Adding 2FA to WireGuard

Nico Schottelius nico.schottelius at
Fri Sep 13 15:22:55 CEST 2019

Hey Rémi,

Rémi Lapeyre <remi.lapeyre at> writes:
> Hi Nico, yes pyotp is the implementation I use on the server, but anything
> compatible with rfc6238 should work.

That sounds about right!

>> We have written ungleich-otp [0] that extends the otp approach with
>> realms similar to kerberos.
> This looks interesting, I will move the code that validates the OTP in a
> separate class so that another validation backend like one based on this
> project can be used instead of reading the seeds from a SQLite file like
> I’m doing now.
> I did not see any kind of cool down in
> Are you not worried that someone
> could try to brute-force the OTP validation?

That is a good point! We will certainly want to fix that, as the seed
entropy is not *that* big.

Best regards,


Your Swiss, Open Source and IPv6 Virtual Machine. Now on
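
The cool-down discussed in this message, sketched as an added example (not code from ungleich-otp or from Rémi's project): an RFC 6238 validator that refuses further attempts after repeated wrong codes. The class name `ThrottledVerifier`, the `max_failures` and `lockout` parameters, and the in-memory state are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(seed: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, computed for the Unix time `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ThrottledVerifier:
    """Hypothetical validator: locks an account after repeated bad codes."""

    def __init__(self, seeds, max_failures=5, lockout=300):
        self.seeds = seeds              # user -> seed bytes
        self.max_failures = max_failures
        self.lockout = lockout          # cool-down in seconds
        self.state = {}                 # user -> (failures, locked_until)

    def verify(self, user: str, code: str, now: float) -> str:
        failures, locked_until = self.state.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"             # refuse without checking the code
        # Unknown users run the same computation and count as failures.
        seed = self.seeds.get(user, b"")
        # Accept the current and the previous step to tolerate clock skew.
        good = [totp(seed, now - d) for d in (0, STEP)]
        match = any([hmac.compare_digest(code.encode(), g.encode())
                     for g in good])
        if match and user in self.seeds:
            self.state.pop(user, None)  # success clears the counter
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            self.state[user] = (0, now + self.lockout)
            return "locked"
        self.state[user] = (failures, 0.0)
        return "denied"
```

With five attempts per 300 seconds and two accepted codes per attempt, guessing a 6-digit code is limited to about 10 in 1,000,000 per lockout period; a deployment would keep this state in persistent storage shared by all validating processes.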
