUG defguard_wireguard_rs::utils: Executing command resolvconf with args: ["-a", "wg0", "-m", "0"]
DEBUG defguard_wireguard_rs::utils: Command resolvconf spawned successfully, proceeding with writing nameservers and search domains to its stdin
DEBUG defguard_wireguard_rs::utils: Adding nameserver entry: 192.168.12.6
DEBUG defguard_wireguard_rs::utils: Adding nameserver entry: 192.168.12.8
DEBUG defguard_wireguard_rs::utils: Waiting for resolvconf command to finish
DEBUG defguard_wireguard_rs::utils: DNS servers and search domains set successfully for interface wg0
DEBUG dg: Finished creating a new interface wg0
INFO dg: Connected to network be-x.

But the wireguard connection was not being established. Client:

kernel: wireguard: wg0: Handshake for peer 4 (x.x.222.218:51820) did not complete after 5 seconds, retrying (try 15)
kernel: wireguard: wg0: Sending handshake initiation to peer 4 (x.x.222.218:51820)

Server:

kernel: wireguard: wg0: Invalid handshake initiation from x.x.x.x:35227

Describe the solution you'd like

Maybe a 2-step plan, or, if you won't support network devices on MFA locations, prevent mistakes by defguard admins:

  • Hide, or make it unable to select, locations with MFA from the dropdown
  • Make it more clear from the client that it's unable to connect when MFA is enabled on the location

If/when you do plan on supporting network devices on locations with MFA: Will it be possible to exclude network devices from MFA? Optional: can a network device be linked to another user, so it's also removed when the directory sync disables/deletes that user? Only admins should be able to set excludes on network devices, or link the network device to another user than admin.

Describe alternatives you've considered

Set up an extra location without MFA, only for network devices. Use another solution for non-interactive connections.

Additional context

Low priority (for us)

gstorme, Nov 04 '25 14:11
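The failure mode reported above is that the client logs "Connected" as soon as the interface is configured, while the WireGuard handshake never completes. As an added example (not defguard's code, and not from the issue author), here is a post-connect health check that decides the real tunnel state from two sources the issue already shows: the peer table as printed by `wg show <iface> dump` (tab-separated; `latest-handshake` is a Unix timestamp, `0` meaning never) and kernel `wireguard:` log lines of the "did not complete ... retrying (try N)" shape. The dump text, the log lines and the key placeholders are constructed sample input; the field layout of `wg show dump` and the 180-second rekey interval are WireGuard's documented behaviour.

```python
import re

# Constructed sample of `wg show wg0 dump` output. Keys are placeholders, not real keys.
# First line: private-key, public-key, listen-port, fwmark.
# Each peer line: public-key, preshared-key, endpoint, allowed-ips,
#                 latest-handshake (unix seconds, 0 = never), rx-bytes, tx-bytes, keepalive.
SAMPLE_DUMP = (
    "PRIVKEY_PLACEHOLDER\tIFACE_PUBKEY_PLACEHOLDER\t51820\toff\n"
    "PEER_PUBKEY_PLACEHOLDER\t(none)\tx.x.222.218:51820\t192.168.3.66/32\t0\t0\t1480\t25\n"
)

# Constructed kernel log lines in the shape quoted in the issue above.
SAMPLE_KMSG = [
    "kernel: wireguard: wg0: Sending handshake initiation to peer 4 (x.x.222.218:51820)",
    "kernel: wireguard: wg0: Handshake for peer 4 (x.x.222.218:51820) "
    "did not complete after 5 seconds, retrying (try 15)",
]

# Matches the kernel's handshake-retry message; captures peer id, endpoint and try count.
RETRY_RE = re.compile(
    r"Handshake for peer (\d+) \(([^)]+)\) did not complete after \d+ seconds, "
    r"retrying \(try (\d+)\)"
)

# WireGuard initiates a new handshake at least every 180 s while traffic flows; a
# handshake older than that (or none at all) means the tunnel is not actually usable.
REKEY_AFTER_SECONDS = 180


def parse_wg_dump(text):
    """Parse `wg show <iface> dump` output into a list of peer dicts (interface line skipped)."""
    lines = [line for line in text.splitlines() if line.strip()]
    peers = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) < 8:
            continue  # malformed line; ignore rather than guess
        peers.append({
            "public_key": fields[0],
            "endpoint": fields[2],
            "allowed_ips": fields[3],
            "latest_handshake": int(fields[4]),
            "rx_bytes": int(fields[5]),
            "tx_bytes": int(fields[6]),
        })
    return peers


def handshake_ok(peer, now, max_age=REKEY_AFTER_SECONDS):
    """True only if the peer has completed a handshake recently enough to be live."""
    ts = peer["latest_handshake"]
    return ts != 0 and 0 <= now - ts <= max_age


def stalled_peers_from_kmsg(lines, min_retries=3):
    """Return {peer_id: (endpoint, tries)} for peers whose handshake keeps being retried."""
    stalled = {}
    for line in lines:
        m = RETRY_RE.search(line)
        if m and int(m.group(3)) >= min_retries:
            stalled[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return stalled


def tunnel_status(dump_text, kmsg_lines, now):
    """Classify the tunnel: 'connected', 'handshake_failing' or 'no_handshake_yet'.

    'connected' requires every configured peer to have a fresh handshake and no
    retry storm in the kernel log; bytes sent with nothing received, or repeated
    retries, are treated as a failing handshake rather than a working tunnel.
    """
    peers = parse_wg_dump(dump_text)
    live = [p for p in peers if handshake_ok(p, now)]
    stalled = stalled_peers_from_kmsg(kmsg_lines)
    if peers and len(live) == len(peers) and not stalled:
        return "connected"
    if stalled or any(p["tx_bytes"] > 0 and p["rx_bytes"] == 0 for p in peers):
        return "handshake_failing"
    return "no_handshake_yet"


if __name__ == "__main__":
    # Against the constructed sample this reports "handshake_failing", which is the
    # state a client should surface instead of "Connected to network".
    print(tunnel_status(SAMPLE_DUMP, SAMPLE_KMSG, now=1_700_000_000))
```

In a real client the dump text would come from running `wg show <iface> dump` a few seconds after the interface is brought up, and the log lines from the kernel ring buffer; the point of the check is that "interface configured" and "peer handshake completed" are different events, and only the second one justifies reporting a connection.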