Looking to force VLAN500 to go through a VPN client, because some lousy person went and torrented on the guest network. Don’t want to get any DMCA notices.
Since I have a VPS with 4TB monthly bandwidth running wireguard and ipsec, I’d like to just force all traffic on VLAN500 to output to the VPN.
Do I have to run the VPN client on the RB4011? Is it possible to run it on, say, a KVM VPS on my Proxmox node, then just forward/masquerade all traffic from there to the VPN using WireGuard/OpenVPN?
I ask because with pfSense in the past I had OpenVPN client then simply forced the gateway for the Guest vlan to use openvpn.
VLAN500 = 172.16.0.0/24
Thank you for reading and your time, it’s very appreciated :).
I managed to figure it out.
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#RouterOS_client_configuration
Followed the Mikrotik client guide, and used https://github.com/hwdsl2/setup-ipsec-vpn on my VPS to make the Road Warrior setup using IKEv2 with RSA authentication.
Worked like a charm, but one thing the wiki left out is that I had to import the cert (.p12) twice in order to get the private key and the user cert.
However, after that it worked like a charm; I just had to go and set a final rule: IP → IPsec → Mode Configs → change the ike2-rw settings to have a src address list called local, then go to IP → Firewall → src address list and add the IP range of VLAN500 (in my situation).
That was it; other than opening ports 500, 4500, and 1701 in the input chain, everything worked.
The guest VLAN now is being VPN’d.
The only thing left to figure out is how to kill-switch the guest VLAN if the VPN is down.
This guide was perfect: http://forum.mikrotik.com/t/nordvpn-ipsec-ikev2-killswitch-for-ros6/144817/1
That’s it, everything is now working, with the killswitch tested.
MikroTik is fantastic, so many excellent resources on this forum.
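The steps described across this thread, collected into one RouterOS 6 CLI configuration. This is an added example, not the poster's own export, the MikroTik wiki text or the linked killswitch guide. The VPS address 203.0.113.10, the imported certificate name client1, the IKE/ESP algorithms and the rule placement are assumptions; the kill switch shown uses the firewall's ipsec-policy matcher, which is one way to do it and may differ from the guide the poster followed.

```routeros
# Added example: IKEv2 road-warrior client on RouterOS 6 that sends one VLAN
# (172.16.0.0/24) through the tunnel, plus a firewall kill switch.
# Assumed values (not in the thread): VPS at 203.0.113.10, certificate imported
# as "client1", AES-256 / SHA-256 / modp2048 proposals.

# 1. Import the client PKCS#12 bundle. Check /certificate print afterwards:
#    the poster found the import had to be run a second time before both the
#    certificate and its private key were present.
/certificate import file-name=client.p12 passphrase=""
/certificate import file-name=client.p12 passphrase=""

# 2. Address list naming the LAN range that must go through the VPN.
/ip firewall address-list add list=local address=172.16.0.0/24 comment="VLAN500 guest"

# 3. IKEv2 initiator. Algorithms are assumed and must match what the VPS offers.
/ip ipsec profile add name=ike2-rw hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal add name=ike2-rw auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec policy group add name=ike2-rw
/ip ipsec policy add group=ike2-rw template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0 proposal=ike2-rw

# responder=no makes this the mode-config client. src-address-list=local is the
# setting the poster had to add: traffic from the listed range is matched by the
# generated policy and RouterOS adds a dynamic src-nat rule to the address the
# server hands out, so no manual masquerade rule is needed for it.
/ip ipsec mode-config add name=ike2-rw responder=no src-address-list=local

/ip ipsec peer add name=ike2-rw address=203.0.113.10/32 exchange-mode=ike2 profile=ike2-rw
/ip ipsec identity add peer=ike2-rw auth-method=digital-signature certificate=client1 \
    generate-policy=port-strict mode-config=ike2-rw policy-template-group=ike2-rw

# 4. Firewall. IKE (500) and NAT-T (4500) on the input chain as in the thread.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"

# Kill switch: guest traffic being forwarded that is NOT covered by an outbound
# IPsec policy (ipsec-policy=out,none) is dropped, so if the tunnel is down the
# guests get nothing instead of leaking out the WAN. place-before=0 puts it at
# the top of the forward chain, ahead of any general LAN->WAN accept rule.
/ip firewall filter add chain=forward src-address-list=local ipsec-policy=out,none \
    action=drop place-before=0 comment="guest VLAN kill switch"
```

Two things to check after applying it: `/ip ipsec active-peers print` should show the peer established with an assigned address, and `/ip firewall nat print` should show the dynamic (D-flagged) src-nat rule for the local list. One caveat the config above does not cover: DNS queries that the router itself makes on behalf of guest clients originate from the router (output chain, not the guest range) and therefore leave over the WAN, not the tunnel; handing guests a DNS server that is reached through the tunnel avoids that leak.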