Hello everyone.
I want to have access to banned sites in Russia through Mikrotik hap2. I made a list of these sites.
I am trying to make connections to these sites through a VPN.
I don’t know how exactly they do the blocking, but if you want to get around that as reliably as possible, PC shouldn’t be using 8.8.8.8 as DNS server, unless you route traffic to 8.8.8.8 via VPN. Same for router, if it has 8.8.8.8 as DNS, that should be accessed using VPN, otherwise ISP can tamper with it.
Thanks, sob. Then the easy way is to change “use-peer-dns” back to exclusively and remove 8.8.8.8 from the DNS settings by pushing the upper triangle after 8.8.8.8 until there are no static entries anymore. You are then using only the DNS provided by the VPN.
Having local router DNS go through the VPN is a bit more difficult.
Well, sort of. The rule you posted is correct and simple. Also PC should use router (probably 192.168.x.x) as its resolver.
Main problem is that if blocking is DNS-based, you can’t trust any regular non-encrypted DNS server before you connect to VPN and use theirs. But if you want to connect to VPN using hostname, you need a working DNS server. Which I guess works fine for VPN’s hostname. But if router has DNS server, it will also attempt to resolve hostnames in address list, and IP addresses it gets can be wrong. They will get fixed later after they expire and a new query will use VPN’s DNS, but you don’t know how long it will take, unless you’d play with router’s cache-max-ttl (set it to a lower value and after that time you can count on it being correct, if VPN stayed connected). It’s not a very nice solution, but it’s simple.
Better but more complicated would be to start without any DNS resolver and use script with [:resolve server=8.8.8.8 public-vpn-134.opengw.net] to update server address in L2TP client. And then make sure that any DNS request from router will use VPN:
Other possibility could be to use DoH, it’s exactly for situations like this. You can try https://1.1.1.1/dns-query, and if it’s not blocked, it should be fine. Don’t forget to enable certificate verification and load required certificate (DigiCert Global Root CA from https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem). I also thought about using it only for resolving VPN server’s address, but unfortunately it seems that when router has DoH server, it always prefers it and not even VPN’s use-peer-dns=exclusively can override it.
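A worked RouterOS configuration for the DoH setup sob describes above, added here as an example (it is not from the thread). It assumes RouterOS 6.47 or later (first release with DoH), the default "WAN" interface list of a hAP, and that the router can reach cacerts.digicert.com.

```routeros
# Added example, not from the forum thread. Assumes RouterOS 6.47+, an interface
# list named "WAN" (present in the default hAP configuration) and outbound HTTPS
# access to cacerts.digicert.com from the router.

# 1. Fetch the DigiCert Global Root CA (the root behind 1.1.1.1's certificate)
#    and import it into the router's certificate store.
/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem" mode=https
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""

# 2. Remove every plain-text upstream resolver so no query can fall back to
#    port 53 where the ISP can answer in its place, then point the router at DoH.
#    verify-doh-cert=yes is the security-relevant part: without it the TLS
#    session accepts any certificate, so an on-path party could still serve
#    forged answers over "encrypted" DNS. cache-max-ttl bounds how long a stale
#    (possibly tampered) answer survives in the cache, as discussed above.
/ip dns set servers="" \
    use-doh-server="https://1.1.1.1/dns-query" \
    verify-doh-cert=yes \
    allow-remote-requests=yes \
    cache-max-ttl=5m

# 3. allow-remote-requests=yes lets the PC use the router as its resolver (so the
#    address list and the PC see the same answers), but it also answers on the
#    WAN side, so block DNS from WAN at the top of the input chain.
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53 \
    action=drop comment="no DNS from WAN" place-before=0
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=53 \
    action=drop comment="no DNS from WAN" place-before=0

# 4. Checks: the root CA is present and trusted, and a lookup succeeds via DoH.
/certificate print where common-name~"DigiCert Global Root CA"
/ip dns cache flush
:put [:resolve www.example.com]
```

If the final :resolve fails right after import, run `/ip dns print` and confirm `doh-...` fields show the server as reachable; a wrong or missing root certificate fails closed once verify-doh-cert=yes is set.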
I see my mistake with resolve, I’ll come up with better plan, but try the simple solution first, i.e. DoH. Download linked certificate, upload it to router and import it:
And did you change your PC’s DNS resolver address to this router? It seems that svoboda.org uses many different addresses with very short TTL and they are different depending on who asks. So if it should work, it’s important that you have the same source for both router (for address list) and PC. And the most reliable is if the PC has the router as resolver, because it gets data from its cache.
I saw that VPN connection speed of my Mikrotik client is very very slow. If I connect to VPN server from my PC VPN connection speed is normal. And all banned sites open. Maybe this is the reason?
Very very slow can happen if you use mangle rules to change routing like you do, and if at the same time you have enabled fasttrack (rule with action=fasttrack-connection).