Overall improvements

WireGuard is not suitable for my scenario, but thank you for the suggestion.

Very clear, in fact, it says to contact the company where you bought it,
or pay consultants to help you,
or try the user forum to see if anyone can help you,
or learn from the software manuals.

Which of these have you done?

No paid consultant; everything else tried, without success.

Give the forum more time; most IPsec experts are the busy ones around here, with real jobs and family lives probably, so... patience is key, and the more they see you making an effort and learning, the more apt they are to help and the more likely you understand what they are saying. Don't give up yet!!

Often the problem is a lack of communication or miscommunication, and that is why I implore that we have standards on the forum; alas, I am a lone voice LOL.

  1. Let us understand the full breadth of requirements so a proper config can be discussed.
    a. identify all the user(s)/device(s) including the admin, external/internal etc.
    b. identify all the traffic they require to pass successfully.

  2. Provide a detailed network diagram

  3. Provide details on ISP connection(s), static/dynamic public/private, type etc........

  4. Provide details on ISP usage if multi-wan (primary/failover,LB, which users/subnets have to go out certain WANS, any incoming on particular wans for lan servers etc..)

  5. Full copy of config after every set of changes so the latest facts can be used to move forward.

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)

Should mention that Windows' finicky approach to IPsec may be the heart of the matter; in that vein, I easily found some interesting snippets in search... for example,

  1. By default, the native Windows VPN client does not like the IPsec server to run on a private address behind a NAT.

  2. Regarding the certificate - Windows needs the same type of encryption to be used in the certificate and in the Phase 1 / Phase 2 proposals: either both must be RSA or both must be EC. But I'm not sure whether that is the actual reason for that error message - also the certificate purpose may be wrong; it must contain the tls-server bit at least in order that the Windows embedded client would accept it, and if I am not mistaken, the domain name must be in the Subject-Alt-Names list; many IPsec initiators do not look for it in the Common Name field.

  3. Picking the right certificate:
    IKEv2 Picking the wrong client cert installed on local PC cert store - #2 by akarpas

  4. Hi, on the MikroTik you can adjust the MSS size for broken PMTUD via mangle rules. For more info:

/ip firewall mangle
# clamp the MSS of TCP SYNs arriving through the IPsec policy (inbound direction)
add chain=forward action=change-mss ipsec-policy=in,ipsec protocol=tcp tcp-flags=syn \
    tcp-mss=1301-65535 new-mss=1300
# clamp the MSS of TCP SYNs leaving through the IPsec policy (outbound direction)
add chain=postrouting action=change-mss ipsec-policy=out,ipsec protocol=tcp \
    tcp-flags=syn tcp-mss=1301-65535 new-mss=1300

  5. Inaccuracy in IPSec / Win10 documentation?

  6. Route internet traffic through ISP, only VPN traffic through IPSEC - #2 by rplant

Hi anav,

There is no Windows machine involved in my network.
I can run the AdGuard Firefox add-on without any problem.
But I need to run other applications through the VPN that don't offer a software client. So using the router is the preferred way.

It seems to be a problem somewhere in the router configuration; as already mentioned, the tunnel is established, but there is no traffic going through it; ipleak.net shows my original IP.

I really like the MikroTik approach and I can see that there is a nice community with people trying to help each other, which is really great, but at the end of the day I need a functional system and it seems that I'm not able to get that going.

Thank you for your uplifting words, I understand what you are saying and I fully agree.

No worries, I just reread the thread, and it occurs to me the problem is either:
a. using AdGuard for DNS
OR
b. using IPsec

Which is it?
If it's IPsec, do you mean to use the router as a server and attach clients to it remotely?

Please reread and answer the requests in my previous post.

anav

Aug 26


It seems that the typical way to assign a client to the VPN is to create an address list on the firewall and assign this list to the IPsec mode config.

https://mikrotikmasters.com/nordvpn-on-a-mikrotik/

Despite being targeted at NordVPN, this tutorial seems to do the identical steps that the AdGuard tutorial provides.
Still does not work for me.

Okay, so I am no expert and thus do not understand if there is any interaction or interference between DNS AdGuard-type approaches and IPsec... probably not.

Will try to find some time to look at the config just with a DNS lens...

Why do you bother with AdGuard when you can easily use IP/DNS/ADLIST... it is the same...

Well Rox, prior to advising, at least get the basic information:
according to the MT documentation, they serve different purposes.

DoH -> uses the HTTPS protocol to send and receive DNS requests for better data integrity. The main goal is to provide privacy by eliminating "man-in-the-middle" attacks (MITM).

ADLIST -> By redirecting ad-related requests in this manner, the adlist feature ensures that advertisement content is not loaded, enhancing network performance and improving the user experience by reducing unwanted ad traffic.

Furthermore, where is the ADLIST curated, by whom, etc.? With the company AdGuard, it is a known agent that has tremendous resources to handle load and to keep information updated in a timely fashion. AdGuard DNS works against ads, tracking and bad websites, not JUST ads.

Plus, how does one choose an adlist? It could take a reasonable person 6 months to decide, just one spot to look...

And who makes up the lists and how often are they updated, etc.? How does this compare to AdGuard's product??

Bottom line is that it is fair and reasonable to expect an MT admin to be able to easily set up and use AdGuard DNS. However, looking at MT Docs, it is not noted either way... ????

Compatible DoH services:
  Cloudflare
  Google
  NextDNS
  OpenDNS

Incompatible DoH services:
  Mullvad
  Yandex
  UncensoredDNS
  Quad9 (due to their migration to HTTP/2, which is not currently supported in RouterOS)

Also I read recently that perhaps ROS pulls the certificate automatically???

Reading your IPsec requirements, it's really a false premise. You don't want the MT to be an IPsec server; you want to use a third-party server so that your local user can go out to the internet on the VPN.
In which case WireGuard works with such providers and is much easier to deal with.

From my experience I had no problem setting up NordVPN over IPsec following their tutorial as a guideline (adapted to my setup); later I switched to WireGuard (even though there is no official guide from them for WG) just because of performance: IPsec was more CPU-consuming, which affected bandwidth; with WG it is almost twice as fast.

Focussing just on getting adguard working..............

/interface bridge
add admin-mac=##:##:##:##:##:#1 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=all .width=20/40/80mhz configuration.country=Germany .mode=ap .ssid=Wifi1 disabled=no name=wifi1_5ghz security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=all .width=20/40mhz configuration.country=Germany .mode=ap .ssid=Wifi2 disabled=no interworking.ipv6-availability=not-available name=Wifi2.4 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface vlan
add interface=ether1 name=vlan-WAN vlan-id=7
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 default-route-distance=10 disabled=no interface=vlan-WAN name=pppoe-WAN user=XXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# note: ether5 (OffBridge5) is deliberately not a bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
# the two wifi port names below are restored to match the /interface wifi names above (the pasted export had them garbled)
add bridge=bridge comment=defconf interface=wifi1_5ghz
add bridge=bridge comment=defconf interface=Wifi2.4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=pppoe-WAN list=WAN
add comment=defconf interface=bridge list=LAN
add interface=OffBridge5 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0
/ip dhcp-client
# note: disabled, the WAN address comes from pppoe-WAN
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://d.adguard-dns.com/dns-query/XXXXXX
/ip dns static
# note: static entries for the AdGuard DoH hostname so it resolves for the initial connection (addresses given by AdGuard)
add address=94.140.14.14 name=d.adguard-dns.com type=A
add address=94.140.14.15 name=d.adguard-dns.com type=A
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="Lan users to services" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# ---------------- forward chain ----------------
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet" in-interface-list=WAN out-interface-list=WAN
# enable when required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# note: added redirect dstnat rules for port 53 so LAN clients are forced to use the router's DNS
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# the pasted export had "action=dst-nat action=redirect" twice, which RouterOS does not accept;
# assumption: one rule was meant for UDP and the other for TCP, both redirecting to the router's own port 53
add action=redirect chain=dstnat comment="redirect LAN DNS (udp)" dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat comment="redirect LAN DNS (tcp)" dst-port=53 protocol=tcp to-ports=53
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set winbox address=192.168.77.2/32
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=
"\r
\n :if ([system leds settings get all-leds-off] = "never") do={\r
\n /system leds settings set all-leds-off=immediate \r
\n } else={\r
\n /system leds settings set all-leds-off=never \r
\n }\r
\n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=
"\r
\n :foreach iface in=[/interface/wifi find where (configuration.mode="ap" && disabled=no)] do={\r
\n /interface/wifi wps-push-button $iface;}\r
\n "
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I believe you will need to check the verify DoH box in IP > DNS settings, and as of 7.19 firmware the router should verify the AdGuard root certificate automatically.

It does. The AdGuard DoH is running flawlessly; it's the VPN that is not working.
There is zero traffic visible, not in the IPsec section nor in the firewall rules.

Once again anav, thank you for putting time and effort into this.

Hi optio,

thank you for your reply. The NordVPN tutorial is almost identical to the AdGuard tutorial, besides having to upload the certificate for AdGuard manually. AdGuard is not mentioning anything about the CA, but it is provided for download in the configuration settings.
I don't think the CA is the problem, as the VPN tunnel is established.
Did you have to tweak your firewall rules?
What kind of internet connection did you use?
I have to use PPPoE with VLAN 7; maybe that is something to consider?!

Another question,

when I torch my pppoe-WAN interface,
I can see under Src. an AdGuard IP using port 53.
The Dst. is my public IP and a random port, for example 59992.

Does this mean DoH is not working properly?

As I remember, no; I just needed to change the IP address list to my LAN subnet for the IPsec mode-config.

LTE, no VLAN over WAN. Maybe it is an MTU issue in your case?
Did you check if a DoH request works from a computer connected on the same network when the IPsec connection is established in ROS and connections to 0.0.0.0 are routed over it? You can use a browser, or better cURL to force HTTP/1.1 and TLS 1.2 support to check compatibility with ROS, e.g.: curl -v --http1.1 --tls-max 1.2 https://94.140.15.15/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
If the above works, does the same request work from the ROS CLI using the fetch tool: /tool/fetch url="https://94.140.15.15/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" output=user-with-headers ?

If all of the above works, can you replace the DoH URL in ROS DNS to use the IP, use-doh-server=https://94.140.15.15/dns-query, just for curiosity.
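As an added example (not from this thread, nor from MikroTik or AdGuard), here is the same DoH check optio describes, done from a LAN host in Python with only the standard library. It builds the RFC 8484 GET URL (the `dns=` parameter is the base64url-encoded wire-format query for www.example.com, which is exactly the string in the curl command above), decodes the wire-format answer including compression pointers, and for the live request pins TLS to 1.2 over HTTP/1.1 the way the `curl --http1.1 --tls-max 1.2` flags do. The resolver URL is the one from the thread; the sample response bytes are constructed for the offline part and are not a capture from AdGuard.

```python
"""DoH (RFC 8484) GET-request builder and wire-format answer decoder.

Added example for the thread above, not code from the forum, MikroTik or AdGuard.
Assumptions: the DoH endpoint URL below (taken from optio's curl command) and a
constructed sample response used for offline decoding.
"""
from __future__ import annotations

import base64
import ssl
import struct
import urllib.request

DOH_URL = "https://94.140.15.15/dns-query"  # AdGuard DoH endpoint as used in the thread


def build_query(qname: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query: ID 0 (RFC 8484 recommends 0 for HTTP caching), RD=1, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 8484 requires for the dns= parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def doh_get_url(server_url: str, qname: str) -> str:
    return f"{server_url}?dns={b64url(build_query(qname))}"


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just after it in the message)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> list[str]:
    """Return the A-record addresses in a wire-format DNS response; raise on a non-zero RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"resolver returned RCODE {rcode}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def live_check(server_url: str = DOH_URL, qname: str = "www.example.com", timeout: float = 5.0) -> list[str]:
    """Send the GET over HTTPS (urllib speaks HTTP/1.1, like curl --http1.1) with TLS capped at 1.2."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # mirror curl --tls-max 1.2
    req = urllib.request.Request(doh_get_url(server_url, qname),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_a_records(resp.read())


# Constructed sample response (not captured from AdGuard): ID 0, RCODE 0, the question echoed
# back, one A record (via a compression pointer to offset 12) for 192.0.2.1 (TEST-NET-1), TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("www.example.com")[12:]
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url(DOH_URL, "www.example.com"))
    print("offline decode:", parse_a_records(SAMPLE_RESPONSE))
    try:
        print("live answer:", live_check())
    except Exception as exc:  # no route through the tunnel, TLS/HTTP mismatch, or no network
        print("live check failed:", exc)
```

Run it on a LAN host while the IPsec connection is up: the printed URL must match the one in the curl command, and a failing live check (timeout or TLS error) localises the problem to the tunnel or the resolver rather than to the RouterOS DoH client.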