
Multi-Factor Authentication (2FA/MFA) for MikroTik VPN

Multi-Factor (MFA) and Two-Factor Authentication (2FA) for MikroTik VPN (L2TP with IPSec, SSTP, PPTP, OVPN)

February 8, 2021 By Rublon Authors

Last updated on February 6, 2025

Overview of MFA for MikroTik VPN

Multi-Factor Authentication (MFA) for MikroTik VPN is an additional security measure that requires users to present two forms of authentication to gain access to the MikroTik VPN. The user must first enter their Active Directory / RADIUS username and password to complete the initial authentication process. Afterward, they must go through secondary authentication via an authentication method like a Mobile Push or Email Link. After successfully completing both steps of authentication, they are granted access to the desired resource. Activating 2FA or MFA for MikroTik VPN reduces the possibility of a hacker accessing resources even if they have the user’s login details.

Rublon supports the following MikroTik VPN protocols:

  • PPTP
  • L2TP with IPSec
  • SSTP
  • OVPN

Supported Authentication Methods

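| Authentication Method    | Supported | Comments |
|--------------------------|-----------|----------|
| Mobile Push              | ✔         | N/A      |
| WebAuthn/U2F Security Key | –        | N/A      |
| Passcode                 | ✔         | N/A      |
| SMS Passcode             | –         | N/A      |
| SMS Link                 | ✔         | N/A      |
| Phone Call               | ✔         | N/A      |
| QR Code                  | –         | N/A      |
| Email Link               | ✔         | N/A      |
| YubiKey OTP Security Key | ✔         | N/A      |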

Before you start

You need to install and configure the Rublon Authentication Proxy itself before configuring MikroTik VPN to work with it. Read the Rublon Authentication Proxy documentation and follow the steps in the Installation and Configuration sections. Afterward, follow the Configuration section in this document.

Ensure that you have properly set up your authentication source, that is, an external Identity Provider (IdP) like FreeRADIUS, FreeIPA, OpenLDAP or Microsoft Active Directory.

You will need a MikroTik RouterOS management tool of your choice, e.g. Winbox, Webfig. This tutorial shows the configuration using Webfig.

Configuration of MFA for MikroTik VPN

Follow these steps to enable Rublon 2FA in MikroTik.

MikroTik

1. Open Webfig.

2. Navigate to the menu on the left, and select the RADIUS tab.

3. Click Add New to configure your Rublon Authentication Proxy as a RADIUS server.

4. Check ppp and ipsec in the Service section.

5. Enter the address of the Rublon Authentication Proxy in the Address field.

6. Set Protocol to udp.

7. Enter the RADIUS Secret from Rublon Authentication Proxy in the Secret field.

8. Change the default timeout to 30000 ms.

Note

30000 ms is enough for most cases. However, some of our customers had to increase the timeout to 60000 ms to achieve a smooth experience.

9. Click OK to save the changes.

10. Navigate to the menu on the left, and select the PPP tab.

11. Select the Interface tab and then click PPTP Server, SSTP Server, L2TP Server, or OVPN Server depending on which one you are using.

12. Check pap and uncheck every other checkbox in Authentication. Click OK.

13. Select the Secrets tab, and click the PPP Authentication & Accounting button.

14. Check Use Radius, uncheck Accounting, and click OK to finish the configuration and enable Rublon 2FA in your VPN.

Windows VPN

1. On your Windows operating system, go to Settings → Network & Internet → VPN and select Add a VPN connection.

2. Fill in the form and click Save. Refer to the following table.

| Setting                | Value |
|------------------------|-------|
| VPN Provider           | Windows (in-built) |
| Connection name        | MikroTik |
| Server name or address | Enter the IP address of your server |
| VPN type               | Select your VPN Type. We chose L2TP/IPsec with pre-shared key, but you have to select the one you use in MikroTik. |
| Pre-shared key         | Enter the RADIUS_SECRET from Rublon Authentication Proxy. |
| Type of sign-in info   | User name and password |
| User name (optional)   | Your user name. |
| Password (optional)    | Your password. |

If you don’t specify the optional User name and Password when adding a new connection, you will be asked to provide the credentials every time you connect to the VPN.

3. Go to Control Panel → Network and Sharing Center and select Change adapter options.

4. Right-click your newly-created MikroTik connection and select Properties.

5. Select the Security tab.

6. Select Allow these protocols and then check the Unencrypted password (PAP) checkbox.

7. Click OK to save the changes.

Connect to MikroTik VPN using MFA for MikroTik VPN

The following example depicts logging in to MikroTik VPN with Rublon 2FA.

Note the following:

  • User name and Password have not been specified while adding the VPN connection to make the illustration of the Two-Factor Authentication process clearer.
  • Mobile Push has been set as the second factor in Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).

1. Select your connection, and click Connect.

2. A window will appear. Provide your credentials and click OK.

3. You will be sent an automatic push notification on your phone.

4. Tap APPROVE.

5. You will be successfully logged in to the VPN.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.
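What enforcing the Message-Authenticator attribute means on the wire, as an added example (not Rublon's or MikroTik's code): a RADIUS server recomputes HMAC-MD5 over the Access-Request with the attribute's 16 bytes zeroed, keyed with the shared secret, and rejects requests where the attribute is absent or does not match. The secret, request authenticator and user name below are constructed sample values, and the check covers Access-Request packets only.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 2869)

def build_packet(code, ident, authenticator, attrs):
    """Encode a RADIUS packet from (type, value-bytes) attribute pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def sign_request(code, ident, authenticator, attrs, secret):
    """Append a Message-Authenticator: HMAC-MD5 over the packet with the field zeroed."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    pkt = bytearray(build_packet(code, ident, authenticator, attrs))
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def check_message_authenticator(packet, secret):
    """Return 'valid', 'missing' or 'invalid' for an Access-Request."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        return "invalid"                  # truncated or bad length field
    pkt = bytearray(packet[:length])
    pos, found = 20, None
    while pos < length:
        if pos + 2 > length:
            return "invalid"
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            return "invalid"              # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18 or found is not None:
                return "invalid"          # wrong size or duplicated attribute
            found = pos + 2
        pos += alen
    if found is None:
        return "missing"                  # a server enforcing the attribute drops this
    received = bytes(pkt[found:found + 16])
    pkt[found:found + 16] = bytes(16)     # zero the field before recomputing
    expected = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return "valid" if hmac.compare_digest(received, expected) else "invalid"

# Constructed sample: the secret, request authenticator and User-Name are made up.
SECRET = b"constructed-secret"
SAMPLE = sign_request(ACCESS_REQUEST, 7, bytes(range(16)), [(1, b"alice")], SECRET)
```

A RADIUS client that does not send the attribute produces the "missing" result, which is the case to look for when an integration stops working after enforcement is turned on.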

If you receive more than one Mobile Push when attempting to connect to your VPN service, you have to increase the timeout in MikroTik (change the Timeout set in the RADIUS tab if you are using Webfig). We recommend you increase the timeout to at least 60000 ms. Multiple notifications most often occur when a user accepts a push notification just before MikroTik resends the packet (which happens after the timeout has passed).

If you encounter any issues with your Rublon integration, please contact Rublon Support.
