No response from NordVPN over OVPN Client config - Router OS 7.15.1

Hi, First time poster. Since NordVPN doesn’t have wireguard support I have 2 options to connect, IPSec or OVPN. I’ve tried both, I’ve followed the official tutorial and mikrotik documentation and watched a few youtube videos on Mikrotik w/ NordVPN with IPsec and while it connects, I can’t browse the internet, it’s like the tunnel gets stuck, I’ve tried various things and can’t get it to work. I can ping 1.1.1.1 and 8.8.8.8 and IPs but anything other than ICMP doesn’t go through…

So I switched to OpenVPN client since I’m familiar with it and come from pfsense world where it worked fine. I set up the PPP interface, imported the OVPN file and connection is established, I set up my routes and NAT and I can Torch the interface and see that I’m hitting nordvpn w/ data but no response is given from the nord server. I see Tx and Tx Packets (p/s) fluctuating but no Rx or Rx Packets (p/s) when I look at the PPP Interface list. What gives?

# 2024-06-19 13:32:08 by RouterOS 7.15.1
# software id = **ELIDED**
#
# model = RB5009UPr+S+
# serial number = H.....
# Single LAN bridge with VLAN filtering enabled; per-VLAN port membership is defined under /interface bridge vlan further down.
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge port-cost-mode=short vlan-filtering=yes
# Three WireGuard tunnels (Wirehole, Vultr, ProtonVPN). Per the post these work; only the NordVPN path (IPsec / OVPN below) is failing.
/interface wireguard
add comment=Wirehole listen-port=13231 mtu=1420 name=wireguard1
add comment=Vultr listen-port=13232 mtu=1420 name=wireguard2
add comment=ProtonVPN listen-port=13233 mtu=1420 name=wireguard3
# One VLAN interface per network segment on the bridge (IDs 2-6 and 10).
/interface vlan
add interface=bridge name=Guest vlan-id=2
add interface=bridge name=IoT vlan-id=3
add interface=bridge name=Kids vlan-id=4
add interface=bridge name=Management vlan-id=10
add interface=bridge name=ProV vlan-id=5
add interface=bridge name=ProV2 vlan-id=6
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# No wireless interfaces appear anywhere in this export, so this default security profile looks unused.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NordVPN IKEv2 objects. The peer is currently disabled (disabled=yes); its identity and policy template are further down.
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=VLAN6Network use-responder-dns=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=**ELIDED**.nordvpn.com disabled=yes exchange-mode=ike2 name=NordVPN profile=NordVPN
# pfs-group=none disables perfect forward secrecy on the phase-2 proposal; confirm this is what the provider actually requires.
/ip ipsec proposal
add name=NordVPN pfs-group=none
# Pool 'dhcp' spans 192.168.1.10-192.168.88.200 (crossing several /24s) and is not referenced by any DHCP server below — looks like a leftover default.
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.88.200
add name=dhcp_pool1 ranges=192.168.1.20-192.168.1.200
add name=dhcp_pool2 ranges=192.168.2.10-192.168.2.254
add name=dhcp_pool3 ranges=192.168.3.10-192.168.3.254
add name=dhcp_pool4 ranges=192.168.4.10-192.168.4.254
add name=dhcp_pool5 ranges=192.168.5.10-192.168.5.254
add name=dhcp_pool10 ranges=192.168.10.10-192.168.10.254
add name=dhcp_pool6 ranges=192.168.6.10-192.168.6.254
# One DHCP server per segment (dhcp6 serves Management / pool10, dhcp7 serves ProV2 / pool6).
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge name=dhcp1
add address-pool=dhcp_pool2 interface=Guest name=dhcp2
add address-pool=dhcp_pool3 interface=IoT name=dhcp3
add address-pool=dhcp_pool4 interface=Kids name=dhcp4
add address-pool=dhcp_pool5 interface=ProV name=dhcp5
add address-pool=dhcp_pool10 interface=Management name=dhcp6
add address-pool=dhcp_pool6 interface=ProV2 name=dhcp7
# PPP profile for the OVPN client: encryption mandatory, one session, MSS adjustment on (a mangle change-mss rule for the same interface also exists below).
/ppp profile
add change-tcp-mss=yes name=NordVPN only-one=yes use-compression=no use-encryption=required use-ipv6=no use-mpls=no use-upnp=\
    no
# OVPN client to NordVPN on port 443. `protocol` is not set, so the RouterOS default applies — confirm it matches the transport in the imported .ovpn.
# route-nopull=yes: routes pushed by the server are ignored; VLAN6 is steered into the tunnel via the nordvpn-usa table and /routing rule below.
# verify-server-certificate=yes relies on the provider CA being present in /certificate.
/interface ovpn-client
add auth=sha512 cipher=aes256-cbc connect-to=**ELIDED** mac-address=**ELIDED** name=NordVPNOpenVPN port=443 \
    profile=NordVPN route-nopull=yes use-peer-dns=no user=**ELIDED** verify-server-certificate=yes
# Queue types; the simple queue is disabled, the queue tree shapes upload on ether1 (30M) and download on the bridge (200M).
/queue type
add kind=fq-codel name=fq_codel
add kind=cake name=cake_q
/queue simple
add disabled=yes max-limit=35M/35M name=queue1 queue=fq_codel/fq_codel target=ether1 total-queue=fq_codel
/queue tree
add max-limit=30M name=queue-upload packet-mark=no-mark parent=ether1 queue=fq_codel
add max-limit=200M name=queue-download packet-mark=no-mark parent=bridge queue=fq_codel
# One routing table per VPN exit; the /routing rule section selects them by source address.
/routing table
add comment=VultrK disabled=no fib name=useWG
add comment=ProtonRoutingTable disabled=no fib name=proton_usa
add comment=NordVPN disabled=no fib name=nordvpn-usa
# Bridge ports: ether3-7 and sfp-sfpplus1 are plain members, ether8 is an access port for VLAN 10 (pvid=10).
# ether1 and ether2 are not bridged — both run DHCP clients (see /ip dhcp-client).
/interface bridge port
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is disabled globally, so the /ipv6 firewall rules further down are currently inactive.
/ipv6 settings
set disable-ipv6=yes
# VLAN table: VLANs 2-6 are tagged on the ether5 trunk and on the bridge (CPU) port; VLAN 10 (Management) is untagged on ether8.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=2
add bridge=bridge tagged=bridge,ether5 vlan-ids=3
add bridge=bridge tagged=ether5,bridge vlan-ids=4
add bridge=bridge tagged=bridge,ether5 vlan-ids=5
add bridge=bridge tagged=bridge untagged=ether8 vlan-ids=10
add bridge=bridge tagged=ether5,bridge vlan-ids=6
# LAN list = bridge + Management only. Guest/IoT/Kids/ProV/ProV2 are NOT in LAN, so the input chain's
# "drop all not coming from LAN" rule applies to them: only ICMP and UDP/53 from those VLANs reach the router itself.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Management list=LAN
# WireGuard peers. Vultr and Proton allow 0.0.0.0/0 (they are default routes in their tables); Wirehole allows 10.2.0.0/24, which
# covers the 10.2.0.100 PiHole route. The Proton peer has no preshared-key (optional in WireGuard); the other two do.
/interface wireguard peers
add allowed-address=10.2.0.0/24 comment=WireHolePeer endpoint-address=**ELIDED** endpoint-port=**ELIDED** interface=wireguard1 \
    name=WireholePeer18 persistent-keepalive=5s preshared-key="**ELIDED**" public-key="**ELIDED**"
add allowed-address=0.0.0.0/0 comment=VultrKVPN endpoint-address=66.XXX.XXX.XXX endpoint-port=51820 interface=wireguard2 \
    name=VultrKVPN persistent-keepalive=5s preshared-key="**ELIDED**" public-key="**ELIDED**"
add allowed-address=0.0.0.0/0 comment=ProtonUSA endpoint-address=37.XXX.XXX.XXX endpoint-port=51820 interface=wireguard3 name=\
    ProtonUSAPeer persistent-keepalive=15s public-key="**ELIDED**"
# Interface addresses. The WireGuard addresses carry no prefix length, so they are /32 host addresses (network equals the address).
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.2.1/24 interface=Guest network=192.168.2.0
add address=192.168.3.1/24 interface=IoT network=192.168.3.0
add address=192.168.4.1/24 interface=Kids network=192.168.4.0
add address=192.168.5.1/24 interface=ProV network=192.168.5.0
add address=192.168.10.1/24 interface=Management network=192.168.10.0
add address=10.6.0.19 comment="Wirehole Interface" interface=wireguard1 network=10.6.0.19
add address=10.124.132.3 comment=VultrVPN interface=wireguard2 network=10.124.132.3
add address=10.2.0.2 comment=ProtonVPN interface=wireguard3 network=10.2.0.2
add address=192.168.6.1/24 interface=ProV2 network=192.168.6.0
# Two DHCP uplinks: ether1 (in the WAN list) and ether2 with default-route-distance=2. ether2 is NOT in the WAN interface list, so the
# WAN masquerade rule and the "drop all from WAN not DSTNATed" forward rule below do not cover it — confirm whether ether2 faces the internet.
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
add default-route-distance=2 interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
**ELIDED**
# Every segment hands out the router's own address as gateway and DNS server (resolver settings follow).
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.4.1 gateway=192.168.4.1
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
add address=192.168.6.0/24 dns-server=192.168.6.1 gateway=192.168.6.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
# The router is a resolver (allow-remote-requests=yes) with a single upstream, 10.2.0.100 (the PiHole, reached over wireguard1 per the static route).
# The input chain drops everything not from LAN except ICMP and UDP/53 from VLAN interfaces, so the resolver is not reachable from WAN.
# With only one upstream listed, DNS for every segment stops if wireguard1 is down.
/ip dns
set allow-remote-requests=yes servers=10.2.0.100
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
# "Local Networks" omits 192.168.6.0/24 (ProV2) and 192.168.10.0/24 (Management), so the "Block Inter VLAN Traffic" rule does not isolate those two.
# VLAN5Network and RFC1918 are defined but not referenced anywhere in this export; VLAN6Network is used by the IPsec mode-config and a disabled mangle rule.
/ip firewall address-list
add address=192.168.1.0/24 list="Local Networks"
add address=192.168.2.0/24 list="Local Networks"
add address=192.168.3.0/24 list="Local Networks"
add address=192.168.4.0/24 list="Local Networks"
add address=192.168.5.0/24 list="Local Networks"
add address=192.168.5.0/24 list=VLAN5Network
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
add address=192.168.6.0/24 list=VLAN6Network
# Forward chain: DoT (tcp/853) and QUIC (udp/80,443) are dropped so clients fall back to plain DNS / TCP, which the NAT rules below can redirect.
/ip firewall filter
add action=drop chain=forward comment="Drop Port DoT TLS 853 from Leaving FW" dst-port=853 protocol=tcp
add action=drop chain=forward comment="Drop QUIC Port 80" dst-port=80 protocol=udp
add action=drop chain=forward comment="Drop QUIC Port 443" dst-port=443 protocol=udp
# Inter-VLAN isolation depends on the "Local Networks" list, which lacks 192.168.6.0/24 and 192.168.10.0/24 — VLAN6 and Management are not isolated by this rule.
add action=drop chain=forward comment="Block Inter VLAN Traffic" dst-address-list="Local Networks" src-address-list=\
    "Local Networks"
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# ICMP to the router is accepted from every interface, including WAN (default config).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
# UDP only. TCP/53 from VLANs outside the LAN list (Guest/IoT/Kids/ProV/ProV2) is dropped by the next rule, even though the NAT
# redirect below sends TCP/53 to the router — a matching protocol=tcp accept rule would close that gap.
add action=accept chain=input comment="DNS for All VLAN" dst-port=53 in-interface=all-vlan protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
# No mangle rule in this export sets connection-mark under_nordvpn, so this accept never matches (dead rule).
add action=accept chain=forward connection-mark=under_nordvpn
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Only unsolicited new connections from the WAN list (ether1) are dropped; there is no final drop in the forward chain. New connections
# arriving on ether2 or on the VPN tunnel interfaces (none of which are in the WAN list) are therefore accepted by default —
# consider adding those interfaces to the WAN list or appending a final drop rule.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# MSS clamping per tunnel. The NordVPN rule carries an empty connection-state="" matcher, which looks like an export artifact — verify it matches as intended.
# The NordVPN PPP profile above already has change-tcp-mss=yes, so the second rule duplicates that function.
/ip firewall mangle
add action=change-mss chain=forward comment="MSS Clamping Required for Vultr for larger packets" new-mss=1300 out-interface=\
    wireguard2 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1300-65535
add action=change-mss chain=forward comment="MSS Clamping Required for NordVPN for larger packets" connection-state="" \
    new-mss=1450 out-interface=NordVPNOpenVPN passthrough=no protocol=tcp tcp-flags=syn
# Disabled: VLAN6 is steered to nordvpn-usa by /routing rule instead, so nothing active in this export sets the nordvpn-usa routing-mark.
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=nordvpn-usa passthrough=yes src-address-list=\
    VLAN6Network
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# VLAN5 and VLAN6 DNS is dst-nat'ed to 9.9.9.9 (these run before the catch-all redirect); the comments on the 192.168.6.0/24 rules still say "VLAN5".
add action=dst-nat chain=dstnat comment="Route DNS from VLAN5 to Quad 9 DNS" dst-port=53 protocol=udp src-address=\
    192.168.5.0/24 to-addresses=9.9.9.9 to-ports=53
add action=dst-nat chain=dstnat comment="Route DNS from VLAN5 to Quad 9 DNS" dst-port=53 protocol=udp src-address=\
    192.168.6.0/24 to-addresses=9.9.9.9 to-ports=53
add action=dst-nat chain=dstnat comment="Route DNS from VLAN5 to Quad 9 DNS" dst-port=53 protocol=tcp src-address=\
    192.168.5.0/24 to-addresses=9.9.9.9 to-ports=53
add action=dst-nat chain=dstnat comment="Route DNS from VLAN5 to Quad 9 DNS" dst-port=53 protocol=tcp src-address=\
    192.168.6.0/24 to-addresses=9.9.9.9 to-ports=53
# Catch-all: any other DNS is redirected to the router's own resolver (which forwards to the PiHole).
add action=redirect chain=dstnat comment="Redirect other DNS services from leaving FW. " dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat comment="Redirect other DNS services from leaving FW. " dst-port=53 protocol=udp to-ports=53
# NOTE(review): this masquerade additionally requires routing-mark=nordvpn-usa. The only rule that sets that mark is the disabled
# mangle rule above, and to my knowledge a /routing rule lookup does not set a firewall routing-mark — so this rule most likely never
# matches and VLAN6 traffic leaves NordVPNOpenVPN un-NATed, which would fit the "Tx but no Rx" symptom. The Proton and Vultr
# masquerades below match on out-interface + src-address only; dropping routing-mark= here would make this one consistent with them.
add action=masquerade chain=srcnat comment="Route all VPN from VLAN6 to NordVPN" out-interface=NordVPNOpenVPN routing-mark=\
    nordvpn-usa src-address=192.168.6.0/24
add action=masquerade chain=srcnat comment="Route all VPN from VLAN5 to ProtonVPN" out-interface=wireguard3 src-address=\
    192.168.5.0/24
add action=masquerade chain=srcnat comment="Route Selective VPN from LAN to Vultr" out-interface=wireguard2 src-address=\
    192.168.1.0/24
# IKEv2 identity using EAP-MSCHAPv2 with no client certificate (certificate=""). Server-certificate validation relies on the provider
# CA being imported into /certificate — confirm it is. The policy template below covers 0.0.0.0/0 for generate-policy=port-strict.
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN \
    policy-template-group=NordVPN username=z7bBXgL........
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
# Static routes: a host route to the PiHole via wireguard1 in main, plus one default route per VPN table
# (main's own default route is learned from the DHCP clients and so is not listed here).
/ip route
add comment="Route to PiHole" disabled=no distance=1 dst-address=10.2.0.100/32 gateway=wireguard1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard2 routing-table=useWG scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=RouteToProton disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard3 routing-table=proton_usa scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=NordVPNOpenVPN routing-table=nordvpn-usa scope=30 \
    suppress-hw-offload=no target-scope=10
# Services: telnet/ftp/api/api-ssl disabled, HTTPS enabled with a self-signed certificate. The export lists only non-default entries,
# so www, ssh and winbox are presumably still at their defaults; they are shielded by the input chain's !LAN drop, but an
# address= restriction on them would be a cheap extra layer.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl certificate=mikrotik_self_signed disabled=no
set api disabled=yes
set api-ssl disabled=yes
# Default IPv6 firewall. Inactive while /ipv6 settings has disable-ipv6=yes, but it will take effect if IPv6 is re-enabled.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Source-based policy routing into the VPN tables. lookup-only-in-table means no fallback to main: if a tunnel is down these
# sources lose connectivity rather than leaking out the plain WAN (kill-switch behaviour).
/routing rule
add action=lookup-only-in-table comment="Laptop" disabled=no src-address=192.168.1.190/32 table=useWG
add action=lookup-only-in-table comment="iPhone" disabled=no src-address=192.168.1.191/32 table=useWG
add action=lookup-only-in-table comment="VLAN5 to Proton" disabled=no src-address=192.168.5.0/24 table=proton_usa
add action=lookup-only-in-table comment="VLAN6 to NordVPN" disabled=no src-address=192.168.6.0/24 table=nordvpn-usa
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
# MAC-telnet and MAC-Winbox are limited to the LAN list (bridge + Management).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Yes NordLynx crappola.
I wonder if you open their app one can find all the necessary info and thus translate it to the router…
Specifically need:

a. Wireguard endpoint Port
b. Wireguard endpoint address
c. DNS server or address preferred/requested/installed by nordlynx app
d. Wireguard address assigned to my device
e. Private key assigned to me ( so that I may create the same public key you have in their database -which would be used at their end as my peer public key ).
f. Public key generated by NordVPN which I use on my device peer settings.

Yeah, I was trying to do that but everything is hidden away. Can’t find anything to get wireguard going w/ NordVPN…

I wouldn’t be giving NordVPN any time of day but I already have a paid plan with them for a while and I can’t return it.

Just curious why OVPN isn’t working w/ them through mikrotik but works just fine w/ pfsense, opnsense.. Is my config alright in the mikrotik at least?

I have no issues w/ the 3 wireguard tunnels I have set up, each one works as expected.

Boom… Just needed this little hint very kind sir.. Found all the info from doing just that, there are github scripts and bunch of info on reddit to get the wireguard config. You know.. just takes someone to say a little hint to get the train moving again… Thank you.. No need for OVPN or IPSec.. wireguard ftw, works just great.