2FA for openVPN using Google Authenticator with self registration?
We are setting up openVPN for our users and are thinking of using Google Authenticator for the 2FA. Most of our employees are offsite and the initial registration with Google Authenticator poses an issue. For our users to register their Google Authenticator app they need to scan a QR code. The QR code is displayed in the pfsense web interface upon creating the user along with a warning that "The image can be saved and shown to a user, but treat it as a secure piece of information and do not send it through an insecure channel such as e-mail".
This leads me to a few questions:
- Is the QR code valid for more than one activation? (Could someone activate more than one device with it?)
- Is there a limited time that the QR code remains valid? (Once I generate the QR code for a user, do they have a set amount of time to activate before the QR code is no longer valid?)
- Is there any method of self-service registration when using Google Authenticator with openVPN where the user logs in the first time (preferably with a one-time code) and is forced to register their mobile device with Google Authenticator for future
- If self-service registration is not an option, what other methods have other admins used to get remote users registered when using openVPN with Google Authenticator?
Any suggestions would be helpful.
Thanks
Moved this to packages since the questions you are asking are more relevant to the FreeRADIUS package support for Google Authenticator than OpenVPN.
- It can be used multiple times; it's no different than manually entering the OTP configuration in a similar tool such as Authy or Bitwarden, but more convenient.
- No time limit, it's just a QR code version of the user configuration data.
- No.
- Nothing in pfSense directly. Other RADIUS servers may have options for things like that. Check around for things like daloradius which may have plugins for what you want. You can then point the auth at that external RADIUS server and let it handle the user auth and OTP.
Any time you rely on the user to "self-register" or similar terms for their own VPN setup, it's weakening security. Yes, managing users and VPN configurations is a chore, but anything that makes it substantially easier almost certainly makes it more open to attack or abuse.