OPNsense Forum

English Forums => General Discussion => Topic started by: jmcgon on September 22, 2022, 05:19:56 pm

Title: Authentication local OR local + OTP not both?
Post by: jmcgon on September 22, 2022, 05:19:56 pm
I have set up TOTP for the VPN connection and it is working. I have tested it using the tester function (cool feature) and using a VPN client. That is all good. But, in my testing I figured out that I can access the VPN using either local account + OTP or just using the local account. This surprised me since I double checked and see that local + OTP is selected for the OpenVPN connection. In fact, as I previously stated, the local account works as well.

So back to research: reading forum posts, reading documents, searching other sites.

Now it seems that on an OPNsense device (this install is on a Protectli FW4B) one either has the local account login enabled (by default) or disabled. It cannot be an AND, it is an OR.

I thought that I could use the local account + OTP for VPN and then local only for GUI and management. Am I wrong, is it either local account only OR local + OTP (or some other method (LDAP, AD or RADIUS))?

Can I not set up a group for VPN access and have just that group use the local + OTP? 

Other questions:

Assuming that it is one or the other authentication option,

Then root will need an OTP to use the GUI? Or any other admin?

SSH is therefore essential if it is OR? (Why is SSH disabled by default?)

A backup version stored securely is even more essential in case OTP gets corrupted by an update or power surge or the electron devils scrambling a bit or two.

Any suggestions or knowledge or guidance would be appreciated.
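The behaviour reported above (the bare local password is accepted even though "local + OTP" is selected) is what you get when an authenticator treats the second factor as optional. The example below is added here to illustrate the difference; it is not OPNsense code and not the poster's, and it makes these assumptions: a 6-digit RFC 6238 TOTP code is prepended to the password in the submitted credential (token first), clock skew of one 30-second step is tolerated, and the user record, PBKDF2 salt, seed (the RFC 6238 test-vector seed) and timestamp are constructed for the demonstration. `auth_strict` is how a "local + OTP" server should behave; `auth_lax` reproduces the downgrade, where a failed OTP+password attempt silently falls back to the password alone.

```python
"""Hypothetical 'local password + TOTP' authenticator, written to illustrate
the strict-versus-lax behaviour discussed in the post. It is not OPNsense
code; the user record, salt, seed and timestamp below are constructed."""
import hashlib
import hmac
import struct

TOKEN_LEN = 6        # digits in the one-time code (assumption)
STEP = 30            # RFC 6238 time step in seconds
PBKDF2_ROUNDS = 100_000
SALT = b"constructed-salt-not-for-production"   # assumption: fixed demo salt


def hotp(secret: bytes, counter: int, digits: int = TOKEN_LEN) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, digits: int = TOKEN_LEN) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP, digits)


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)


def password_ok(user: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password), user["pw_hash"])


def token_ok(user: dict, token: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/-window neighbours to allow clock skew.
    A user with no enrolled seed can never satisfy the OTP factor."""
    if user["seed"] is None:
        return False
    counter = now // STEP
    return any(
        hmac.compare_digest(hotp(user["seed"], counter + d), token)
        for d in range(-window, window + 1)
    )


def auth_strict(users: dict, username: str, submitted: str, now: int) -> bool:
    """'Local + OTP' as it should behave: the one-time code is mandatory.
    The code is assumed to be prepended to the password (token first)."""
    user = users.get(username)
    if user is None or len(submitted) <= TOKEN_LEN:
        return False
    token, password = submitted[:TOKEN_LEN], submitted[TOKEN_LEN:]
    # Evaluate both factors before deciding so that which one failed is
    # not revealed by an early return.
    pw = password_ok(user, password)
    tk = token_ok(user, token, now)
    return pw and tk


def auth_lax(users: dict, username: str, submitted: str, now: int) -> bool:
    """The downgrade the post describes: try OTP+password, then silently fall
    back to the bare local password, making the second factor optional."""
    if auth_strict(users, username, submitted, now):
        return True
    user = users.get(username)
    return user is not None and password_ok(user, submitted)


def make_users() -> dict:
    """Constructed user database: one VPN user with a TOTP seed enrolled."""
    return {
        "vpnuser": {
            "pw_hash": hash_password("correct horse battery staple"),
            "seed": b"12345678901234567890",   # RFC 6238 test-vector seed
        }
    }


NOW = 1_663_863_596   # constructed fixed timestamp so results are reproducible


def demo() -> dict:
    """Run the same credential through both verifiers and report the outcome."""
    users = make_users()
    seed = users["vpnuser"]["seed"]
    pw = "correct horse battery staple"
    return {
        "strict_otp_plus_password": auth_strict(users, "vpnuser", totp(seed, NOW) + pw, NOW),
        "strict_password_only": auth_strict(users, "vpnuser", pw, NOW),
        "strict_stale_otp": auth_strict(users, "vpnuser", totp(seed, NOW - 600) + pw, NOW),
        "lax_password_only": auth_lax(users, "vpnuser", pw, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} {'ACCEPT' if result else 'REJECT'}")
```

The tester in the post accepts OTP+password for both verifiers, which is why a positive test alone proves nothing; the check worth running is the negative one (password only), which `auth_strict` rejects and `auth_lax` accepts. When verifying a setup, also test a user who has no OTP seed enrolled, since a strict server must reject that user outright rather than treat "no seed" as "no OTP required".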