Log in to your OPNsense instance with firewall admin rights and go to System – Access – Users:
Note: Credentials for this account will be in your password vault.
At the bottom right, select add a new user:
Fill out user information as per screenshot below:
NOTE: For “Group membership” select “Users”. This user group will have the minimum privileges required for user access, and no admin rights.
Find the “OTP Seed” section and create a new seed. The OPNsense UI will display the QR code to import into the Google Authenticator mobile app.
NOTE: Take a screenshot of this QR code and safely share the image with the user in your organization who will use this VPN account.
VPN access as defined in the OPNsense firewall requires MFA:
Go to System – Trust – Certificates:
Click add new, bottom right:
In the description field, add the username for the user account created previously:
Ensure that Type = Client Certificate:
DO NOT select self-signed. Expand the list and select your root CA PKI.
Under common name, add the username for the user account created previously:
Go to VPN – OpenVPN – Client Export:
Click the download icon for the desired VPN account.
Refer to our KB article https://socfortress.supportbench.net/ar-1065/ covering how to install the OpenVPN client, import the VPN config file and connect to the VPN.
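What the QR code from the “OTP Seed” step carries, as an added example that is not part of the original article or OPNsense's own code: it assumes the QR encodes a standard otpauth://totp/ key URI as read by Google Authenticator, and uses the RFC 6238 test seed with hypothetical user and host names. Anyone holding the screenshot can compute the same codes as the user's phone, which is why the image has to be shared safely.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs


def parse_otpauth(uri):
    """Return (account label, base32 seed) from an otpauth://totp/ key URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    seed = parse_qs(u.query).get("secret", [""])[0]
    if not seed:
        raise ValueError("URI carries no secret")
    return u.path.lstrip("/"), seed


def totp(seed_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps and 6 digits."""
    seed = seed_b32.upper().replace(" ", "")
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))
    counter = struct.pack(">Q", int(at) // step)       # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed_b32, submitted, at, window=1):
    """Accept the current 30 s step and +/- `window` steps to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(seed_b32, at + i * 30), submitted)
        for i in range(-window, window + 1)
    )


# Constructed sample: RFC 6238 test seed, hypothetical user and host names.
SAMPLE_URI = (
    "otpauth://totp/vpnuser@fw.example.test"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
)

if __name__ == "__main__":
    import time
    label, seed = parse_otpauth(SAMPLE_URI)
    print(label, totp(seed, time.time()))
```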