Free, Secure and Strong — 2FA for Mikrotik and VPN

Gints Kirsteins
May 3, 2019 · 8 min read

I live in a house where almost everything is automated. And I mean literally. Lights, doors, shades all are integrated into our famil’s Apple HomeKit. We are receiving messages when washing machine ends it’s cycle. Tumble dryer informs us that clothes are ready. That’s my hobby and my kids and wife have to live with it. I am using Domoticz as a central hub for all my devices and Homebridge to share them within my family.

If something is not working in my home setup, I start to get angry phone calls immediately. It’s like a part time IT support job for a small company. Fortunately, it happens less and less often now, but when it happens I have to connect to my home network.

To connect to my home’s Mikrotik router I am using IPsec over L2TP VPN and Notakey Authenticator app for a second factor from my smart phone. I decided to use second factor to be sure that nobody even with my credentials could connect to my home.

Notakey is a system for strong authentication and authorization, Notakey Authentication Appliance (NAA) is a Linux-based virtual machine, which contains the core Notakey API software, a RADIUS proxy for transparently integrating into existing RADIUS-based workflows, a SSO web service for SAML and OAuth and other standard authentication support and various plugins for integration with cloud and local services.

Notakey Latvia has prepared a licensing policy where 25 users license is for free. Should be enough for households and small enterprises.

I am going to briefly explain how to setup Notakey Appliance and configure Mikrotik router to get free 2FA.

My home setup looks like that:

My home setup

What do we need to proceed?

  1. Domain name under our control (DDNS should work as well)

You have to add service record like this:

_notakey2._tcp.example.com SRV 1 10 443 2fa.example.com

ntk cfg set :auth_domain example.com

Or you can configure appliance without service domain:

$ ntk cfg set :auth_domain https://2fa.example.com

$ ntk as restart

More information here:

Notakey Product Announcements

2. Server to run Notakey appliance

3. Radius server (for login into Mikrotik router(s) and VPN)

I am using user manager package that comes with RouterOS for free, so I do not need an extra server for that

4. Smartphone (iPhone or Android) with Notakey Authenticator installed

5. Port forwarding to VM. (443 and 80)

443 is needed to discover services. 80 for Let's encrypt to renew ssl certificate if HTTP method is used.

6. Public internet access from NTK appliance (to get updates and send notifications)

If you want to limit public access in your firewall, then ensure access to those hosts:

index.notakey.com

repo.notakey.com

messenger.notakey.com

How to setup?

1. Download VM here:

https://www.notakey.com/downloads/

I am using VirtualBox. VMware image has to be imported into VirtualBox. Network interface should be bridged. I have reduced RAM from the default 4096 to 2048 as there are just 5 users and just three services running. I am using Notakey Windows Credential provider to authenticate W10 workstations as well.

2. Run VM and log into appliance ssh ntkadmin@xxx.xxx.xxx.xxx

By default naa vm uses ntkadmin:ntkadmin

Congrats you are in:

[ntkadmin@ntknode/dc1]$

Update all packages:

[ntkadmin@ntknode/dc1]$ ntk sys update

3. Let’s setup the main parameters. Setup wizard should be used to guide you through the initial setup process. Just type in CLI:

[ntkadmin@ntknode/dc1]$ ntk wizard

Values you have to set prior authentication server launch are:

• host — your domain

• cluster.bootstrap_expect — number of expected nodes (in our case 1)

• cluster.is_root — first one is 1, others 0

• node.advertise_ip — machine ip

• ssl.acme.status (on/off) — on (we relay on Let's encrypt here)

• ssl.acme.email (Let’s encrypt will send warnings and error messages to this e-mail)

4. Now you have to start data store (cluster with one node)

[ntkadmin@ntknode/dc1]$ ntk cluster start

5. Web dashboard is ready to launch now

[ntkadmin@ntknode/dc1]$ ntk as start

7. Wait to allow webservice to load and the go to https://our.domain.com in your web browser. If port forwarding works correctly, SSL should be issued by then and valid.

Welcome screen

8. Now is the time to upload the license.

You can get the license here: https://www.notakey.com/license-request/. The license will be tied to your chosen domain name.

9. Set administrator username and password

10. Setup your Notakey Authenticator app to log in as administrator into the dashboard.

(Remember, if you are trying to do this from your local network, make sure url is working. Make static DNS entry or add two rules to the router's firewall. Try to access the page from yout phone’s web browser.)

11. Now you are in the dashboard. In the first page you see license status, last authentication and onboarding activities. Under the Applications tab go to Manage and choose Create an application

12. Name your application and choose security level — password or software. Password protected means that all private keys are backed by phone’s hardware. Password protected keys also are not accessible on a locked phone. Software level means that keys are stored inside the app’s controlled environment. You can use them with the phone security features off. I recommend to use the first method.

You can upload your custom pictures here to set the look and feel on your application. You will be able to do it later as well.

13. Now you can start to define users. Create each user manualy or you can use external user db.

For Radius choose to use external users source (Radius). Go to tab User sources-> Create new user source -> RADIUS_AUTH

If you do not have Radius server installed go to point 19. in this guide and follow Radius setup instruction. (You can use this server for VPN authentication and to log in into your mikrotik routers)

14. You have to set onboarding requirements — how to link your phone's public key to the new user created. You can combine those requirements. If you want to use sms method and not receiving message just write to the support, some countries might be not activated yet. If you are from India, then SMS feature does not work for you at all. In case you are using external user source, do not forget to enable remote authentication by editing Simple Credential settings and checking -> Authenticate against remote AUTH user sources.

15. Now you can start to onboard users. They have to add your service domain in the mobile (Notakey Authenticator) app. Go to settings tab and tap add domain. There is QR code in the NAA under the settings tab. You can scan that code from Notakey Authenticator app as well. To onboard users with QR code you should configure authentication domain with CLI:

[ntkadmin@ntknode/dc1]$ ntk cfg setc :auth_domain 2fa.notakey.com

otherwise fallback domain may be used incorrectly.

Success. (SSL certificate should be valid)

Go to the services tab and tap on Mikrotik 2FA service to start onboarding process. In my case I have a simple method set — with username and password. If you have 1 device restriction, then even with right username and password 2nd device onboarding is not allowed.

16. Let’s check app connectivity. From web dashboard go to Mikrotik 2FA -> Users-> name and click on Show, then in the user view you will be able to send test notification to the user’s device.

So far so good, let start to configure Mikrotik router.

17. Set up VPN, you can do this in the Quick Set tab in Winbox by clicking VPN checkbox or you can set up everything manually. I assume you know how to do it.

18. Or you can set up Radius server and use it for authentication. (pam_radius auth module will work as well, I tested with Ubuntu and it worked like charm)

a. Install User Management package https://wiki.mikrotik.com/wiki/User_Manager/Getting_started

b. Add user. The username should be the same as in the appliance. If during onboarding process you use external user source then username automatically will be the same. (In such a case Mikrotik User Management or other Radius server should be configured before onboarding process.)

c. Add Notakey appliance to the list of allowed routers and configure secret. If you have configured cluster, then add all instances with radius proxy running.

19. Now we are ready to configure Authentication Proxy to work with our Radius server. Log into appliance ssh ntkadmin@xxx.xxx.xxx.xxx Use global values with adding “:” before key. An useful feature if using cluster as all machines will use the same values from cluster value store and you have to configure them just once.

Values we have to set:

{

“vpn_port_in”: “1812”,

“vpn_port_out”: “1812”,

“vpn_radius_address”: “10.0.1.1”, (Mikrotik ip in our case)

“vpn_secret_in”: “super_secret”, (this should match with secret on mikrotik)

“vpn_secret_out”: “super_secret”, (this should match with radius server secret)

“vpn_access_id”: “3ce56493–344b-4b0c-b20c-e8ec9h306d1g “,

“vpn_message_ttl”: “30”,

“message_title”: ““My radius authentication””,

“message_description”: ““Allow {0} login?””

}

vpn_access_id You can find in the web dashboard, where you created the application.

Your application name-> Settings

[ntkadmin@ntknode/dc1]$ ntk cfg setc :notakey.proxy.vpn_port_in 1812 [ntkadmin@ntknode/dc1]$ ntk cfg setc :notakey.proxy.vpn_port_out 1812

[ntkadmin@ntknode/dc1]$ ntk cfg setc :notakey.proxy.vpn_radius_address 10.0.1.1

[ntkadmin@ntknode/dc1]$ ntk cfg setc :notakey.proxy.vpn_secret_in super_secret

[ntkadmin@ntknode/dc1]$ ntk cfg setc :notakey.proxy.vpn_secret_out super_secret

[ntkadmin@ntknode/dc1]$ ntk cfg setc :notakey.proxy.vpn_access_id 3ce56493–344b-4b0c-b20c-e8ec9h306d1g

[ntkadmin@ntknode/dc1]$ ntk cfg setc :notakey.proxy.vpn_message_ttl 30

[ntkadmin@ntknode/dc1]$ ntk cfg setc :notakey.proxy.message_title “My radius authentication”

[ntkadmin@ntknode/dc1]$ ntk cfg setc :notakey.proxy.message_description “Allow {0} login?”

Now start authentication proxy:

[ntkadmin@ntknode/dc1]$ ntk ap start

21. Time to configure Mikrotik router

Choose RADIUS tab and configure your NAA server IP as Radius server. Change default timeout to something bigger. If you want to use Radius server for log into Mikrotik check login box as well.

Go to PPP->Secrets and push PPP Authentication&Accounting button, check Radius

That’s all, 2FA is set.

Enjoy and be safe.

P.S. This video shows how it works when everything is configured properly:

Thanks to Ingemārs Ašmanis

Gints Kirsteins

Written by

Co-founder at www.notakey.com, entrepreneur

More From Medium

Related reads

Also tagged Authentication

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade