Differences

This shows you the differences between two versions of the page.

--- other:networking:opnsense:totp [2025/09/21 18:23] – rodolico
+++ other:networking:opnsense:totp [2025/09/21 18:47] (current) – rodolico
@@ Line 1: / Line 1: @@
 ====== TOTP Authentication in OPNSense ======
-Time based One Time Password authentication [[https://en.wikipedia.org/wiki/Time-based_one-time_password|Wikipedia]] has become more commonly used in Multi-Factor Authentication (MFA) for additional security in various areas. Generally used by authenticators such as [[https://freeotp.github.io/|FreeOTP]], [[https://www.microsoft.com/en/security/mobile-authenticator-app|Microsoft Authenticator]], [[https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2|Google Authenticator]] and many more. My preference is FreeOTP, by the way.
+Time based One Time Password authentication [[https://en.wikipedia.org/wiki/Time-based_one-time_password|Wikipedia]] has become more commonly used in Multi-Factor Authentication (MFA) for additional security in various areas. Generally used by authenticators such as [[https://freeotp.github.io/|FreeOTP]], [[https://www.microsoft.com/en/security/mobile-authenticator-app|Microsoft Authenticator]], [[https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2|Google Authenticator]] and many more. My preference is FreeOTP due to the ability to back up the configuration without having to use a proprietary system.
-OPNSense has supported TOPT for several years, and we will discuss how to set it up. I will be using [[https://opnsense.org/|OPNSense]] v25.01.12, and offering a script we wrote to deploy the QR Codes most authenticators prefer.
+OPNSense has supported TOTP for several years, and we will discuss how to set it up. I will be using [[https://opnsense.org/|OPNSense]] v25.01.12, and offering a script we wrote to deploy the QR Codes most authenticators prefer.
 We are mainly focused on using MFA, using TOTP with an authentication for Road Warrior VPN access.
@@ Line 51: / Line 51: @@
   - Click Save
-Attempt to log in from a second session. If it all works, you are now authenticating with and without TOTP. Try logging in with just the password, and with the TOPT Authenticator token preceding the password (//######password//)
+Attempt to log in from a second session. If it all works, you are now authenticating with and without TOTP. Try logging in with just the password, and with the TOTP Authenticator token preceding the password (//######password//)
 ===== Full Testing =====
 <WRAP center round important 60%>
-The QR Code is sensitive information. Anyone with access to the OTP Seed can use any Authenticator app to calculate the correct TOPT code. Treat this as the same level of sensitivity as you would passwords.
+The QR Code is sensitive information. Anyone with access to the OTP Seed can use any Authenticator app to calculate the correct TOTP code. Treat this as the same level of sensitivity as you would passwords.
 </WRAP>
-Ensure all of your users have their TOPT Authenticator working. There is no simple way I have found to get the QR Code to everyone. For just a few people, you can simply go to System | Access | Users, right click on their QR Code and put it where they can scan it into their Authenticator app.
+Ensure all of your users have their TOTP Authenticator working. There is no simple way I have found to get the QR Code to everyone. For just a few people, you can simply go to System | Access | Users, right click on their QR Code and put it where they can scan it into their Authenticator app.
 For larger numbers of end users, I wrote a pair of scripts that will scan an OPNSense configuration file and create the QR Codes for each user. The user accesses the web page, enters their OPNSense username and password, and the QR Code is displayed for them.
@@ Line 82: / Line 82: @@
   - Click Save
+===== Usage =====
+Some VPN clients have configurations for TOTP, but each is different. All it does is prepend the TOTP code you enter to the password, so if your client does not have a separate field, you can simply prepend the six digit TOTP to your normal password. Once I have tested more, I may update this document for various OpenVPN clients.