OpenVPN + TOTP. How to get QR code?

Started by dym8, June 07, 2021, 04:18:45 PM

Hello.

I have an OpenVPN server set up and TOTP authentication is enabled. But when a user sets up his Google Authenticator I have to make the QR code for him myself. Is there a way for a user to get the QR code himself without my action?

Thank you.

The feature was added in 21.1:

https://github.com/opnsense/changelog/blob/6bdcd81f348e5171bbee6240666404525c990f14/community/21.1/21.1#L49

You can find the setting under System: Settings: Administration: User OTP seed. Select a group to permit OTP regeneration and then go to Lobby: Password page with the respective user to view the QR code once while creating a new token.


Cheers,
Franco

Thank you.
But I didn't understand how it can help me. Can you describe it step by step?
What I did.
1. I created a new AD user.
2. I imported this one into OPNsense here: System > Access > Users
3. I created a new group OTP and selected it here: System > Settings > Administration > User OTP seed
4. I added the new user to this group
5. I tried to log in as this user to the Lobby and got "Wrong username or password"

The log file shows "user testvpn could not authenticate for WebGui. [using OPNsense\Auth\Services\WebGui + OPNsense\Auth\Local]"

What do I have to do?

Obviously you need to let the user log in on the GUI with the password page privilege in order to serve a new OTP token...


Cheers,
Franco

Thank you so much for your help. Well done.