I love the uncomplicated way WireGuard works, and the users are much more confident with a stable working VPN.
But in the near future I need to secure this setup with 2FA.
I just read some threads where they hint at User Manager and OTP Secret. But I really need some more help with this.
Where do I get the OTP Secret? Do I need to set up any server for this? Mainly we use the Microsoft Authenticator app.
Can anybody maybe give me an example of how to configure a WireGuard VPN with 2FA using the User Manager?
WireGuard® is a modern and fast encrypted networking protocol that offers a number of performance benefits over traditional VPNs and TLS. Among other important features, WireGuard uses Curve25519 for key exchange, which keeps the negotiation phase extremely lightweight and fast. It also has a very low cost per live session, so it can keep direct connections open to a large number of nodes at once.
Tailscale builds on top of WireGuard by adding automatic mesh configuration, single sign-on (SSO), 2-factor/multi-factor authentication (2FA/MFA), NAT traversal, TCP transport, and centralized Access Control Lists (ACLs).
Main problem is that WG is just tunnels with static config using only keys; there’s no support for anything else. So if you see WG with 2FA, it’s either something extra aside handling it and controlling the WG layer (Tailscale) or a custom extension to standard WG (TunSafe):
They’re right, some standard way would be nice, but AFAIK, currently there isn’t any.
Experimental or not, if it works it is much more secure and “easy” to implement. At the moment I am thinking about a web-based solution where the user has to log in and has to enable his WireGuard peer manually, and if the connection closes or is restarted by any other IP then it disables. But that’s much more work to do and so inflexible.
It may work, but non-standard is bad. Even if MikroTik implemented this extension, it still wouldn’t work with any standard WG client. And then someone else would come with their own incompatible solution, because they wouldn’t like this one for some reason. And someone else would implement that. And there could be more, so in the end we’d end up with several incompatible WGs, and that’s not good. WG with more features could be nice, but it needs to be a joint effort resulting in a standard supported by everyone.
Did you test it with a normal server (e.g. standard unmodified Linux WG) and did it work? I didn’t study it in detail, but from a quick look, if it’s an extension to the protocol, a standard server wouldn’t have any support for it.
No reason why MT couldn’t hook checking the RADIUS server as the first step after the initial handshake on the server side and make it an entry on the client side of MT.
So if there is a value (entry) for the new parameter on the client side (yes/no), the router knows that it needs to check the RADIUS server for the credentials embedded after the MT tunnel is established, prior to allowing any traffic.
Yes, this would be a good way too. The company I work for wants to certify with ISO 27001, and I think if we can’t implement some version of 2FA with MikroTik VPN they will cut this product out of our portfolio…
You know that whatever like this would be added, it would have to be supported by both sides, right? So unless you’d be satisfied only by MikroTik<->MikroTik interoperability, or maybe including some other client using same non-standard implementation, it wouldn’t help you, because no standard client would work with it.
That is correct SOB, it would at least allow anybody with an MT-to-MT scenario to make use of the RADIUS server capability to simulate 2FA.
This would encourage folks to get an MT for home
This would encourage folks to get an MT small form factor wifi device to take on the road (for hotel wifi etc.).
Note: This would also work with any Android or iOS device connecting via WireGuard and using the iOS or Android MT app to connect to the router.
I think this is enough utility and coverage to justify the addition. But heck what do I know.
Bringing the thread back to life
I’m actively searching for modernization of legacy VPN services that we are currently using (SSTP, L2TP/IPSec).
I love the way WireGuard works on all user operating systems, but the upcoming regulations have strict instructions regarding Multi Factor Authentication on remote access.
In the same matter I really need some authentication for WireGuard, but except for some custom-made server appliances running on a VM or Docker, I can’t find anything that is able to manipulate RouterOS and interact with the user to confirm that this connection is initiated by him.
I have an idea of how it could be managed, but I’m not a developer and cannot do it myself.
If anyone is willing to help, we may be able to bring it to life and help all poor souls around the world that need to comply )
It would be really great if Mikrotik itself can make it. I’m sure it will not be so hard to implement.
What is your idea? I really doubt that you would be able to implement anything directly on the MikroTik without using a container … and if you go the route of using a container then you should consider using TailScale instead of reinventing an advanced security feature.
For sure there will be some API connecting the router, the RADIUS/AD server and the end user. Container on the router itself or on some hypervisor.
My concept is working with the address lists. When a new WG session is initiated, the IP of that interface will be in a limited address list; the API will initiate a query against the RADIUS to find out who is the user who has this IP as an attribute. If the user is not disabled and is a member of a specific group, then it will be considered as valid and will initiate the second factor request. For example, a very simple app on the user’s phone that should be enrolled in the first place. So when the API initiates the request, a notification will be pushed to the phone so the user can confirm if he is the initiator. If he declines the request, that should be logged and the administrator notified of a possibly stolen WG config. If he approves, the API will log in to the router and execute a command that will move the IP to the appropriate address list.
Having some form of 2FA for Wireguard on the Mikrotik is well worth the effort. When I have the time, if nobody has already implemented it by then, I WILL start a project to fill this gap. TOTP is not a complicated process. I’ve already done the research on it, run some test applications with it, and understand very well the concept of TOTP.
Getting this implemented for Wireguard on Mikrotik is a different story; however, I think I might be able to configure a basic TOTP service that runs right on the Mikrotik. It will take some additional research into the RouterBoard SDK and/or scripting.
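As an added example (not code from any poster, MikroTik or User Manager), the following Python combines the two ideas raised in this thread: the RFC 6238 TOTP check the last poster describes, and the earlier "limited / allowed" address-list gating concept, where a peer only gets promoted after a valid second factor. It assumes a hypothetical `TotpGate` class that stands in for whatever would actually move the peer's address between RouterOS address lists; the RouterOS API call itself is not shown because the thread does not specify it. The secret is the constructed base32 encoding of the RFC 4226 test key "12345678901234567890", so the codes match the RFC test vectors and can be checked against any authenticator app.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: base32 of the ASCII string "12345678901234567890",
# the shared secret used by the RFC 4226 / RFC 6238 test vectors.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, timestamp // step, digits)


class TotpGate:
    """Hypothetical gate mirroring the thread's address-list concept.

    A freshly connected peer address sits in the 'limited' list and is moved to
    'allowed' only after it presents a valid TOTP code that has not been used
    before (replay guard) and lies within a small clock-skew window.
    """

    def __init__(self, secrets: dict, step: int = 30, window: int = 1):
        self.secrets = secrets            # peer address -> base32 secret
        self.step = step
        self.window = window              # +/- time steps tolerated for skew
        self.lists = {"limited": set(), "allowed": set()}
        self.last_counter = {}            # peer address -> last accepted counter

    def peer_connected(self, addr: str) -> None:
        # New WG session: start in the restricted list, never in 'allowed'.
        self.lists["allowed"].discard(addr)
        self.lists["limited"].add(addr)

    def peer_disconnected(self, addr: str) -> None:
        self.lists["allowed"].discard(addr)
        self.lists["limited"].discard(addr)

    def verify(self, addr: str, code: str, timestamp: int) -> bool:
        secret = self.secrets.get(addr)
        if secret is None or addr not in self.lists["limited"]:
            return False
        now = timestamp // self.step
        for counter in range(now - self.window, now + self.window + 1):
            # Reject any counter at or before the last accepted one: a captured
            # code cannot be replayed even inside the skew window.
            if counter <= self.last_counter.get(addr, -1):
                continue
            expected = hotp(secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter[addr] = counter
                self.lists["limited"].discard(addr)
                self.lists["allowed"].add(addr)
                return True
        return False


if __name__ == "__main__":
    gate = TotpGate({"10.0.0.2": DEMO_SECRET_B32})
    gate.peer_connected("10.0.0.2")
    print("code at t=59:", totp(DEMO_SECRET_B32, 59))
    print("accepted:", gate.verify("10.0.0.2", totp(DEMO_SECRET_B32, 59), 59))
    print("allowed list:", gate.lists["allowed"])
```

The replay guard matters more than it looks: with a one-step skew window, a code that an attacker captured off the wire is otherwise valid for up to 90 seconds, and in the address-list model the router only needs one successful verification to promote the peer. Storing the last accepted counter per peer closes that gap without changing the user's experience.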