OPNsense Forum » Archive » 21.7 Legacy Series
Topic: TOTP VPN issues (Read 1785 times)
cs@ithandsfree.com (Newbie, Posts: 5, Karma: 0)
TOTP VPN issues « on: November 12, 2021, 06:54:00 pm »
Since the upgrade, 2FA using either Google or MS Authenticator results in authentication failures.
Once I changed the authentication to "local database", users could authenticate and connect to the VPN.
Things were working perfectly fine prior to the update.
I have already verified the time servers on the appliance, the phone used with the Authenticator app, and the desktop.
The TOTP is set up for a 60-second duration and a 10-second grace period. Even when the grace period is extended to 15, the authentication fails.
I also created a new user, new user certificate and OTP seed; however, the issue continues with existing and new users.
I have also installed the latest version of the OpenVPN software "openvpn-connect-v3-windows-x86" as I noticed in the logs that OPNsense was using TLS 1.3.
The logs are just showing "authentication failed"?
Not sure where to go from here.
*edited: Nov-12-2021 @ 8:09pm EST*
After some additional testing I have found that after the update the OTP seed is generating, via the QR code, 30-second timer sessions. This is an issue as the Access Server setup for TOTP was configured for 60 seconds. Now after the update, I did notice the '60 seconds' custom setting was cleared and I thought that was an error; however, it may have been by design. The problem this causes is that all existing users have authenticators set up using the 60-second timer, and this is why authentication is failing.
It does not seem to matter whatever setting I make in the section "Time window"; OPNsense seems to be generating authenticator timer setups of 30 seconds.
I have confirmed that even using the previously released OTP seed QR code, it is creating a 30-second timer authenticator, whereas users have 60-second timers.
Thus something has changed with the update, and I am not sure if it is a bug; I am guessing it is, since this forced 30-second time negates the option to set the Time Window to 60 seconds.
So the solution is for users to delete their current authenticator and then generate a new one, and to have the OTP Access Server configured with no Time Window defined, thus leaving it at the default.
Perhaps the OPNsense devs will resolve this, as users have complained about the 30-second timer.
« Last Edit: November 14, 2021, 10:46:17 pm by cs@ithandsfree.com »
bimbar (Sr. Member, Posts: 435, Karma: 25)
Re: TOTP VPN issues « Reply #1 on: November 13, 2021, 08:15:12 pm »
Seems to me the user OTP setup just doesn't care about any 2FA servers; it's just always doing 30 seconds.
You can generate an OTP for a user without even having a 2FA server. I'd bet it also doesn't care about token length.
If you set the OTP time on said server to 60 seconds, that seems to work, however, as my 30-second OTP doesn't work at all anymore.
Testing shows that differing OTP times do not sometimes generate the same OTP token, but instead generate completely different numbers.
So, I'd suggest either sticking to the default settings, not using the QR code, generating your own QR code, or just using the OTP key itself. I'd just use the default; it's not that important.
« Last Edit: November 13, 2021, 08:16:56 pm by bimbar »