Netgate Discussion Forum

    OpenVPN with Google 2FA

    • ivica.glavocic

      OpenVPN server is set up with FreeRADIUS as auth source, Mobile-One-Time-Password turned on, users in FreeRADIUS. Config option static-challenge "Please enter your TOTP PIN" 1 is pushed to the clients.

      When a client connects from OpenVPN Connect with PIN (password in Connect) + TOTP from Google Authenticator, it gets "User authentication failed". The reason is that the client adds the TOTP before the PIN, and the server expects it to be after the PIN.

      How can I reconfigure OpenVPN server on pfSense to accept TOTP after PIN?

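The ordering mismatch described in the post above, as an added example that is not part of the original thread and is not pfSense or FreeRADIUS code. With static-challenge, OpenVPN hands the server-side auth hook the password field as SCRV1:<base64 password>:<base64 response>, and the two parts must be joined in the order the backend expects. The PIN, the secret (the RFC 6238 test key), the timestamp and the `backend_accepts` check are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread): RFC 6238 test key, PIN 4321.
SECRET = b"12345678901234567890"
PIN = "4321"
NOW = 59  # Unix time; the RFC 6238 6-digit TOTP at this instant is 287082
# Password field as an auth hook would receive it: PIN and TOTP, base64-encoded.
SAMPLE = "SCRV1:NDMyMQ==:Mjg3MDgy"

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1."""
    digest = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def parse_scrv1(field):
    """Return (password, response) from an SCRV1 field, or None if malformed."""
    parts = field.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        return None
    try:
        return tuple(base64.b64decode(p, validate=True).decode("utf-8") for p in parts[1:])
    except (ValueError, UnicodeDecodeError):
        return None

def backend_accepts(combined, now=NOW):
    """Hypothetical backend that expects the PIN followed by the TOTP."""
    expected = PIN + totp(SECRET, now)
    return hmac.compare_digest(combined.encode(), expected.encode())

def check(field, order):
    """Join the two SCRV1 parts in the given order and ask the backend."""
    parsed = parse_scrv1(field)
    if parsed is None:
        return False
    pin, otp = parsed
    combined = pin + otp if order == "pin+otp" else otp + pin
    return backend_accepts(combined)

if __name__ == "__main__":
    for order in ("pin+otp", "otp+pin"):
        print(order, "->", "accepted" if check(SAMPLE, order) else "rejected")
```

Logging the decoded part lengths (never the values) on the auth hook is a quick way to confirm which order a given client and backend pair actually uses.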
      • ivica.glavocic

        I got help from Netgate support regarding this issue; as a result, a new feature request has been opened: https://redmine.pfsense.org/issues/16558
        Thanks to everyone in Netgate support, especially Mr. Lev Prokofev; their response, explanation and help were excellent.
        This topic is successfully resolved as far as I am concerned.

        • Gertjan @ivica.glavocic

          @ivica.glavocic said in OpenVPN with Google 2FA:

          https://redmine.pfsense.org/issues/16558

          👍

          The redmine ticket shows clearly what your issue is - or was ^^
          "freeradius" is .. huge. It has many options, possibilities, extensions, and so on. It's one of the most used software packages in the world (we all use it several times a day), and it's also the most unknown software.
          The issue is that the pfSense GUI offers a very small set of the actual capabilities of Freeradius. Go look at the official documentation, you'll be off for days, and when you come back, you won't be the same man anymore.
          Netgate could create a GUI access for all these options, they also have to 'support' it from then on. That's close to mission impossible.

          The same thing goes for OpenVPN, or worse : bind, and even worse : postfix. All these 'packages', imho, don't even belong on a firewall, but I'm not complaining as I'm using OpenVPN and Freeradius on pfSense right now. I even modified the Freeradius config files so it uses the SQL backend for the 'users' (captive portal users) and not the pfSense User Account Manager as I tend to think that "totally not trusted users" should not have a user account on my pfSense.

          I'm the only user using the pfSense OpenVPN access for my pfSense, so I don't need 2FA - for now.
          Thanks for your follow-up anyway 👍

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.