
How to Enable 2FA in OPNsense with Google Authenticator?

Two-factor authentication, often known as 2FA or 2-Step Verification, is an authentication method that combines two independent factors: something you know (a PIN or password) and something you have (a token, typically a one-time code generated by an app on your phone). 2FA adds a layer of security to an application or service on top of the password, it is usually easy to implement, and it requires little effort from users. OPNsense supports time-based one-time passwords (TOTP, RFC 6238), the scheme implemented by Google Authenticator and compatible apps such as FreeOTP, across the whole system. The following OPNsense services have 2FA support:

  • Virtual Private Networking (OpenVPN & IPsec)
  • Caching Proxy
  • OPNsense Graphical User Interface
  • Captive Portal
Best Practice

In addition to its 2FA support, OPNsense also provides next-generation firewall capabilities such as web control and application control. This is provided by an external tool called Zenarmor.

Zenarmor NGFW Plug-in for OPNsense is one of the most popular OPNsense plug-ins and allows you to easily upgrade your firewall to a Next Generation Firewall in seconds. NG Firewalls empower you to combat modern-day cyber attacks that are becoming more sophisticated every day.

Some of the capabilities are layer-7 application/user aware blocking, granular filtering policies, commercial-grade web filtering utilizing cloud-delivered AI-based Threat Intelligence, parental controls, and the industry's best network analytics and reporting.

Zenarmor Free Edition is available at no cost for all OPNsense users.

In this tutorial, we will explain how to enable 2FA with Google Authenticator or FreeOTP for GUI and captive portal access in an OPNsense firewall.

To be able to follow this tutorial, you need the following devices and root (administrator) privileges on the firewall:

  • OPNsense 21.7.7 Firewall.
  • Android or iOS device with installed authenticator application, like Google Authenticator or FreeOTP.

The 2FA configuration in the OPNsense firewall is straightforward. You can set up 2FA with Google Authenticator/FreeOTP in your OPNsense by simply following the six steps outlined below:

  1. Add TOTP Access Server

  2. Install Google Authenticator Application

  3. Add a Local User

  4. Activate the Authenticator

  5. Test the Token

  6. Enable Authentication Server

1. Add TOTP Access Server

To add a TOTP server in your OPNsense system, you may follow the instructions below:

  1. Navigate to System>Access>Servers in your OPNsense web UI.

Access Servers in OPNsense

Figure 1. Access Servers in OPNsense

  2. Click the add button with the + icon at the top right corner of the form to create a new server.
  3. Fill in the Descriptive name field for the server, such as TOTP Access Server.
  4. Set the Type to Local + Timebased One time Password.
  5. Leave the other options at their defaults if you use Google Authenticator or FreeOTP as in this tutorial (6-digit tokens). For other tokens, you may need to change the Token Length option.
  6. The Time window option sets the period, in seconds, for which each token is valid; the default is 30 seconds, which is the period Google Authenticator and FreeOTP use. Change it only if your tokens use a different period.
  7. The Grace period option sets how many seconds the clocks of the firewall and the token are allowed to differ; the default is 10 seconds. A higher value tolerates more clock drift, but it also means more distinct tokens are accepted on each attempt, so a guessed token is more likely to match. Keep the firewall's clock synchronized with NTP rather than widening this value.
  8. The Reverse token order option changes the order in which the token and the password are typed. By default the token is entered before the password; checking this option requires the token after the password.
  9. Click Save to add the TOTP server.

Adding TOTP Access Server in OPNsense

Figure 2. Adding TOTP Access Server in OPNsense

2. Install Google Authenticator or FreeOTP Application

You can easily install the Google Authenticator or FreeOTP app on your Android device from the Google Play store, or on your iOS device from the App Store.

Google Authenticator on Android

Figure 3. Google Authenticator on Android

Installing FreeOTP Authenticator on Android

Figure 4. Installing FreeOTP Authenticator on Android

3. Add a Local User

OPNsense provides the following options for user authentication:

  • Local User Access: You may manage users using the OPNsense local user manager.
  • LDAP: You may authenticate users against an LDAP directory, such as Windows Active Directory.
  • RADIUS: You may manage users on an external RADIUS authentication server.

In this tutorial, we will use Local User Access and only create one user account. But the procedure applies to as many users as you want. You may follow the steps listed below to add a local user to your OPNsense firewall:

  1. Navigate to System > Access > Users in your OPNsense firewall and click the add button with the + icon.
  2. Enter a unique Username for the local user account, such as fwadmin.
  3. Enter a strong Password for the user. The password remains the first factor; 2FA is added on top of it, not instead of it.
  4. Fill in the Full Name field.
  5. You may enter an E-Mail.

Creating admin user account in OPNsense-1

Figure 5. Creating an admin user account in OPNsense-1

  6. Set the Login shell only if the user needs console or SSH access, by selecting one of the available shells such as /usr/local/bin/bash. The default, /sbin/nologin, blocks shell logins (console and SSH) but does not prevent the user from logging into the OPNsense web UI, so an account used only for web administration should keep the default.
  7. You may enter an Expiration date, or leave it blank if the account shouldn't expire.
  8. Set Group Membership to admins by selecting the admins group and clicking the right arrow.
  9. Check the Generate new secret for the OTP seed option to enable 2FA for the user.
  10. You may leave the other settings at their defaults.
  11. Click the Save button to create the user. OPNsense generates the OTP seed when the user is saved; activating that seed in your authenticator application is explained in the next section.

Creating admin user account in OPNsense-2

Figure 6. Creating an admin user account in OPNsense-2

4. Activate the Authenticator

To activate your new OTP seed on your authenticator application, such as Google Authenticator or FreeOTP, you may follow the steps given below:

  1. Navigate to System > Access > Users in your OPNsense firewall.
  2. Edit the user you just created, fwadmin, by clicking on the pencil icon.
  3. Click the Click to unhide button in the OTP QR Code field. This displays the QR code for the user. The QR code and the seed text next to it are the secret itself: anyone who can read them can generate valid tokens for this user, so display them only on a trusted screen and hide them again once the authenticator is set up.

OTP QR code for the user in OPNsense

Figure 7. OTP QR code for the user in OPNsense

  4. Launch the authenticator application, such as Google Authenticator or FreeOTP, on your mobile device.
  5. Add the OTP configuration for the new user to your authenticator application, either by scanning the OTP QR code displayed in step 3 or by entering the username and the seed key; in our example it is NJCMM5NARKIUESJOM6OTCRR32AMNING (the seed on your firewall will differ). This takes you to the home screen of the application, which now generates a new 6-digit token for the user every 30 seconds.

5. Test the Token

The OPNsense firewall provides a simple tester for user authentication. Test 2FA for your user before enforcing it, by following the steps below:

  1. Navigate to System > Access > Tester in your OPNsense web UI.
  2. Set the Authentication Server to the authentication server you configured, such as TOTP Access Server.
  3. Fill in the Username, such as fwadmin.
  4. Launch the authenticator application on your mobile device.
  5. Read the current token for your account, such as fwadmin.
  6. In the Password field, enter the token and the OPNsense local user password you defined, concatenated in the configured order.
info

Remember, you need to enter the token before or after your password (depending on your configuration), with nothing in between. For example, if the Google Authenticator token is 000123 and your local password is MyPassword, then you should enter 000123MyPassword in the Password field. If you checked Reverse token order on the server, enter MyPassword000123 instead.

  7. Click the Test button to verify your user authentication. If everything goes as planned, you should see that your user is successfully authenticated.

Testing 2FA for a user in OPNsense

Figure 8. Testing 2FA for a user in OPNsense
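The combined credential checked in this step, and the Time window, Grace period, Token length and Reverse token order options from step 1, can be illustrated with a small Python implementation. This is an added example, not OPNsense's own code: it generates RFC 6238 TOTP tokens the way Google Authenticator and FreeOTP do, splits the text typed into the Password field into token and password, and accepts a token whose time step lies within the grace period. The seed is the RFC 6238 reference key (constructed, not a seed from an OPNsense firewall), the password MyPassword is the tutorial's example, the otpauth URI is a constructed stand-in for what the QR code in step 4 encodes, and the way the grace period is applied is my reading of the option description rather than OPNsense's source.

```python
# Added example: an OPNsense-style "Local + Timebased One Time Password" check.
# Not OPNsense's code; assumptions are marked in the comments.
import base64
import hashlib
import hmac
import struct
import urllib.parse

# Constructed seed: the RFC 6238 reference key "12345678901234567890" in base32.
# On a real firewall this is the per-user OTP seed shown in the user's QR code.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_PASSWORD = "MyPassword"  # the tutorial's example local password

# Constructed otpauth URI in the Key Uri Format that Google Authenticator and
# FreeOTP scan; the label and issuer are assumptions, not OPNsense's exact text.
DEMO_OTPAUTH_URI = (
    "otpauth://totp/OPNsense:fwadmin?secret=" + DEMO_SEED_B32
    + "&issuer=OPNsense&digits=6&period=30"
)


def parse_otpauth(uri: str):
    """Return (base32 seed, digits, period) from an otpauth:// URI.

    Everything needed to mint valid tokens is in this URI, which is why the
    QR code must only be shown on a trusted screen."""
    parsed = urllib.parse.urlparse(uri)
    params = urllib.parse.parse_qs(parsed.query)
    return (
        params["secret"][0],
        int(params.get("digits", ["6"])[0]),
        int(params.get("period", ["30"])[0]),
    )


def totp(seed_b32: str, unix_time: int, time_window: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as generated by Google Authenticator/FreeOTP."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    seed = base64.b32decode(padded)
    counter = unix_time // time_window  # the time step (Time window option)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_credential(entered: str, token_length: int = 6, reverse: bool = False):
    """Split the Password field value into (token, password).

    The split is purely positional (Token length characters), so a password
    that itself starts or ends with digits is unambiguous. Default order is
    token first; "Reverse token order" puts the token after the password."""
    if len(entered) <= token_length:
        return None, entered
    if reverse:
        return entered[-token_length:], entered[:-token_length]
    return entered[:token_length], entered[token_length:]


def verify(entered: str, seed_b32: str, password: str, now: int,
           time_window: int = 30, grace_period: int = 10,
           token_length: int = 6, reverse: bool = False) -> bool:
    """Check a combined credential the way the TOTP access server does.

    Grace period (assumption: my reading of the option) means a token is
    accepted if it is valid for any clock within +/- grace_period seconds of
    ours, so a larger value accepts more distinct tokens per attempt."""
    token, pwd = split_credential(entered, token_length, reverse)
    if token is None or not token.isdigit():
        return False
    # Compare in constant time; a real server compares against a password hash.
    password_ok = hmac.compare_digest(pwd.encode(), password.encode())
    first_step = (now - grace_period) // time_window
    last_step = (now + grace_period) // time_window
    token_ok = False
    for step in range(first_step, last_step + 1):
        expected = totp(seed_b32, step * time_window, time_window, token_length)
        token_ok |= hmac.compare_digest(expected, token)
    # Evaluate both factors before deciding, so a failure does not reveal
    # which one was wrong.
    return password_ok and token_ok


if __name__ == "__main__":
    now = 1111111111  # RFC 6238 test time: token 050471, previous step 081804
    print("token now:", totp(DEMO_SEED_B32, now))
    print("token first:", verify(totp(DEMO_SEED_B32, now) + DEMO_PASSWORD,
                                 DEMO_SEED_B32, DEMO_PASSWORD, now))
    print("token last (reverse):", verify(DEMO_PASSWORD + "050471",
                                          DEMO_SEED_B32, DEMO_PASSWORD, now, reverse=True))
    print("previous step, grace 0:", verify("081804" + DEMO_PASSWORD,
                                            DEMO_SEED_B32, DEMO_PASSWORD, now, grace_period=0))
```

Running the block at the RFC 6238 test time 1111111111 shows the current token (050471) accepted in both orders and the previous step's token (081804) accepted with the default 10-second grace period but rejected with a grace period of 0, which is exactly the trade-off the Grace period option controls.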

6. Enable Authentication Server

By default, the OPNsense firewall validates user credentials against the Local Database. To ensure that no local user can gain access without 2FA, change this setting by following the steps below:

  1. Navigate to System > Settings > Administration in your OPNsense web UI.
  2. Scroll down to the Authentication pane.
  3. Set the Authentication Server to your newly added authentication server, such as TOTP Access Server.
caution

Don't forget to unselect the Local Database server; otherwise users can still log in with a password alone, without 2FA. Make sure the test in the previous step succeeded before you do this: once Local Database is removed, a broken TOTP setup locks you out of the web UI and you would have to recover from the console.

  4. Click Save to activate the settings.

Enabling TOTP Authentication server in OPNsense

Figure 9. Enabling TOTP Authentication server in OPNsense

You can now access your OPNsense web UI only with 2FA.

info

SSH login does not support 2FA. To avoid leaving a password-only path into the firewall, allow only SSH key (public-key) authentication by disabling password login in the Secure Shell section of System > Settings > Administration, and then verify from a client that a password login attempt is refused.

You can also enable 2FA or MFA for the other supported services, such as OpenVPN and the Captive Portal, in your OPNsense firewall by following a similar procedure. Enabling 2FA for a captive portal in OPNsense is outlined in the following section.

How to Enable 2FA for Captive Portal

We'll assume that you have already installed and configured a captive portal in your OPNsense firewall. You may enable 2FA for your captive portal by following the steps below:

  1. Add or modify your captive portal user and generate an OTP seed for it by following the instructions given above.
  2. Edit your captive portal zone by navigating to Services > Captive Portal > Administration.
  3. Select your TOTP authentication server, such as TOTP Access Server, for the Authenticate using option.
  4. Click Save.
  5. Click Apply to activate the new settings.

Enabling 2FA for Captive Portal in OPNsense

Figure 10. Enabling 2FA for Captive Portal in OPNsense