Force 2FA for OpenVPN access

We have a Synology DSM set up for data sharing for an academic research group. Our ethical approval necessitates two-level protection of the data. We have done this in the past by using our host institution’s VPN (one level), which needs 2FA to access, and then needing username + pw specifically to map the server. For multiple reasons, this isn’t available to us for the current project.

I have set up the OpenVPN access, which works well. I note that I can choose to set up 2FA on OpenVPN, if I want.

But the VPN itself doesn’t inherently have any log-on restrictions (I can ask my users to add 2FA, but if some outside user is trying to hack in, I can’t force them to do so).

So what is the added level of security? Is it just the VPNConfig.ovpn file itself? If someone got hold of that, then anyone with a username + pw would be able to log on?

Is there any way to force 2FA in some way for anyone trying to access the server? So that people would need access to allowed users’ device in order to log on? Or any other way I can restrict users other than the username + pw combination?