Free, Secure and Strong — 2FA for Mikrotik and VPN
I live in a house where almost everything is automated. And I mean literally. Lights, doors, shades all are integrated into our famil’s Apple HomeKit. We are receiving messages when washing machine ends it’s cycle. Tumble dryer informs us that clothes are ready. That’s my hobby and my kids and wife have to live with it. I am using Domoticz as a central hub for all my devices and Homebridge to share them within my family.
If something is not working in my home setup, I start to get angry phone calls immediately. It’s like a part time IT support job for a small company. Fortunately, it happens less and less often now, but when it happens I have to connect to my home network.
To connect to my home’s Mikrotik router I am using IPsec over L2TP VPN and Notakey Authenticator app for a second factor from my smart phone. I decided to use second factor to be sure that nobody even with my credentials could connect to my home.
Notakey is a system for strong authentication and authorization, Notakey Authentication Appliance (NAA) is a Linux-based virtual machine, which contains the core Notakey API software, a RADIUS proxy for transparently integrating into existing RADIUS-based workflows, a SSO web service for SAML and OAuth and other standard authentication support and various plugins for integration with cloud and local services. You can even protect systems you don’t have access to by moving them behind a reverse proxy. Here is more: https://github.com/notakey-examples/blackbox-webapp-2fa-howto
Notakey Latvia has prepared a licensing policy where 10 users license is for free. Should be enough for households and small enterprises.
I am going to briefly explain how to setup Notakey Appliance and configure Mikrotik router to get free 2FA.
My home setup looks like that:
What do we need to proceed?
- Domain name under our control (DDNS should work as well)
You have to add service record like this:
_notakey2._tcp.2fa.example.com SRV 1 10 443 2fa.example.com
ntk cfg set :auth_domain example.com
Or you can configure appliance without service domain:
$ ntk cfg set :auth_domain https://2fa.example.com
$ ntk as restart
More information here:
2. Server to run Notakey appliance
3. Radius server (for login into Mikrotik router(s) and VPN)
Not anymore. [I am using user manager package that comes with RouterOS for free, so I do not need an extra server for that. ]
Now Radius server plugin is available and there is no need to configure user manager or any other external radius server. Just follow steps in this guide: Radius service plugin.
4. Smartphone (iPhone or Android) with Notakey Authenticator installed
5. Port forwarding to VM. (443 and 80)
443 is needed to discover services. 80 for Let's encrypt to renew ssl certificate if HTTP method is used.
6. Public internet access from NTK appliance (to get updates and send notifications)
If you want to limit public access in your firewall, then ensure access to those hosts:
index.notakey.com
repo.notakey.com
messenger.notakey.com
How to setup?
1. Build your VM:
.. by following instructions here: https://documentation.notakey.com/naa/#appliance-installation
I have added two videos to guide you through the process. If you choose to follow the video instructions, continue from point 11.
2. Run VM and log into appliance ssh ntkadmin@xxx.xxx.xxx.xxx
Congrats you are in:
[ntkadmin@ntknode/dc1]$
Update all packages:
[ntkadmin@ntknode/dc1]$ ntk sys update
3. Let’s setup the main parameters. Setup wizard should be used to guide you through the initial setup process. Just type in CLI:
[ntkadmin@ntknode/dc1]$ ntk wizard
Values you have to set prior authentication server launch are:
• host — your domain
• cluster.bootstrap_expect — number of expected nodes (in our case 1)
• cluster.is_root — first one is 1, others 0
• node.advertise_ip — machine ip
• ssl.acme.status (on/off) — on (we relay on Let's encrypt here)
• ssl.acme.email (Let’s encrypt will send warnings and error messages to this e-mail)
If you choose to use your own certificate, check it here: https://www.ssllabs.com/ssltest
Certificate should be trusted and with no chain issues, otherwise app will not connect to the NAA and will not sign requests.
4. Now you have to start data store (cluster with one node)
[ntkadmin@ntknode/dc1]$ ntk cluster start
5. Web dashboard is ready to launch now
[ntkadmin@ntknode/dc1]$ ntk as start
7. Wait to allow webservice to load and the go to https://our.domain.com in your web browser. If port forwarding works correctly, SSL should be issued by then and valid.
8. Now is time to get the license.
You can generate up to 25 users license for free directly from the web interface. If you need more than 25 — write a message to support. If you have a problem with acquiring the license — check time on your VM.
9. Set administrator username and password
10. Setup your Notakey Authenticator app to log in as administrator into the dashboard.
(Remember, if you are trying to do this from your local network, make sure url is working. Make static DNS entry or add two rules to the router's firewall. Try to access the page from yout phone’s web browser.)
11. Now you are in the dashboard. In the first page you see license status, last authentication and onboarding activities. Under the Applications tab go to Manage and choose Create an application
12. Name your application and choose security level — password or software. Password protected means that all private keys are backed by phone’s hardware. Password protected keys also are not accessible on a locked phone. Software level means that keys are stored inside the app’s controlled environment. You can use them with the phone security features off. I recommend to use the first method.
You can upload your custom pictures here to set the look and feel on your application. You will be able to do it later as well.
13. Now you can start to define users. Create each user manualy or you can use external user db.
For Radius choose to use external users source (Radius). Go to tab User sources-> Create new user source -> RADIUS_AUTH
If you do not have Radius server installed go to point 19. in this guide and follow Radius setup instruction. (You can use this server for VPN authentication and to log in into your mikrotik routers)
14. You have to set onboarding requirements — how to link your phone's public key to the new user created. You can combine those requirements. If you want to use sms method and not receiving message just write to the support, some countries might be not activated yet. If you are from India, then SMS feature does not work for you at all. In case you are using external user source, do not forget to enable remote authentication by editing Simple Credential settings and checking -> Authenticate against remote AUTH user sources.
15. Now you can start to onboard users. They have to add your service domain in the mobile (Notakey Authenticator) app. Go to settings tab and tap add domain. There is QR code in the NAA under the settings tab. You can scan that code from Notakey Authenticator app as well. To onboard users with QR code you should configure authentication domain with CLI:
[ntkadmin@ntknode/dc1]$ ntk cfg setc :auth_domain 2fa.notakey.com
otherwise fallback domain may be used incorrectly.
Success. (SSL certificate should be valid)
Go to the services tab and tap on Mikrotik 2FA service to start onboarding process. In my case I have a simple method set — with username and password. If you have 1 device restriction, then even with right username and password 2nd device onboarding is not allowed.
16. Let’s check app connectivity. From web dashboard go to Mikrotik 2FA -> Users-> name and click on Show, then in the user view you will be able to send test notification to the user’s device.
So far so good, let start to configure Mikrotik router.
17. Set up VPN, you can do this in the Quick Set tab in Winbox by clicking VPN checkbox or you can set up everything manually. I assume you know how to do it.
18. Now you can set up Radius server and use it for authentication. (pam_radius auth module will work as well, I tested with Ubuntu and it worked like charm) Jump to point 19 if you are using Radius plugin as suggested previousy.
a. Install User Management package https://wiki.mikrotik.com/wiki/User_Manager/Getting_started
b. Add user. The username should be the same as in the appliance. If during onboarding process you use external user source then username automatically will be the same. (In such a case Mikrotik User Management or other Radius server should be configured before onboarding process.)
c. Add Notakey appliance to the list of allowed routers and configure secret. If you have configured cluster, then add all instances with radius proxy running.
19. Now we are ready to configure Authentication Proxy to work with our Radius server. Log into appliance ssh ntkadmin@xxx.xxx.xxx.xxx Use global values with adding “:” before key. An useful feature if using cluster as all machines will use the same values from cluster value store and you have to configure them just once.
Values we have to set:
{
“vpn_port_in”: “1812”,
“vpn_port_out”: “1812”,
“vpn_radius_address”: “10.0.1.1”, (Mikrotik ip in case you are using user_manager. In case of Radius plugin use containers name “radius” instead of ip address.)
“vpn_secret_in”: “super_secret”, (this should match with radius server secret and mikrotik secret)
“vpn_secret_out”: “Notakey”, (this should match with radius server secret)
“vpn_access_id”: “3ce56493–344b-4b0c-b20c-e8ec9h306d1g “,
“vpn_message_ttl”: “30”,
“message_title”: ““My radius authentication””,
“message_description”: ““Allow {0} login?””
}
vpn_access_id You can find in the web dashboard, where you created the application.
Your application name-> Settings
[ntkadmin@ntknode/dc1]$ ntk cfg setc ap.vpn_port_in 1812 [ntkadmin@ntknode/dc1]$ ntk cfg setc ap.vpn_port_out 1812
[ntkadmin@ntknode/dc1]$ ntk cfg setc :ap.vpn_radius_address radius
[ntkadmin@ntknode/dc1]$ ntk cfg setc :ap.vpn_secret_in Notakey
[ntkadmin@ntknode/dc1]$ ntk cfg setc :ap.vpn_secret_out Notakey
[ntkadmin@ntknode/dc1]$ ntk cfg setc :ap.vpn_access_id 3ce56493–344b-4b0c-b20c-e8ec9h306d1g
[ntkadmin@ntknode/dc1]$ ntk cfg setc :ap.vpn_message_ttl 30
[ntkadmin@ntknode/dc1]$ ntk cfg setc :ap.message_title “My radius authentication”
[ntkadmin@ntknode/dc1]$ ntk cfg setc :ap.message_description “Allow {0} login?”
More configuration keys: https://documentation.notakey.com/naa/#authentication-proxy
Now start authentication proxy:
[ntkadmin@ntknode/dc1]$ ntk ap start
21. Time to configure Mikrotik router
Choose RADIUS tab and configure your NAA server IP as Radius server. Change default timeout to something bigger. If you want to use Radius server for log into Mikrotik check login box as well.
Go to PPP->Secrets and push PPP Authentication&Accounting button, check Radius
That’s all, 2FA is set.
Enjoy and be safe.
P.S. This video shows how it works when everything is configured properly: