OPNsense – Configure 2FA TOTP with any Password Authenticator

In this post, I will show you how to config 2FA Timebased One Time Password (TOTP) on OPNsense.

➡️If you think this tutorial is helpful, please support my channel by subscribing to my YouTube channel or by using the Amazon/eBay/ClouDNS Affiliated links below (Full Disclaimer). I will get a small commission from your purchase to grow my channel:

🚀 ClouDNS Affiliated: https://www.cloudns.net/aff/id/255803/

🚀 Things I used for my server: https://amzn.to/3hudohP

🚀 Tools I used: https://amzn.to/3uXaSUr

🚀 Devices I used: https://amzn.to/3FYlfxk

🚀 Networking/Cybersecurity/Programming Books: https://amzn.to/3HEYwb0

🚀 TrueNAS HBA SAS controller IT Mode from the Art of Server: https://ebay.us/cBWEvJ

🧧 PayPal Donation: https://www.paypal.com/paypalme/sysadmin102

If, like me, you don’t like reading posts, you can follow along on my YouTube channel. Below is the video:

Before you make any changes, make a backup of your configuration so that, if anything goes wrong, you can restore from it.

You can do this by navigating to System > Configuration > Backups

  • Select Download Configuration.
  • Select Encrypt this configuration file (if you want to encrypt the backup data).

Step 1 – Add New TOTP Authentication Server

Navigate to System > Access > Servers > Select the plus icon + to add a new Authentication Server

  • Descriptive Name: TOTP Server
  • Type: Local + Timebased One Time Password
  • Token length: 6 (the 6-digit TOTP standard works with most authenticator apps).
  • Time windows: Blank
  • Grace period: Blank
  • Reverse token order: Checked (I prefer this option, which enters the token after the password).
  • Save when you are done.

Step 2 – Add or modify a user

Navigate to System > Access > Users

  • Select the plus icon + to add a new user or the pencil icon to modify a user.
  • I will modify sysadmin102 user in this post.
  • Scroll down to the end of the page.
  • OTP Seed:
    • Generate new secret (160 bit): Checked
  • Save
  • OTP QR code: Click to unhide

Step 3 – Activate this OTP seed in an authenticator app such as Microsoft, Google, Yubico, or 1Password Authenticator

Open your favorite authenticator app and add the new account/code by scanning the QR code or by manually entering the OTP seed.

Scanning the QR Code with Google Authenticator or Microsoft Authenticator:

Scanning QR Code with 1Password:

  • Select the OPNsense credential in your 1Password Vault.
  • Select the Setting (3 vertical dots).
  • Select Scan QR code.

Note: You can use the same seed in different authenticator apps; they will all generate the same one-time password.

Step 4 – Testing TOTP Server before enabling 2FA Authentication with Authenticator App

Navigate to System > Access > Tester

  • Select the TOTP Server that you created in Step 1.
  • Enter the username and password of the user for whom you generated the OTP seed in Step 2.
  • Append the one-time password from your authenticator app to the end of your password if you selected “Reverse token order”, or put it in front of your password if you left “Reverse token order” unchecked.
  • In this example, the Password would be:
    • Reverse token order selected: YOURSUPERSECRETPASS403646
    • Reverse token order not selected: 403646YOURSUPERSECRETPASS

If you have correctly followed all the steps, you should see the confirmation that the user has successfully authenticated using the Local Password + One Time Password, as shown below:

Step 5 – Enable TOTP Authentication Server

ONLY PROCEED IF YOU HAVE ALREADY TESTED YOUR TOTP SERVER!!!

By default, the system validates login credentials against the “Local Database”. You will need to change this option to the TOTP Server to enable 2FA authentication.

Navigate to System > Settings > Administration

  • Scroll down to the Authentication Section
  • Select TOTP Server
  • Uncheck Local Database
  • Save

Log out and Login with your new TOTP server:

  • Reverse token order selected: YOURSUPERSECRETPASS403646
  • Reverse token order not selected: 403646YOURSUPERSECRETPASS
  • Remember that your token goes either in front of or after your password, depending on the Reverse token order setting.
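To make clear what the Tester in Step 4 and the login in Step 5 actually check, here is an added example (not OPNsense code) that computes an RFC 6238 TOTP from a base32 seed, splits the single password field according to the “Reverse token order” setting from Step 1, and validates it with an optional time window. The seed is the published RFC 6238 test key, the time step (30 s) and HMAC-SHA1 are the RFC defaults and are assumed to match OPNsense, and the function names are my own.

```python
import base64
import hashlib
import hmac
import struct

# Base32 form of the RFC 6238 test key "12345678901234567890" (a public test
# vector, constructed for this example; not a seed from the post).
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TOKEN_LENGTH = 6   # "Token length: 6" from Step 1
TIME_STEP = 30     # RFC 6238 default step; assumed to match OPNsense


def totp(seed_b32: str, unix_time: int, digits: int = TOKEN_LENGTH) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over the time counter."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_credential(entry: str, reverse_token_order: bool, digits: int = TOKEN_LENGTH):
    """Return (password, token) from the single login field.
    Reverse token order checked: token AFTER the password; unchecked: token BEFORE it."""
    if len(entry) <= digits:
        raise ValueError("entry too short to hold a password plus a token")
    if reverse_token_order:
        return entry[:-digits], entry[-digits:]
    return entry[digits:], entry[:digits]


def verify_login(entry: str, expected_password: str, seed_b32: str, unix_time: int,
                 reverse_token_order: bool = True, window: int = 0) -> bool:
    """Check password and token; `window` is the number of extra 30 s steps
    accepted on each side (the role of the Time window / Grace period settings)."""
    password, token = split_credential(entry, reverse_token_order)
    if not hmac.compare_digest(password, expected_password):
        return False
    # Constant-time comparison against every code in the accepted window.
    return any(hmac.compare_digest(token, totp(seed_b32, unix_time + d * TIME_STEP))
               for d in range(-window, window + 1))
```

A wrong password is rejected before the token is even looked at, and a token from an earlier step is only accepted when a window is configured.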

If you think this tutorial is helpful, please subscribe to my YouTube channel for more tutorials: https://www.youtube.com/@sysadmin102
