I set up a VPN client on my ROS. And I made some mangle rules to let my clients behind ROS access websites (example.com) through the VPN tunnel; it works like a charm. And I want to make some scripts on ROS itself to test, but unfortunately I found that ROS can't access example.com through the VPN tunnel. The reason I want my ROS to use the VPN to access example.com is that the website is unreachable directly through the local ISP-provided internet connection. Can someone help me out?
The mangle rules you have created in the prerouting chain have to be created in the output chain as well to be applied to router-initiated connections.
Is there anything I am missing? I use the following rules for ROS itself, but they are not working. sstp-linode is the ROS VPN client connection. 192.168.6.1 is my ROS LAN IP.
/ip route
add check-gateway=ping distance=1 gateway=sstp-linode routing-mark=linode_gfw
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=sstp-linode
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=!novpn dst-address-type=\
!local log-prefix=linode_gfw new-routing-mark=linode_gfw passthrough=no \
src-address=192.168.6.1
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=!novpn dst-port=53 log-prefix=\
google_dns protocol=udp src-address=192.168.6.1 to-addresses=8.8.8.8 \
to-ports=53
You cannot dst-nat in the firewall NAT output chain (known limitation).
But you can set the upstream server in the DNS settings and mark routing in the firewall mangle output chain.
/ip firewall mangle
add action=mark-routing chain=output dst-address=8.8.8.8 dst-port=53 new-routing-mark=via-vpn passthrough=yes protocol=udp
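A complete configuration for the approach described above, added here as an example and not taken from the thread or from nescafe2002. It reuses the thread's names (sstp-linode, linode_gfw, novpn, 8.8.8.8), assumes RouterOS v6 syntax, and the masquerade rule and the check commands at the end are assumptions for illustration.

```routeros
# Added example (not from the thread): policy-route traffic that the router
# itself originates through the SSTP tunnel. Names reuse the thread's values;
# the masquerade rule and the checks are assumptions.

# Route reachable only via the routing mark. The tunnel is point-to-point,
# so the interface itself can be the gateway.
# (RouterOS v7 additionally needs: /routing table add name=linode_gfw fib)
/ip route
add distance=1 gateway=sstp-linode routing-mark=linode_gfw check-gateway=ping

# Mark router-originated connections in the OUTPUT chain; prerouting never
# sees packets the router generates itself.
# Caveat: the source address of a router-originated packet is chosen by the
# first route lookup (normally the WAN address), so src-address=<LAN IP>
# does not match. Match on the destination instead.
# DNS queries to 8.8.8.8 are caught by this rule as long as 8.8.8.8 is not
# in the novpn address list.
/ip firewall mangle
add chain=output dst-address-list=!novpn dst-address-type=!local \
    action=mark-routing new-routing-mark=linode_gfw passthrough=no \
    comment="router-originated traffic via VPN"

# dst-nat is not available in the output chain, so point the resolver at
# the upstream directly; the mangle rule above routes it via the tunnel.
/ip dns set servers=8.8.8.8

# The packet keeps the address picked before re-routing, so masquerade on
# the tunnel interface; otherwise the VPN server sees the WAN address and
# replies may never come back through the tunnel (assumption).
/ip firewall nat
add chain=srcnat out-interface=sstp-linode action=masquerade

# Checks: the mangle counters should increase, the marked route should be
# active, and a fetch run on the router should succeed through the tunnel.
/ip firewall mangle print stats where chain=output
/ip route print where routing-mark=linode_gfw
/tool fetch url="https://example.com" keep-result=no
```

If the mangle counter stays at zero, the destination is either in the novpn list or is matched by dst-address-type=local; check those first.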
Thanks for your prompt reply, nescafe2002. I tried your rule, but no packets pass the rule, very strange.
Letting ROS itself use the VPN tunnel is very different from other clients behind ROS. Finally I had to manually get the target web IP and add it to the route table to let it pass through the VPN tunnel; now it's working. It's just a workaround. I'd appreciate it if someone has a better solution.