You could argue VPN uses 2FA by design, at least when you use TLS client certificates and XAUTH. The username and password for XAUTH is two things you only know (typically these would be specific only to this user) and the client certificate is something you only have (client certificates ought to be unique to each client).
If however, you mean a two step verification using an Out-Of-Band mechanism, then this may be possible when using an external RADIUS server in combination with e.g. Google Authenticator, or other token based mechanism. I'd be interested to know the specifics if someone has deployed such a system.