OPNsense, Active Directory, OpenVPN and 🔒 TOTP
Some say it couldn’t be done; I’d like to prove otherwise.
I recently did a project where the combination from the title would come in handy. A secure VPN server that uses an existing Windows Active Directory setup.
After everything is set up, you have an OpenVPN server that authenticates against Active Directory and requires a TOTP token, all running on OPNsense.
Alright, let’s get to work! First, go to System > Access > Servers and click Add. Use the following info, replacing the values to fit your environment.
Descriptive name: Uberkek AD
Type: LDAP + Timebased One Time Password
Hostname or IP address: uberkek.domain.local
Port value: 389
Transport: TCP - Standard
Protocol version: 3
Bind credentials
  User DN: CN=opnsense,OU=service-accounts,OU=users,DC=uberkek,DC=domain,DC=local
  Password: lamepassword
Search scope: One Level
Base DN: OU=users,DC=uberkek,DC=domain,DC=local
Authentication containers: (use the select button)
Extended Query: <leave empty>
Initial Template: Microsoft AD
User naming attribute: sAMAccountName
Read properties: nah
Synchronize groups: nah
Limit groups: nah
Token length: 6, or 8
Time window: <Hard mode: 1, Easy mode: 30>
Grace period: <Hard mode: 0, Easy mode: 10>
Reverse token order: Checked, or unchecked
The token order threw me off. The way this thing works is that you enter the TOTP token in the password field. If reverse token order is checked, then you fill in your token AFTER the password. Uncheck it, and now you enter your token BEFORE the password.
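To make the token order and the time window / grace period settings concrete, here is an added example (not code from the post and not OPNsense’s own implementation) that simulates the login check: it splits the single password field into password and token according to the Reverse token order setting, then validates the token as an RFC 6238 TOTP. It assumes that "Time window" is the TOTP step in seconds and "Grace period" is the clock drift tolerated on either side, which is my reading of the settings rather than something the post states. The AD bind is replaced by a constructed in-memory user table, and the OTP seed is the RFC 6238 reference key so the codes can be checked against the RFC’s published test vectors.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample "directory": username -> (AD password, base32 OTP seed).
# The seed is the RFC 6238 reference key ("12345678901234567890" in base32),
# used so the generated codes match the RFC's test vectors.
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
USERS = {"alice": ("hunter2", RFC6238_SEED)}


def _decode_seed(seed_b32: str) -> bytes:
    """Base32-decode a seed, tolerating the missing '=' padding authenticator apps omit."""
    return base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of `step`-second intervals since the epoch."""
    return hotp(_decode_seed(seed_b32), at_time // step, digits)


def split_password_field(field: str, token_length: int, reverse_token_order: bool):
    """Split the single password field into (password, token).

    reverse_token_order=True  -> the user typed <password><token>
    reverse_token_order=False -> the user typed <token><password>
    """
    if len(field) <= token_length:
        raise ValueError("password field too short to contain a token")
    if reverse_token_order:
        return field[:-token_length], field[-token_length:]
    return field[token_length:], field[:token_length]


def token_is_valid(token: str, seed_b32: str, now: int, step: int, grace: int, digits: int) -> bool:
    """Accept the token if it matches any time step overlapping [now - grace, now + grace].

    Assumption: "Time window" is the TOTP step and "Grace period" the tolerated drift in seconds.
    """
    if len(token) != digits or not token.isdigit():
        return False
    key = _decode_seed(seed_b32)
    first, last = (now - grace) // step, (now + grace) // step
    return any(hmac.compare_digest(hotp(key, c, digits), token) for c in range(first, last + 1))


def authenticate(username: str, field: str, now: int, token_length: int = 6,
                 reverse_token_order: bool = True, step: int = 30, grace: int = 10) -> bool:
    """Simulated login: check the AD password, then the TOTP token.

    Defaults mirror the post's "easy mode" (30 s window, 10 s grace) with the token
    typed after the password (Reverse token order checked). The LDAP bind is
    replaced by a lookup in the constructed USERS table.
    """
    record = USERS.get(username)
    if record is None:
        return False
    ad_password, seed = record
    try:
        password, token = split_password_field(field, token_length, reverse_token_order)
    except ValueError:
        return False
    # Evaluate both factors before combining so a wrong password and a wrong
    # token are indistinguishable to the caller.
    password_ok = hmac.compare_digest(password.encode(), ad_password.encode())
    token_ok = token_is_valid(token, seed, now, step, grace, token_length)
    return password_ok and token_ok


if __name__ == "__main__":
    t = 1234567890  # RFC 6238 test time; code for the reference seed is 005924
    print("token:", totp(RFC6238_SEED, t))
    print("password then token:", authenticate("alice", "hunter2" + totp(RFC6238_SEED, t), t))
    print("token then password:", authenticate("alice", totp(RFC6238_SEED, t) + "hunter2", t))
```

With the defaults, "hunter2005924" at the RFC test time logs alice in, while "005924hunter2" fails because the six leading characters are taken as the password and "unter2" is not a numeric token; flipping reverse_token_order inverts which form works. Setting grace to 0 rejects the previous step’s code as soon as the clock ticks over, which is the "hard mode" behaviour the post describes. One practical caveat on the server settings above: with Transport set to TCP - Standard on port 389, the bind credentials and every user password cross the network to the domain controller unencrypted, so plan on switching to a TLS transport once the plain setup works.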
If all you want is an OpenVPN server without TOTP, then select Type: LDAP and skip ahead to setting up the OpenVPN server.
If everything went well, you can now head over to System > Settings > Administration. Scroll down to Authentication and use the Server dropdown to select both your new authentication source and local authentication. If you decide that you don’t want local authentication, keep in mind that the root account won’t be able to log in anymore either! Learnt that the hard way.
Under System > Access > Users you will see a shiny import button (the cloud with the arrow). Click it with all the power that is in you. Select the users that are going to use the VPN.
After the users are imported, click the edit button for the user you want to configure. Go down to OTP seed and select Generate new secret (160 bit). Click Save and scroll down again. You will now see the secret and a button to show a QR code. Scan the QR code with an authenticator app.
Now go to System > Access > Tester and select your AD + TOTP authentication source. Type in your username and your password + OTP token, with the token before or after your password depending on the Reverse token order checkbox. If everything went well, you should see a blue box telling you that the test passed. Congratulations.
Now all you need to do is make a VPN server. Easy enough, right? Go to VPN > OpenVPN > Servers and click Add. Configure as follows:
Description: Uberkek VPN
Server Mode: Remote Access (User Auth)
Backend for authentication: AD + TOTP (the name you chose earlier)
Peer Certificate Authority: VPN CA (make a CA for your VPN server if you haven’t already)
Server Certificate: VPN server (make a certificate using the CA for the VPN)
IPv4 Tunnel Network: 22.214.171.124/24 (or whatever)
IPv4 Local Network: 126.96.36.199/24 (or whatever)
Configure the rest to your liking. Poke a hole in your firewall to let OpenVPN traffic in under Firewall > Rules > WAN. I’m going to assume you know how to make a firewall rule.
Now go to VPN > OpenVPN > Client Export. Enter a hostname for your VPN and download the OVPN file. Import it into your client and log in with your AD credentials and TOTP token in the password field.
It’s really that simple.