Access to specify webpage using an especfic interface VPN

MikrotikHap · February 24, 2018, 3:30pm

Hello friends I have one question, I have a Mikrotik wap configure with a l2tp client interface with vpn it´s works ok and when I active l2tp interface all trafic go through VPN, so I want to know if it´s possible that only a webpage like for example www.google.com go via vpn and other website go via eth interface to my ISP router.

Actually I have 3 interfaces Eth0, Wlan0 and l2tp interface, to get that vpn client works I only add a Mangle rule and NAT rule

Antd this is my router table

Actually I only can to decide if I want that all trafic go via vpn or via eth changing in mangle rule the ip range to choose the computer that output via VPN

sindy · February 24, 2018, 6:25pm

The key is that you need to route-mark already the initial SYN packet of each connection to these sites, but that packet carries neither the site name nor the tls host id. The only packet which does contain the name is the DNS query.

So unless the web services you want to access via the VPN run on a fixed set of IP addresses, you have to extract the addresses for your marking rule from DNS responses.

There is currently no way to extract IP adresses for DNS answers coming spontaneously (as a result of client’s queries) into address lists and refer to them in your route-mark rules in mangle table. So instead you have to periodically run a script resolving all the domain names you need to access via VPN to IP addresses and then extracting the result from the dns cache and updating the address list used by the mangle rule.

However, if you use the whole thing to bypass some restrictions of your ISP, don’t forget that the DNS queries themselves must be sent via the VPN as well - first because the ISP may restrict also DNS queries regarding these domains, and second because the DNS answer may be different depending on with which source IP address the query has come.

So your script would be based on the following:

[me@myTik] > resolve server=x.x.x.x domain-name=google.com
[me@myTik] > ip dns cache print detail where name=google.com
Flags: S - static
 0   name="google.com" address=216.58.215.78 ttl=1m43s

And you would use a separate mangle rule to route DNS requests to server x.x.x.x via the VPN.

MikrotikHap · February 25, 2018, 10:09am

The key is that you need to route-mark already the initial SYN packet of each connection to these sites, but that packet carries neither the site name nor the tls host id. The only packet which does contain the name is the DNS query.

So unless the web services you want to access via the VPN run on a fixed set of IP addresses, you have to extract the addresses for your marking rule from DNS responses.

There is currently no way to extract IP adresses for DNS answers coming spontaneously (as a result of client’s queries) into address lists and refer to them in your route-mark rules in mangle table. So instead you have to periodically run a script resolving all the domain names you need to access via VPN to IP addresses and then extracting the result from the dns cache and updating the address list used by the mangle rule.

However, if you use the whole thing to bypass some restrictions of your ISP, don’t forget that the DNS queries themselves must be sent via the VPN as well - first because the ISP may restrict also DNS queries regarding these domains, and second because the DNS answer may be different depending on with which source IP address the query has come.

So your script would be based on the following:
[me@myTik] > resolve server=x.x.x.x domain-name=google.com
[me@myTik] > ip dns cache print detail where name=google.com
Flags: S - static
 0   name="google.com" address=216.58.215.78 ttl=1m43s
And you would use a separate mangle rule to route DNS requests to server x.x.x.x via the VPN.

Thanks very much I have created an ip list with the ip of the site that I want to go via vpn and then I add the list in the mangle rule as destination list and it´s works fine.

I created a script that update the list every day to prevent if the website change the Ip address.