Require authentication each time the tunnel is activated on the client side

Due to security requirements in our company, Firezone’s currently offered one-time or periodic user authentication to maintain session is not sufficient. If the configuration file containing the key were to be leaked, an attacker could access the session until it expires.

I am attempting to achieve OpenID authentication requirement (e.g. Keycloak with 2FA enabled) each time a user activates the tunnel via the client app. Any assistance in achieving this goal would be greatly appreciated.

Unfortunately it’s not possible without custom WireGuard clients to handle the auth. https can’t be redirected, operating system vendors’ captive portal detection doesn’t work inside VPN tunnels, and while it’s possible to redirect http to the Firezone login page, this approach doesn’t make for a good user experience.

Kind of hijacking the thread because the marketing says that Firezone can “Require periodic re-authentication”, but how does this work with WireGuard? I can’t find anything in the docs that explains how a WireGuard tunnel can be re-authenticated.

Will client configuration simply expire after a set amount of time and then people need to download a new configuration file with new keys? Or is there some captive portal thing to re-authenticate sessions (sounds like there isn’t)?