MFA session gating Pro¶
What it's for¶
MFA session gating requires a second factor before the VPN opens — and it's enforced on the server, not just in the app: until the user approves, the device's VPN peer simply doesn't exist on the server, so there is nothing to connect to. It needs the integrated WireGuard® server.
How to use it¶
Set the policy. Per client (Details page) or as a customer-wide default, choose one of:
- Disabled — no gate.
- Per connection — the user approves every single connect.
- Interval — one approval opens a session for a set time; within it, reconnects don't re-prompt. When it expires, the VPN closes until the next approval.
What the user experiences. On a gated connect, the client shows an authorization prompt. The user either enters the 6-digit code from their authenticator app (a browser page opens for it), or — if a phone is set up as their approver — confirms on the phone by picking the matching number and using fingerprint/face unlock.
Enrollment happens by itself. The first time a user hits the gate, the client shows a QR code to add to any authenticator app (Google Authenticator, Aegis, …). Nothing to prepare on your side.
Phone approval (push) — pair the user's phone with the mobile app and select it as the client's approver device. The code page always remains available as fallback, so a dead phone battery never locks anyone out.
Machine peers are never gated. Devices marked as machine-type (servers, kiosks, unattended boxes) connect without MFA regardless of policy — by design, so you can't lock an unattended machine out of its own VPN.
Pitfalls¶
- An active session survives a backend outage and still expires on time — the VPN server enforces the timer itself. Don't be surprised that restarting the backend neither drops nor extends sessions.
- If gated users suddenly can't connect at all, check that the integrated server is up to date — an outdated one fails closed: gated peers stay blocked rather than bypassing MFA.
- Interval length is a trade-off, not a security freebie: per-connection is strongest, long intervals are most comfortable. Pick per group of users, via customer defaults.
- A license expiring never switches enforcement off — active gates keep working; only policy editing is restricted until the license is renewed.