Mikrotik and VPN for specific web sites only

Day by day the Web censorship in my country gains its strength. The obvious solution is to use VPN, but it slows down the connection and harmlessness of public VPN services can't be guaranteed.

So I thought out the following solution:

The router will access most web sites in the conventional way, but will keep a constant VPN connection which will pretend to be one additional network interface. If I access one of the censored web sites, the router will pass the traffic through this virtual interface.

Is this possible with RouterOS? How to do that?

My router is RB2011UiAS-2HnD-IN, RouterOS v6.30.2.

Paul

Posted 2015-11-11T16:51:10.173

Reputation: 579

Actually, this question would be suited for the Network Engineering subsite. They will tell you that what you want cannot be achieved - a connection can either be tunneled or not. It cannot be both. Use a good VPN-Service, straight from your desktop OS, and just turn it on and off as necessary. – vic – 2015-11-11T17:20:30.057

@vic Maybe RouterOS cannot do it, but that does not mean it is impossible. Linux policy routing can get you most of the way there, for instance, though it works on IP/CIDR ranges. But then you have the question of whether you can trust the DNS records you received... – Michael Hampton – 2015-11-11T18:29:30.083

RouterOS can do it fine. Simple one-line iptables rule. – qasdfdsaq – 2015-11-12T14:22:49.583

Answers

8

Let's assume that you will be using a PPTP VPN just to demonstrate the commands you need to run.
Since PPTP's encryption has been broken for a long time now, I suggest you use something more secure (like OpenVPN). The principle is the same regardless of which VPN/tunnel technology you use.

So first you create the VPN without adding a default gateway route.

/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=VPN_SERVER_IP \
dial-on-demand=no disabled=no max-mru=1440 max-mtu=1440 mrru=dis \
name=VPN_NAME password="MY_STRONG_PASSWORD" profile=default-encryption user=USERNAME

Then you create a new routing table by adding a default gateway via the VPN with a new routing mark vpn. This will allow you to route packets via the VPN.

/ip route add dst-address=0.0.0.0/0 distance=1 gateway=VPN_GATEWAY_IP routing-mark=vpn

The next route is optional in case you want to block outgoing traffic if the VPN is down:

/ip route add dst-address=0.0.0.0/0 type=unreachable distance=2 routing-mark=vpn

We also need to do some NAT for the packets that will be leaving via the VPN interface.

/ip firewall nat add chain=srcnat out-interface=VPN_NAME action=masquerade

Now we add the mangle rule that will match the destination IPs we want and do a mark-routing on them so that they will use the vpn route table we created.

/ip firewall mangle add chain=prerouting dst-address-list=VPN action=mark-routing new-routing-mark=vpn

Finally we create an Address List on the firewall with the IPs that we want to route via the VPN.

/ip firewall address-list add list=VPN address=1.1.1.1
/ip firewall address-list add list=VPN address=2.2.2.2
/ip firewall address-list add list=VPN address=3.3.3.3
/ip firewall address-list add list=VPN address=4.4.4.4

You repeat the last rule as many times as you need for as many IPs as you want to route via the VPN.

Keep in mind that the rules above do not provide any security as to who behind your router will be able to access the VPN etc. You may need to add appropriate source IP checks to the rules to make them more secure.

Also this method will route whole IPs via the VPN. If you need to route specific ports/protocols via the VPN you simply create additional mangle rules that match whatever you need and do mark-routing on them.

Cha0s

Posted 2015-11-11T16:51:10.173

Reputation: 241

Thanks man, works perfectly! When adding nat I had to specify also chain=srcnat and when adding mangle I had to specify chain=prerouting – pagep – 2016-09-21T17:01:18.673

Thanks for pointing that out. I've updated my answer. :) – Cha0s – 2016-09-21T20:15:59.460

Wondering, can address list be replaced with layer 7 addresses so I will be able to say forward requests for specific domain name through vpn – mac – 2017-05-21T05:41:47.140

This was very handy, I needed to specify routing via a particular connection for a couple of remote IPs but had not worked with Mangle rules before. – fencepost – 2017-08-03T14:10:26.957

@mac In recent versions of RouterOS you can add domains in the address list and it will automatically resolve them to addresses in the same address-list. It follows the TTL of the DNS record so it will automatically keep itself up to date if an IP address changes. L7 matching is kinda PITA and very resource hungry :( – Cha0s – 2017-08-03T18:40:00.330

@Cha0s Thanks a lot! I've tried your guide (including the DNS lookup through the address list) and everything works perfectly. Now I'm wondering if there is a way to automatically block the out-going connections to the addresses if the VPN connection is disconnected (or temporarily unavailable). – Andreas – 2019-01-03T23:17:35.697

@Andreas I've updated my answer to accommodate for this scenario :) You simply add a second route of type "unreachable" with "distance" 2. This way, when the VPN is down, then the unreachable route becomes active and drops the outgoing traffic there instead of falling back to the main routing table. – Cha0s – 2019-01-04T01:38:25.817
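As an added example (not part of Cha0s's answer or the comments), the rules above combined into one RouterOS v6 script that also adds the source-subnet check the answer says it lacks, the fail-closed unreachable route from the comments, and a domain-based address-list entry. It assumes placeholder values not on the page: a LAN of 192.168.88.0/24 behind an interface named bridge-lan, a tunnel interface VPN_NAME with far end VPN_GATEWAY_IP, and a RouterOS build recent enough to accept domain names in address lists.

```routeros
# Added example, not from the original answer. Placeholders: bridge-lan,
# 192.168.88.0/24, VPN_NAME, VPN_GATEWAY_IP, 203.0.113.10, example.com.

# 1. Destinations to send through the tunnel. The domain entry is resolved
#    by the router's own DNS settings and refreshed on the record's TTL, so
#    the resolver the router trusts decides what ends up in this list.
/ip firewall address-list
add list=VPN address=203.0.113.10 comment="constructed example IP"
add list=VPN address=example.com comment="resolved by the router, TTL-refreshed"

# 2. Only packets from the LAN subnet arriving on the LAN interface get the
#    routing mark. passthrough=no stops later mangle rules from re-marking.
/ip firewall mangle
add chain=prerouting in-interface=bridge-lan src-address=192.168.88.0/24 \
    dst-address-list=VPN action=mark-routing new-routing-mark=vpn passthrough=no

# 3. Routing table "vpn": default via the tunnel (distance 1) plus an
#    unreachable fallback (distance 2). When the tunnel is down the fallback
#    becomes active and marked traffic is dropped instead of leaking out
#    through the main table.
/ip route
add dst-address=0.0.0.0/0 gateway=VPN_GATEWAY_IP distance=1 routing-mark=vpn
add dst-address=0.0.0.0/0 type=unreachable distance=2 routing-mark=vpn

# 4. Source NAT so packets leaving via the tunnel carry the tunnel address.
/ip firewall nat
add chain=srcnat out-interface=VPN_NAME action=masquerade

# 5. Checks: which route the "vpn" table is currently using (the unreachable
#    one means the tunnel is down), what the domain entry resolved to, and
#    whether the mangle rule is actually matching traffic.
/ip route print where routing-mark=vpn
/ip firewall address-list print where list=VPN
/ip firewall mangle print stats where new-routing-mark=vpn
```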

-2

The below is a generic Linux answer. I do not know if RouterOS has suitable functionality in its UI and, if not, whether you can bypass the UI and interact with the routing/firewall/NAT features in the kernel directly.

The first thing to do is to set up your VPN software and bring up the VPN interface. You should tell your VPN software NOT to make the VPN the default gateway. How exactly this is done will depend on what VPN software you are using.

You can then add specific routes to the routing table to direct traffic to certain IP addresses down the VPN.

You also need to make sure NAT is configured correctly so that the source address of packets leaving your router matches the interface they go out from. This can be done either by using the "MASQUERADE" target or by setting up separate "SNAT" rules for each interface.

Depending on the exact nature of the blocking you may find it necessary to send some or all of your DNS traffic down the VPN. Sending all your DNS traffic down the VPN should be easy enough (just point your DNS server settings at an IP that is routed down the VPN). If (for performance or privacy reasons) you want only some of your DNS queries to go down the VPN you would need some sort of DNS proxy to split up the requests.

A further complication is if the sites you are accessing don't have stable IPs. In this case you would need a DNS proxy that could monitor replies and add routes dynamically.

plugwash

Posted 2015-11-11T16:51:10.173

Reputation: 4 587

RouterOS does not expose any way to allow you to do anything directly to the kernel or iptables. The only way to manage MikroTik RouterOS is via a proprietary CLI (Telnet/SSH), Winbox (desktop GUI), or API. – Cha0s – 2015-11-12T12:47:41.767