Description
Hello OPNsense team,
First of all, thank you for your great work!
I would like to request a new feature that could be helpful for environments using OpenVPN with LDAP/Active Directory (AD) and OTP authentication.
Use Case
I’ve configured an OpenVPN server with LDAP authentication via Active Directory, using the memberOf filter to allow only users in the _VPN group. Everything works well: when I add a user to the _VPN group in AD, the user is correctly created in OPNsense, and OTP is enforced.
Feature Request
It would be great if there were an option (automatic or via a button) to send the OTP QR code to the user's email address, fetched directly from their AD account (using the mail attribute). Ideally:
When a user is added from AD and OTP is enabled, the system could email them the QR code.
Alternatively, a "Send QR Code" button in the user management section of OPNsense would be sufficient and safer (avoiding automatic behavior).
This would simplify onboarding for new users without having to expose the OPNsense Web UI externally on port 443.
Why This Matters
Currently, to get users set up with OTP, I’m considering creating a guide instructing them to log into the OPNsense web portal to get their QR code. However, that requires exposing the web interface to the internet, which I would prefer to avoid for security reasons.
Question
Is this a valid feature request, or am I overlooking an existing solution or a better workflow? Any recommendations are welcome.
Thanks again for your support and the amazing work you do with OPNsense!
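Added example, not part of the original request and not OPNsense code: a Python sketch of the onboarding step the request describes. It looks a user up in an AD-style record (the memberOf check and the mail attribute), generates a TOTP seed, builds the otpauth:// URI that a QR code would encode, assembles the enrolment e-mail, and verifies a code the way the server side would. The directory dictionary, the group DN, the issuer name and the sender address are constructed assumptions; the URI layout is the otpauth scheme authenticator apps use and the code computation follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits). Only the standard library is used, so no QR image is rendered; the URI string is the payload a QR library would draw.

```python
"""Hypothetical OTP enrolment helper (added example, not OPNsense code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from email.message import EmailMessage
from urllib.parse import quote, urlencode

# Constructed stand-in for the AD lookup; a real implementation would query
# LDAP with the same memberOf filter the OpenVPN server uses.
AD_DIRECTORY = {
    "alice": {
        "sAMAccountName": "alice",
        "mail": "alice@example.org",
        "memberOf": ["CN=_VPN,OU=Groups,DC=example,DC=org"],
    },
    "bob": {
        "sAMAccountName": "bob",
        "mail": "bob@example.org",
        "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=org"],
    },
}
VPN_GROUP_DN = "CN=_VPN,OU=Groups,DC=example,DC=org"  # assumed DN


def lookup_vpn_user(username):
    """Return the directory entry only if the user is in the _VPN group."""
    entry = AD_DIRECTORY.get(username)
    if entry is None or VPN_GROUP_DN not in entry["memberOf"]:
        return None
    return entry


def new_totp_secret():
    """Fresh 160-bit seed, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def otpauth_uri(issuer, account, secret, digits=6, period=30, algorithm="SHA1"):
    """Provisioning URI; this exact string is what the QR code encodes."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": secret, "issuer": issuer, "digits": digits,
                       "period": period, "algorithm": algorithm})
    return f"otpauth://totp/{label}?{query}"


def totp(secret, for_time=None, digits=6, period=30):
    """RFC 6238 TOTP over HMAC-SHA1: what the server computes to check a code."""
    if for_time is None:
        for_time = time.time()
    key = base64.b32decode(secret.upper())
    counter = struct.pack(">Q", int(for_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def build_enrolment_mail(sender, entry, uri):
    """Address the enrolment mail using the AD mail attribute."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = entry["mail"]
    msg["Subject"] = "Your VPN one-time-password enrolment"
    msg.set_content(
        "Scan this URI with your authenticator app (a QR code is just this "
        "text rendered as an image):\n\n" + uri + "\n\n"
        "It contains your OTP secret: delete this message after enrolling."
    )
    return msg


def enrol(username, issuer="OPNsense", sender="vpn@example.org"):
    """Full flow for one user; returns (secret, message) or None if not in _VPN."""
    entry = lookup_vpn_user(username)
    if entry is None:
        return None
    secret = new_totp_secret()
    uri = otpauth_uri(issuer, entry["mail"], secret)
    return secret, build_enrolment_mail(sender, entry, uri)


if __name__ == "__main__":
    result = enrol("alice")
    secret, mail = result
    print(mail.as_string())
    print("current code:", totp(secret))
```

The QR code carries the seed itself, so anyone who can read the mailbox (or the mail in transit) can enrol the same token; that is why a button-driven send, a short validity window for unenrolled seeds, and a prompt to delete the message matter more here than the image format.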