VPN with 2FA

Hi All,

So, had a redundant router setup running the latest ROS version 6 and integrated with Rublon 2FA for users logging in via L2TP/IPsec server. So far so good, works perfectly.

One of the routers (a CCR1036) died and have decided to upgrade to the newest CCR2118. However, this comes with in my opinion a castrated OS. Just because the world has decided that L2TP is not the most secure, ROSv7 removes it. Since the HW is recent, I cannot revert back to ROS v6 either.

Rublon (and all other similar ones out there including Duo, MiniOrange, Protectimus, etc.) do not handle any other types of VPN for MFA and this leaves me in a quandary.

Have you managed to implement, at ROSv7 and above, a 2FA solution involving VPN access with 2FA and against internal RADIUS server authentication?

Thank you in advance.
M.

Did you look at this?

/system/device-mode/print 
                 mode: advanced     
     allowed-versions: 7.13+,6.49.8+
              flagged: no           
     flagging-enabled: no           
            scheduler: yes          
                socks: yes          
                fetch: yes          
                 pptp: yes          
                 l2tp: yes          
       bandwidth-test: yes          
          traffic-gen: no           
              sniffer: yes          
                ipsec: yes          
                romon: yes          
                proxy: yes          
              hotspot: yes          
                  smb: no           
                email: yes          
             zerotier: yes          
            container: no           
  install-any-version: no           
           partitions: yes          
          routerboard: yes          
        attempt-count: 0  

The world, and Mikrotik, are correct.

No, thank you. I’ll take a look.

Yes, agreed. But the option should still be available. There are many more obvious security issues but few have been chopped off like L2TP/IPsec, also from Android.

OVPN does work perfectly fine with 2FA

As hinted, it wasn't taken away, and it works perfectly. It just comes disabled by default and you have to enable it.

Use "service=ipsec" instead of "service=login":