After the connection to the VPN server has been established you will be given an IP-address and a new route to a new host. It will look like this (please note entry DAC / 77.xxx.xxx.xxx with distance 0):
Depending on your VPN you could even get more routes than a single one to a lone host, though.
All you need to do is setup routes for that new peer. For example, I’ve configured my RouterBoard drive traffic to 0.0.0.0/0 (all possible IPs) through my VPN. That’s done in line 2 — please ignore the »routing mark« for now.
/ip route
add gateway=77.xxx.xxx.xxx distance=1 check-gateway=ping routing-mark=MyFirstVPNI assume you’ve come so far — and all your traffic will still be not directed through the VPN. That’s because the first longest prefix to match a destination address will determine which route its packets will chose. Except if you have assigned routing marks, that is. Routes for them are being looked up first.
You can assign routing marks to packets like this:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=MyFirstVPN
/ip firewall mangle
entry 1
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/22
new-routing-mark=MyFirstVPN src-address=192.168.0.111
entry 2
add action=mark-routing chain=prerouting comment=“DSCP=1 is YourApp.exe” dscp=1
dst-address=!192.168.0.0/22 new-routing-mark=MyFirstVPN»Entry 1« results in that all packets from host 192.168.0.111 will go through the VPN. Except if they’re meant for your local network, 192.168.0.0/22.
»Entry 2« requires that your application (or operating systems) assigns DSCP=1 to packets send by a set of programs. No matter which host sends them, as soon as DSCP is 1 everything goes through the VPN. That could be Firefox which you want to automatically go through your VPN for, say, Hulu or Netflix.
Whenever your VPN connection goes down the gateway (77.xxx.xxx.xxx in my example) becomes unreachable and the default route through the regular gateway is taken. If you do not want that then remember to create a new rule for that:
/ip firewall filter
for entry 1 (permits NTP and PPTP, though)
add action=drop chain=forward dst-address=!192.168.0.0/22 dst-port=!53,1723 out-interface=
ether1-gateway protocol=tcp src-address=192.168.0.111
add action=drop chain=forward dst-address=!192.168.0.0/22 dst-port=!53 out-interface=
ether1-gateway protocol=udp src-address=192.168.0.111
for entry 2
add action=drop chain=forward comment=“YourApp.exe via VPN only” dscp=1 out-interface=ether1-gateway––––
Using Windows you can assign DSCP values to applications using the »group policy editor«. Hit Win+R, enter »gpedit.msc«. Computer Configuration → Windows Settings → Policy-based…
You need to add this to your registry to have Windows actually send DSCP values:
Windows to send DSCP.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\QoS]
“Do not use NLA”=“1"To get you started, an excerpt from the rules I’ve collected:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\PuTTY (AF4)]
“Version”=“1.0”
“Application Name”=“putty.exe”
“Protocol”=“TCP”
“Local Port”=”"
“Local IP”=""
“Local IP Prefix Length”=“"
“Remote Port”="”
“Remote IP”=“"
“Remote IP Prefix Length”="”
“DSCP Value”=“56”
“Throttle Rate”=“-1”
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\Firefox for Hulu]
“Version”=“1.0”
“Application Name”=“firefox.exe”
“Protocol”=“TCP”
“Local Port”=“"
“Local IP”="”
“Local IP Prefix Length”=“"
“Remote Port”="”
“Remote IP”=“"
“Remote IP Prefix Length”="”
“DSCP Value”=“2”
“Throttle Rate”=“-1”
I found this, but it is not working for me (I do not know why). 
