A service of Daily Data, Inc.

TOTP Authentication in OPNSense

Time-based One-Time Password (TOTP) authentication has become more commonly used in Multi-Factor Authentication (MFA) for additional security in various areas. It is generally used with authenticator apps such as FreeOTP, Microsoft Authenticator, Google Authenticator and many more. My preference is FreeOTP, by the way.

OPNSense has supported TOTP for several years, and we will discuss how to set it up. I will be using OPNSense v25.01.12, and offering a script we wrote to deploy the QR Codes most authenticators prefer.

We are mainly focused on using MFA, combining TOTP with password authentication, for Road Warrior VPN access.

Set up authentication in OPNSense

  1. Log into your OPNSense router as a user with administrative permissions
  2. Go to System | Access | Users
    1. For each user
      1. Edit Account
      2. Scroll down to OTP seed
      3. Click “Show” (older versions did not require this step)
      4. Click the gear box to (re)generate an OTP Seed
      5. Click Save
  3. Go to System | Access | Servers
    1. Click plus sign to create new server
    2. Descriptive Name: Something that readily identifies this, such as TOTP
    3. Type: Local+Timebased One Time Password
    4. Token length: 6 (Microsoft compatible)
    5. Time Window: 30
      1. this is the default, but I like to see what the value is, so I enter it
      2. This defines how long (in seconds) each code is valid. So, if your authenticator changes numbers in the middle of you typing one in, this determines whether you have to re-enter it
    6. Grace period: 10 (same as above, it is the default)
      1. this is the default, but I like to see what the value is, so I enter it
      2. Again, this is kind of like Time Window, but appears to be the allowed difference in time between your authenticator and the server. Increasing this is less secure, but allows for an easier match
    7. Click Save
  4. Go to System | Access | Tester
    1. Authentication Server: Select the one you just created
    2. Username: enter the username for an account
    3. Password: ######password
      1. ###### is the six-digit (or eight-digit, if you chose that length) code shown by the authenticator
      2. password is the account's normal password, typed directly after the code with no separator
    4. Click Test
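As an added example (not part of this page and not OPNsense's own code), the following Python models what the settings above control: how the six- or eight-digit code is derived from the OTP seed (RFC 6238 with HMAC-SHA1), how the Time Window sets the counter, how a Grace Period lets a just-expired code still match, how the Tester's "######password" string is split, and the otpauth:// URI that a QR code for an authenticator app encodes. The seed is the published RFC 6238 test vector, not a real secret; the grace-period semantics (previous window's code accepted for `grace` seconds after rollover) is an assumption for illustration, not taken from OPNsense source.

```python
"""Added example: TOTP as configured on the page (token length, time window,
grace period) plus the '<code><password>' format the OPNsense Tester expects.
Illustrative code, not OPNsense's implementation."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Published RFC 6238 test seed (ASCII "12345678901234567890", base32-encoded).
# Public test vector, not a real secret; OPNsense shows seeds in this base32
# form in the user's "OTP seed" field.
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(seed_b32, counter, digits=6):
    """RFC 6238 / RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
    truncation, then the last `digits` decimal digits, zero-padded."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def current_code(seed_b32, digits=6, window=30, now=None):
    """The code an authenticator app shows right now; `window` is the
    page's "Time Window" in seconds."""
    now = time.time() if now is None else now
    return totp_code(seed_b32, int(now // window), digits)


def verify_code(seed_b32, submitted, digits=6, window=30, grace=10, now=None):
    """Server-side check. Grace period is modelled (an assumption, not
    OPNsense's source) as: for `grace` seconds after a window rolls over,
    the previous window's code is still accepted, absorbing small clock skew
    or a code typed just too late. A larger grace means more codes are valid
    at any instant, hence less secure, as the page notes."""
    now = time.time() if now is None else now
    counter = int(now // window)
    candidates = [counter]
    if now % window < grace:
        candidates.append(counter - 1)
    # Constant-time comparison for each candidate code.
    return any(hmac.compare_digest(totp_code(seed_b32, c, digits), submitted)
               for c in candidates)


def split_otp_password(combined, digits=6):
    """The Tester takes '<code><password>' with no separator: the first
    `digits` characters are the OTP, the remainder is the password."""
    if len(combined) <= digits or not combined[:digits].isdigit():
        raise ValueError("expected %d leading OTP digits then the password" % digits)
    return combined[:digits], combined[digits:]


def provisioning_uri(seed_b32, account, issuer="OPNsense", digits=6, window=30):
    """Key URI (otpauth://) that authenticator apps read from a QR code;
    a QR-code deployment script would encode exactly this string."""
    label = quote("%s:%s" % (issuer, account), safe="")
    return ("otpauth://totp/%s?secret=%s&issuer=%s&digits=%d&period=%d"
            % (label, seed_b32, quote(issuer, safe=""), digits, window))


if __name__ == "__main__":
    # Constructed input: current code followed by a made-up password.
    code, pw = split_otp_password(current_code(RFC6238_SEED) + "hunter2")
    print("code", code, "valid:", verify_code(RFC6238_SEED, code))
    print(provisioning_uri(RFC6238_SEED, "alice"))
```

Running it prints the code the RFC seed yields for the current 30-second window, confirms it verifies, and prints the otpauth:// URI an authenticator would import. With `grace=0` a code from the window that just ended is rejected even one second later, which is the trade-off the Grace period setting makes.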
other/networking/opnsense/totp.1758488287.txt.gz · Last modified: 2025/09/21 15:58 by rodolico