Hi Guys,
I have used the ProtonVPN setup guide for Mikrotik with success but I have a couple of questions for you gurus.
https://protonvpn.com/support/vpn-mikrotik-router/
The IPsec VPN tunnel is up and working, but I feel that there may still be something wrong, or suboptimal, with my config.
- How can I automatically obtain the DNS server from the IPsec connection to ProtonVPN (I am currently defining it statically)
- ProtonVPN says it's important to remove the "fasttrack" rules from the firewall, but I was not able to remove the "default" rule
Could you guys take a look at my config and help, please?
Thanks in advance
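# mar/12/2022 09:11:37 by RouterOS 6.49.4
# software id = ESBQ-D6KZ
# model = RBD52G-5HacD2HnD
# serial number = F66B0F49497F
#
# NOTE(review): the four lines above are the standard `/export` banner and are
# comments in an .rsc file; their leading `#` was lost in the paste and has been
# restored. The curly quotes (“ ”) the forum inserted around every quoted name and
# comment have been replaced with plain ASCII double quotes - RouterOS only accepts
# the ASCII form, so the pasted version would not import as-is.
/interface bridge
add admin-mac=DC:2C:6E:62:01:4C auto-mac=no comment=defconf name=bridge
# No ports are ever assigned to this second bridge (the `/interface bridge port`
# section below only populates "bridge"), and the `/ip route` section sends every
# packet carrying the protonvpn_blackhole routing mark into it. A port-less bridge
# has no egress, so marked LAN traffic that is not picked up by an active IPsec
# policy goes nowhere instead of leaving via ether1 - presumably the guide's
# kill-switch.
add name=protonvpn_blackhole protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=Hrvatska2g wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=Hrvatska5g wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# authentication-types still allows the legacy wpa-psk (TKIP) handshake next to
# wpa2-psk. If every client supports WPA2, trim this to `authentication-types=wpa2-psk`
# so a downgrade to WPA1 cannot be negotiated. The pre-shared key is not shown here
# (export without sensitive data).
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec mode-config
# Initiator side (responder=no): the router requests an address from the peer and
# connection-mark=under_protonvpn selects which connections use it (the dynamic
# src-nat RouterOS creates for those connections is not part of an export).
# Nothing in this export consumes the DNS servers the responder pushes: LAN clients
# receive dns-server=10.1.0.1 statically from the DHCP network further down.
# Newer releases expose a use-responder-dns option on an initiator mode-config;
# check with `/ip ipsec mode-config print` whether 6.49.4 has it before relying on
# it. Also note that the router's own resolver queries leave through the output
# chain and are never touched by the prerouting mangle rules below, so pointing
# clients at the router's resolver would presumably not carry their lookups through
# the tunnel without extra marking - confirm before changing the DHCP dns-server.
add connection-mark=under_protonvpn name="ProtonVPN mode config" responder=no
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
# dh-group offers modp1024 as the last fallback. A 1024-bit MODP group is well below
# current recommendations and would be accepted if the peer selected it; if the
# ProtonVPN endpoint negotiates with modp4096 or modp2048 (offered first), remove
# modp1024 from the list. dpd-interval=disable-dpd switches dead-peer detection
# off, so a peer that silently disappears is only noticed when traffic fails; an
# initiator normally keeps a finite interval (e.g. dpd-interval=30s).
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="ProtonVPN profile"
/ip ipsec peer
add address=us.protonvpn.com exchange-mode=ike2 name="ProtonVPN server" profile="ProtonVPN profile"
/ip ipsec proposal
# pfs-group=none disables perfect forward secrecy for the child SAs, and lifetime=0s
# presumably turns off the proposal's own rekey timer (confirm the 0s semantics in
# the docs for this release). Both values come from the guide, but together they
# mean a long-lived child SA with no fresh DH exchange; if the peer accepts a
# pfs-group and a finite lifetime, prefer those.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="ProtonVPN proposal" pfs-group=none
/ip pool
add name=dhcp ranges=192.168.89.10-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.89.1/24 comment=defconf interface=bridge network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
# dns-server=10.1.0.1 is the statically configured resolver every DHCP client
# receives - this is the value the poster would like to obtain from the tunnel
# instead (see the mode-config note above).
add address=192.168.89.0/24 comment=defconf dns-server=10.1.0.1 gateway=192.168.89.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS for any packet that reaches
# the input chain; the "drop all not coming from LAN" input rule below is what keeps
# this off the WAN side, so that rule must stay.
set allow-remote-requests=yes
/ip dns static
add address=192.168.89.1 comment=defconf name=router.lan
/ip firewall address-list
# The whole LAN subnet: every connection from it is connection-marked and
# routing-marked by the mangle rules below.
add address=192.168.89.0/24 list=under_protonvpn
/ip firewall filter
# No "defconf: fasttrack" rule is present in this export, so the fasttrack removal
# the ProtonVPN guide asks for has already happened. The remaining rules are in the
# stock defconf order, with the two ipsec-policy accept rules ahead of the
# established/related accept in the forward chain.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# Both rules match by source address list, i.e. forwarded LAN traffic only; traffic
# originated by the router itself never passes prerouting and is not marked.
add action=mark-connection chain=prerouting new-connection-mark=under_protonvpn passthrough=yes src-address-list=under_protonvpn
add action=mark-routing chain=prerouting new-routing-mark=protonvpn_blackhole passthrough=yes src-address-list=under_protonvpn
/ip firewall nat
# ipsec-policy=out,none excludes packets that match an outgoing IPsec policy, so
# tunnelled traffic is not rewritten to the WAN address by this masquerade.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
# The router authenticates with EAP-MSCHAPv2; certificate="ProtonVPN CA" is
# presumably the CA imported per the guide to validate the server certificate.
# generate-policy=port-strict instantiates the working policies from the ProtonVPN
# template group once the SA is up. The username value identifies the VPN account
# credential and is worth redacting before an export is shared.
add auth-method=eap certificate="ProtonVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="ProtonVPN mode config" peer="ProtonVPN server" policy-template-group=ProtonVPN username=DtYVxn4rMF6ZG2il
/ip ipsec policy
# Template only (template=yes), 0.0.0.0/0 <-> 0.0.0.0/0 with the ProtonVPN proposal;
# the live policies are generated by the identity above.
add dst-address=0.0.0.0/0 group=ProtonVPN proposal="ProtonVPN proposal" src-address=0.0.0.0/0 template=yes
/ip route
# Marked traffic is routed into the port-less protonvpn_blackhole bridge (see the
# bridge note). IPsec policy processing happens after routing, so a packet that
# matches an active out policy is still encapsulated and sent through the tunnel;
# only traffic with no matching policy ends up in the blackhole.
add distance=1 gateway=protonvpn_blackhole routing-mark=protonvpn_blackhole
# The disabled route via 192.168.88.1 points at a gateway that is in no subnet
# configured here (LAN is 192.168.89.0/24, WAN is via dhcp-client); it looks like a
# leftover from the factory default config and can likely be removed.
add disabled=yes distance=1 gateway=192.168.88.1
/ip service
# telnet and ftp are off. Any service not listed keeps its default and is shielded
# only by the "drop all not coming from LAN" input rule; adding
# `address=192.168.89.0/24` to each remaining service is a cheap second layer.
set telnet disabled=yes
set ftp disabled=yes
/ip ssh
# Restricts SSH to the stronger cipher/MAC/kex set.
set strong-crypto=yes
/system clock
set time-zone-name=America/Denver
/tool mac-server
# MAC-telnet and MAC-winbox are reachable from the LAN list only.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN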