pfSense 2FA - Initial Setup
Prerequisites
You will first need to download an Authenticator app. Any authenticator app should work, and the pfSense FreeRADIUS package is tested with Google Authenticator.
You'll also need to log in to your pfSense firewall as admin.
Using OpenVPN with 2FA
The OpenVPN server comes pre-configured to use FreeRADIUS as the authentication backend. To utilize this, you just need to create FreeRADIUS users.
1. Go to Services -> FreeRADIUS in the pfSense firewall.
2. Under the Users tab, click Add.
3a. Select a username for VPN access.
3b. One-Time Password Configuration
Set the following options:
One-Time Password - Make sure this box is checked
OTP Auth Method - Google-Authenticator
Init-Secret - Click "Generate OTP secret" to create a random Init-Secret
PIN - Create a unique 4-8 digit PIN. This PIN is needed to log in using 2FA, so make sure to give it to the VPN user over a secure channel.
Once these are set, click on "Generate QR Code". Give the VPN user secure access to this QR code so they can scan it using their Authenticator app.
Scroll to the bottom of the user creation page and click "Save".
4. Connect the user to an Authenticator app using the QR Code
5. Download the OpenVPN client from the pfSense firewall under VPN -> OpenVPN -> Client Export
6. Install the OpenVPN client on the user's device. NOTE: You will need to create a FreeRADIUS user for each individual device that connects using OpenVPN.
Once installed, you'll be prompted for a username and password to connect.
To log in, use the username you just created, and the password will be the OTP PIN + Authenticator OTP.
How to authenticate with 2FA
When authenticating as a 2FA user, your password will be the OTP PIN + Authenticator OTP, typed as one string with no separator. Ex. 123456942244 (PIN 123456 followed by the 6-digit OTP 942244).
OTP PIN: Always the same. Set in the FreeRADIUS user configuration.
Authenticator OTP: The 6-digit code shown in Google Authenticator, which changes every 30 seconds.
Using 2FA to access the pfSense WebGUI
To access the pfSense WebGUI using 2FA, you'll need to create an "administrator" FreeRADIUS user, give the user access in System -> User Manager, and disable the default "admin" user. Here is a step-by-step guide for doing this.
1. Go to Services -> FreeRADIUS in the pfSense firewall.
2. Under the Users tab, click Add.
3a. Select a username for admin access. In our example, we use "administrator" for the admin username.
3b. One-Time Password Configuration
Set the following options:
One-Time Password - Make sure this box is checked
OTP Auth Method - Google-Authenticator
Init-Secret - Click "Generate OTP secret" to create a random Init-Secret
PIN - May contain 4-8 digits. Make sure to save this; you will need it every time you log in.
Once these are set, click on "Generate QR Code". Scan the QR code using an Authenticator app.
3c. Once you've scanned the QR Code and connected your Authenticator app, scroll to the bottom of the user creation page and click "Save".
4. Once you've created the FreeRADIUS user, go to System -> User Manager
4a. Add a new user.
Disabled - Make sure to check the box that says "This user cannot login". If you leave the box unchecked, the local password set below would let the user log in without 2FA.
Username - Must be the same username as the FreeRADIUS user you created in Step 3.
Password - Must be a valid password.
Group Membership - Make sure the user is a member of the "admins" group. This will give the user access to the pfSense WebGUI.
5. Once you've created your 2FA user, log out and test if you're able to log in using 2FA.
To log in, use the username you just created, and the password will be the OTP PIN + Authenticator OTP.
6. Once you've logged in successfully with your 2FA user, go back to System -> User Manager and edit the "admin" user. Tick the box that says "This user cannot login".
This will disable the default admin user, so you can only access the pfSense WebGUI using 2FA.