
MikroTik VPN 2FA

This guide describes how to enable Protectimus Two-Factor Authentication (2FA) for users connecting to MikroTik VPN.

The Protectimus two-factor authentication system can be integrated with MikroTik VPN via the RADIUS authentication protocol. For this purpose, you need to install the on-premise Protectimus RADIUS Server component and configure MikroTik VPN to refer to the Protectimus RADIUS Server for user authentication.

The scheme below shows how the Protectimus two-factor authentication solution works for MikroTik VPN.
How to set up MikroTik two-factor authentication via RADIUS

1. How MikroTik VPN Two-Factor Authentication (2FA) Works

After integrating MikroTik VPN with the Protectimus MFA system, your users will need to pass two stages of authentication to connect to MikroTik VPN:
  1. Enter their username and password.
  2. Enter the one-time passcode, which is only valid for 30 seconds.

To generate one-time passcodes, the following types of two-factor authentication tokens will be available to your users:
  • Classic and programmable hardware OTP tokens that look like keyfobs and plastic cards;
  • 2-factor authentication app Protectimus SMART OTP on iOS and Android;
  • Any other 2-factor authentication apps that support TOTP auth standard, including Google Authenticator;
  • Delivery of one-time passwords using chatbots in Telegram, Messenger, or Viber;
  • SMS authentication;
  • Delivery of one-time passwords via email.

An intruder would have to compromise two authentication factors that differ in their nature (something the user knows and something the user owns) and use both within 30 seconds (the time during which the one-time password remains active). That is why two-factor authentication is one of the best security measures for MikroTik VPN.

2. How to Enable MikroTik VPN 2FA

You can set up MikroTik VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Configure MikroTik VPN Client.
  4. Configure Windows VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for MikroTik VPN 2-factor authentication using RADIUS are available here.

2.3. Configure MikroTik VPN Client

  1. Open Webfig.
  2. Navigate to the menu on the left, and select the RADIUS tab.
  3. Click Add New to configure your Protectimus RADIUS Server as a RADIUS server.
  4. Check ppp and ipsec in the Service section.
  5. Check login in the Service section.
  6. Indicate the IP of the server where the Protectimus RADIUS Server is installed.
  7. Set Protocol to udp.
  8. Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property).
  9. Change the default timeout to 30000 ms or higher.
  10. Click OK to save your settings.
MikroTik VPN 2FA setup - step 1
  11. Navigate to the menu on the left, and select the PPP tab.
  12. Select the Interface tab and then click PPTP Server, SSTP Server, L2TP Server, or OVPN Server depending on which one you are using.
  13. Check pap and uncheck every other checkbox in Authentication. Click OK.
  14. Select the Secrets tab, and click the PPP Authentication & Accounting button.
MikroTik VPN two-factor authentication setup - step 2
  15. Check Use Radius, and click OK to finish the configuration and enable Protectimus two-factor authentication in your VPN.

2.4. Configure Windows VPN

  1. On your Windows operating system, go to Settings → Network & Internet → VPN and select Add a VPN connection.
  2. Fill in the form and click Save. Refer to the following image and table.
  VPN Provider: Windows (in-built)
  Connection name: MikroTik
  Server name or address: Enter the IP address of your server
  VPN type: Select your VPN Type. We chose L2TP/IPsec with pre-shared key, but you have to select the one you use in MikroTik.
  Pre-shared key: Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
  Type of sign-in info: User name and password
  User name (optional): Your user name
  Password (optional): Your password

Windows VPN setup - step 1
  3. Go to Control Panel → Network and Sharing Center and select Change adapter options.
  4. Right-click your newly-created MikroTik connection and select Properties.
  5. Select the Security tab.
  6. Select Allow these protocols and then check the Unencrypted password (PAP) checkbox.
  7. Then click OK to save the changes.
Windows VPN setup - step 2
Integration of two-factor authentication (2FA/MFA) for your MikroTik VPN is now complete. If you have other questions, contact Protectimus customer support service.
Last updated on 2022-12-21