OPNSense + OpenVPN with two factor authentication and an Android Client

I recently tried to set up a two factor (user/pass and certificate) VPN connection using some tutorials from the Internet. Unfortunately these tutorials are no longer up-to-date, so I would like to describe here how it works! In using OPNSense v20.8.

First we need a certification authority for our own certificates, which we will create. To do this, log in to OPNSense and click on “System –> Trust –> Authorities“. Now click on the “Add” in the upper right corner and we can create a new certificate authority!

Click “Add” in System – Trust – Authorities

Let’s add the following:

Descriptive nameOPN Authority
MethodCreate an internal Certificate Authority
Key TypeRSA
Key length (bits)4096
Digest AlgorithmSHA512
Lifetime (days)825
Country Code<your country code>
State or Province<your state province>
City<your city>
Organization<your organization>
Email Address<your email address>
Common NameOPN internal-ca

Well done! With our own certification authority we can now issue certificates! You should now see something similar on the screen:

Our new Certification Authority!

Then we let our new certification authority issue a certificate for our server right away! Via “System–>Trust–>Certificates” you should already see a certificate; the one for the WebGUI. Now click on “Add” to add a new one…

Click “Add” in System–Trust–Certificates

Perfect…. now we need to add a lot of data to generate our server certificate:

MethodCreate an internal Certificate
Descriptive nameVPN Server Certificate
Certificate authorityOPN Authority
TypeServer Certificate
Key TypeRSA
Key length (bits)4096
Digest AlgorithmSHA512
Lifetime (days)825
Private key locationSave on this firewall
Country Code<your country code>
State or Province<your state province>
City<your city>
Organization<your organization>
Email Address<your e-mail address>
Common NameVPN Server Certificate
Alternative NamesDon’t touch!

After saving, it should look like this:

The bottom one is our new server certificate!

Ok perfect. Now let’s add an user to OPNSense for VPN use. Go to “System–>Access->Users” and click “Add” in the upper right corner. This is a two-step process, so read carefully!

Click “Add” in “System–Access–Users”
Username<your preferred username>“Manni” in my example
Password<the password for the user>
Generate a scrambled password to prevent local database logins for this userUnchecked
Full name<full user name>
E-Mail<users email address>
Preferred landing page<leave empty>
Login shell/sbin/nologin
Expiration date<leave empty>
Group Memberships<don’t change>
CertificateChecked -> Click to create a user certificate
OPT seed<leave empty>
Authorized keys <leave empty>
IPsec Pre-Shared Key <leave empty>

After clicking “Save“, a new prompt appears:

After changing the method to “Create an internal Certificate“, we need to add some data:

MethodCreate an internal Certificate
Descriptive name<leave default>“Manni” in my example
Certificate authorityOPN AuthorityThe authority we’ve created in the first step
TypeClient Certificate
Key TypeRSA
Key length (bits)4096
Digest AlgorithmSHA512
Lifetime (days)825
Private key locationSave on this firewall
Country Code<users country code>
State or Province<users state province>
City<users city>
Organization<users organization>
Email Address<users email address>
Common Name<leave default>“Manni” in my example
Alternative Names<don’t change anything>

After saving, you come back to the first prompt. Now you’ll find the new certificate in “User Certificates”:

Here you see the new Certificate for “Manni”

On the bottom click “Save and go back” and you’ll see all users again including “Manni”.

Done! The new user is now configured!

We’re half way through! Grab a coffee or/and some candy and move on installing the SSL server!

Go to “VPN–>OpenVPN–>Servers” and click “Add” in the top right corner.

You know what to do 😉

Leave default settings except of:

DescriptionSSL VPN Server
Server ModeRemote Access (SSL/TLS + User Auth)
Backend for authenticationLocal Database
Server CertificateVPN Server Certificate (OPN Authority)
DH Parameters Length4096 bit
Encryption algorithmAES-256-CBC (256-bit key, 128-bit block)
Auth Digest Algorithm SHA512 (512-bit)
IPv4 Tunnel Network<choose an ip subnet>choose one that is not used eg:
IPv4 Local Network<your local network>eg:
Disable IPv6Checked

After clicking “Save” you’ll see your server is up and running:

The OpenVPN server is up and running.

At this point we need to configure the firewall…

  1. to allow incoming traffic on port 1194 from the WAN interface
  2. the local network can be reached from the new subnet
The WAN rule.
The OpenVPN rule.

Ok, ok.. the last step: exporting the configuration!

Go to “VPN–>OpenVPN–>Client Export” and select the newly created VPN Server from the list.

Remote Access ServerSSL VPN Server UDP:1194The one we have just created
Export typeFile OnlyBecause our client will be an Android client, all certificates need to be inline!
Hostname<your ip or hostname>Could be your public static ip or your DynDNS domain name.
Use random local portCheck
Validate server subjectCheck
Windows Certificate System StoreUncheck
Disable password saveUncheck
Custom config<leave empty>

You should also see two certificates on the bottom of the page which can be exported. Choose the “Manni” certificate and click the download button on the right.

This is the client certificate. Download by clicking on the right button.

You’ll get and *.ovpn file. Just import this in any OpenVPN App on your Android phone and you’re good to go! You can now connect to the OPNSense appliance with “Manni’s” username and password!


You may also like...

1 Response

  1. Aron Malcher says:

    Hallo, ich habe die Schritte befolgt und OpenVPN Connect Verbindung erfolgreich, aber ich kann nicht auf meine lokalen Geräte zugreifen und wenn ich Webseiten öffne zeigt der Connect Client auch keinen Ausschlag an Traffic aus, was mich vermuten lässt das keinerlei Traffic durch den Tunnel geht. Ich habe jetzt schon echt viel im Internet geguckt, aber keinerlei Lösung gefunden. Vielleicht hast du ja eine Idee woran das liegt, bzw. wie man das Problem löst.

Leave a Reply

Your email address will not be published. Required fields are marked *