Mikrotik openVPN with 2FA - Revision history

Administrator at 09:01, 31 July 2025

2025-07-31T09:01:12Z

← Older revision		Revision as of 09:01, 31 July 2025
Line 33:		Line 33:
	A configuration file will be generated which already includes the certificates.</br>		A configuration file will be generated which already includes the certificates.</br>
	Now you can log in with the RADIUS user by entering the username, prefix+OTP, and the certificate export password. The latter can be saved so it’s not requested again.		Now you can log in with the RADIUS user by entering the username, prefix+OTP, and the certificate export password. The latter can be saved so it’s not requested again.
			[[Category:2FA]][[Category:OpenVPN]][[Category:Mikrotik]]

Administrator: /* User Creation */

2025-07-22T07:15:04Z

User Creation

← Older revision		Revision as of 07:15, 22 July 2025
Line 14:		Line 14:
	In User Manager, create a user.<br>		In User Manager, create a user.<br>
	Set a password that will serve as the prefix for the password to be entered before the OTP code.</br>		Set a password that will serve as the prefix for the password to be entered before the OTP code.</br>
			It can be void if you wish to authenticate with OTP code only.<br>
	In the OTP Secret field, enter a Base32 HASH. You can generate one here: [https://emn178.github.io/online-tools/base32\_encode.html](https://emn178.github.io/online-tools/base32_encode.html) <br>		In the OTP Secret field, enter a Base32 HASH. You can generate one here: [https://emn178.github.io/online-tools/base32\_encode.html](https://emn178.github.io/online-tools/base32_encode.html) <br>
	For example, entering `giovanni12` returns `M5UW65TBNZXGSMJS`.</br>		For example, entering `giovanni12` returns `M5UW65TBNZXGSMJS`.</br>

Administrator: /* Prerequisites */

2025-07-22T07:14:04Z

Prerequisites

← Older revision		Revision as of 07:14, 22 July 2025
Line 6:		Line 6:
	=== Prerequisites ===		=== Prerequisites ===

	* RADIUS installed, configured, and activated. Make sure to click the \[INCOMING] button and enable the flag		* RADIUS installed, configured, and activated. Make sure to click the [INCOMING] button and enable the flag
	* User Manager installed and configured to use RADIUS		* User Manager installed and configured to use RADIUS
	* If you want to use 2FA for Winbox login: go to SYSTEM→USERS, click \[AAA], check "Use RADIUS", and define the access group (read, full, write)		* If you want to use 2FA for Winbox login: go to SYSTEM→USERS, click [AAA], check "Use RADIUS", and define the access group (read, full, write)
	* If you want to use it for OpenVPN: in RADIUS→General, enable the PPP usage flag; then in PPP, click \[Authentication & Accounting] and enable "Use Radius"		* If you want to use it for OpenVPN: in RADIUS→General, enable the PPP usage flag; then in PPP, click [Authentication & Accounting] and enable "Use Radius"

	=== User Creation ===		=== User Creation ===

Administrator: /* Configuration for OpenVPN */

2025-07-22T07:13:15Z

Configuration for OpenVPN

← Older revision		Revision as of 07:13, 22 July 2025
Line 21:		Line 21:
	=== Configuration for OpenVPN ===		=== Configuration for OpenVPN ===
	In the connection profile (PPP→Profiles), under Limits, set "Only One" to YES. (Important for stability, based on forum advice. Otherwise, the connection often drops.)<br>		In the connection profile (PPP→Profiles), under Limits, set "Only One" to YES. (Important for stability, based on forum advice. Otherwise, the connection often drops.)<br>
			'''Configure TCP protocol''': MIKROTIK implementation of openvpn UDP is terrible. Use UDP only in case your connection is '''very''' affordable, otherwise it will keep on resetting every few minutes.<br>
	Create an address pool in IP→POOL.<br>For example, if the server's OpenVPN local address is 10.90.0.1, you can create a pool named `OVPN_pool` with addresses 10.90.0.2–10.90.0.15.</br>		Create an address pool in IP→POOL.<br>For example, if the server's OpenVPN local address is 10.90.0.1, you can create a pool named `OVPN_pool` with addresses 10.90.0.2–10.90.0.15.</br>
	In the User Manager user form, add the attribute `Framed-Pool` with the value `OVPN_pool`.</br>		In the User Manager user form, add the attribute `Framed-Pool` with the value `OVPN_pool`.</br>

Administrator: /* Configuration for OpenVPN */

2025-07-21T09:24:06Z

Configuration for OpenVPN

← Older revision		Revision as of 09:24, 21 July 2025
Line 27:		Line 27:
	At this point, the FILES section will contain a certificate and a key (.crt and .key) accordingly.</br> <br>Also export the CA to obtain a `.crt` file in Files.</br>		At this point, the FILES section will contain a certificate and a key (.crt and .key) accordingly.</br> <br>Also export the CA to obtain a `.crt` file in Files.</br>
	Now you can export the OpenVPN configuration file from the server form via \[Export .ovpn].</br>		Now you can export the OpenVPN configuration file from the server form via \[Export .ovpn].</br>
	~~Modify the file and set `reneg-sec 36000`, otherwise the connection will need re-authentication every hour.</br>~~
	Insert the public IP for access.<br>		Insert the public IP for access.<br>
	Select the exported CA certificate from the dropdown menu.</br>Do the same for the user certificate and key.</br>		Select the exported CA certificate from the dropdown menu.</br>Do the same for the user certificate and key.</br>
	A configuration file will be generated which already includes the certificates.</br>		A configuration file will be generated which already includes the certificates.</br>
	Now you can log in with the RADIUS user by entering the username, prefix+OTP, and the certificate export password. The latter can be saved so it’s not requested again.		Now you can log in with the RADIUS user by entering the username, prefix+OTP, and the certificate export password. The latter can be saved so it’s not requested again.

Administrator: Created page with "Here is the English translation of your article with all MediaWiki markup preserved: --- == 2FA Authentication with Mikrotik == === Prerequisites === * RADIUS installed, configured, and activated. Make sure to click the \[INCOMING] button and enable the flag * User Manager installed and configured to use RADIUS * If you want to use 2FA for Winbox login: go to SYSTEM→USERS, click \[AAA], check "Use RADIUS", and define the access group (read, full, write) * If..."

2025-07-21T09:23:04Z

Created page with "Here is the **English translation** of your article with all **MediaWiki markup preserved**: --- == 2FA Authentication with Mikrotik == === Prerequisites === * RADIUS installed, configured, and activated. Make sure to click the \[INCOMING] button and enable the flag * User Manager installed and configured to use RADIUS * If you want to use 2FA for Winbox login: go to SYSTEM→USERS, click \[AAA], check "Use RADIUS", and define the access group (read, full, write) * If..."

New page

Here is the **English translation** of your article with all **MediaWiki markup preserved**:

---

== 2FA Authentication with Mikrotik ==
=== Prerequisites ===

* RADIUS installed, configured, and activated. Make sure to click the \[INCOMING] button and enable the flag
* User Manager installed and configured to use RADIUS
* If you want to use 2FA for Winbox login: go to SYSTEM→USERS, click \[AAA], check "Use RADIUS", and define the access group (read, full, write)
* If you want to use it for OpenVPN: in RADIUS→General, enable the PPP usage flag; then in PPP, click \[Authentication & Accounting] and enable "Use Radius"

=== User Creation ===
In User Manager, create a user. 
Set a password that will serve as the prefix for the password to be entered before the OTP code.
In the OTP Secret field, enter a Base32 HASH. You can generate one here: [https://emn178.github.io/online-tools/base32\_encode.html](https://emn178.github.io/online-tools/base32_encode.html) 
For example, entering `giovanni12` returns `M5UW65TBNZXGSMJS`.
The Base32 code will then be used in Google Authenticator to generate a token.
Test the login by accessing the console

=== Configuration for OpenVPN ===
In the connection profile (PPP→Profiles), under Limits, set "Only One" to YES. (Important for stability, based on forum advice. Otherwise, the connection often drops.) 
Create an address pool in IP→POOL. For example, if the server's OpenVPN local address is 10.90.0.1, you can create a pool named `OVPN_pool` with addresses 10.90.0.2–10.90.0.15.
In the User Manager user form, add the attribute `Framed-Pool` with the value `OVPN_pool`.
Alternatively, if you want to assign a static IP, use the attribute `Framed-IP-Address` and specify the address.
Create a certificate using the local CA (the same one used for the OpenVPN server certificate) and export it with a passphrase.
At this point, the FILES section will contain a certificate and a key (.crt and .key) accordingly. Also export the CA to obtain a `.crt` file in Files.
Now you can export the OpenVPN configuration file from the server form via \[Export .ovpn].
Modify the file and set `reneg-sec 36000`, otherwise the connection will need re-authentication every hour.
Insert the public IP for access. 
Select the exported CA certificate from the dropdown menu.Do the same for the user certificate and key.
A configuration file will be generated which already includes the certificates.
Now you can log in with the RADIUS user by entering the username, prefix+OTP, and the certificate export password. The latter can be saved so it’s not requested again.