Mikrotik openVPN with 2FA: Difference between revisions
Latest revision as of 09:01, 31 July 2025
2FA Authentication with Mikrotik
Prerequisites
- RADIUS installed, configured, and activated. Make sure to click the [INCOMING] button and enable the flag
- User Manager installed and configured to use RADIUS
- If you want to use 2FA for Winbox login: go to SYSTEM→USERS, click [AAA], check "Use RADIUS", and define the access group (read, full, write)
- If you want to use it for OpenVPN: in RADIUS→General, enable the PPP usage flag; then in PPP, click [Authentication & Accounting] and enable "Use Radius"
User Creation
In User Manager, create a user.
Set a password that will serve as the prefix for the password to be entered before the OTP code.
It can be void if you wish to authenticate with OTP code only.
In the OTP Secret field, enter a Base32-encoded secret (Base32 is an encoding, not a hash). You can generate one here: https://emn178.github.io/online-tools/base32_encode.html
For example, entering `giovanni12` returns `M5UW65TBNZXGSMJS`.
The Base32 code will then be used in Google Authenticator to generate a token.
Test the login by accessing the console.
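To make the prefix + OTP scheme concrete, here is an added Python example (not code from the article or from MikroTik) that Base32-encodes a seed as the linked tool does, computes the TOTP that Google Authenticator would show, builds the composite value the user types in the password field, and checks it the way the RADIUS side must. It assumes User Manager verifies standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits); the ±1 step tolerance in `verify` is an assumption, and `random_base32_secret` is a helper for generating a proper random seed instead of a memorable word.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Assumption: User Manager verifies the OTP as standard TOTP (RFC 6238: HMAC-SHA1,
# 30-second step, 6 digits), which is the scheme Google Authenticator generates.
STEP = 30
DIGITS = 6


def base32_secret(plain):
    """Base32-encode a seed string, as the encoder linked above does."""
    return base64.b32encode(plain.encode()).decode()


def random_base32_secret(nbytes=20):
    """Preferable to a memorable word: a random 160-bit seed, Base32 for the authenticator."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, for_time=None):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret_b32, int(for_time) // STEP)


def composite_password(prefix, secret_b32, for_time=None):
    """What the user types in the password field: static prefix followed by the OTP."""
    return prefix + totp(secret_b32, for_time)


def verify(submitted, prefix, secret_b32, for_time=None, window=1):
    """Server-side check: the prefix must match, then the trailing digits must equal
    the OTP for the current step or one step either side (clock drift tolerance;
    the window is an assumption, the real RADIUS-side tolerance is not documented here)."""
    if for_time is None:
        for_time = time.time()
    if len(submitted) != len(prefix) + DIGITS or not submitted.startswith(prefix):
        return False
    code = submitted[len(prefix):]
    now = int(for_time) // STEP
    return any(hmac.compare_digest(code, hotp(secret_b32, now + d))
               for d in range(-window, window + 1))
```

An empty prefix (the "void" password case above) works the same way: the submitted value is then just the six OTP digits.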
Configuration for OpenVPN
In the connection profile (PPP→Profiles), under Limits, set "Only One" to YES. (Important for stability, based on forum advice. Otherwise, the connection often drops.)
Use the TCP protocol: MikroTik's OpenVPN implementation over UDP is poor. Use UDP only if your connection is very reliable; otherwise the tunnel will keep resetting every few minutes.
Create an address pool in IP→POOL.
For example, if the server's OpenVPN local address is 10.90.0.1, you can create a pool named `OVPN_pool` with addresses 10.90.0.2–10.90.0.15.
In the User Manager user form, add the attribute `Framed-Pool` with the value `OVPN_pool`.
Alternatively, if you want to assign a static IP, use the attribute `Framed-IP-Address` and specify the address.
Create a certificate using the local CA (the same one used for the OpenVPN server certificate) and export it with a passphrase.
At this point, the Files section will contain the certificate and the key (.crt and .key).
Also export the CA to obtain a `.crt` file in Files.
Now you can export the OpenVPN configuration file from the server form via [Export .ovpn].
Insert the public IP for access.
Select the exported CA certificate from the dropdown menu.
Do the same for the user certificate and key.
A configuration file will be generated which already includes the certificates.
Now you can log in with the RADIUS user by entering the username, prefix+OTP, and the certificate export password. The latter can be saved so it’s not requested again.
