NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

erkexzcx · Fri Nov 20, 2020 2:51 am

Overview

I've wasted hours making RouterOS to work perfectly with NordVPN and I wrote this guide, so you don't have to waste your time.
You must have RouterOS 6. It must be minimum version of 6.45. Some steps in ROS7 will be different.
Nearly identical setup is possible with Surfshark. See here.
To get around geo restrictions (e.g. for bbc player, Netflix content) as well as DNS leaking, you must use NordVPN DNS servers. Disclaimer: I did not test if it works.
Below steps uses the "considered to be perfectly safe" ciphers & their levels, but NordVPN does support higher levels of encryption. Check what hardware acceleration is supported by your Mikrotik router and you might want to use such encryption instead for below steps. P.S. "SHA384 hash algorithm support for phase 1" is supported since 6.48 (might be CLI only).
Instead of reducing MSS size using below given commands, one can also do this using IPSEC functionality. See here for instructions.

Preparation
1. Get recommended NordVPN server from here. In below steps I used "lv55.nordvpn.com".
2. Get your Service Credentials from here and use them for this setup.
3. Import NordVPN CA to your router:

/tool fetch url="https://downloads.nordcdn.com/certificates/root.der"
/certificate import file-name=root.der name="NordVPN CA" passphrase=""

Use-case #1: Specific traffic (by source) routed through VPN server

Example: You want only 2 LAN devices (192.168.88.10 and 192.168.88.11) to reach internet through VPN server, but the rest of LAN devices to reach internet normally (without VPN server).

# Mark traffic that you want to route through VPN server
/ip firewall address-list add address=192.168.88.10 list=under_nordvpn
/ip firewall address-list add address=192.168.88.11 list=under_nordvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_nordvpn new-connection-mark=under_nordvpn passthrough=yes

# IPsec/IKEv2 configuration
/ip ipsec mode-config add connection-mark=under_nordvpn name="NordVPN mode config" responder=no
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name="NordVPN profile"
/ip ipsec peer add address=lv55.nordvpn.com exchange-mode=ike2 name="NordVPN server" profile="NordVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="NordVPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="NordVPN mode config" password=XXXXXXXXXX peer="NordVPN server" policy-template-group=NordVPN username=XXXXXXXXXX
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" src-address=0.0.0.0/0 template=yes

# In "/ip ipsec policy" you should be able to see a new dynamic rule added next to your NordVPN policy. It MUST exist, otherwise configuration is not working.

# (OPTIONAL) Implement a killswitch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes

# Exclude such VPN traffic from fasttrack
/ip firewall filter add action=accept chain=forward connection-mark=under_nordvpn place-before=[find where action=fasttrack-connection]

# Reduce MSS (should be about 1200 to 1400, but 1360 worked for me)
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_nordvpn tcp-flags=syn tcp-mss=!0-1360

Use-case #2: Specific traffic (by destination) routed through VPN server

Example: You want to reach website wtfismyip.com via VPN server, but the rest of the traffic should go as it is (without VPN).

Note: You can't effectively route all the traffic of Youtube, Netflix or any other big websites through VPN. They have many different domains and IP addresses which constantly change. Instead, route all the traffic of your device through VPN.

Note 2: You might be able to route all traffic of the company, but you might end up routing 30-40% of the websites under NordVPN if company uses popular hosting, e.g. Amazon AWS or Linode. For example, Mikrotik.com resolves to "159.148.147.196". Quick google revealed the Mikrotik has it's own ASN which contains 512 ips, or in other words, If you wish to access Mikrotik services/websites under NordVPN, you should add 159.148.147.0/24 and 159.148.172.0/24 to your address list using this (2nd) method.

# Mark traffic that you want to route through VPN server
/ip firewall address-list add address=wtfismyip.com list=under_nordvpn
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=under_nordvpn new-connection-mark=under_nordvpn passthrough=yes

# IPsec/IKEv2 configuration
/ip ipsec mode-config add connection-mark=under_nordvpn name="NordVPN mode config" responder=no
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name="NordVPN profile"
/ip ipsec peer add address=lv55.nordvpn.com exchange-mode=ike2 name="NordVPN server" profile="NordVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="NordVPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="NordVPN mode config" password=XXXXXXXXXX peer="NordVPN server" policy-template-group=NordVPN username=XXXXXXXXXX
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" src-address=0.0.0.0/0 template=yes

# In "/ip ipsec policy" you should be able to see a new dynamic rule added next to your NordVPN policy. It MUST exist, otherwise configuration is not working.

# (OPTIONAL) Implement a killswitch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting dst-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes

# Exclude such VPN traffic from fasttrack
/ip firewall filter add action=accept chain=forward connection-mark=under_nordvpn place-before=[find where action=fasttrack-connection]

# Reduce MSS (should be about 1200 to 1400, but 1360 worked for me)
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_nordvpn tcp-flags=syn tcp-mss=!0-1360

Sob · Fri Nov 20, 2020 6:44 am

That killswitch is not great (*). Quite dangerous in fact. It will kill bidirectional communication to internet (under normal circumstances = when nobody is trying to get you), but it doesn't prevent leaking packets.

For example, if client uses VPN to ask some super secret DNS queries, they will go out to ISP when VPN is down. This killswitch doesn't prevent that. It doesn't matter how far will they get, there won't be any response coming back. But the point is, someone will have chance to see them. I chose DNS, because query is just one UDP packet and it can contain sensitive data.

And the lack of responses, well, it's not exactly true. There could be someone in ISP's network (Men in Black, ...) waiting for exactly this mistake. They can send fake responses to you. In fact, they can give you full internet access. They'll know that your LAN subnet is behind your router, so they will know where to route responses. And doing outgoing srcnat for you, so that the internet will work, is no problem either. And you won't know that you're not doing your super secret stuff through VPN (unless there's some IP-based blocking on target servers, or something else you'd notice).

Bad enough? It's even worse, they don't have to wait, they can sabotage (block) your connection to VPN server any time they want and get your secret traffic this way.

I'd use something else, for example (only briefly tested, improvements are welcome):

/interface bridge
add name=vpn-blackhole protocol-mode=none
/ip route
add gateway=vpn-blackhole routing-mark=to_vpn
/ip firewall mangle
add chain=prerouting src-address-list=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes

Empty bridge is used as default gateway with alternative routing table "to_vpn". Everything from address list "under_vpn" (from your mode config) gets routing mark "to_vpn", so it will use this routing table. When VPN is down, packets will try to go to empty bridge and won't get anywhere. With VPN up, it will work, because of how IPSec works, it steals packets just before they are sent out, encrypts them and creates different packets. And those are output packets from router and there's new routing decision for them.

--
(*) Original version excluded outgoing traffic from NAT using accept rule in srcnat chain. Running tunnel adds dynamic srcnat rule at the top, so it has priority. With tunnel down, the traffic would go out with original source address (private address from LAN subnet), so communication with internet would not work, because servers can't send responses to private addresses, and ISP should drop such traffic anyway.

erkexzcx · Fri Nov 20, 2020 9:42 am

That killswitch is not great. Quite dangerous in fact.

Thank you for your feedback. I completely agree with you, and after testing your provided commands seems that it's working perfectly. +1 for brief explanation.

I've updated commands in initial post. If someone has any better suggestions - let me know and I will update accordingly.

msatter · Fri Nov 20, 2020 2:47 pm

Should I see traffic when I torch the bridge acting as blackhole for the VPN when it is going up or down?

The only traffic I saw was ARP. When I re-enable my own killswitch lines (dst 100.69.69.69) then those lines in NAT do catch traffic.

Looking in /IP routing the PPPoE-out has a distance of zero and the blackhole an distance of one. I can't set the blackhole to zero.

erkexzcx · Fri Nov 20, 2020 4:45 pm

Should I see traffic when I torch the bridge acting as blackhole for the VPN when it is going up or down? The only traffic I saw was ARP. When I re-enable my own killswitch lines (dst 100.69.69.69) then those lines in NAT do catch traffic.

I see the same...

Looking in /IP routing the PPPoE-out has a distance of zero and the blackhole an distance of one. I can't set the blackhole to zero.

it does not matter since you specify which routing mark to use. You can even set distance to 10 and it would still work.

EDIT: I wrote some crap in this commented. Deleted it. :)

Sob · Fri Nov 20, 2020 5:59 pm

The bridge is like any other non-point-to-point interface. If you use it as gateway, router needs to get MAC addresses for target IP addresses, to be able to send data to them, so it sends ARP requests. And in this case can't get any response.

ztx · Thu Dec 24, 2020 6:56 am

With use case #2, how to killswitch websites like youtube.com that with multiple IP address?

erkexzcx · Thu Dec 24, 2020 12:55 pm

With use case #2, how to killswitch websites like youtube.com that with multiple IP address?

You can't, because:

Note: You can't effectively route all the traffic of Youtube, Netflix or any other big websites through VPN. They have many different domains and IP addresses which constantly change. Instead, route all the traffic of your device through VPN.

I've updated those steps and given above quoted note. You need to route all the traffic of your device through VPN in order to achieve this. See 2nd method again for updated steps.

ztx · Thu Dec 24, 2020 1:24 pm

With use case #2, how to killswitch websites like youtube.com that with multiple IP address?
You can't, because:
Note: You can't effectively route all the traffic of Youtube, Netflix or any other big websites through VPN. They have many different domains and IP addresses which constantly change. Instead, route all the traffic of your device through VPN.
I've updated those steps and given above quoted note. You need to route all the traffic of your device through VPN in order to achieve this. See 2nd method again for updated steps.

Thanks!

starleaf · Thu Dec 24, 2020 9:03 pm

Hi, have a bit of a problem to get it working with multiple VLANs. So, I tried some tweaks but I'm a bit confused, so I like some inputs. For if I understand the packet flow it should not work but it does. Or I think it does, for I get the result I want. But as you see below here, I have put in some extra thing. For in the original one you will not be able to reach other VLANs.

/ip firewall mangle
add action=mark-connection chain=postrouting new-connection-mark=under_vpn out-interface-list=!ALL_LAN passthrough=yes src-address-list=HOST-NeedVPN
add action=change-mss chain=forward connection-mark=under_vpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=mark-routing chain=prerouting connection-mark=under_vpn new-routing-mark=to_vpn passthrough=yes src-address-list=HOST-NeedVPN

But the thing that make me confuse is that I can mark in postrouting and use it in prerouting, does it only work for its Ikev2/IPsec? Or maybe it does not work but I think it dose for I get the result I except when the tunnel is down. 😊 (I'm pretty new to Mikrotik, but I rely don’t like it when it just works but I don’t know how)

Sob · Thu Dec 24, 2020 11:56 pm

It's the killswitch, it affects all packets from hosts listed in "under_vpn" list, including those to other local subnets.

Your modification kind of breaks the killswitch, because it now works only for packets with connection-mark=under_vpn, but you set that when first packet goes out, so only subsequent ones will be affected, i.e. the first one will leak out when VPN is down.

That also answers your question, how mark set in postrouting can work in prerouting. It can, but not for same packet. Connection marks are like that, router automatically identifies packets that belong to same connection and assigns connection mark to them (that differs from packet and routing marks).

What you want is for killswich to always work, but exclude local subnets. One way is to add dst-address-list=!<list of all local subnets> to it. Another is using routing rules:

/ip route rule
add action=lookup-only-in-table dst-address=<local subnet 1> table=main
add action=lookup-only-in-table dst-address=<local subnet 2> table=main
...

I prefer the latter, because it can also help with other things. For example, if you'd be doing hairpin NAT to your internal server, then this one would work, while the former wouldn't (without additional changes).

starleaf · Fri Dec 25, 2020 10:41 am

It's the killswitch, it affects all packets from hosts listed in "under_vpn" list, including those to other local subnets.

Your modification kind of breaks the killswitch, because it now works only for packets with connection-mark=under_vpn, but you set that when first packet goes out, so only subsequent ones will be affected, i.e. the first one will leak out when VPN is down.

That also answers your question, how mark set in postrouting can work in prerouting. It can, but not for same packet. Connection marks are like that, router automatically identifies packets that belong to same connection and assigns connection mark to them (that differs from packet and routing marks).

What you want is for killswich to always work, but exclude local subnets. One way is to add dst-address-list=!<list of all local subnets> to it. Another is using routing rules:
Code: Select all
/ip route rule
add action=lookup-only-in-table dst-address=<local subnet 1> table=main
add action=lookup-only-in-table dst-address=<local subnet 2> table=main
...
I prefer the latter, because it can also help with other things. For example, if you'd be doing hairpin NAT to your internal server, then this one would work, while the former wouldn't (without additional changes).

Tanks lot for the clarifying and solution.
It worked grate, I used the router rules with summarization.

msatter · Sat Dec 26, 2020 11:40 am

I see in the use cases the following line which is obsolete if you do that directly in IPSEC Policy.

It is this line in mangle:

# Reduce MSS (should be about 1200 to 1400, but 1360 worked for me)
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp src-address-list=under_vpn tcp-flags=syn tcp-mss=!0-1360

My posting about this and Sindy was the one who solved it: viewtopic.php?f=2&t=154449&p=763404&hil ... 88#p763404

/ip ipsec policy
move *ffffff destination=0
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0 place-before=1

The first line is I think not needed anymore because it will be always at the top in policy. I have used here an internal network: 192.168.88.0/24 and you have to adapt it to the internal network you are using to connect to the router providing IKEv2.

Also NordVPN and other allow to use SHA384 in profiles which gives a higher level of encrypting in phase 1 of the connection.

erkexzcx · Sat Dec 26, 2020 6:13 pm

@msatter - thanks for your input.

I don't actually see it as a improvement to my given guide. I mean it does work, but using simple a mangle rule is a more dynamic way of dealing with VPN traffic.

e.g. in address-list I gave domain which is being resolved by Mikrotik router. If it's updated, then it's also being routed through VPN. This wouldn't be the case with ipsec policies. I would need to update it manually then.

Am I missing something here?

Also NordVPN and other allow to use SHA384 in profiles which gives a higher level of encrypting in phase 1 of the connection.

I've heard about it, but it's not "officially" supported as per here. I believe SHA256 is enough as of now, but it's up to the user to increase it.

msatter · Sat Dec 26, 2020 7:55 pm

It is for sync that is needed and RouterOS does not know where to sent those returning packets to. Those packets are now sent to where they are expected and being processed to lower the MTU till no, please lower the MTU are send anymore.

IKEv2/IPsec significantly increases the security and privacy of users by employing strong cryptographic algorithms and keys. NordVPN uses NGE (Next Generation Encryption) in IKEv2/IPsec. The ciphers used to generate Phase1 keys are AES-256-GCM for encryption, coupled with SHA2-384 to ensure integrity, and combined with PFS (Perfect Forward Secrecy) using 3072-bit Diffie-Hellman keys. IPsec then secures the tunnel between the client and server, using the strong AES-256. The protocol provides the user with peace-of-mind security, stability, and speed. That’s why it is highly recommended by NordVPN and is used by default in the NordVPN apps for iOS and macOS.

Source: https://support.nordvpn.com/FAQ/1047408 ... choose.htm

RouterOS does not support AES-256-GCM so that is not possible.
Update: the router I have can do also CGM but most others do not and no mentioning of SHA384.

Releasenotes latest stable 6.48: *) ipsec - added SHA384 hash algorithm support for phase 1

Update2: NordVPN also supports DH19 - ecp256

/ip ipsec profile add name="NordVPN" hash-algorithm=sha384 enc-algorithm=aes-256 dh-group=ecp256,modp3072

erkexzcx · Sun Dec 27, 2020 5:15 pm

Thanks for all the input! I've updated instructions accordingly.

mclarencar · Mon Jan 04, 2021 1:41 am

I'm glad I find this guide. Just wanna say thanks!

yo3gjc · Thu Jan 07, 2021 7:51 pm

Works like a charm with Windows but still have issues with Android devices with TCP MSS 1360. Any way to guess the sweet size?
Tnx and HNY!

UPDATE
upgraded to v 6.48 (rel Dec, 22, 2020)and retested with Android. Now is working, before upload on Android was almost zero

DOMIN · Wed Jan 13, 2021 8:43 pm

Please tell me how to correctly forward the port for example for torrent in this configuration?

erkexzcx · Sat Jan 16, 2021 12:47 am

Please tell me how to correctly forward the port for example for torrent in this configuration?

1. How is it related to this thread?
2. Why would you need port forward for...torrents?

DOMIN · Sat Jan 16, 2021 11:43 am

1. How is it related to this thread?
2. Why would you need port forward for...torrents?

1. IPSEC/IKEv2, NORDvpn no support port forwarding, but other service give this option.
2. for torrent or for sharing something.
I apologize, if offtopic, but this topic seems close and I didn't want to create a separate topic for such a small question

msatter · Sat Jan 16, 2021 12:30 pm

You mark connections in Mangle with the connection mark op the VPN connection.You have so full control of which traffic is going throuh the VPN based on type, port, dest/src address or domain through a addres-list.

ztx · Wed Jan 27, 2021 7:37 am

/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=under_vpn new-connection-mark=under_vpn passthrough=yes

Since connection is marked, what about use mark routing in the killswitch base of the connection-mark

/ip firewall mangle add chain=prerouting connection-mark=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes

msatter · Wed Jan 27, 2021 1:55 pm

Because routing is not used it is indeed free to be used as the trigger for the killswitch. I am using several VPN providers and connections so mark IKEv2 traffic with a single routing mark and the distrubution is done be connection marking.

This gives a lot of flexability in the end.

sparx · Wed Jan 27, 2021 11:45 pm

Hi, i have the hex S router and i followed the instructions in the first post to the letter, only changing the nordvpn server and password, and not implementing the kill switch.
all the configuration was done after the router was reset to factory defaults, FW 6.48.
when i try to use a pc through the vpn connection its everything is fine,
but when trying to access through android devices its like only very few sites actually work.
youtube.com is accessible but videos dont play through the browser, amazon.com is not opening at all, cant connect to ring cameras, etc.
ive tried lowering the mss value to 1200, but it had not effect.
will really appreciate a point in the right direction on this.
thank you !

ztx · Thu Jan 28, 2021 4:21 am

/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=!no_vpn dst-address-type=!local new-connection-mark=under_vpn passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes

The above config doesn't work, there are tx and rs packages on vpn_blackhole. add dst-address-list=!no_vpn, it worked. where is the problem?

ztx · Mon Feb 01, 2021 2:36 am

Hi, i have the hex S router and i followed the instructions in the first post to the letter, only changing the nordvpn server and password, and not implementing the kill switch.
all the configuration was done after the router was reset to factory defaults, FW 6.48.
when i try to use a pc through the vpn connection its everything is fine,
but when trying to access through android devices its like only very few sites actually work.
youtube.com is accessible but videos dont play through the browser, amazon.com is not opening at all, cant connect to ring cameras, etc.
ive tried lowering the mss value to 1200, but it had not effect.
will really appreciate a point in the right direction on this.
thank you !

I'm using android phone, VPN setup on router, without chang mss, some app like twitter, gmail and google account in setting can't work, but they can access in web browser, set mss to 1360 all worked.
For youtube, See post #8 by erkexzcx.

With use case #2, how to killswitch websites like youtube.com that with multiple IP address?
You can't, because:
Note: You can't effectively route all the traffic of Youtube, Netflix or any other big websites through VPN. They have many different domains and IP addresses which constantly change. Instead, route all the traffic of your device through VPN.
I've updated those steps and given above quoted note. You need to route all the traffic of your device through VPN in order to achieve this. See 2nd method again for updated steps.

I modified the mark connection, youtube worked.

/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=!no_vpn dst-address-type=!local new-connection-mark=under_vpn passthrough=yes

MatthewWillis · Fri Feb 26, 2021 2:49 am

Thanks to the author for this comprehensive guide! The solutions described in the post do an excellent job. I recently purchased a router from Mikrotik and I like to use it, but since I like to use Nord VPN in my work, I also had to face some problems. Fortunately, Use-case # 2 from the guide helped to solve the problem. Thanks again!

AWDGuy · Sun Mar 21, 2021 5:41 pm

Great thread. Thank you.

I am trying to do the opposite of Use-case #2... with SurfShark which appears to have a similar ip sec setup
Use-case #4: Specific traffic (by destination address and/or destination port preferably) routed AROUND (bypass)VPN server
Intent is for all traffic to go through the tunnel except my work SSL VPN connections to go straight to ISP. Will likely add other bypass destination ports/protocols. For now just trying to make it work for all HTTP/HTTPS for easy testing.
Tried what I read for some of the Netflix bypasses, but can't make it work. Everything still goes through the vpn tunnel, but they appear to be suggesting routing-marks, not connection-marks...
Currently setup like Use-Case #1 plus marked route to ISP and mangle for any dest port 80,443...

/ip route add distance=1 gateway=96.38.160.1 routing-mark=BypassVPN 
/ip firewall mangle add action=mark-routing chain=prerouting dst-port=80,443 new-routing-mark=BypassVPN passthrough=no protocol=tcp src-address=10.236.1.0/24

erkexzcx · Sun Mar 21, 2021 6:09 pm

Does something like this do the trick?

/ip firewall mangle add action=mark-connection chain=prerouting dst-port=!80,443 new-connection-mark=under_nordvpn passthrough=yes protocol=tcp

AWDGuy · Sun Mar 21, 2021 10:22 pm

Does something like this do the trick?

/ip firewall mangle add action=mark-connection chain=prerouting dst-port=!80,443 new-connection-mark=under_nordvpn passthrough=yes protocol=tcp

Thank you. Yes, I think, as you wrote it, that would work for global ports like that, or one specific destination, but what about multiple exceptions?
SSL VPN to work IP
80,443 to any site I want location services to work (Banking, Home Depot, Yelp)
FTPS to my web host
Not sure how to fit that in a single Mangle
My intent was to mark traffic I don't want in the tunnel instead of that I do. Each way has its own challenges though as I am seeing.

erkexzcx · Sun Mar 21, 2021 10:29 pm

but what about multiple exceptions?

Honestly I don't know.

If I were you, I would just do something like this:

/ip firewall mangle add action=mark-connection chain=prerouting dst-port=80,443 new-connection-mark=novpn passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=prerouting dst-address=123.123.123.123 new-connection-mark=novpn passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=!novpn new-connection-mark=under_nordvpn passthrough=yes

AWDGuy · Mon Mar 22, 2021 12:09 am

If I were you, I would just do something like this:

Thank you. Burned too much time on this for now... Will revisit later. Something about my config makes it all or nothing regardless.

lenart · Sat Mar 27, 2021 8:38 pm

I've been trying to implement this particular setup (specifically number 3) but I don't seem to be having any luck whatsoever, every time I add an IP address to my list, that particular device cannot connect to the internet anymore. I'm out of options when it comes to debugging steps so I would like to ask your help.

So far, I have been able to determine that:

The connection to NordVPN is setup, as I can see an active peer with traffic, I can see installed SAs for that peer and a dynamic policy is generated for the NordVPN peer

The policy generates no-track rules and a src-nat rule is generated for the connection as well

Running a ping and trace-route to 8.8.8.8 from the Mikrotik device with the NordVPN IP address as src-address shows that the connection exits on the other side of the VPN and the ping times are significantly higher then when running the same ping through my ISP

Any attempt to connect to the internet through NordVPN from a device inside my network by adding its IP address to the VPN list however does not work. It is like the return traffic gets to the Mikrotik device correctly but is not sent to the client.

Here are my IPSec settings for NordVPN

/ip ipsec profile
add dh-group=ecp256,modp3072 enc-algorithm=aes-256 hash-algorithm=sha384 \
    name="NordVPN profile"
/ip ipsec peer
add address=us8452.nordvpn.com exchange-mode=ike2 name="NordVPN peer" \
    profile="NordVPN profile"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s \
    name="NordVPN proposal" pfs-group=none
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" \
    src-address=0.0.0.0/0 template=yes

/ip ipsec mode-config
add connection-mark=NordVPN name=NordVPN responder=no
    
/ip ipsec identity
add auth-method=eap certificate=NordVPN eap-methods=eap-mschapv2 \
    generate-policy=port-strict mode-config=NordVPN notrack-chain=prerouting \
    password=[password] peer="NordVPN peer" \
    policy-template-group=NordVPN username=[username]

Here are my firewall rules

/ip firewall filter
# Input chain rules
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

# Forward chain rules
add action=accept chain=forward comment="Don't fasttrack NordVPN traffic" connection-mark=NordVPN dst-address-list=localnet
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid 
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall mangle
add action=mark-connection chain=forward comment="Mark outgoing IPSec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark incoming IPSec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=prerouting comment="Mark NordVPN IPSec traffic" connection-mark=!ipsec dst-address-list=!localnet,ipsec-remote new-connection-mark=NordVPN passthrough=yes src-address-list=NordVPN
add action=change-mss chain=forward connection-mark=NordVPN new-mss=64 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-64

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none 

/ip firewall raw
add action=notrack chain=prerouting comment="notrack ipsec to local" disabled=yes dst-address-list=localnet src-address-list=ipsec-remote
add action=notrack chain=prerouting comment="notrack lcoal to ipsec" disabled=yes dst-address-list=ipsec-remote src-address-list=localnet

My question, do I have a glaring error in one of my rules? Or do I have a glaring error in the order of my rules? If not that, what debugging steps can I perform to figure out what went wrong?

Thank you in advance.

erkexzcx · Sat Mar 27, 2021 10:03 pm

Hi,

Try to move below rules to the top and try again. Kill NordVPN IPSEC connection, clear conntrack list and try again.

add action=mark-connection chain=prerouting comment="Mark NordVPN IPSec traffic" connection-mark=!ipsec dst-address-list=!localnet,ipsec-remote new-connection-mark=NordVPN passthrough=yes src-address-list=NordVPN
add action=change-mss chain=forward connection-mark=NordVPN new-mss=64 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-64

also those rules seem a bit odd to me. Why MSS 0-64? Or like "connection-mark=!ipsec". I am not sure since your configuration has quite a lot of customization and it's hard to say from your rules.

Also try to get rid of killswitch implementation for testing. For testing I like wtfismyip.com website as it shows your public IP which will change when you start using NordVPN. :)

lenart · Sat Mar 27, 2021 11:20 pm

Hi,

Try to move below rules to the top and try again. Kill NordVPN IPSEC connection, clear conntrack list and try again.
Code: Select all
add action=mark-connection chain=prerouting comment="Mark NordVPN IPSec traffic" connection-mark=!ipsec dst-address-list=!localnet,ipsec-remote new-connection-mark=NordVPN passthrough=yes src-address-list=NordVPN
add action=change-mss chain=forward connection-mark=NordVPN new-mss=64 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-64
also those rules seem a bit odd to me. Why MSS 0-64? Or like "connection-mark=!ipsec". I am not sure since your configuration has quite a lot of customization and it's hard to say from your rules.

Also try to get rid of killswitch implementation for testing. For testing I like wtfismyip.com website as it shows your public IP which will change when you start using NordVPN. :)

Thanks, I've just tried that but it didn't work as expected. The MTU clamping is set to 64 cos that was the packet size that did not show up as corrupted in the Mikrotik ping tool. It is for testing purposes and should work well enough for ping messages.

I got rid of the 'connection-mark=ipsec' rules just to make sure that it didn't make a difference but that did not help either.

I have the sense that this is a firewall issue so your suggestion strengthens my suspicion. I think it would be best to redesign the firewall rules offline, clear the current ones and load the new set. Any tips on what diagnostics I can perform?

lenart · Mon Mar 29, 2021 3:06 am

Found the solution for my setup, turns out I had the [notrack-chain] option set to [prerouting] and that didn't work at all. I changed it to [output] and suddenly everything started working like a charm.

peer=NordVPN peer auth-method=eap eap-methods=eap-mschapv2 mode-config=NordVPN 
      notrack-chain="output" certificate=NordVPN username=[username] 
      password=[password] generate-policy=port-strict policy-template-group=NordVPN

lenart · Tue Mar 30, 2021 11:53 am

@lenart, thanks, it worked for me!

Great, I've revised my configuration after monitoring the firewall rules though, turns out that in this particular setup you don't need any no-track rules generated at all, so removing the no-track completely is the best advice. It's empty be default when creating a new identity so that is why nothing shows up in any of the config rules at the top of this thread.

msatter · Tue Mar 30, 2021 12:18 pm

I implemented it manually so I could do it all in one line for all expected IKEv2 connections. I use an address list, on which all external addresses are listed.

/ip firewall raw
add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic
add action=notrack chain=output protocol=ipsec-esp dst-address-list=IKEVtraffic

Traffic entering the connections will use costly processing time and by NoTracking it the IPSEC traffic manager (policies?) of ROuterOS will still grab it but it won't be in connections. It gives you about 30% of saving in processor time used for IPSEC-ESP traffic. As you can see I have one line for incoming traffic (prerouting) and one for outgoing traffic (output).

ps. you don't have to use an address list if you don't have any other ipsec-esp traffic! Just No-Track all ipsec-esp traffic then.

peruzzi · Wed Mar 31, 2021 5:54 pm

Here are my IPSec settings

thank you!

evangelion69 · Fri May 14, 2021 12:06 am

Tip: username and password for NordVPN connection on router, is different than you using for log in their web page. Must use "Service credentials (manual setup)" from "https://my.nordaccount.com/pl/dashboard/nordvpn/"

erkexzcx · Mon May 31, 2021 8:34 pm

I've updated few steps and done general cleanup.

/ip firewall raw
add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic
add action=notrack chain=output protocol=ipsec-esp dst-address-list=IKEVtraffic

I cannot get this to work, even with simple "add action=notrack chain=output protocol=ipsec-esp" bytes counter is just not increasing. What I am doing wrong? Regular rule above fasttrack works wonderfully tho...

msatter · Tue Jun 01, 2021 12:33 am

The NordVPN server addresses need to be in that addresslist.

If you remove the need for the external addresses, the lines will notrack any IKEv2 traffic.

ax0x01 · Wed Jun 02, 2021 12:49 am

Hey everyone,

I have a similar setup:
- Where a list of ip address go through VPN only
- The rest go through WAN
but for some reason I made less steps to get same results, but it works (and no letters from provider so far)

I was wondering, what did I miss, and how dangerious is my setup

# add to list
/ip firewall address-list add address=192.168.88.8 list=vpn_p2p_users

# create profile
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add name=NordVPN
/ip ipsec peer add address=us8657.nordvpn.com exchange-mode=ike2 name=us8657.nordvpn.com profile=NordVPN
/ip ipsec proposal add name=NordVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-override mode-config=NordVPN username=your_service_login password=*** peer=us8657.nordvpn.com policy-template-group=NordVPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

/ip ipsec mode-config add name=NordVPN responder=no src-address-list=vpn_p2p_users

# killswitch
/ip firewall nat add action=return chain=srcnat src-address-list=vpn_p2p_users

erkexzcx · Sat Jun 05, 2021 3:39 pm

Added this note to the main post:

Note 2: You might be able to route all traffic of the company, but you might end up routing 30-40% of the websites under NordVPN if company uses popular hosting, e.g. Amazon AWS or Linode. For example, Mikrotik.com resolves to "159.148.147.196". Quick google revealed the Mikrotik has it's own ASN which contains 512 ips, or in other words, If you wish to access Mikrotik services/websites under NordVPN, you should add 159.148.147.0/24 and 159.148.172.0/24 to your address list using this (2nd) method.

aleksey34546 · Thu Jun 24, 2021 2:04 pm

I've updated few steps and done general cleanup.

/ip firewall raw
add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic
add action=notrack chain=output protocol=ipsec-esp dst-address-list=IKEVtraffic
I cannot get this to work, even with simple "add action=notrack chain=output protocol=ipsec-esp" bytes counter is just not increasing. What I am doing wrong? Regular rule above fasttrack works wonderfully tho...

it works if you make longer distance on default route. sat
/ip dhcp-client
add default-route-distance=10 disabled=no interface=bridgeWAN

aleksey34546 · Thu Jun 24, 2021 2:06 pm

Hey everyone,

I have a similar setup:
- Where a list of ip address go through VPN only
- The rest go through WAN
but for some reason I made less steps to get same results, but it works (and no letters from provider so far)

I was wondering, what did I miss, and how dangerious is my setup

# add to list
/ip firewall address-list add address=192.168.88.8 list=vpn_p2p_users

# create profile
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add name=NordVPN
/ip ipsec peer add address=us8657.nordvpn.com exchange-mode=ike2 name=us8657.nordvpn.com profile=NordVPN
/ip ipsec proposal add name=NordVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-override mode-config=NordVPN username=your_service_login password=*** peer=us8657.nordvpn.com policy-template-group=NordVPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

/ip ipsec mode-config add name=NordVPN responder=no src-address-list=vpn_p2p_users

# killswitch
/ip firewall nat add action=return chain=srcnat src-address-list=vpn_p2p_users

looks pretty nice, can anyone more profound check the way especially the kill switch?

msatter · Thu Jun 24, 2021 2:46 pm

The "kill-switch" uses a return which ends further processing by the lines that are underneath it in the NAT.

That traffic ends there if it can't be routed in a other way. I prefer to tar-pit or route it to a non existing target (100.69.69.69).

IJsblok · Tue Jun 29, 2021 5:15 pm

Thanks for this great guide!
I set it up and it all works.
I chose the first option where ALL traffic is redirected through the VPN tunnel. But since my router is actually jus a part of a small LAN , I cannot reach the other local subnets anymore from the subnet where I configured the VPN connection (10.0.1.0/24).
I Already setup RIP for this. The Mikrotik router uses two bridges, one "untagged" an one with VLAN 50 which are trunked on one interface. The VPN connection is configured on the bridges with VLAN 50 in it.
I can reach all other subnets form the untagged bridge. Also, the VPN connection works fine over the VLAN 50 bridge. In the routing tables I can see all subnets routed. But since of course I configured to have all traffic go through the VPN tunnel, concluding these meant for the local subnets, the connection is now effectively gone.

My questions is: how can I pass ALL traffic through the tunnel, EXCEPT all traffic meant for 192.168.x.x?

billtrik · Mon Sep 13, 2021 5:35 pm

I tried method #1 and it works very well.
I am having problems with making method #2 work thought.

After applying the commands as described, it still does not work.
Instead of showing me the country that the VPN is connected to, I get my home country.

Could it be that some detail was lost on one of the updates of the commands on the main post?
I did a diff between #1 and #2 and the only difference was the third command: `firewall mange` command on which had `dst-*` on #2 instead of `src-*` on #1.
Could this really be the only difference between the 2 methods?

erkexzcx · Sun Sep 19, 2021 9:36 am

Could this really be the only difference between the 2 methods?

Basically both methods are the same and works the same. Except the killswitch - it cannot use connection marking therefore there is difference is between src/dst. If you ignore killswitch part, it should be practically the same (as long as you mark required connections for NordVPN)...

Could it be that some detail was lost on one of the updates of the commands on the main post?
I did a diff between #1 and #2 and the only difference was the third command: `firewall mange` command on which had `dst-*` on #2 instead of `src-*` on #1.
Could this really be the only difference between the 2 methods?

Check your commands one by one. Use WinBox as it's easier to see in GUI which settings are applied. Maybe you are missing something. Maybe you are confusing something. If 1st method worked, then 2nd should also definitely work too.

erkexzcx · Sun Sep 19, 2021 9:44 am

My questions is: how can I pass ALL traffic through the tunnel, EXCEPT all traffic meant for 192.168.x.x?

I would probably something like this:

/ip firewall mangle add action=mark-connection chain=prerouting new-connection-mark=unmarkable_nordvpn passthrough=yes src-address=192.168.x.x
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=!unmarkable_nordvpn new-connection-mark=nordvpn passthrough=yes src-address=192.168.0.0/16

msatter · Sun Sep 19, 2021 2:40 pm

If you don't use router marking then you could use that, as marker to kill of traffic that is escaping the VPN dynamic SRC-NAT while VPN is being initiated or just have been terminated.

I even use one line for SRC-NAT and one for DST-NAT:

add action=src-nat chain=srcnat routing-mark=Leak-IKEV to-addresses=100.69.69.68
add action=dst-nat chain=dstnat routing-mark=Leak-IKEV to-addresses=100.69.69.69 connection-mark=no-mark

Traffic connection marked is first marked with the routing-mark Leak-IKEV, indicating if this mark is seen it should be Blackholed.

I have this lines in place so that I can see counters/logging of what traffic is blackholed.

secretgarden · Mon Sep 20, 2021 12:42 am

I didn't even realize you could do this with Nord, thanks!!

mehdi1980 · Tue Oct 19, 2021 7:36 am

routing with mange is possible ?

I set 2 ipsec but routing not possible

MHO · Tue Oct 19, 2021 7:47 pm

Tip: username and password for NordVPN connection on router, is different than you using for log in their web page. Must use "Service credentials (manual setup)" from "https://my.nordaccount.com/pl/dashboard/nordvpn/"

this fixed my EAP failures. thanks

Initially, i got the ike2/ipsec tunnel up to uk server without issues, traffic flowing via the tunnel but i also was suffering from sloooow browsing performance. i did not do mss mangle rules, implemented the ipsec policy icmp instead (below default and above the other policies)

posting.php?mode=quote&p=886319

i had to disable the fasttrack filter and mangle entries completely in order to get it to work
browsing is now lightning fast, killswitch works (but have to check on the first few leaked packets as was suggested here)
so probably my fasttrack mangle setup is wrong, but so far happy that it works

labomba · Sun Oct 31, 2021 12:19 pm

hi,
after implementing kill switch:

# Implement a killswitch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=local action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes

port forwarding stopped working.

src-address-list=local >> this is address range 192.168.88.0/24

i have one port forward rule:
192.168.1.111 : 8080 >> 192.168.88.111 : 8080

RobZA · Tue Nov 23, 2021 7:57 pm

OP, thank you for your config and many hours trying to get this working!

Its a bit more advanced than the standard setup that Nord/Mikrotik provide on the forums, but well worth the extra effort....especially the 'kill switch' and MTR options. (hint: use Sindy's workaround) Its also beneficial for n00bs to understand the power of RouterOS. (yes, i'm a n00b and learnt a f*ton! ...and still learning )

I used the first option and added any single internal IP to the list to be routed via the NordVPN IPSEC tunnel. I also have a Pi-hole configured that goes out via the tunnel that queries the up stream Nord (in my case) DNS servers. If you're serious about privacy.....get your DNS in check!!!!1one

Best to backup your config before trying this out!

emailchina · Sun Nov 28, 2021 1:57 pm

# Exclude such VPN traffic from fasttrack
/ip firewall filter add action=accept chain=forward connection-mark=under_nordvpn place-before=[find where action=fasttrack-connection]

This command is wrong as if the heart version removed this function I am using V6.49.1 he will prompt an error, I am copy and paste is to modify what? Can you give me the correct command to copy in, thank you!

emailchina · Sun Nov 28, 2021 2:02 pm

# Exclude such VPN traffic from fasttrack
/ip firewall filter add action=accept chain=forward connection-mark=under_nordvpn place-before=[find where action=fasttrack-connection]
This one prompts when I copy and paste it in.#####no such item#####
This command is wrong as if the heart version removed this function I am using V6.49.1 he will prompt an error, I am copy and paste is to modify what? Can you give me the correct command to copy in, thank you!

emailchina · Sun Dec 05, 2021 11:40 am

Can you reply to me when you see it? Should I add a command before what you

xmasvacation · Mon Dec 13, 2021 12:27 am

Hi there, I came to this thread after trying the directions on the NordVPN site, and got excited because its working for so many people, but the configuration isn't working for me. I would like to have two devices on my network, an Apple TV and a laptop access the VPN connection, and the rest to not.

I have a set of Google Wifi Mesh devices behind a hap RB750Gr3, that uses a PPPoE connection to a CenturyLink ONT (see below for a quick diagram). I'm a tech savvy person with a basic understanding of networking. When I visit wtfismyip.com it's my regular IP, so I tried including 192.168.88.251 in the firewall address list, but to no avail. Is there a NAT issue here? Does anyone have an idea about what I might be doing wrong? Thank you in advance for any help or ideas.

Screen Shot 2021-12-12 at 2.19.02 PM.png

And here's the output of /export:

# dec/12/2021 14:07:30 by RouterOS 6.47.1
# software id = Z46B-UBXL
#
# model = RB750Gr3
/interface bridge
add admin-mac=C4:AD:34:C6:1E:0A auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-full,100M-full,1000M-full,2500M-full,5000M-full,10000M-full
set [ find default-name=ether2 ] advertise=10M-full,100M-full,1000M-full,2500M-full,5000M-full,10000M-full
/interface vlan
add interface=ether1 name=e1-v201 vlan-id=201
/interface pppoe-client
add add-default-route=yes disabled=no interface=e1-v201 max-mru=1492 max-mtu=1492 name=pppoe-out1 password=<password> user=<username>
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add connection-mark=under_nordvpn name="NordVPN mode config" responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name="NordVPN profile"
/ip ipsec peer
add address=in104.nordvpn.com exchange-mode=ike2 name="NordVPN server" profile="NordVPN profile"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="NordVPN proposal" pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan type=A
/ip firewall address-list
add address=192.168.86.80 list=under_nordvpn
add address=192.168.86.84 list=under_nordvpn
/ip firewall filter
add action=accept chain=forward connection-mark=under_nordvpn
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=under_nordvpn passthrough=yes src-address-list=under_nordvpn
add action=change-mss chain=forward connection-mark=no-mark new-mss=1452 out-interface=pppoe-out1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=change-mss chain=forward connection-mark=under_nordvpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe-out1
/ip ipsec identity
add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="NordVPN mode config" password=<service password> peer="NordVPN server" policy-template-group=NordVPN username=<service username>
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" src-address=0.0.0.0/0 template=yes
/system clock
set time-zone-name=America/Los_Angeles
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

grumpazoid · Sat Jan 22, 2022 3:48 pm

Thanks for your guide.
I am testing a similar setup but using the settings for keepsolidvpn as per their page https://www.vpnunlimited.com/help/manua ... kev2-setup.

I have it working but I can only pass the dns test at ipleak.net by manually assigning dns to the clients. A dynamic DNS server is shown on the router in IP DNS but If I use the router address for the client DNS, requests are still sent via my normal upstream DNS.

Is this behaviour expected?

lenart · Sat Jan 22, 2022 4:28 pm

Hi there, I came to this thread after trying the directions on the NordVPN site, and got excited because its working for so many people, but the configuration isn't working for me. I would like to have two devices on my network, an Apple TV and a laptop access the VPN connection, and the rest to not.

Given your setup I don't seen how you could accomplish that. The Google Mesh device is NAT-ing all connections so by the time the packets reach the Mikrotik device, they're all coming from the 192.168.88.251 address. There is no way for the Mikrotik device to recognize the devices behind the Google Mesh device.

I have no experience with Google Mesh devices and a quick search on the admin interface suggests to me that Google doesn't really offer a lot of control. That being said, there might be some configuration option that would allow you to set these devices up in Access Point mode. That way you get full control back over your network traffic.

Good luck.

msatter · Sat Jan 22, 2022 7:09 pm

Is this behaviour expected?

Yes, see the manual:

When both static and dynamic servers are set, static server entries are more preferred, however, it does not indicate that static server will always be used (for example, previously query was received from a dynamic server, but static was added later, then a dynamic entry will be preferred).

If you only want to use dynamic leave static empty.

grumpazoid · Sun Jan 23, 2022 12:10 pm

Thanks for pointing out that DNS information.

I would much rather have a static DNS in as well, so I believe my only option is therefore to define DNS in the client.
At this point I only need one client to use the VPN - a TV streaming device. DNS is not manually configurable.

My solution for this:
All my other clients get their DNS via DHCP which point them to my local pihole.
I have found that I can create a DHCP server entry for just the client in question, with its own DNS address - e.g. VPN providers, Cloudflare etc.
This appears to work.as I guess 192.168.0.X is more specific than 192.168.0.0/24. When tested with a PC, ipleak,net is indicating that the DNS query from the PC is indeed getting sent over the VPN connection.

Edit.
I'm not sure this is going to work. I am going to use a VPN connection designed for watching TV streaming...the address is therefore very likely to change each time. Is there another way to allocate the dynamic DNS address to the DHCP client?

Edit2 No all looks good, the dynamic DNS is staying the same so must get changed at the VPN provider end.

grumpazoid · Mon Jan 24, 2022 2:14 pm

For me the kill switch is not working. It stops all VPN users traffic no matter if the VPN is up or not. If I disable the killswitch routing rule everything works again.
Maybe because I am using VLANs on the bridge?

For now I have implemented a killswitch by excluding VPN users from the NAT masquerade rules. Works well and I still have access to LAN clients.

cracyfloyd · Tue Feb 22, 2022 10:50 am

Thnx for all here.

I there an easy way to find the best MTU to use ?

avraamd · Sat Apr 16, 2022 1:28 pm

How do you implement the kill switch in ROS? The routing mark is missing from route in ROS7

# (OPTIONAL) Implement a killswitch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes

hkusulja · Sat Apr 23, 2022 9:18 am

Hello, i have latest stable RouterOS 7.2.1
i am using scenario #1, by source, and without killswitch.
implemented all without errors
however, it does not work, no nat rules are generated, nor ip ipsec active peers / installed SAs etc.
Mangle rule for connection tracking based on ip firewall source / address list fetches the traffic.
How to troubleshoot further? it seems that ipsec mode config is setup correct, but not applying, what should be different for RouterOS 7.2.1 ?
fast track temporary disabled also

jd1919 · Thu May 05, 2022 11:24 pm

How do you implement the kill switch in ROS7? The routing mark is missing from route in ROS7

# (OPTIONAL) Implement a killswitch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes

Have the same question. The only thing that holds me on ROS6.

evangelion69 · Sat May 21, 2022 5:52 pm

Any idea how to eable nordvpn interface only at one port?

msatter · Sat May 21, 2022 6:50 pm

/ip firewall mangle add action=mark-connection chain=input in-interface=ether2 new-connection-mark=VPN passthrough=yes

Marking connections coming on ether2 with connection mark VPN. You can set more specific filters and you have to change the name of the connection mark.

msatter · Sat May 21, 2022 6:55 pm

Have the same question. The only thing that holds me on ROS6.

In RouterOS you first have to define the route before you can refer to it.

/routing table
add  fib name=nordvpn_blackhole

nickba · Sat Jun 04, 2022 10:34 pm

Hello,

Sorry if my question is silly, I am new to the Mikrotik world! I am trying to follow this tutorial and everything works, except the killswitch! I am on ROS 7.2.3 and here is what I tried to create the killswitch:

/routing table add fib name=nordvpn_blackhole

After that, I inserted the killswitch commands, but when I insert this command, I get an error "expected end of command (line 1 column 41)":

/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole

Could you please inform how can I implement the killswitch in ROS7.2.3? Thanks in advance!

Sob · Sat Jun 04, 2022 10:37 pm

Routes in v7 have "routing-table" instead of "routing-mark".

nickba · Sat Jun 04, 2022 10:39 pm

Hi, thanks for replying. So I just need to replace the "routing-mark" to "routing-table" ?

Do I need to edit this line too?

/ip firewall mangle add chain=prerouting src-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes

msatter · Sat Jun 04, 2022 11:13 pm

Yes.

No, in the rules/lines (new-)routing-mark is still being used.

nickba · Sat Jun 04, 2022 11:39 pm

Thanks everyone, I was able to insert all killswitch commands, but after the following command, I completely lose internet connection on the IPs under the address-list.

/ip firewall mangle add chain=prerouting src-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes

If I go to the Firewall mangle and disable it, I can access the internet again. So the killswitch is not working as it should. Any tips about this issue?

msatter · Sun Jun 05, 2022 12:23 am

A basic way is to add a second route that takes over when when the dynamic route of the VPN is deactivated.

/ip route
add blackhole disabled=no distance=254 dst-address=0.0.0.0/0 routing-table=under_nordvpn scope=30 target-scope=10

Then why not move also to WireGuard when using NordVPN?

nickba · Sun Jun 05, 2022 1:01 am

A basic way is to add a second route that takes over when when the dynamic route of the VPN is deactivated.
Code: Select all
/ip route
add blackhole disabled=no distance=254 dst-address=0.0.0.0/0 routing-table=under_nordvpn scope=30 target-scope=10
Then why not move also to WireGuard when using NordVPN?

Hi, thanks for replying. I tried the suggested command but I got an error. I think it is because I don't have a routing table with the name under_nordvpn. Sorry, I am really a newbie with Mikrotik. Could you elaborate? Here is the error: "input does not match any value of routing-table"

msatter · Sun Jun 05, 2022 1:17 pm

Hmm that seems not to be possible and the IKEv2 connect directly to WAN and in my case that is the PPPoE.

The thread is marked only for ROSv6 so even the writer didn't found a way to implement also the kill-switch.

nickba · Sun Jun 05, 2022 8:18 pm

Hmm that seems not to be possible and the IKEv2 connect directly to WAN and in my case that is the PPPoE.

The thread is marked only for ROSv6 so even the writer didn't found a way to implement also the kill-switch.

Thanks for replying, so it is not possible to implement a kill switch on ROS7?

msatter · Sun Jun 05, 2022 11:32 pm

When the connection is active you see an dynamic line appear in NAT.

Copy that line and change the action dst-addres to 100.69.69.69 and save. That IP goes nowhere.

When the VPN goes down this line is still there and also it catch traffic when the VPN is still cranking up.

nickba · Mon Jun 06, 2022 12:01 am

When the connection is active you see an dynamic line appear in NAT.

Copy that line and change the action dst-addres to 100.69.69.69 and save. That IP goes nowhere.

When the VPN goes down this line is still there and also it catch traffic when the VPN is still cranking up.

Thank you very much for your attention! Unfortunately I will not be able to test it for a while, as I downgraded to ROS6. In ROS6 everything works fine and with a huge bonus: the speed is way higher!

On ROS7 I was getting about 230/230 Mbps down/up and with ROS6 I am getting 450/250 Mbps down/up. My internet is 600/300 Mbps. My router is the RB4011.

One last question, is there a way that I could still access my modem setup page while I am connected to the VPN? I am connected to the modem with PPPoE and I have an WAN IP defined on the same modem network, so I can access the modem when I type its IP which is 192.168.15.1 from my internal network which is 192.168.0.x. If I try to access the modem from an IP in the under_nordvpn list, I cannot access it. So could you please help me with that?

nickba · Tue Jun 07, 2022 8:33 pm

Hello again,

Just replying to myself and to help others: I was able to access the modem setup page putting its address(Dst. Address: ! 192.168.15.1) in the mangle rule that marks the VPN connection and in the mangle rule that sends the to the blackhole. It is working. Do you have any comments about that?

own3r1138 · Tue Jun 07, 2022 9:41 pm

@nickba

Do you have any comments

From what I understand this is your network diagram.

Internet<----------->ISP<------------>Modem<-------PPPOE-DHCP-DNS--------->MT<-------- DHCP-DNS-VPN----------->Clients

If the answer is yes, you should design your network with minimal few running services as possible.

Internet<----------->ISP<------------>Modem<-------bridge--------->MT<--------PPPOE OUT-DHCP-DNS-VPN----------->Clients

msatter · Thu Jun 16, 2022 11:30 am

*** WARNING WARNING WARNING ***

DON'T RESET your NordVPN account password when you notice that you can't login to your account on the NordVPN website.

You will lose the usage of your VPN connections because you are forced to use a multi factor authentication on the same device, through the NordVPN APP.
There is not APP for the routers or the Linux shells.

Support is not responding on this because they are most likely overloaded on this topic of users that can't use their paid VPN anymore.

Bye.

msatter · Fri Jun 17, 2022 1:00 pm

*** Update ***
My support e-mails went unanswered so I tried chat. I had all the info ready and the terminal running to try suggestions and after the person had to check thing out a solution was given.

Using the browser can be avoided by using the legacy mode of the Linux client with the command: nordvpn login --legacy

How long this is kept working is unknown but at-least I can get now my updated private-key for Wireguard this way. It would be much nicer if that private-keys could be set/changed on the account pages like Mullvad and ProtonVPN allow.

I moved on from IKEv2 to WireGuard and how to get that working is for you to find out.

Bye

MikeKulls · Sun Aug 07, 2022 3:17 pm

@msatter - thanks for your input.

I don't actually see it as a improvement to my given guide. I mean it does work, but using simple a mangle rule is a more dynamic way of dealing with VPN traffic.

The method proposed by msatter allows the MTU issue to be dealt with in the way it was designed to be handled. It allows the maximum MTU to be used and doesn't just blindly set the MTU to a lower value.

Michael33333 · Sat Sep 17, 2022 9:46 pm

Hi everyone and thanks for this awesome guide, i actually spent too much time before found it. But i need some help. I used to use PPTP client for my purposes (some devices in local network should strictly go only through VPN), it was going by this

/ip route rule add action=lookup-only-in-table src-address="LOCAL_IP" table="PPTP_CLIENT_NAME"

But now i have no idea how to realise it with NordVPN(IPSEC/IKEv2), could anyone help me?

nickba · Sun Mar 12, 2023 11:30 pm

Hello,

I hope someone is able to help me. From time to time my VPN just becomes dead(cannot send or receive any traffic) and I need manually to flush the SA keys.
I was thinking about writing a script to ping through the VPN and if it shows it is dead, I can flush the keys. My question is how can I do that as the ping command does not pass through the VPN?

nickba · Thu Mar 16, 2023 1:19 am

Can someone please shed some light?

hardrock · Tue Jul 04, 2023 8:45 am

**update 09/07/23 > Have read some articles but still not been able to get this working..Any help appreciated.

Hi all, I've been able to follow and setup nord #1 instructions it works well but I want to be able to reach my LAN network (192.168.0.0/24) which sits behind the mikrotik so i can access my CCTV camera's through the mikrotik's wifi.

The mikrotik obtains an IP 192.168.0.20 from the DHCP LAN network and the mikrotik bridge network is default 192.168.88.0/24. Running ROS6.

Could someone please advise the additional config required to allow access to the LAN through the mikrotik WiFi connection. Thanks

sohel07 · Thu Aug 31, 2023 9:53 pm

Does anybody convert this for ROS7? VPN kill switch doesn't work.

msatter · Thu Aug 31, 2023 10:38 pm

Why use IKEv2while there is Wireguard on ROSv7!?

https://nordvpn.com/blog/nordlynx-protocol-wireguard/

viewtopic.php?t=183525

vizinet · Tue Oct 17, 2023 9:09 pm

I love you, man! I've been searching for NordVPN tutorials which worked but the internet speed was so slow until today. I had only been using SmartDNS, which worked excl Netflix. By the way, it also works on RouterOS 7+. Thank you once again.

valnuke · Fri Mar 29, 2024 12:47 am

thank you man, great help

Who is online