Mikrotik openVPN with 2FA
2FA Authentication with Mikrotik
Prerequisites
- RADIUS installed, configured, and activated. Make sure to click the [INCOMING] button and enable the flag
- User Manager installed and configured to use RADIUS
- If you want to use 2FA for Winbox login: go to SYSTEM→USERS, click [AAA], check "Use RADIUS", and define the access group (read, full, write)
- If you want to use it for OpenVPN: in RADIUS→General, enable the PPP usage flag; then in PPP, click [Authentication & Accounting] and enable "Use Radius"
User Creation
In User Manager, create a user.
Set a password that will serve as the prefix for the password to be entered before the OTP code.
In the OTP Secret field, enter the shared secret in Base32 encoding. You can encode one here: [1](https://emn178.github.io/online-tools/base32_encode.html)
For example, entering `giovanni12` returns `M5UW65TBNZXGSMJS` (the Base32 encoding of that string).
The Base32 code will then be used in Google Authenticator to generate a token.
Test the login by accessing the console.
Configuration for OpenVPN
In the connection profile (PPP→Profiles), under Limits, set "Only One" to YES. (Important for stability, based on forum advice: otherwise the connection often drops.)
Create an address pool in IP→POOL.
For example, if the server's OpenVPN local address is 10.90.0.1, you can create a pool named `OVPN_pool` with addresses 10.90.0.2–10.90.0.15.
In the User Manager user form, add the attribute `Framed-Pool` with the value `OVPN_pool`.
Alternatively, if you want to assign a static IP, use the attribute `Framed-IP-Address` and specify the address.
Create a certificate using the local CA (the same one used for the OpenVPN server certificate) and export it with a passphrase.
At this point, the FILES section will contain a certificate and a key (.crt and .key respectively).
Also export the CA to obtain a `.crt` file in Files.
Now you can export the OpenVPN configuration file from the server form via [Export .ovpn].
Insert the public IP for access.
Select the exported CA certificate from the dropdown menu.
Do the same for the user certificate and key.
A configuration file will be generated which already includes the certificates.
Now you can log in with the RADIUS user by entering the username, prefix+OTP, and the certificate export password. The latter can be saved so it’s not requested again.
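The following is an added example, not code from the wiki page and not RouterOS or User Manager code. It shows how the Base32 "OTP Secret" entered in User Manager relates to the 6-digit code Google Authenticator displays (RFC 6238 TOTP with the app's defaults: HMAC-SHA1, 30-second step, 6 digits), reproduces the `giovanni12` → `M5UW65TBNZXGSMJS` encoding from above, and sketches how a RADIUS backend checks a submitted "prefix+OTP" password. The ±1 step tolerance in `verify_prefix_otp` is an assumption for illustration, not a documented RouterOS value. One practical point: a secret obtained by Base32-encoding a short word such as `giovanni12` is guessable; `new_base32_secret` generates random bytes locally instead, so the secret never leaves your machine.

```python
"""Added example: TOTP secret handling behind the Mikrotik 2FA setup.

Not RouterOS / User Manager code; the accepted time window is an assumption.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # Google Authenticator default time step
DIGITS = 6          # Google Authenticator default code length


def encode_phrase(phrase: str) -> str:
    """What the online Base32 tool on the page does: plain Base32 encoding of the text."""
    return base64.b32encode(phrase.encode("utf-8")).decode("ascii")


def new_base32_secret(nbytes: int = 20) -> str:
    """Random secret for the OTP Secret field (20 bytes = 160 bits, RFC 4226 minimum)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def totp(secret_b32: str, at_time: Optional[float] = None) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits): what the authenticator app shows."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore Base32 padding
    key = base64.b32decode(padded)
    counter = int((time.time() if at_time is None else at_time) // STEP_SECONDS)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify_prefix_otp(submitted: str, expected_prefix: str, secret_b32: str,
                      at_time: Optional[float] = None, window: int = 1) -> bool:
    """Check a password of the form prefix+OTP as described on the page.

    The static prefix is compared in constant time; the trailing 6 digits are
    accepted if they match the current step or one step either side
    (window=1 is an illustrative assumption, not a RouterOS setting).
    """
    if len(submitted) != len(expected_prefix) + DIGITS:
        return False
    prefix, code = submitted[:-DIGITS], submitted[-DIGITS:]
    if not hmac.compare_digest(prefix, expected_prefix):
        return False
    now = time.time() if at_time is None else at_time
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + k * STEP_SECONDS), code):
            return True
    return False


# RFC 6238 reference seed ("12345678901234567890"), Base32-encoded like a User Manager secret.
RFC6238_TEST_SECRET_B32 = encode_phrase("12345678901234567890")

if __name__ == "__main__":
    print("page example:", encode_phrase("giovanni12"))        # M5UW65TBNZXGSMJS
    print("fresh random OTP Secret:", new_base32_secret())
    print("RFC 6238 vector at t=59:", totp(RFC6238_TEST_SECRET_B32, 59))   # 287082
    print("login check:", verify_prefix_otp("pw287082", "pw", RFC6238_TEST_SECRET_B32, 59))
```

Paste the value from `new_base32_secret()` into the OTP Secret field and scan or type the same value into Google Authenticator; `totp()` with the same secret must then print the code the app is showing, which is a quick way to confirm the secret was entered correctly before testing the console login.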
