MFA for OpenVPN
OpenVPN — whether Access Server or a community build — secures remote access for teams of every size, and its logins are only as strong as the passwords behind them. Both editions can authenticate against RADIUS, and the community server can use a PAM module, but neither ships MFA on its own. Authnull provides the factor over either path. You enable RADIUS authentication, point it at Authnull, and a push or OTP challenge is required before the tunnel is allowed.
OpenVPN forwards the login; Authnull adds the factor.
OpenVPN forwards the login to Authnull over RADIUS (or via PAM on the community server); Authnull validates the credential, challenges for the factor, and returns the result. Set the auth timeout high enough for push approval.
Configure MFA for OpenVPN
Real steps — the exact menus, fields, and values. Follow along in your console; the whole thing takes about 20 minutes.
Enable RADIUS authentication
In Access Server, switch the authentication method to RADIUS and add the Authnull connector with its shared secret.
Point community builds at RADIUS via plugin
For the community server, load the RADIUS plugin and configure it to reach Authnull.
Set the server and secret
In the RADIUS plugin config, set the Authnull IP, ports, and shared secret.
Raise the timeout and test
Increase the connection auth timeout, then connect with the OpenVPN client and approve the factor to bring up the tunnel.
Closes the MFA gap auditors look for
Enforcing MFA on OpenVPN gives you evidence for the remote-access and privileged-access controls in SOC 2 and the access requirements under CCPA — with per-login logs you can hand straight to an assessor.
Add MFA to OpenVPN — free to start.
Spin up Authnull, point OpenVPN at it, and enforce a factor on a pilot group today. No card, no rip-and-replace.