This step-by-step guide shows how to enable two-factor authentication (2FA) with Google Authenticator for VPN in Nebula.
Table of Content
1. Configure 2FA on Nebula CC
1.1 Enable 2FA on Remote Access VPN Settings
1.2 Configure Cloud Authentication
1.3 Click the link in the Email
2) Configure the SecuExtender Client with 2FA
2.3 Login (Dial up the VPN tunnel)
1. Configure 2FA on Nebula CC
1.1 Enable 2FA on Remote Access VPN Settings
Navigate to
Site-wide > Configure > Firewall > Remote Access VPN
Then activate “Two-factor
authentication with Captive Portal”
1.2 Configure Cloud Authentication
Go to
Site-wide > Configure > Cloud authentication
Then create the VPN client, check the allowed to use Remote VPN, and send the information to the user.
1.3 Click the link in the Email
Go to check the email and click the link.
1.4 Begin the 2FA Process
After the login then activate the Google authenticator, then use your mobile phone to scan the QR code to install. Don’t forget to download the backup code in case lost the phone.
2) Configure the SecuExtender Client with 2FA
2.1 Configure Phase 1
Configure the Zyxel VPN client then right-click IVE_V1 and click “New VPN Gateway”
Phase 1.
Remote Gateway is NSG WAN IP address.
The Cryptography is the same as the setting in Nebula policy.
In Protocol tab, activate the Mode Config
2.2 Configure Phase 2
Create the phase 2 setting “New VPN connection”
Configure the Remote LAN address/subnet as 0.0.0.0, and ESP as same as the policy
setting in Remote VPN policy.
In scripts, configure 2FA portal page on the Automation tab. “When tunnel is open” input
the URL with https://192.168.1.1/weblogin.cgi?auth_type=vpn
Note: The URL IP address is USG FLEX LAN 1 IP. (In this case is 192.168.8.1)
Find your LAN1 IP address in USG FLEX> Interface
2.3 Login (Dial up the VPN tunnel)
X-auth windows pop up
Then the authentication page will auto pop up.
Open the Google authenticator in your mobile phone and enter the passcode.
Login successful