MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Wireguard / 2FA

Wed Oct 05, 2022 5:03 pm

Hey Guys,

I love the uncomplicated way WireGuard works, and the users are much more confident with a stable working VPN.

But in the near future I need to secure this with 2FA.

I just read some threads where they point to User Manager and an OTP secret, but I really need some more help with this.

Where do I get the OTP secret? Do I need to set up any server for this? Mainly we use the Microsoft Authenticator app.
Can anybody maybe give me an example of how to configure a WireGuard VPN with 2FA using User Manager?
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Wireguard / 2FA

Wed Oct 05, 2022 5:05 pm

You can't. WireGuard doesn't have any accounting as far as I know.
2FA with userman
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Wireguard / 2FA

Wed Oct 05, 2022 5:17 pm

You can't. WireGuard doesn't have any accounting as far as I know.
2FA with userman
Yes, I found this wiki, but there is no description of where I get the OTP secret.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard / 2FA

Wed Oct 05, 2022 5:29 pm

Not helpful, but I wondered if Tailscale does this...
https://tailscale.com/kb/1075/multi-factor-auth/

About WireGuard and 2FA/MFA login

WireGuard® is a modern and fast encrypted networking protocol that offers a number of performance benefits over traditional VPNs and TLS. Among other important features, WireGuard uses Curve25519 for key exchange, which keeps the negotiation phase extremely lightweight and fast. It also has a very low cost per live session, so it can keep direct connections open to a large number of nodes at once.

Tailscale builds on top of WireGuard by adding automatic mesh configuration, single sign-on (SSO), 2-factor/multi-factor authentication (2FA/MFA), NAT traversal, TCP transport, and centralized Access Control Lists (ACLs).
Last edited by anav on Wed Oct 05, 2022 5:31 pm, edited 1 time in total.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Wireguard / 2FA

Wed Oct 05, 2022 5:30 pm

 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Wireguard / 2FA

Mon Oct 10, 2022 5:28 pm

Hey,

as far as I understand, it's more a problem of the client than a problem with the server.

I've found the TunSafe client as a GitHub project; as far as I understand, I just have to add this line to my server config:

[Peer]
RequireToken = totp-sha1:SECRET,digits=6,period=30,precision=15


and if I use my WG conf files with the TunSafe client I will get a TOTP.

Is there any option to configure the whole server conf file on the MikroTik, or must it be added by the developers as a "checkbox"?
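To make the parameters in that RequireToken line concrete (totp-sha1, digits=6, period=30), here is an added example of standard RFC 6238 TOTP generation and verification in Python; it is not code from this thread or from TunSafe, and the TunSafe-specific precision option is not modelled. The base32 string that generate_secret() returns is the kind of "OTP secret" an authenticator app enrols; the fixed secret in the test is the RFC 6238 test-vector key, assumed here only for checking.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Parameters from the RequireToken line quoted above: HMAC-SHA1, 6 digits, 30 s step.
# "precision=15" is a TunSafe-specific option and is not modelled here (assumption).
DIGITS = 6
PERIOD = 30


def generate_secret(nbytes: int = 20) -> str:
    """Make a fresh random secret, base32-encoded as authenticator apps expect it.
    The peer enrols this value in its app; the server stores the same value."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def totp(secret_b32: str, unix_time: int, digits: int = DIGITS, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) with HMAC-SHA1 over the time-step counter."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded)
    counter = unix_time // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_code(secret_b32: str) -> str:
    """Code for the present moment, i.e. what the authenticator app shows right now."""
    return totp(secret_b32, int(time.time()))


def verify(secret_b32: str, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step and +/- skew_steps neighbours to
    tolerate clock drift; compare in constant time so the check does not leak digits."""
    for step in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, unix_time + step * PERIOD)
        if hmac.compare_digest(expected, code):
            return True
    return False
```

A real deployment would also record the last accepted counter per peer so a code cannot be replayed within its window.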
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard / 2FA

Mon Oct 10, 2022 5:47 pm

The main problem is that WG is just tunnels with a static config using only keys; there's no support for anything else. So if you see WG with 2FA, it's either something extra on the side handling it and controlling the WG layer (Tailscale) or a custom extension to standard WG (TunSafe):
This implementation is a TunSafe specific and experimental extension to the protocol. We would love to find a variant of this proposal, or another solution that can provide the same functionality across other WireGuard implementations. We think a standardized way of doing two-factor authentication would be hugely beneficial to the WireGuard community.
They're right, some standard way would be nice, but AFAIK, currently there isn't any.
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Wireguard / 2FA

Mon Oct 10, 2022 5:52 pm

The main problem is that WG is just tunnels with a static config using only keys; there's no support for anything else. So if you see WG with 2FA, it's either something extra on the side handling it and controlling the WG layer (Tailscale) or a custom extension to standard WG (TunSafe):
This implementation is a TunSafe specific and experimental extension to the protocol. We would love to find a variant of this proposal, or another solution that can provide the same functionality across other WireGuard implementations. We think a standardized way of doing two-factor authentication would be hugely beneficial to the WireGuard community.
They're right, some standard way would be nice, but AFAIK, currently there isn't any.
Experimental or not, if it works it is much more secure and "easy" to implement. At the moment I am thinking about a web-based solution where the user has to log in and enable his WireGuard peer manually, and if the connection closes or is restarted from any other IP, it is disabled. But that's much more work to do and so inflexible.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard / 2FA

Mon Oct 10, 2022 6:12 pm

It may work, but non-standard is bad. Even if MikroTik implemented this extension, it still wouldn't work with any standard WG client. And then someone else would come with their own incompatible solution, because they wouldn't like this one for some reason. And someone else would implement that. And there could be more, so in the end we'd end up with several incompatible WGs, and that's not good. WG with more features could be nice, but it needs to be a joint effort resulting in a standard supported by everyone.
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Wireguard / 2FA

Mon Oct 10, 2022 9:05 pm

But on the server side there is nothing more to implement than the possibility to set this parameter or not.

On "normal" WireGuard servers you only add the line and go for it.

And that is per peer, so you can decide which peer gets TOTP and which not.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard / 2FA

Mon Oct 10, 2022 10:29 pm

Did you test it with a normal server (e.g. standard unmodified Linux WG) and did it work? I didn't study it in detail, but from a quick look, if it's an extension to the protocol, a standard server wouldn't have any support for it.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard / 2FA

Tue Oct 11, 2022 12:46 am

No reason why MT couldn't hook checking the RADIUS server as the first step after the initial handshake on the server side and make it an entry on the client side of MT.
So if there is a value (entry) for the new parameter on the client side (yes/no), the router knows that it needs to check the RADIUS server for the embedded credentials after the MT tunnel is established, prior to allowing any traffic.
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Wireguard / 2FA

Tue Oct 11, 2022 9:07 am

No reason why MT couldn't hook checking the RADIUS server as the first step after the initial handshake on the server side and make it an entry on the client side of MT.
So if there is a value (entry) for the new parameter on the client side (yes/no), the router knows that it needs to check the RADIUS server for the embedded credentials after the MT tunnel is established, prior to allowing any traffic.
Yes, this would be a good way too. The company I work for wants to certify for ISO 27001, and I think if we can't implement some version of 2FA with MikroTik VPN they will cut this product out of our portfolio...
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard / 2FA

Tue Oct 11, 2022 12:23 pm

You know that whatever like this would be added, it would have to be supported by both sides, right? So unless you'd be satisfied only with MikroTik<->MikroTik interoperability, or maybe including some other client using the same non-standard implementation, it wouldn't help you, because no standard client would work with it.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard / 2FA

Tue Oct 11, 2022 2:12 pm

That is correct, Sob; it would at least allow anybody with an MT-to-MT scenario to make use of the RADIUS server capability to simulate 2FA.
This would encourage folks to get an MT for home :-)
This would encourage folks to get an MT small form factor Wi-Fi device to take on the road (for hotel Wi-Fi etc.).

Note: This would also work with any Android or iOS device connecting via WireGuard and using the iOS or Android MT app to connect to the router.

I think this is enough utility and coverage to justify the addition. But heck what do I know. :-)
