pfSense OpenVPN Setup with FreeRADIUS 3 2FA Authentication: Part 2 (FreeRADIUS 3 Setup)

Part 1: OpenVPN Setup
Part 2: FreeRADIUS3 Setup
Part 3: Final Setup – Connecting the Two

PART 2: FreeRADIUS 3 Setup (standalone installation)

Begin by installing the FreeRADIUS 3 package (current version: 0.15): go to System: Package Manager: Available Packages and click Install.

Once installed, we’ll begin the setup by going into the Services menu, then FreeRADIUS.

From here we will start by setting up a new listening interface for FreeRADIUS.  Go to the Interfaces tab and click Add.

Interface IP Address: – unless you plan on using FreeRADIUS authentication for other purposes outside of your pfSense installation, you will want to limit this to localhost only.
Port: [keep default]
Interface Type: Authentication
IP Version: [keep default] (unless you are using IPv6/both for LAN)
Description: Enter a description here for the interface’s purpose.
Once done, hit Save.

We will now add a NAS client.  Navigate to the NAS / Clients tab, then click Add.

Client IP Address: Again, you will want to bind this to localhost (
Client IP Version: IPv4 (unless using IPv6/both)
Client Shortname: Enter a name that identifies the NAS’ purpose like “OpenVPN”
Client Shared Secret: Use a password generator to create a 31-char password.  You will need this again later in setup so record it somewhere.
Description: Enter a description of the purpose of the NAS (“OpenVPN Auth”, etc.)
Once done, hit Save.

We will now add FreeRADIUS as an authentication server so it’s available within pfSense.  Go into the System menu, then User Manager, then the Servers tab.  Click Add.

Change Type to RADIUS.

Descriptive Name: Short description of server purpose
Hostname or IP Address: localhost (
Shared Secret: Enter the shared secret you generated in the previous step.
Services Offered: Change to Authentication
Authentication port: [keep default]
Accounting port: [NA] – not used with accounting option off
Authentication Timeout: [blank]

Once complete, hit Save.

We can now create our first user to test authentication and make sure we have everything properly configured so far between pfSense + FreeRADIUS.

Go into the Services menu and go to FreeRADIUS, then the Users tab.  Click Add.

Username: whatever you wish
Password: leave blank as we will be configuring OTP + PIN method
Password Encryption: [keep default]
One-Time Password: Click to Enable
OTP Auth Method: Change to Google-Authenticator
Init-Secret: Click to Generate OTP Secret
PIN: Choose a 4-8 character pin
Time Offset: [keep default]
QR Code: Click Generate QR Code

At this point, open Google Authenticator on your mobile device and scan the QR code to add the account.

Once successfully added, it should display “FreeRADIUS (%username%)” and your current OTP.
Click Save at the bottom of the screen.

Now we will test authentication to confirm that our PIN + Google Auth OTP are functioning correctly.  Go to the Diagnostics menu, then Authentication.

Change the Authentication Server to your new FreeRadius server.
Username: username
Password: PIN followed by OTP
If unsuccessful, try waiting 60 seconds for the OTP code to change and try again.  If it is still not working, go back into the new user you created. Generate a new Init-Secret + QR code, save, and try again.
If all went well, you should get a message back that you’ve authenticated successfully, and you can move on to the next step.  You may want to review the other general settings within the FreeRADIUS package, especially if you’d like to configure extra logging features, etc.  Note that you do not need to enable “Mobile-One-Time-Password Support” for Google Authenticator use.
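
To troubleshoot a failed test offline, the following added example (not code from the FreeRADIUS package or from this guide's author) recomputes the Google Authenticator code from an Init-Secret and checks a "PIN followed by OTP" password, reporting whether a failure comes from the PIN, the OTP format, or clock drift. It assumes the standard Google Authenticator parameters (RFC 6238, HMAC-SHA1, 30-second step, 6 digits); the function names, the drift window and the sample secret (the RFC 6238 test key, not a real one) are assumptions for illustration.

```python
import base64, hashlib, hmac, struct, time

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 for the Unix time `at`."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", max(int(at), 0) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_password(password, pin, secret_b32, now=None, window=1, step=30):
    """Check 'PIN followed by OTP' and return (ok, reason).

    window: 30 s steps of clock drift tolerated on each side. This is an
    assumption for diagnosis; the package's own tolerance may differ.
    """
    now = time.time() if now is None else now
    if not hmac.compare_digest(password[:len(pin)].encode(), pin.encode()):
        return False, "PIN mismatch"
    otp = password[len(pin):]
    if len(otp) != 6 or not (otp.isascii() and otp.isdigit()):
        return False, "OTP must be exactly 6 digits after the PIN"
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step)
        if hmac.compare_digest(otp.encode(), expected.encode()):
            if drift == 0:
                return True, "ok"
            return True, f"ok, but clocks differ by about {drift * step:+d}s"
    return False, "OTP not valid in window (check phone and firewall clocks)"

if __name__ == "__main__":
    pin = "1234"  # constructed sample PIN
    current = totp(SAMPLE_SECRET, time.time())
    print("current OTP:", current)
    print(check_password(pin + current, pin, SAMPLE_SECRET))
```

A result that only passes with a non-zero drift points to the phone and the firewall disagreeing on the time, which regenerating the Init-Secret will not fix.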