Netgate Discussion Forum

Openvpn with LDAP auth and 2fa

    macst345
    last edited by Dec 5, 2024, 2:49 PM

    Hi,

    I am trying to set up OpenVPN + 2FA (Google) on my pfSense.
    I have connected my pfSense to an LDAP server (on a Synology NAS) for auth and it tests OK.
    Username is passed to LDAP and LDAP checks if it is a member of VPNgroup.

    so far so good.
    How do I add 2FA (Google Authenticator) to the mix?

    I looked into FreeRADIUS and PAM but not sure which method to proceed with.

    User's password is stored encrypted in LDAP so it may fail for FreeRADIUS, since I read somewhere that FreeRADIUS requires unencrypted passwords.

    Thanks for any suggestions.

    Michael

      stephenw10 Netgate Administrator
      last edited by Dec 5, 2024, 5:40 PM

      Do you mean via Google LDAP or just Google Authenticator (TOTP) locally?

      To use TOTP I believe you need to use RADIUS, yes.

        macst345
        last edited by Dec 6, 2024, 3:17 AM

        Hi Stephen,

        Yes, looking to add Google Authenticator for 2FA (TOTP) to working OpenVPN with local LDAP authentication.

        Michael

          stephenw10 Netgate Administrator
          last edited by Dec 6, 2024, 2:33 PM

          AFAIK you would need to use RADIUS to do it. RADIUS can auth against LDAP but that may not work with 2FA since, as you say, it needs to see the password a user submits as it contains the additional auth code.
