LDAP, 2FA (Google Authenticator) and OPENVPN

[gbr]

Hi,

Still running 20.7.5. I can/will upgrade if necessary.

I've been mandated to add 2FA to our VPN logins. It looks like OPNSense can do it, but it's not straight forward with LDAP (AD).

1. Do I still need to import my LDAP users? I can't figure out how... obviously missing something here.
2. Does anyone else do LDAP <--> 2FA <--> OPENVPN? How does it work for you?
3. Is it possible to stage this in (per user) so I don't have a massive support issue when things roll out?

Thanks,
Gerald

[gbr]

I found this. Haven't tested yet, but looks good. https://nick.bouwhuis.io/2020/01/26/opnsense-activedirectory-openvpn-totp/#:~:text=Descriptive%20name%3A%20Uberkek%20AD%20Type%3A%20LDAP%20%2B%20Timebased,mode%3A%2010%3E%20Reverse%20token%20order%3A%20Checked%2C%20or%20unchecked