Last updated on February 6, 2025
Overview of MFA for MikroTik VPN
Multi-Factor Authentication (MFA) for MikroTik VPN is an additional security measure that requires users to present two forms of authentication to gain access to the MikroTik VPN. The user must first enter their Active Directory / RADIUS username and password to complete the initial authentication process. Afterward, they must go through secondary authentication via an authentication method like a Mobile Push or Email Link. After successfully completing both steps of authentication, they are granted access to the desired resource. Activating 2FA or MFA for MikroTik VPN reduces the possibility of a hacker accessing resources even if they have the user’s login details.
Rublon supports the following MikroTik VPN protocols:
- PPTP
- L2TP with IPSec
- SSTP
- OVPN
Supported Authentication Methods
Authentication Method | Supported | Comments |
Mobile Push | ✔ | N/A |
WebAuthn/U2F Security Key | – | N/A |
Passcode | ✔ | N/A |
SMS Passcode | – | N/A |
SMS Link | ✔ | N/A |
Phone Call | ✔ | N/A |
QR Code | – | N/A |
Email Link | ✔ | N/A |
YubiKey OTP Security Key | ✔ | N/A |
Before you start
You need to install and configure the Rublon Authentication Proxy itself before configuring MikroTik VPN to work with it. Read the Rublon Authentication Proxy documentation and follow the steps in the Installation and Configuration sections. Afterward, follow the Configuration section in this document.
Ensure that you have properly set up your authentication source, that is, an external Identity Provider (IdP) like FreeRADIUS, FreeIPA, OpenLDAP or Microsoft Active Directory.
You will need a MikroTik RouterOS management tool of your choice, e.g. Winbox, Webfig. This tutorial shows the configuration using Webfig.
Configuration of MFA for MikroTik VPN
Follow these steps to enable Rublon 2FA in MikroTik.
MikroTik
1. Open Webfig.
2. Navigate to the menu on the left, and select the RADIUS tab.
3. Click Add New to configure your Rublon Authentication Proxy as a RADIUS server.
4. Check ppp and ipsec in the Service section.
5. Enter the address of the Rublon Authentication Proxy in the Address field.
6. Set Protocol to udp.
7. Enter the RADIUS Secret from Rublon Authentication Proxy in the Secret field.
8. Change the default timeout to 30000 ms.
Note
30000 ms is enough for most cases. However, some of our customers had to increase the timeout to 60000 ms to achieve a smooth experience.
9. Click OK to save the changes.

10. Navigate to the menu on the left, and select the PPP tab.
11. Select the Interface tab and then click PPTP Server, SSTP Server, L2TP Server, or OVPN Server depending on which one you are using.
12. Check pap and uncheck every other checkbox in Authentication. Click OK.
13. Select the Secrets tab, and click the PPP Authentication & Accounting button.

14. Check Use Radius, uncheck Accounting, and click OK to finish the configuration and enable Rublon 2FA in your VPN.
Windows VPN
1. On your Windows operating system, go to Settings → Network & Internet → VPN and select Add a VPN connection.
2. Fill in the form and click Save. Refer to the following image and table.

VPN Provider | Windows (in-built) |
Connection name | MikroTik |
Server name or address | Enter the IP address of your server |
VPN type | Select your VPN Type. We chose L2TP/IPsec with pre-shared key, but you have to select the one you use in MikroTik. |
Pre-shared key | Enter the RADIUS_SECRET from Rublon Authentication Proxy. |
Type of sign-in info | User name and password |
User name (optional) | Your user name. If you don’t specify the optional User name and Password when adding a new connection, you will be asked to provide the credentials every time you connect to the VPN. |
Password (optional) | Your password. If you don’t specify the optional User name and Password when adding a new connection, you will be asked to provide the credentials every time you connect to the VPN. |
3. Go to Control Panel → Network and Sharing Center and select Change adapter options.
4. Right-click your newly-created MikroTik connection and select Properties.
5. Select the Security tab.
6. Select Allow these protocols and then check the Unencrypted password (PAP) checkbox.

7. Click OK to save the changes.
Connect to MikroTik VPN using MFA for MikroTik VPN
The following example depicts connecting to MikroTik VPN with Rublon 2FA.
Note the following:
- User name and Password have not been specified while adding the VPN connection to make the illustration of the Two-Factor Authentication process clearer.
- Mobile Push has been set as the second factor in Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).
1. Select your connection, and click Connect.

2. A window will appear. Provide your credentials and click OK.

3. You will be sent an automatic push notification on your phone.

4. Tap APPROVE.
5. You will be successfully logged in to the VPN.

Troubleshooting
Blast-RADIUS Vulnerability Protection
RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.
The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.
If you are experiencing issues with your RADIUS integration, ensure that force_message_authenticator is set to true.
If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.
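Validation of the Message-Authenticator attribute as defined in RFC 3579, shown as an added example (not part of the original page and not Rublon's implementation): the attribute carries an HMAC-MD5 of the whole packet, keyed with the RADIUS secret and computed with the attribute's own 16 bytes zeroed. The function names, the sample secret and the constructed packet are assumptions for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 3579)

def _attributes(packet):
    """Yield (type, value_offset, value_length); raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, pos + 2, attr_len - 2
        pos += attr_len
    if pos != length:
        raise ValueError("trailing bytes after last attribute")

def verify_message_authenticator(packet, secret, request_authenticator=None):
    """True only if exactly one valid Message-Authenticator is present.
    For replies, pass the 16-byte authenticator of the matching Access-Request."""
    found = [(off, n) for t, off, n in _attributes(packet) if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or found[0][1] != 16:
        return False  # a missing attribute counts as a failure
    off = found[0][0]
    length = struct.unpack("!H", packet[2:4])[0]
    buf = bytearray(packet[:length])
    received = bytes(buf[off:off + 16])
    buf[off:off + 16] = bytes(16)            # zero the field before hashing
    if request_authenticator is not None:
        buf[4:20] = request_authenticator    # replies are bound to the request
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

def build_access_request(secret, user, with_ma=True):
    """Constructed sample Access-Request (code 1, id 7) for the demonstration."""
    attrs = bytes([1, 2 + len(user)]) + user             # User-Name
    if with_ma:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16))
    pkt = bytearray(header + attrs)
    if with_ma:
        pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)
```

A packet that omits the attribute is rejected rather than accepted unchecked, which is the behavior a receiver that enforces the attribute needs.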
If you receive more than one Mobile Push when attempting to connect to your VPN service, you have to increase the timeout in MikroTik (change the Timeout set in the RADIUS tab if you are using Webfig). We recommend you increase the timeout to at least 60000 ms. The reason for multiple notifications is most often that a user accepts a push notification just before MikroTik resends the packet (which happens after the timeout has passed).
If you encounter any issues with your Rublon integration, please contact Rublon Support.