Enforcing MFA for WireGuard Server on UDM SE

[JacquesTruevo]

I’m currently trying to enforce MFA for VPN users connecting via WireGuard and would appreciate some guidance on the best way to implement this using Defguard.

Our VPN server is running on a Ubiquiti UDM SE firewall, and we would ideally like to keep this existing gateway in place. The goal is to require MFA for users before they are able to establish the VPN connection.

We are open to either a client-side or server-side implementation, as long as the connection process enforces MFA for users prior to the tunnel being established.

I deployed a Defguard 2.0 instance to manage this, but it seems that I’m unable to configure or integrate the existing VPN server running through the Defguard Admin portal. It’s not clear whether this setup is supported or if an alternative architecture is required.

Could you please advise on:

• Whether MFA can be enforced for clients connecting to an existing WireGuard server on a UDM SE
• If integration with the existing gateway is possible
• Any configuration steps or documentation that could help implement this setup

Any guidance or best-practice recommendations would be greatly appreciated.

[kchudy]

Aswered via email. Closing.