How to configure 2FA for GUI access in OPNsense

OPNsense is a popular fork of pfSense – both of which are based on FreeBSD. Netgate’s recent decision to create a premium version of pfSense (pfSense Plus) that integrates proprietary code alongside the fully open-source version (pfSense Community Edition) has left many believing that pfSense CE will be gradually abandoned.

Because of that, many pfSense users have jumped ship (or are considering switching) to OPNsense, and while both systems are very similar most configurations have substantial differences by now.

With that in mind, this post explains how to configure two-factor authentication for GUI access in OPNsense.

This guide assumes you have a working OPNsense configuration with working WAN and LAN interfaces.

PONsense - 2FA - Dashboard 1

What is 2FA?

2FA stands for two-factor authentication. It’s an authentication scheme that uses your password while requiring a second factor for authentication. The second factor is usually a dynamically generated one-time password (OTP). While the OTP can be sent to you by text message, a better (and more secure) way is to use an authenticator app that generates one-time passwords for you. 2FA’s basic principle is to use something you know (your password) with something you have (your phone, your authenticator app) for authentication.

Most service providers support 2FA, so there’s a good chance you’re already using it with some of your accounts. We’re going to set it up on OPNsense because it just makes sense to lock down OPNsense GUI access with 2FA – particularly in an enterprise environment.

Let’s get started.

Creating a time-based one-time password (TOTP) authentication server

The first thing we’re going to do is create a TOTP authentication server to be used for 2FA in OPNsense.

  1. From the side menus, go to System > Access > Servers. The Authentication Servers page is displayed. PONsense - 2FA - Go To System_Access_Servere
  2. Click the + sign to add a new server. The Authentication Server Configuration page is displayed. PONsense - 2FA - Authentication Servers - Click Plus
  3. Enter a name for your server in the Descriptive name field.
  4. From the Type drop-down menu, select Local + Timebased One Time Password. Using this option, we will log in using our defined password and the generated TOTP.
  5. Make sure the Token length is set to 6.
  6. Optionally tick the Reverse order token box. When ticked, you enter the defined password before the TOTP. When unticked, you do the opposite. I’m leaving it unticked.
  7. Click Save. PONsense - 2FA - Configure TOTP Server
  8. We’re taken back to the Authentication Server page, and we can see that our TOTP server is displayed. PONsense - 2FA - TOTP Server Created

Creating and configuring a user for 2FA authentication

Now that our server is set up, we’re going to create a new user and configure that user account to use 2FA authentication.

  1. From the side menus, select System > Access > Users. The Users page is displayed. PONsense - 2FA - Go To System_Access_Users
  2. Click the + icon. The User Configuration page is displayed. PONsense - 2FA - New Users - Click Plus
  3. Enter a name for this user in the Username field.
  4. Enter and confirm a password in the Password fields.
  5. Scroll down until you see the OTP seed setting (towards the bottom of the page) and tick the Generate new secret (160 bit) box and click Save. PONsense - 2FA - Configure 2FA User 1
  6. A new section called Effective Privileges appears under the Group Memberships section. Click the Pencil sign to add privileges to this user. The System Privileges page is displayed. PONsense - 2FA - Set Effective Privieleges 1
  7. Tick the box to the left of GUI – All pages and click Save. You’re taken back to the User Configuration page. PONsense - 2FA - Set Effective Privileges 2
  8. We can see that the privileges we just assigned are now listed. And there’s a new section called OTP QR code now displayed under Generate new secret (160 bit). Click the Click to unhide button. PONsense - 2FA - Click to Unhide QR Code
  9. This displays the QR code used to configure the 2FA account in the Authenticator app. Stay on this page, as we will be using the QR code in the next steps. PONsense - 2FA - QR Code Displayed

Configuring Google Authenticator

For this tutorial, we’re going to use the Google Authenticator app to generate our one-time passwords. There are other clients available for iOS and Android, but in the name of simplicity and familiarity, we’ll be using Google Authenticator in this example. Google’s Authenticator app does not require you to have a Google account, nor does it require an internet connection. So using the app should not give Google any visibility into your activities or your one-time passwords. But, by all means, feel free to use one of the many alternatives.

Configuring Google Authenticator is very simple once downloaded onto your device.

  1. Launch the app.
  2. Click the Add a code button or the + sign at the bottom right of the UI. You’re prompted to scan a QR code with your camera or manually enter the setup key. PONsense - 2FA - Google Authenticator - Add Code
  3. Select Scan a QR code. Your device’s camera comes up. Scan the QR code we created in the previous step. PONsense - 2FA - Google Authenticator - Scan QR Code
  4. You’re done. Google Authenticator is now configured and will dynamically generate one-time passwords every 30 seconds. PONsense - 2FA - Google Authenticator - Configured

Testing the TOTP server

Now that we have a user configured to use 2FA and that we’ve configured our Authenticator app, it’s time to test our TOTP server to make sure it properly authenticates our user.

  1. From the side menus, select System > Access > Tester. The Tester page is displayed. PONsense - 2FA - Go To System_Access_Tester
  2. Enter the username in the Username field.
  3. Depending on whether you ticked the Reverse token order box when creating your TOTP server, enter either TOTP+your password (unticked) or your password+TOTP (ticked) in the Password field.
  4. Click Test. PONsense - 2FA - Login Test
  5. If all went well, you should see User: <your 2FA username> authenticated successfully at the top left of the page. PONsense - 2FA - Test Successful

Configuring OPNsense to use our TOTP server for GUI authentication

Now that we’ve successfully tested our user’s 2FA authentication, we can set OPNsense to use our TOTP server to authenticate our user for GUI access.

  1. From the side menus, select System > Settings > Administration. The Administration page is displayed. PONsense - 2FA - Go To System_Settings_Administration
  2. Scroll down to the Authentication section, and from the Server drop-down menu, select your TOTP server and click Save. PONsense - 2FA - Set TOTP Server for GUI Authentication
  3. You should see The changes have been applied successfully at the top left of the page. PONsense - 2FA - TOTP Server Change Successful

Testing our setup for OPNsense GUI access

Now let’s go ahead and test an actual login to the OPNsense GUI using 2FA.

  1. Start by logging out of OPNsense. PONsense - 2FA - Logout
  2. Login to OPNsense using your TOTP and password. PONsense - 2FA - 2FA User Login
  3. You’re logged in, and the Dashboard is displayed. PONsense - 2FA - Dashboard 2

Wrapping up

We’ve successfully configured OPNsense to use 2FA for GUI access. Access to the brains of your network is now locked down with two-factor authentication. Moving forward, to access your OPNsense GUI, you’ll need something you know (your password/PIN) and something you have (your phone for OTP generation).

You can also use 2FA can in other areas of OPNsense, such as for OpenVPN connections, for example. That’s beyond the scope of this tutorial, but we may touch upon that topic in a future post. Until then, I’d recommend setting up 2FA on all services you use that support it – it goes a long way to securing your accounts.

Stay safe.

Related: Two-factor authentication (2fa) statistics