OPNsense, Active Directory, OpenVPN and 🔒 TOTP

Some say it couldn’t be done; I’d like to prove otherwise.

I recently did a project where the combination from the title would come in handy. A secure VPN server that uses an existing Windows Active Directory setup.

After everything is set up, you have an OpenVPN server that authenticates against Active Directory and requires a TOTP token, all running on OPNsense.

Alright, let’s get to work! First, go to System > Access > Servers and click Add. Use the following info, replacing the values to fit your environment.

Descriptive name: Uberkek AD
Type: LDAP + Timebased One Time Password
Hostname or IP address: uberkek.domain.local
Port value: 389
Transport: TCP - Standard
Protocol version: 3
Bind credentials
User DN: CN=opnsense,OU=service-accounts,OU=users,DC=uberkek,DC=domain,DC=local
Password: lamepassword
Search scope: One Level
Base DN: OU=users,DC=uberkek,DC=domain,DC=local
Authentication containers: (use the select button)
Extended Query: <leave empty>
Initial Template: Microsoft AD
User naming attribute: sAMAccountName
Read properties: nah
Synchronize groups: nah
Limit groups: nah
Token length: 6, or 8
Time window: <Hard mode: 1, Easy mode: 30>
Grace period: <Hard mode: 0, Easy mode: 10>
Reverse token order: Checked, or unchecked

The token order threw me off. The way this thing works is that you enter the TOTP token in the password field. If reverse token order is checked, then you fill in your token AFTER the password. Uncheck it, and now you enter your token BEFORE the password.
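As an added example (my own code, not OPNsense’s), here is a small Python model of what the authenticator has to do with that combined password field: split the token off according to Reverse token order, then check it as an RFC 6238 TOTP over the time window with a grace period. The secret, the password and the stand-in LDAP check are constructed values, and how the window and grace period are applied is my reading of the settings, not OPNsense’s documented internals.

```python
import base64
import hashlib
import hmac
import struct

# Constructed 160-bit seed (RFC 6238 test secret, base32); a real one comes
# from "Generate new secret (160 bit)" on the user page.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", for_time // step)          # time step as 8-byte counter
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_password_field(field: str, digits: int, reverse_order: bool):
    """Token AFTER the password when Reverse token order is checked, BEFORE otherwise."""
    if len(field) <= digits:
        return None                                        # no room for token + password
    if reverse_order:
        return field[-digits:], field[:-digits]
    return field[:digits], field[digits:]


def verify(field: str, ldap_password: str, secret_b32: str, now: int,
           digits: int = 6, step: int = 30, grace: int = 0,
           reverse_order: bool = False) -> bool:
    """Stand-in for the LDAP+TOTP check: password must bind, token must match
    some time step overlapping [now - grace, now + grace] (assumed semantics)."""
    parts = split_password_field(field, digits, reverse_order)
    if parts is None:
        return False
    token, password = parts
    # Constructed stand-in for the LDAP bind; OPNsense would bind to AD here.
    if not token.isdigit() or not hmac.compare_digest(password, ldap_password):
        return False
    first, last = (now - grace) // step, (now + grace) // step
    return any(hmac.compare_digest(token, totp(secret_b32, c * step, step, digits))
               for c in range(first, last + 1))
```

With Reverse token order unchecked the client types `287082lamepassword`; checked, it types `lamepassword287082`, and the grace period decides whether a code from the previous step is still accepted.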

If all you want is an OpenVPN server without TOTP, then select Type: LDAP and skip to setting up the OpenVPN server.

If everything went well, you can now head over to System > Settings > Administration. Scroll down to Authentication and use the Server dropdown to select both your new authentication source and local authentication. If you decide that you don’t want local authentication, then keep in mind the root account also doesn’t work! Learnt that the hard way.

Go to System > Access > Users, where you will see a shiny import button (the cloud with the arrow). Click it with all the power that is in you. Select the users that are going to use the VPN.

After the users are imported, click the edit button for the user you want to configure. Go down to OTP seed and select Generate new secret (160 bit). Click save and scroll down again. You will now see a secret and a button to show a QR code. Add the QR code to an authenticator app.

Now go to System > Access > Tester and select your AD + TOTP authentication source. Type in your username and password + OTP token. Type the token before or after your password, depending on the Reverse token order checkbox. If everything went well, you should see a blue box telling you that the test passed. Congratulations.

Now all you need to do is make a VPN server. Easy enough, right? Go to VPN > OpenVPN > Servers and click Add. Configure as follows:

Description: Uberkek VPN
Server Mode: Remote Access (User Auth)
Backend for authentication: AD + TOTP (The name you chose earlier)
Peer Certificate Authority: VPN CA? (Make a CA for your VPN server if you haven't already)
Server Certificate: VPN server (make a certificate using the CA for the VPN)
IPv4 Tunnel Network: 172.32.2.0/24 (or whatever)
IPv4 Local Network: 172.32.1.1/24 (or whatever)

Configure the rest to your liking. Poke a hole in your firewall to let OpenVPN traffic pass in Firewall > Rules > WAN interface. I’m going to assume you know how to make a firewall rule.

Now go to VPN > OpenVPN > Client Export. Enter a hostname for your VPN and download the OVPN file. Import it into your client and log in with your AD credentials and TOTP token in the password field.

It’s really that simple.