In this post, you will learn how to use Google Authenticator as a second factor for OpenVPN on pfSense Plus. The user will log in to the OpenVPN remote-access service with their username and, as the password, their PIN followed by the 6-digit code shown in the Google Authenticator app.
Two-factor authentication, often referred to as “2FA”, is an identity and access management method that requires two independent forms of proof before access to resources and information is granted. The practical effect is that a stolen or guessed password alone is no longer enough to log in.
2FA's security comes from combining two different kinds of factor:
- something you know (like a password or a PIN)
- something you have (like a hardware key, a phone running an authenticator app, or a client certificate)
In its default configuration, OpenVPN on pfSense Plus uses 2FA in the form of username/password combinations and certificates that reside on the user’s computer. A certificate file on disk is a weak “something you have”, because it can be copied together with the rest of the machine, so this may not fully satisfy the needs of the enterprise. This is why pfSense Plus provides multiple options for authentication.
The primary component in this configuration is the FreeRADIUS package. pfSense Plus hands the OpenVPN login to FreeRADIUS over RADIUS, and FreeRADIUS checks the submitted PIN and time-based code against the OTP secret stored for that user, then accepts or rejects the login to the OpenVPN service.
Step 1 - Installing FreeRADIUS
First, you must install the FreeRADIUS package by logging into the pfSense Plus web GUI, navigating to System > Package Manager, and clicking the tab for Available Packages. Scroll down to the FreeRADIUS package and click Install.
Step 2 - Basic Configuration
Once installed, you can navigate to Services > FreeRADIUS and begin configuring the service by clicking the Settings tab. Scroll down near the bottom and enable Mobile One-Time-Password (OTP) support by clicking on the checkbox. Leave all other values as default, and save.
Step 3 - Create a Listener Port
Next, we must configure FreeRADIUS to listen for authentication requests. We do this by creating an interface. Click on the Interfaces tab and click the green Add button. Fill the form out like this (the standard values, a listener of type Authentication on UDP port 1812, are what this setup needs) and click Save:
Your new listening interface should look like this:
Step 4 - Allow FreeRADIUS to Accept Incoming Queries
The RADIUS server will not answer authentication requests from clients it does not know about, so we need to define the firewall itself as a client. Click on the “NAS/Clients” tab and click Add. You should only need to fill out the top portion of the form and click Save. The Client IP Address is the address pfSense will send its RADIUS requests from; if the authentication server entry created later points at 127.0.0.1, that is the address to enter here. Choose a long, random “Client Shared Secret” (it is stored in the FreeRADIUS configuration in the clear and is also used to obscure passwords on the wire), and make sure you remember it:
Step 5 - Creating a User
Finally, you must create a user in FreeRADIUS that will use the Google Authenticator to authenticate to the OpenVPN service. The way this works is like this:
- The user chooses a PIN (personal ID number); this is the “something you know”.
- The Google Authenticator app holds a secret shared with FreeRADIUS and derives a new 6-digit code from it every 30 seconds; the phone with the app is the “something you have”.
- When the user logs into the VPN service, they type their PIN immediately followed by the current 6-digit code into the password field. FreeRADIUS splits the two apart, checks the PIN, and checks the code against the secret it holds for that user.
Let’s create a new user called “testuser” with a PIN of 1234. Navigate to the Users tab and click the Add button. Fill in the username, but DO NOT fill in a password. Instead, scroll down and click the checkbox to enable the One-Time Password for this user. For the OTP Auth method, choose Google Authenticator.
Scroll down further, click the Generate the OTP Secret button, and enter the user’s PIN below.
Finally, to make it easier for the user, you may generate a QR code that the Google Authenticator app may scan. The QR code contains the OTP secret itself, so anyone who scans it can produce valid codes: treat it like a password. You can either show it to the user on screen or save the image and transmit it over a secure channel so they can personally scan it; do not e-mail it, and delete any saved copy once the user has enrolled.
Scroll down and save, leaving everything else as default. Once scanned, the user can use the combination of their PIN plus the 6-digit code from Google Authenticator to log in.
Step 6 - Adding FreeRADIUS as an Authentication Source
The final step will be to add FreeRADIUS as an authentication source in pfSense Plus. To do that, navigate to System > User Manager, click on the Authentication Servers tab, and click Add. Fill out the form like this, and remember to set the Protocol to PAP: the OTP check needs the submitted PIN+code string in the clear on the server, which the challenge/response protocols (CHAP, MS-CHAP) never provide. Since PAP over RADIUS only obscures the password with the shared secret, keep this traffic on the firewall itself (127.0.0.1) rather than sending it across a network.
Your shared secret is the one you chose from the NAS/Clients configuration. Click Save, and you are ready to use FreeRADIUS for authentication.
Step 7 - Testing FreeRADIUS
Before you set up a service to authenticate from FreeRADIUS, it’s a good idea to test it first. You may test your setup by navigating to Diagnostics > Authentication and choosing FreeRADIUS as the Authentication Server.
Enter the username that was created earlier, and in the password field, type the 4-digit PIN (in our case, 1234) immediately followed by the 6-digit code currently shown in Google Authenticator (in our case, 693953), so that the whole password field reads “1234693953”, and click Test. The code is only valid for its 30-second window, so type it promptly. If all goes well, you should see the green banner indicating success.
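To make the PIN-plus-code convention from Step 5 and the “1234693953” test above concrete, here is an added illustration of the check FreeRADIUS performs for such a user. This is not the pfSense FreeRADIUS package's own code: it implements RFC 6238 TOTP with the parameters Google Authenticator uses (HMAC-SHA1, 30-second steps, 6 digits), accepts one step of clock drift either way, and builds the otpauth URI of the kind the QR code in Step 5 encodes. The secret used in the example is the RFC 6238 test key, base32-encoded as it would appear in a QR code, and the user name, issuer and PIN are made up for the illustration.

```python
"""RFC 6238 TOTP check with the article's '<PIN><6-digit code>' password convention.

Added illustration only; the pfSense FreeRADIUS package has its own implementation.
"""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

STEP_SECONDS = 30   # Google Authenticator time step
DIGITS = 6          # code length shown in the app
DRIFT_STEPS = 1     # also accept the previous and next window (clock skew)

# RFC 6238 test key "12345678901234567890", base32-encoded as in an otpauth URI.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, digits: int = DIGITS,
         step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238) over HMAC-SHA1 for the 30-second window containing unix_time."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_pin_plus_otp(submitted: str, pin: str, secret_b32: str, now=None) -> bool:
    """Check a submitted RADIUS password of the form '<PIN><code>'.

    Both parts are compared in constant time, and both must match; the code is
    accepted for the current window and DRIFT_STEPS windows on either side.
    """
    if now is None:
        now = int(time.time())
    if len(submitted) != len(pin) + DIGITS or not set(submitted) <= set("0123456789"):
        return False
    pin_part, code_part = submitted[:len(pin)], submitted[len(pin):]
    pin_ok = hmac.compare_digest(pin_part, pin)
    code_ok = any(
        hmac.compare_digest(code_part, totp(secret_b32, now + k * STEP_SECONDS))
        for k in range(-DRIFT_STEPS, DRIFT_STEPS + 1)
    )
    return pin_ok and code_ok


def provisioning_uri(secret_b32: str, username: str, issuer: str) -> str:
    """otpauth:// URI of the kind encoded in the QR code the user scans during enrollment."""
    label = urllib.parse.quote(f"{issuer}:{username}")
    query = urllib.parse.urlencode({
        "secret": secret_b32, "issuer": issuer,
        "algorithm": "SHA1", "digits": DIGITS, "period": STEP_SECONDS,
    })
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    # Hypothetical enrollment and login for the article's "testuser" with PIN 1234.
    print(provisioning_uri(EXAMPLE_SECRET_B32, "testuser", "pfSense"))
    now = int(time.time())
    password = "1234" + totp(EXAMPLE_SECRET_B32, now)      # what the user would type
    print(password, verify_pin_plus_otp(password, "1234", EXAMPLE_SECRET_B32, now))
```

The drift window matters in practice: a phone whose clock is a few seconds off will otherwise produce codes that are rejected right around the window boundary. Accepting one step on either side is the usual compromise; widening it further lengthens the time a code captured from a user's screen stays usable.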
Step 8 - Configuring OpenVPN from the Wizard
Once you have successfully tested the setup, you may go on to use it with different services. In this example, you will use it to authenticate an OpenVPN user. Navigate to VPN > OpenVPN and click the Wizard tab. For Type of Server, choose RADIUS, and click Next.
Choose the FreeRADIUS server and click Next.
For Certificate Authority, click “Add new CA”, fill out the form appropriately, and scroll down to click Add.
For Certificate, click “Add New Certificate.”
In the Descriptive Name field, enter “OpenVPN,” scroll down to the bottom and click Create New Certificate.
Fill out the following form, providing the Description (“OpenVPN” sounds reasonable), then scroll down and enter the tunnel network (10.0.8.0/24 in this example) and the local network (172.17.1.0/24 in this example). For Concurrent Connections, 50 would probably suit most purposes; increase or decrease this number as you see fit. Scroll down to the bottom and click Next.
On the final page, click the checkboxes to add the necessary firewall rules and click Next, then Finish. Your OpenVPN server is now ready for use.
All OpenVPN users should now be created in FreeRADIUS and NOT in System > User Manager; an account in the local User Manager alone will not be able to log in to this server. You may install the OpenVPN Client Export package to provide VPN clients and configurations to your users.
Using FreeRADIUS with Google Authenticator is just another example of the versatility of pfSense Plus.