Authinator3
Authinator is a web login gateway for firewalls: authenticate over HTTPS, click once, and your current IP address is granted passage through the firewall. Everyone else sees a wall.
It solves the classic remote-access dilemma. Leaving management ports (SSH, VPN, admin panels) open to the internet invites the whole world to knock; port-knocking schemes are brittle and awkward to use from a phone or a borrowed machine. Authinator replaces both with something anyone can operate: a login page.
How it works
- The firewall runs a minimal HTTPS site — on OpenBSD, the stock
httpdandslowcgi, confined to the system’s web chroot. No third-party web stack. - You authenticate, and Authinator adds your source IP to a dedicated packet filter (pf) table. The firewall ruleset grants access only to addresses in that table.
- An audit view lists currently authorized addresses — with reverse-DNS names, whois lookup links, the date each was cleared through, and one-click removal. Separate tables distinguish transient logins from long-standing friends.
The design follows the same philosophy as everything we build: default-deny, explicit allow. The firewall stays dark to the internet at large; access is a deliberate, audited, per-address grant — and revoking it is one click.
Pedigree
Authinator has guarded our own production gateways in one form or another
since 2007 — first as an Apache CGI driving pfctl, later rebuilt for
OpenBSD’s native chroot’d web server with direct pf access (no sudo, no shell
calls). Installation on a fresh firewall is a single idempotent step.
Status
Authinator is deployed with our firewall consulting engagements, typically
alongside OpenBSD/pf gateway builds. Authinator3 — a modernized
cross-platform release in Go: OpenBSD and Linux (nftables), one
self-contained binary per platform, confined by pledge/unveil on
OpenBSD and a locked-down systemd service on Linux — is in active
development.
Downloads
Signed binaries for OpenBSD (amd64/arm64) and Linux (amd64/arm64) will be published on this page with the first tagged release, together with the source repository. Until then, contact us for early access or evaluation.