CHR/MKT Openvpn 2FA with Freeradius and Google Authenticator.

Ezequiel Arielli
Aug 19, 2019

Hello guys,

Today I will write about how to configure Google Authenticator 2FA with OpenVPN on MikroTik/CloudHostedRouter using FreeRADIUS and the Linux PAM module.


  • Mikrotik/CloudHostedRouter
  • VPN Openvpn
  • Ubuntu Instance(Freeradius)
  • Mobile Test

1- Install these packages on the Ubuntu server.

ubuntu@ip-10-0-9-99:~$ sudo apt-get update
ubuntu@ip-10-0-9-99:~$ sudo apt-get install freeradius libpam-google-authenticator -y

The FreeRADIUS path differs between Ubuntu 16 and Ubuntu 18:

Ubuntu 16: /etc/freeradius/
Ubuntu 18: /etc/freeradius/3.0/

In my case I use Ubuntu 16.

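We’ll now need to find the lines user = and group = in radiusd.conf.
The default configuration sets both to freerad. Change both of them to root, so that the PAM module can read the Google Authenticator secret stored in each user's home directory.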

ubuntu@ip-10-0-9-99:~$ sudo vi /etc/freeradius/radiusd.conf

Now you need to comment out the default configuration in this file:

ubuntu@ip-10-0-9-99:~$ sudo vi /etc/freeradius/users

Comment out the lines as shown in the video and add this configuration:

(NAS-IP-Address == Mikrotik IP)

DEFAULT         Group == "radius-disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

DEFAULT         Auth-Type := PAM
                MikroTik-Group := "write"

DEFAULT         Auth-Type := Pam, NAS-IP-Address ==
                Service-Type = Framed-User,
                Framed-Protocol = PPP,
                MikroTik-Group := "write"

ubuntu@/:~$ sudo vi /etc/freeradius/sites-enabled/default

Change the following lines:

# Pluggable Authentication Modules.
# pam

We now need to uncomment the pam line to enable it. It should look like this now:

# Pluggable Authentication Modules.
pam

Finally, the last FreeRADIUS config file that we need to change is the


This is where we can set up our secret key that is used by the clients to connect to the RADIUS server.

Now you need to configure the Google Authenticator PAM module for FreeRADIUS:

sudo vi /etc/pam.d/radiusd

Now you need to enable the RADIUS server in the CloudRouter/MikroTik firewall.

# Secret configured in the FreeRADIUS clients file, and the Ubuntu server IP address.

Now we are ready to create a VPN user and a Google Authenticator token/QR code.

The token secret or QR code is ready to be added in Google Authenticator.

Enter the user password + Google Authenticator code.

Enter the password + Google Authenticator code.
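
How a combined password + code field like the one above can be checked, as an added Python example (not code from the original post, FreeRADIUS or the PAM module): it computes the time-based code Google Authenticator displays (RFC 6238) and splits the last six digits off the typed field. The function names, the sample secret and password, and the plain password comparison are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps and 6 digits."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # app secrets omit padding
    counter = struct.pack(">Q", max(0, int(unix_time)) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def split_field(field, digits=6):
    """Split 'password' + 'code' typed into one field; None if malformed."""
    code = field[-digits:]
    if len(field) <= digits or not (code.isascii() and code.isdigit()):
        return None
    return field[:-digits], code

def check_login(field, expected_password, secret_b32, now, window=1):
    """Both factors must match; tolerate +/- `window` steps of clock skew."""
    parts = split_field(field)
    if parts is None:
        return False
    password, code = parts
    code_ok = any(
        hmac.compare_digest(code, totp(secret_b32, now + drift * 30))
        for drift in range(-window, window + 1)
    )
    # Plain comparison stands in for the system password check (assumption).
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    return code_ok and password_ok

# Constructed sample values: the RFC 6238 test secret and a made-up password.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
PASSWORD = "S3cret-vpn-pass"

if __name__ == "__main__":
    now = 59
    field = PASSWORD + totp(SECRET, now)
    print(check_login(field, PASSWORD, SECRET, now))        # fresh code
    print(check_login(field, PASSWORD, SECRET, now + 120))  # code has expired
```

The skew window is why the clocks on the phone and on the RADIUS server need to stay in sync: a code is only accepted for a short time around the step in which it was generated.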

The connection is successful; you can check the logs on the FreeRADIUS server.

Later, you can fully automate user creation with CI. We use Jenkins.