VPN Two Factor Auth, SMS Providers, and some thoughts

itxnc, Ally Member
edited April 2021 in Security
With everyone trying to work from home these past few weeks, I thought I'd share some thoughts as an MSP on what we've encountered.

When COVID hit, we got a lot of inquiries from clients about working from home. Thankfully most of them were already protected by Zyxel USGs and ATPs that we provide and manage for them. So the hardest part was setting up the Remote Desktop stuff, not the VPN. To help them save $$$ and because they don't need much bandwidth for RDP, we've stuck with the SSL/SecuExtender avenue. With the v4.38 firmware boosts to concurrent sessions (and bug fixes), our installed routers were more than capable of meeting the demand.

SSL VPN has always been scary because it lacks the security of an IPSec certificate or PSK - that 'second piece'. We generally had it disabled on all our gateways and only used IPSec for remote admin of the routers as needed. But when 2FA became available for SSL VPN, we were thrilled. The trick is, email 2FA isn't always great for VPN because a lot of people don't log in to their business email from home computers/smartphones (or can't). We usually would ask clients which email account they could reach on their smartphone for somewhat easier access to the 2FA authorization. But SMS based would be much faster/easier (yes - we're aware of the dangers of SMS based 2FA, but given our client base, we don't expect that level of attack). Plus sometimes email based 2FA took a while to arrive, especially for people using older, slower email services (AOL, CenturyLink, etc.). So ViaNett seemed like a great solution: a direct-from-the-router API based text service (vs Email to SMS). So we created an account and set up a few routers. It worked well, but they charged 20 cents a text!! Which made no sense because their stock service (i.e. non-Zyxel) pricing was 5 cents a text. Plus we were having issues with some users disconnecting a lot (more on that later), so they might get 4-8 texts in one day. Add to that, when I spoke with Zyxel folks about these types of issues, it became clear they were going to drop ViaNett. So if you use it - it's not going to be around for long, I suspect. Everything directs you to Email to SMS for this type of 2FA.

So we hunted around a bit and there are a ton of providers out there. ClickSend seemed very promising. Just over 2 cents at their most expensive, and if you recharge with $50 it's under 2 cents, and I think at $100 it's close to one cent. *Perfect.* But what sets them apart is the dashboard - it's got a TON of functionality, most of which you won't need, but a nice visualization of texts sent, errors, etc., plus *very* detailed information on each text 'transaction'.

So with ViaNett, I could NOT get 2FA texts to one person. I'd send some test texts, they would arrive. Send the 2FA, nothing. I contacted their support and got the knee-jerk 'what carrier, must be their fault, etc.' but little else. So when we were testing out ClickSend, same thing. Except when we opened the detailed info, it contained the error codes *from the SMS provider*, and they said the text was rejected by their anti-spam filter. Manually send a text - worked. 2FA text? Spam. No joke, this carrier (Google Voice) was rejecting the content 'Your routername verification code is xxxxxx'. Go figure. Thankfully we could use their direct cell number and that went through. But the point is - ClickSend provides a ton of information to help you monitor how things are going: both errors getting SMS texts to people, but also visualizations that help show if people are having VPN connection issues (did one number get a bunch of 2FA texts in one day?).

Another thing - most SMS providers text from a pool of numbers, which clutters up your messages app. ClickSend offers a dedicated number for THREE DOLLARS a month. No brainer. Even found a number in our area code and snatched it up. Now our clients get texts from a number they know is us. Awesome! Not a paid ad or anything, I swear - just thrilled with the service and super cheap. I'm sure there are other great ones out there. FYI - the default 2FA text is long and you'll pay for TWO texts per session because it's > 160 characters. We use a shorter string now:

<user>, Click/tap this link within 3 mins to enable your VPN to <host>: <url>

Generally fits within one text!

As for SSL VPN - it was a challenge at first. For most folks, it works well. But we had some quirks to work through:
  • If you don't have a legit certificate, the certificate warning in SecuExtender freaked our users out (a good thing! They're learning to worry about stuff like that!). Namecheap has dirt cheap certificates (< $10 a year). FYI, don't get 2 year certificates - Google is going to force people to get 1 year certs or they won't validate in Chrome. But to use a certificate you need a static IP, right? Nope. To make things 'legit' we use a combination of an afraid.org (FreeDNS) private domain we own, use DDNS to keep it current (clientname.ourdomain.com), then a Namecheap certificate so connections validate without warning. You create the CSR on the Zyxel, get your certificate, import their chain certs in the Trusted tab, then import the legit certificate. Use DNS validation for the certificate: because you control the private domain in FreeDNS, it's trivial to add the CNAME record (vs trying to use your client's actual domain and get DDNS and access to add CNAMEs). Bonus? If you want to access the router from inside, you can go to https://clientname.ourdomain.com and skip the annoying certificate warning about 192.168.x.1. All for < $10/year per client and a single premium FreeDNS account you use for everyone (which is super cheap). Plus it makes the VPN client configuration easy with a FQDN.
  • One very confusing thing - if you disconnect SecuExtender, it stays running (and often hidden behind the ^ mark on Windows). But if you double click the SecuExtender icon on the desktop, *nothing happens*. Why the login window doesn't appear is beyond me. So if we help a client install it, we always make the SecuExtender icon appear in the system tray AND explain to the user that if they see the red square, just right click and connect. Otherwise use the desktop icon to start it. But double clicking the desktop icon SHOULD always bring up the login screen even if it's already running!
  • Many of our users reported the 'Save Username' checkbox didn't work, because they would start the program and everything was empty. Guess what - if you click the small v symbol on the right side of the server field, you select the server and the username fills in. Why wouldn't you automatically display the last used server if the box was checked? Again - lots of user queries on that one. Easy to fix!
  • Had one user get kicked out ALL the time. Was their internet connection. But another had great internet. They would get kicked out OR, worse, connect but all traffic stats stayed at 0 (when you have 2FA enabled, transmit increments, received stays at 0). If they disconnected/reconnected multiple times, eventually it would 'stick' and traffic would flow. They were on Windows 8.1. We tried everything - driver updates, Windows repairs, updates, etc. Finally just offered to upgrade them to Windows 10. All their problems vanished. Hmmmm
  • The v4.38 firmware seems to have improved the stability of the SSL VPN tunnels. Fingers crossed there
  • If you have users only using RDP - consider adding some firewall rules to restrict the SSLVPN zone to just that (and the destination RDS servers or a group of desktops known to be remoted into), but beware of other stuff they may use (or people who bring work laptops home and need other host/port access over VPN). 
We don't have many folks using IPSec because of the client cost, but we do have a few. All our IPSec setups use X-Auth. For months now we've had this issue where we'd suddenly get the X-Auth prompt (we have X-Auth Popup enabled). Often every couple of hours - if you caught it and entered your credentials again it stayed up, otherwise it died. Searched everywhere for a solution. Stumbled upon it recently - not sure if this was a change in GreenBow or what. But in the Phase 1 Authentication tab in the X-Auth section is a checkbox 'Once'. Don't recall it being there before, but if it's not checked, you'll get the X-Auth popup any time the tunnel renegotiates. Seriously? Check the Once box? No more mid-session popups. Connection stays nailed up great. But this way we can prevent permanent storage of the VPN credentials without getting prompted every few hours.

Now what would REALLY be great is if Zyxel, even if just on the ATP series (though I bet the USGs would handle it), added WireGuard support to SecuExtender. Just started using it with NordVPN and it definitely seems to be living up to the hype. Speedtests of over 100 Mbps on a smartphone - crazy.

Know this was long but figured some of you might find it interesting. COVID has been a wild ride as an MSP for sure!
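As an added example (not from the post, Zyxel or ClickSend): a small check of how many SMS segments the shortened 2FA message above will be billed as, using the standard GSM 03.38 rules behind the 160 character limit the post mentions. The `<user>`, `<host>` and `<url>` placeholders and the sample values are constructed stand-ins, not the gateway's real variable syntax.

```python
# Added example (not from the post, Zyxel or ClickSend): count billable SMS
# segments for a 2FA message using the GSM 03.38 rules. A message that fits
# GSM-7 is one segment up to 160 septets, then 153 per part; extended
# characters (^{}\[]~|€) cost two septets; any other character forces UCS-2,
# which allows 70 characters, then 67 per part.

GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
GSM7_EXTENDED = "^{}\\[]~|€"

# The shortened template from the post; the <...> placeholders are stand-ins,
# not the gateway's real variable syntax.
TEMPLATE = "<user>, Click/tap this link within 3 mins to enable your VPN to <host>: <url>"


def gsm7_septets(text):
    """Septets needed to encode text in GSM-7, or None if it cannot be encoded."""
    total = 0
    for ch in text:
        if ch in GSM7_BASIC:
            total += 1
        elif ch in GSM7_EXTENDED:
            total += 2  # escape + character
        else:
            return None
    return total


def sms_segments(text):
    """Billable segments for text: GSM-7 when possible, otherwise UCS-2."""
    septets = gsm7_septets(text)
    if septets is not None:
        return 1 if septets <= 160 else -(-septets // 153)  # ceil division
    return 1 if len(text) <= 70 else -(-len(text) // 67)


def render(template, user, host, url):
    """Fill the template placeholders with real values."""
    return template.replace("<user>", user).replace("<host>", host).replace("<url>", url)


if __name__ == "__main__":
    # Constructed sample values; the token in the URL is a placeholder.
    msg = render(TEMPLATE, "jsmith", "clientname.ourdomain.com",
                 "https://clientname.ourdomain.com/vpn2fa?k=abcdef0123456789")
    print(len(msg), "chars,", sms_segments(msg), "segment(s)")
```

A long 2FA URL or a non-GSM character (a curly quote, for instance) is what pushes a message into a second segment, so check the rendered message rather than the bare template.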

Comments

  • Mario
    Hi itxnc
    Thanks for sharing this information. I fully agree with support for WireGuard.
    Just started with clicksend.. Can you provide the settings for the "Email-to-SMS Provider" setup?
    Can't get it working right now.
    Thanks
    Mario


  • itxnc
    First, you need to set up the Email to SMS Integration on ClickSend and make sure the email address SENDING the message from the Zyxel gateway (configured in the Notification -> Mail Server tab) is listed:

    Add it under Manage Allowed Addresses (the sending address listed in the Mail Server tab on the Zyxel)

    On the Zyxel side, it's easy, just configure the SMS tab like this:

    I had a couple of our gateways not like the 'auto append' setting. So I manually entered $mobile_number$@sms.clicksend.com instead. But most auto append worked fine. 

    We bought a 'static' number so our alerts always come from the same number. Worth the $$$ since we have many clients and they were getting annoyed because the 2FA messages wouldn't always be from the same number and grouped in one thread. 
  • Mario
    Now it's working, thank you for the help.
