Hi,
I need to set up a VPN to management network / VLAN.
My preference is WireGuard, and this is already set up, but unfortunately there is no 2FA facility when doing it on MikroTik (no Tailscale / Headscale for example, not without overcomplicated containers anyway).
So it seems my best option is to use the new TOTP in userman along with SSTP or OpenVPN. I can’t see any other options that would work easily.
However, this then introduces the hassle of certificate renewals, which I am trying to get away from (hence using WireGuard as much as possible at most sites, until 2FA really does become deemed necessary, which I think is becoming the case; it's hard to justify not having 2FA on a VPN unless it's IP restricted or something, and stolen or exported keys from a client computer are high risk).
Unless someone has other ideas for a VPN that doesn't require regular certificate renewals, my question is around using the Let's Encrypt functionality in RouterOS. Can anyone suggest a method to hook the renewal system so that port 80 is opened just temporarily to allow the ACME challenge to complete? Or even better, any chance MikroTik might support the DNS challenge to work with Cloudflare's API?
I have not tested this yet, but I suppose since OpenVPN has its own client, it's possible I could use this with a self-signed certificate with a long expiry, or there's probably a setting to ignore certificate errors or something, which is not possible with the inbuilt Windows SSTP client (it checks validity, and it also does a CRL check, so it has to be a public cert).
Another option, Mikrotik: DrayTek have for a long time had their own Smart VPN Client which supports all protocols offered by the router and works very well with many settings. Perhaps one day Mikrotik could have a VPN client?
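As an added example (not part of the original post or of anything MikroTik ships), this is the kind of hook the question asks about: a RouterOS script that opens TCP/80 on the input chain only for the duration of the ACME HTTP-01 request and removes the rule again whether the request succeeds or fails. The DNS name, the rule comment, the script name and the scheduler interval are assumptions; the router's www service is assumed to be enabled and reachable on port 80 from the internet.

```routeros
# Assumed values: replace the DNS name with the router's public hostname.
:local dnsName "vpn.example.net"
:local ruleComment "acme-temp-http"

# Open TCP/80 on the input chain only for the ACME HTTP-01 challenge.
# place-before=0 puts the accept rule ahead of any existing drop rule.
/ip firewall filter add chain=input protocol=tcp dst-port=80 action=accept \
    comment=$ruleComment place-before=0

# Request (or renew) the Let's Encrypt certificate. The on-error branch
# guarantees the temporary rule is removed even if issuance fails.
:do {
    /certificate enable-ssl-certificate dns-name=$dnsName
    :log info ("ACME request finished for " . $dnsName)
} on-error={
    :log error ("ACME request failed for " . $dnsName)
}

# Close the hole again; the rule is found by its comment, so only this
# script's rule is touched.
/ip firewall filter remove [find comment=$ruleComment]

# Save the above as a script (assumed name: acme-renew) and run it from the
# scheduler, well inside the 90-day Let's Encrypt lifetime, e.g.:
#   /system scheduler add name=acme-renew interval=30d start-time=03:00:00 \
#       on-event="/system script run acme-renew"
```

The SSTP server still has to be pointed at the issued certificate once (/interface sstp-server server set certificate=...); check /log after the first scheduled run to confirm the rule was both added and removed.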