I have been looking at options for setting up 2-factor authentication when connecting to a Mikrotik VPN. I have seen Rublon and Miniorange as probably the most referenced options, but I’m wondering if anyone here has an open-source/free option that works. My organization is not against paying for a solution, but if there is an option that doesn’t need to be paid for, that is always preferred. This is a mandatory item for Cyber security insurance, so I am just looking at all of my options. Yes we can self-host, and we do have our own SMS gateway if that’s required. Thanks
Hmm I wonder if hotspot, user manager etc… could provide some sense of authenticated login…
I am not aware of 2 factor authentication like a rolling code device, or popup on the smartphone or via any one of the popular apps for smart phones yet being available for RoS.
Read this thread for ideas!!!
http://forum.mikrotik.com/t/feature-request-two-factor-authentication/60077/38
Hotspot could be an option but it’s not functioning correctly in ros7.
Should be fine with ros6.
I am interested in other options too…
Thanks, I will check out the article and look into Hotspot. I think this will be a fun project or at least a learning experience. I never know which one to expect.
You can use Radius for authentication purposes and enable any of the many 2FA plugins. Check, as an example, FreeRadius with Google Authenticator or Latch (from ElevenPath)
Thanks, this looks like it may be the way to go. I'll do some research.
2FA on mikrotik can be users-passwords + certificates. If you want MFA, probably external radius.
We are using user passwords and certificates already, but the insurance company says that does not qualify as 2 factor (we had the same thought). We got radius working yesterday, so today I am going to try to tackle Google Authenticator. We spent a few hours running the freeradius debugger to find all the little pieces that aren’t covered in the tutorials.
Good work! Keep us up to date on progress!!
Would be great if you share them.
By the way, using https://www.notakey.com/products/ might be a less headache alternative, depending on the amount of users.
The tutorial is here: https://gintskirsteins.medium.com/free-secure-and-strong-2fa-for-mikrotik-and-vpn-ed2b5ae6d2de
A different but related question, would it be possible to use WireGuard VPN, which lands the user on a Hotspot?
Theoretically: why not? It’s an interface carrying IP like so many other ones.
Theoretically
I haven’t done a WireGuard setup yet and I’m still a hotspot newbie, despite customized Hotspot to either authorize client or grant instant guest access
I was hoping to find instructions on how to do it properly.
You can use the user-manager package in ROS7.
You can add users with their pass and the OTP parameter in order to use it with Google Authenticator
I love Mikrotik. The answers always seem to be Hmmmm or it should work.
Why don’t they have definitive answers?
That’s why people use Juniper and Cisco. More money for sure but at least you know it will work.
Sounds like you also fornicate with your juniper and crisco devices.
If you want someone to hold your hand, look elsewhere.
As I understood here, there is no free option to use 2FA for Mikrotik routers!?!? If I want a free radius to validate my logins I will have to run it on a server and forward the router to that server!?
No. It looks like ROS 7’s User Manager package is a Radius server which has TOTP capabilities.
https://help.mikrotik.com/docs/display/ROS/User+Manager#UserManager-UsingTOTP(time-basedone-timepassword)foruserauthentication
I confirm, usermanager works with Google Authenticator. tested and working perfectly.
https://foisfabio.it/index.php/2024/04/19/mikrotik-otp-vpn
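Added example, not written by any poster in this thread and not MikroTik or FreeRADIUS code: the check a RADIUS back end with TOTP has to make when the VPN client sends the password and the 6-digit code together in one field. The appended-code layout, the `check_login` name and the user store are assumptions for illustration; the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6   # code length shown by Google Authenticator


def totp(secret_b32, unix_time):
    """RFC 6238 TOTP with HMAC-SHA1, returned as a zero-padded string."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def check_login(users, name, submitted, unix_time, window=1):
    """Verify 'password + code' sent in one field (assumed layout).

    Accepts codes up to `window` steps either side of now to absorb clock
    drift, and refuses a time step that was already used (replay).
    """
    user = users.get(name)
    if user is None or len(submitted) <= DIGITS:
        return False
    password, code = submitted[:-DIGITS], submitted[-DIGITS:]
    pw_ok = hmac.compare_digest(password.encode(), user["password"].encode())
    now_step = int(unix_time) // STEP
    for step in range(max(0, now_step - window), now_step + window + 1):
        expected = totp(user["secret"], step * STEP)
        if hmac.compare_digest(code.encode(), expected.encode()):
            if pw_ok and step > user.get("last_step", -1):
                user["last_step"] = step
                return True
            return False
    return False


# Constructed sample store; a real server keeps a password hash, not plaintext.
USERS = {"alice": {"password": "Passw0rd",
                   "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}}

if __name__ == "__main__":
    print(check_login(USERS, "alice", "Passw0rd287082", 59))   # first use
    print(check_login(USERS, "alice", "Passw0rd287082", 59))   # same code again
```

The `window` value trades tolerance for router or phone clock drift against how long a captured code stays usable, so keep it small and keep the router's clock synced.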
Does anyone have a solution to make the static-challenge setting work with OpenVPN? Or something that asks for the password and the OTP in 2 text fields?
Duo has a great solution that works really well for 2FA with MT and other solutions. Using it in a lot of places and it’s worked great for several years