Tom here from Lawrence Systems, and there's a new feature that's been added to Untangle in version 16.3. There's a lot of little changes, but the one particular big change that I like is the two-factor being added, with the QR code generator, right into OpenVPN. This is a nice enhancement. It doesn't just add it to the end of the password. It actually creates the proper config so it will prompt you for the two-factor. We're going to cover how that works. It's one of those little things that a few people have asked me about, so I wanted to cover that particular new enhancement on there and show you just how simple it is to get configured.

Before we dive into the details of this video: if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top. If you want to support this channel in other ways, including some of the silly shirts that we have, go ahead and use the affiliate links down below to get you deals and discounts on products and services we talk about, and our silly cat shirts, or this new Condensed New England Clam Router, which has been just something... I know it's stupid, but we really laugh at it at the office, and I know some of you may find it entertaining. Either way, let's dive into Untangle now.

All right, let's start right here with the changelog for 16.3.2. There's a lot of little fixes around WireGuard, some fixes around the IPS system, AD, and fixes for things like web filter rules based on URL conditions, and they now evaluate the host names based on SNI. So a lot of great little fixes, but the one I want to focus on here is, of course, the TOTP for OpenVPN. Now, the thing that I really like that they did here: the MFA in OpenVPN requires a standalone TOTP-based application for the system to work, and it's your choice which one you get to use. I bring it up because a lot of VPN companies try to have you load another app. From the complete management standpoint of that, every time you have to have the users load another app to authenticate against something, that can be, well, more management overhead that you have to deal with. TOTP is a great standard. It's well documented. There's plenty of apps that support it. My particular favorite app is Aegis Authenticator, but you can also use Google Authenticator, and Authy's another popular solution. So whichever one works for you, you can use, and maybe what you've already standardized on in your stack, and you say, hey, this is what my users use for all these different sites that all support TOTP. So the great feature is that they do this, including that they have the, and we'll show how this works, MFA key code generator.

So now let's take a look at how this actually gets implemented. Over here in Untangle, we're going to go to Apps, we're going to go to OpenVPN, we're going to go to Server. I just set up a really basic authentication server here. We have the default group and we have the client config. Now, first I'm going to show you real quick here, over in Config, Local Directory: here is that user, Tom, last name Thomas. And right here, well, there's two ways you can look at it. You can see if it's set up by it being grayed out versus being, you know, right here where it's a little bit less than grayed out. But if you click Edit, this will let you generate the new key, or click here to display the QR code. You can't get much simpler than that, and you go scan the QR code and use that with your phone. Away you go. My first complaint, though, is that this right here is not something I can click and copy and paste. But I mean, it's not too long to type it in if you want to do a manual entry. Either way, they have the QR code; that's where most of the people are going to be doing it: click on the QR code and away you go.

So go back over to Apps, OpenVPN, and I want to show what the client config looks like. We're going to go ahead and download this client config and look at what they're doing in here. This is the part that's important. So we have this config, and then we have static-challenge, TOTP code. And this is what changes how this works. Normally, in other systems, and I've talked about this before on the channel, OpenVPN would just have you add to the password. So you would take the static password and add in the TOTP authentication to get the user authenticated. Obviously, from the user standpoint, typing in their password and then appending the TOTP code on there, that can create some confusion. What this does is bring up a second prompt inside of the latest version of OpenVPN, that's current as of July 2021, and they will have a second spot to insert their code.

Now, it already does have, because of these certificates that are in here... Technically, to compromise OpenVPN you're going to need the username and password; those are important. But having the port open, such as the default 1194 port for OpenVPN, will not let the person trying to get into your system in; they also need these certificates. So in a basic way, yes, OpenVPN does have two-factor, because it has these certificates. So they have to have the username, password and certificates. What the TOTP adds is technically a third factor of authentication. But because these ones are static, they can be compromised, and the threat angle that could come from this, of course, is if an end user's computer was compromised and they had OpenVPN installed. Well, now that threat actor who has access to that has those certificates, and that then allows them to start trying usernames and passwords. So this is where TOTP comes in to hopefully save the day.

Now, I have a Windows machine with OpenVPN installed, and we went over here to import a config file, that file we downloaded. I downloaded this system here. You just hit Import File, import the file, and it'll show up here in the list. Now, I have this set up right now so I can try to ping the server, showing it's not connected, and we'll go ahead and show the connection. This is the internal IP address of the Untangle server. You go here to OpenVPN, and we're just going to go to Connect. And there's the username, there's the password we'll put in, and then we've got to put in the TOTP code. Now, one downside, so to speak, is going to be: even if the user saves their password, which I know is greatly convenient, and convenience is the enemy of security at some point, the convenience of saving the password will not get them too much further. So whether or not you as the administrator override this is still up to you, but it won't actually save the response even if they do this. So we'll go ahead and scroll down, get the password, or the one-time password. I don't really need to save this password, because no matter what it's going to prompt me. Put that in, hit OK. It verified all those factors, and away we go. We're able to transfer data. Up arrow, ping. I'm able to ping and talk internally to the Untangle server. I'm on the inside of the network now. Go ahead and stop that.

Now, like I said, if it drops, it will keep prompting them for 2FA. So we'll go ahead and disconnect, and we're going to go ahead and connect, and this time we'll save the password. Check this box. So is it... yep. And here we go, it should time out and then start pinging again. Now we'll do it one more time. Disconnect. It'll drop that. You connect again; the password's saved, so that still happened, but it's still going to require TOTP, because it does not have that factor, because the server, of course, is validating it. Once it connects, away we go; it's going to start just any second now. Let's just start pinging again. And there we go. We've got data and traffic passing.

So I think this is a welcome addition, that extra layer of security. I'm happy they added it. I'm happy it's implemented in a relatively easy way for end users to be able to do this. And for those wondering, does it work like this in Linux? Matter of fact, yes, it does. If you do it from the command line in Linux, it will bring up an extra prompt when doing it, for the two-factor. So, depending on how you configure things, that may not be ideal in the Linux world to do, but I'll leave that part up to you.

Anyways, this is Tom Lawrence. I wanted to share this with you. Comment down below if you thought this was interesting. If you want to learn more about Untangle as a whole, I've got reviews I've done; I'll leave links to that video down below. It's going to be a slightly older version, but most of the features are the same, except for this being more recent than the video I've done. But nonetheless, we are a reseller, just full disclosure in case anyone's wondering or wants to hire us for consulting on Untangle. And this is Tom Lawrence. I'll see you guys online.
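Added example, not part of the video and not Untangle's code: with the static-challenge prompt the transcript describes, upstream OpenVPN sends the server a password string of the form `SCRV1:<base64 password>:<base64 response>`, whereas the older convention appends the code to the password. The sketch below shows how a server-side check could split both forms and validate an RFC 6238 code; the function names, the plaintext password comparison and the sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret_b32, at, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", max(0, at) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def split_credentials(raw, digits=6):
    """Return (password, code) from the 'password' string the client sent."""
    if raw.startswith("SCRV1:"):
        # static-challenge form: SCRV1:<base64 password>:<base64 response>
        parts = raw.split(":")
        if len(parts) != 3:
            raise ValueError("malformed SCRV1 string")
        pw, code = (base64.b64decode(p, validate=True).decode() for p in parts[1:])
        return pw, code
    # Older convention: the code is appended to the static password.
    if len(raw) <= digits or not raw[-digits:].isdigit():
        raise ValueError("no TOTP code present")
    return raw[:-digits], raw[-digits:]

def verify(raw, expected_pw, secret_b32, now, window=1):
    """Check password and TOTP code, allowing +/- `window` steps of clock drift."""
    try:
        pw, code = split_credentials(raw)
    except ValueError:  # also covers bad base64 and bad UTF-8
        return False
    # Simplification: a real server compares against a stored password hash.
    pw_ok = hmac.compare_digest(pw.encode(), expected_pw.encode())
    code_ok = any(
        hmac.compare_digest(code.encode(), totp(secret_b32, now + d * STEP).encode())
        for d in range(-window, window + 1)
    )
    return pw_ok and code_ok

# Constructed sample: RFC 6238 test secret "12345678901234567890" in base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
b64 = lambda s: base64.b64encode(s.encode()).decode()
SAMPLE = "SCRV1:" + b64("hunter2") + ":" + b64("287082")  # code valid at t=59

if __name__ == "__main__":
    print(verify(SAMPLE, "hunter2", SECRET, now=59))
```

The check does not record used codes, so a code stays acceptable for the whole drift window; a production verifier would also reject a code it has already accepted.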