How to OPNsense 2FA TOTP with Google Authenticator


This guide shows how to provide One-time Password (OTP) for 2 factor authentication with OPNsense and Google’s Authenticator. All OPNsense services can be used with the 2FA solution.

Step 1 – Add authentication server

To add a TOTP server, go to System ‣ Access ‣ Servers and click the plus (+) for Add server in the top right.

OPNsense System Access TOTP Server

Select Type Local+Timebased One Time Password from drop-down list.

Step 2 – Add or change users

For this example, we’ll create a new user, go to System ‣ Access ‣ Users and click the plus (+) in the right corner.

Add or change OPNsense users

Enter a username and password and fill in the other fields, just like for any other user. Then left at OTP-seed click the checkbox at Generate new secret (160bit).

Generate new secret OPNsense System Access Users OTP-seed

Then click the Save button.

Step 3 – Enable the authenticator for OTP seed

To activate the new OTP seed on the Google Authenticator, first open the user you just created again, click on the pencil icon, then on the Click to unhide button.

Enable the authenticator for the OTP seed

Be very careful with the seed or QR code as this is the only thing you need to calculate the token. KEEP YOUR SEED/QR CODE SAFE !

Step 4 – Activate authentication server

Now activate the authentication server and deactivate the local database, under System ‣ Settings ‣ Administration on Authentication – Server: click on TOTP Server.

Activate authentication server

Do deactivate the Local Database and click the Save button.

Step 5 – Google Authenticator Installation

Open your platform’s App Store, such as iOS or Android, and search for Google Authenticator. Install the app on your device as usual.

Step 6 – Scan QR code

Now open the Google Authenticator app on your smartphone or tablet PC and select the option to scan the QR code, may with the + icon, alternatively the seed can be entered directly.

To test user authentication, OPNsense offers a simple tester. This under System ‣ Access ‣ Tester.

Select the previously configured authentication server and enter the user name. The entry must be made in the form of token + password together in the password field.

  The password field is used to enter both the token and password, ie. Password: 123456PASSWORD when using the default configuration. The OTP authentication server can also be configured to be used in reverse order like PASSWORD123456.

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Reply

Your email address will not be published. Required fields are marked *