Nordvpn IPsec Mikrotik Routing

RouterOS General
1

Dear Experts,

I have Nordvpn running on my Mikrotik and i wish to route some destination address to use this VPN not all the traffic. I cannot find a way to route some destination ip range to use this VPN. Is it possible to route some destination address or destination ip range to use this connection?

Thanks.

2

The easiest way is to configure connection-mark=via-NordVPN in the /ip ipsec mode-config row you use for the NordVPN identity, and use mangle rules to assign that connection-mark to connections you want to use the VPN:
/ip firewall mangle
add chain=prerouting dst-address-list=VPN-destinations connection-mark=no-mark action=mark-connection new-connection-mark=via-NordVPN
add chain=output dst-address-list=VPN-destinations connection-mark=no-mark action=mark-connection new-connection-mark=via-NordVPN

The first rule handles packets from LAN, the second one handles packets sent by the router itself (such as DNS queries). Populate the address list VPN-destinations with the addresses and ranges you want to be routed via the VPN.

If you want to prevent traffic to those destinations from being sent out if the VPN is down, you’ll need another step - translate the connection-mark to some routing-mark for outgoing traffic, and create a default route with that routing-mark with gateway set to br-blackhole, where br-blackhole is a bridge interface with no member ports:

/interface bridge add name=br-blackhole protocol-mode=none

/ip route add routing-mark=NordVPN-only gateway=br-blackhole

/ip firewall mangle add chain=prerouting in-interface-list=!WAN connection-mark=via-NordVPN action=mark-routing new-routing-mark=NordVPN-only

You have to decide what you want to do with DNS queries when/if the VPN is down.

3

Hello mikrotik experts & users!

I have a strange problem after configuring NordVPN IKEv2 IPsec tunnel.
I followed their instructios step by step, and it works. When I run speedtest, I see the server location correspondent to choosen NordVPN server location and I’m satisfyed with up/down speed.
It works ok with my laptop (Macbook Air), and Mac mini. It also work on my other windows laptop.

Here comes the problem;
Problem comes with Android devices Fire stick 4K and other Android TVbox (Tanix mx3 mini). For example, Fire stick says it cannot connect to Amazon server, or for example sometimes when it connects or for example on other Android TV box, Youtube app doesn’t start a video (but I see live icons like it has internet connection.
When I run Analiti app, download speed shows ok, but upload can’t even start test.
If i just disable Fire stick local adresses assignet to VPN tunnel in Firewall / Adresses list, everything works fine, so obviously it is kind of VPN tunnel problem.
But even stranger, I have IPTV app (TiVi Mate), on Fire stick and Android TV box, and this app runs perfectly through VPN, and Youtube app doesnt ???

I’m quite shure that I’ve configured VPN on mikrotik ok (it’s explained in tutorial very well), and other than this tunnel, my mikrotik is practicly on default settings.

Have any of you similar problems with Fire stick and Nord VPN?
If I run NordVPN app on Fire stick, it rons without problems. So could it be in codecs or protocols issue?

PS
I’m a newbie, not network expert, I configured it step by step following tutorial. Mikrotik router is Mikrotik hEX S (RB760iGS)
If it will be needed, I can put config. here. Thank you for all kind friends who are willing to help!

4 
/ip ipsec policy
move *ffffff destination=0
add action=none dst-address=168.192.88.0/24 src-address=0.0.0.0/0 place-before=1

Replace 168.192.88.0/24 by your own local network.

http://forum.mikrotik.com/t/mtu-troubles-using-ikev2-providers-like-nordvpn-work-around/135154/1

5

OMG, it works now! Thank you so much!

I actualy saw earlier your linked topis and by advice there, I tryed to press “Preview” my written post, and it opens in very short time, so I had no doubt in MTU. Obviously, I did not done this throughly.

Thanks again, but beware; More questions are comming because I very much love RouterOS and my hEX S router :slight_smile:
I’m starting to configuring more and more local network settings (of course, god bless backup :)))

6

Sindy helped me on this one and I could not done it without Sindy’s help I would not solved it. I don’t understand why Mikrotik development is not picking up on this solution !

7

Hi

I have a hAP Lite and have set up the nordvpn as per the instructions on this and nordvpn web site, as a standard router the bandwidth reads as 56Mb down and 20Mb up, with the vpn in situ the dowload is about 17Mb which is OK but the upload is basically nothing.1 or less. Is there something silly I am doing?

Cheers Pete

8

Most often people forget to exclude the traffic which should go via IPsec VPN from fasttracking. So if you have a chain=forward action=fasttrack-connection … rule in /ip firewall filter, disable it and test the speed using a new test connection. If it helps, and if you use the device also for normal access to internet, you may want to selectively exclude only the IPsec VPN traffic from fasttracking. If so, post your complete configuration export, minus sensitive data - see my automatic signature below for a mini-howto.

9

I wrote a mini guide here that covers fasttrack, MSS reduction and killswitch: http://forum.mikrotik.com/t/nordvpn-ipsec-ikev2-killswitch-for-ros6/144817/1

10

Thanks, it was indeed the fastrack causing the problem, though runing a speedtest I get the top speed downloading but uploading seems to hang for a few seconds and then starts climbing upto about half the normal bandwidth, I also have a strange behaviour, when connected to NordVPN UK host BBC detects it as if I am not in the UK and blocks the UK contentet such as Iplayer. I am in the UK and just trying to set up a permanent VPN through the router.

11

Make sure you are using NordVPN DNS provided by VPN server.

12

Very strange, if I use the router address as dns server with the NordVPN then it shows the dns as in frankfurt, if I override the dns in the client settings it is all OK.I might add that the dynamic and fixed ip addresses are te NordVPN dns’s

13

So the problem with the BBC not recognising I’m in the UK is explained here by NordVPN

‘We have contacted the technicians regarding this issue, and it seems that the DNS requests are not going through a VPN tunnel. Therefore, we can say that the connection is leaking.

Unfortunately, it seems that the issue is not related to the configuration nor to the VPN server or our infrastructure. As mentioned, your device fails to forward the DNS requests to the VPN tunnel. Lastly, we recommend upgrading or downgrading device firmware. If nothing works - contact the manufacturer’s support.’

14

I add static dns forward record and want the dns query via ipsec, the connection is marked, but in ipsec/active peers txbytes and rxbytes is all 0, it looks like the connection isn’t go out via ipsec.

/ip dns static add regexp=".*\\.google\\.com\$" forward-to=8.8.8.8
/ip firewall mangle add action=mark-connection chain=output dst-address=8.8.8.8 dst-address-type=!local \
    new-connection-mark=VPN passthrough=no
15

Show the rest of the configuration. What you’ve posted looks fine (dst-address-type can be omitted but that only adds a few CPU cycles to the rule processing, it doesn’t break functionality), so the issue must be elsewhere.

16

Looks like it’s because of the src-address-list=Lan.

/ip ipsec mode-config
add connection-mark=VPN name=PureIKEV2 responder=no src-address-list=Lan \
    use-responder-dns=no