Again surfshark and vpn connecting problems/performance

muhlpaul · August 21, 2020, 9:32am

Hello,

i already read some other articles about mtu problems in ipsec vpn connections etc..
yesterday i installed my RB3011 from the scratch with the doc on the surfshark website…
maybe i was missing some basic installation commands for the router..
ether1 - wan uplink to a fritzbox (ip 192.168.0.1)
ether 2 - 10 local-bridge for clients… (ip-range 192.168.1.0/24)
its seems working but i realised a very slow traffic, websites were not found etc.. its seemed also be a DNS problem…
than i tried soime workaround f.ex. http://forum.mikrotik.com/t/mtu-troubles-using-ikev2-providers-like-nordvpn-work-around/135154/1 etc.
it was not really better and maybe i set a wrong command.. today in the morning i have the vpn connection established but i have no internet via vpn.
the reconnect is very fast.. it seems well.. but i have no dns i think…
here my config:

# aug/21/2020 11:21:33 by RouterOS 6.48beta27
# software id = 9G7D-Y22A
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED0A5703C6
/interface bridge
add name=bridge-local
/ip ipsec mode-config
add name=DEBD responder=no src-address-list=local
/ip ipsec policy group
add name=DEBD
/ip ipsec profile
add name=DEBD
/ip ipsec peer
add address=surfshark-server exchange-mode=ike2 name=DEBD profile=\
    DEBD
/ip ipsec proposal
add lifetime=1h name=DEBD pfs-group=none
/ip pool
add name=local-dhcp ranges=192.168.1.50-192.168.1.250
/ip dhcp-server
add address-pool=local-dhcp disabled=no interface=bridge-local name=\
    dhcp-local
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether10
/ip address
add address=192.168.0.254/24 interface=ether1 network=192.168.0.0
add address=192.168.1.1/24 interface=bridge-local network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.0.1 gateway=192.168.1.1 \
    netmask=24
/ip dns
set servers=192.168.0.1
/ip firewall address-list
add address=192.168.1.0/24 list=local
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
/ip ipsec identity
add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=\
    eap-mschapv2 generate-policy=port-strict mode-config=DEBD password=\
    mypasswd peer=DEBD policy-template-group=DEBD username=\
    myuser
/ip ipsec policy
add action=none dst-address=192.168.1.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=DEBD proposal=DEBD src-address=0.0.0.0/0 \
    template=yes
/ip route
add distance=1 gateway=192.168.0.1
/system clock
set time-zone-name=Europe/Madrid
/system ntp client
set enabled=yes primary-ntp=130.60.204.10

Hope to find help here to get it running basically…

kind regards,

olly

shogunx · August 23, 2020, 11:53pm

Sounds like the same problem I had. Fix for me was to modify the fasttrack rule in the forward chain of the firewall rules so that it wouldnt match ipsec packet - do this by adding “connection-mark=!ipsec” to the rule.

muhlpaul · August 28, 2020, 5:09pm

The dns problem i soluted.. was something wrong in the basic setup.. but now i have since 2 days the dropping vpn every 15 seconds.. it was working a few days.. but than dropping now every 15 seconds… i have no idea… i remember an article about this, but didnt find it again… any idea ??
i have 2 ubnt switches where the rb is connected before going to the router… i will check when connecting directly to the router …so both networks are on the same switch.. but only one dhcp server…

AlexS · August 28, 2020, 11:49pm

surfshark have changed the way they do dns. I am having the same problem - working fine for 5 months.

if you check the logs. routeros see the dns change and brings down the ipsec tunnel creates to new destination address .. then when it changes again .. loop de loop

pick one ip and use that address

I had actually come here to find out how to turn that feature off . only do a dns look up when the link is down

shogunx · August 29, 2020, 4:48am

I have run into this same issue in the last week - only got my hEX about a week ago, tunnel worked fine for a week then suddenly started dropping all the time. Cause seems to be Surfshark have (recently I guess) dropped the TTL on their DNS records to 5 seconds. Combined with the fact that their VIPs all round robin a bunch of different IPs, you get a different server every time, and as you noticed the existing SA is torn down as invalid. I have opened a ticket with surfshark about this but so far they haven’t been willing to admit they changed anything.

In the mean time, you can work around by by using a scheduled script to set a static DNS entry on the router. Details here http://forum.mikrotik.com/t/ikev2-sa-killed-after-5-seconds-due-to-short-dns-ttl-surfshark/142543/1

muhlpaul · August 29, 2020, 8:43am

Hello,

setting a local dns name with the static ip of the manually found ip adress of the surfshark.vpn-server is working…
but i didnt find any information how to setup the scheduled script to renew this static dns by RB start and when dropping the line f.ex…
any idea ?
shogunx can you maybe compare your script ?
What about only to request that script by rb start and after dropping the line and not every 8 hours ?

msatter · August 29, 2020, 10:07am

Create two schedules. One set to on-start and the second to the interval you want to use.

Any static DNS entries survive a reboot but could be out of sync with the current Surfshark sequence.

muhlpaul · August 29, 2020, 10:58am

i am nog so familiar with scripting of that kind… has anyone an idea how to do ?

Rock · September 4, 2020, 7:13am

My sollution
http://forum.mikrotik.com/t/ikev2-sa-killed-after-5-seconds-due-to-short-dns-ttl-surfshark/142543/1