Not good. 2FA and user authorisation seems to be very necessary this days... Of course, access to the RMS is secured (if using 2FA), but the links and ovpn connections generated by this portal are not. Any person who get the ovpn file or link can connect without any authorisation. Moreover, during creating the user invitation to the RMS we can't force 2FA - it is the user decision to use it or not. It is almost unacceptable.
Also, clients created in VPN Hubs should have the access to VPN disabled by default. And if enabled, the scheduled disable option should be present.