Wireguard VPN for specific domains

Hi,
My ISP has blocked access to some websites and services, and I have to use a WireGuard VPN if I want to open them. Until now I've been establishing the VPN connection on my computer, but I want to configure my router to route requests to these specific blocked addresses through the WireGuard VPN connection. I have done some configuration, but sometimes it doesn't work and other times it's very slow and unusable. I don't know what I did wrong. Please help me with this configuration.

I use TLS Host under mangle to detect target addresses and add them to an address list, and then another mangle rule to mark any connection to these addresses with a routing mark.

# jan/27/2022 20:45:56 by RouterOS 7.1.1
/ip firewall address-list
.
.
.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall mangle
add action=add-dst-to-address-list address-list=blklst address-list-timeout=none-dynamic chain=prerouting protocol=tcp tls-host=i.ytimg.com
add action=add-dst-to-address-list address-list=blklst address-list-timeout=none-dynamic chain=prerouting protocol=tcp tls-host=www.youtube.com
add action=add-dst-to-address-list address-list=blklst address-list-timeout=none-dynamic chain=prerouting protocol=tcp tls-host=yt3.ggpht.com
add action=add-dst-to-address-list address-list=blklst address-list-timeout=none-dynamic chain=prerouting content=googlevideo protocol=tcp
add action=mark-routing chain=prerouting connection-state=new dst-address-list=blklst new-routing-mark=rm.vpn-wg passthrough=no protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat realm=16384
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=10.66.66.220/24 interface=wg network=10.66.66.0
/interface wireguard
add listen-port=62120 mtu=1420 name=wg
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address= endpoint-port= interface=wg public-key=
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.66.66.220 routing-table=rm.vpn-wg suppress-hw-offload=no

Fasttrack and mangle rules don't go together. The simple solution is to disable fasttrack, but you may not want that, because it can be a useful thing. The other solution is to not use fasttrack for connections over the VPN. For that you need to first mark connections, instead of marking routing directly. Then you mark routing based on the connection mark. And it will allow you to add a condition to the fasttrack rule, to only apply to connections that don't have the connection mark for the VPN.

To be clear: you want your PC, behind the router, which is behind the LIMITING ISP, to reach some other location via WireGuard?
If so, what are you connecting to? A third-party VPN provider or your own MT remote router somewhere else??

Why does it matter? It’s simply WG tunnel to some other location with uncensored internet.

YESSS!

I am a total n00b. Will you please help me with actual command to modify/add rules to my router? :smiley:

Yes to what:

  • third party vpn y/n
  • another MT device behind a diff ISP.

I am not as skilled as Sob at understanding a problem unless I know the intent and the current scenario in enough detail. Maybe one day!!

The peer is a linux server running wireguard.

Okay…
So you want to establish a tunnel with the originating end being the Linux server somewhere on the internet.
The tunnel will connect to your router locally.
Then you want to be able from your PC behind the local router to enter the tunnel and go out the linux server internet to access web sites that your local ISP blocks.

+++++++++++++++++++++++++++++++++++++++++++
Stated on the first post would have been golden!
+++++++++++++++++++++++++++++++++++++++++++

You have some EASY options which all have to do with IP routes, which is the challenging part of this.
a. move ALL internet traffic from the subnet on the local router that your PC is on, through the tunnel for internet traffic
b. move your PC to a different subnet and then route only your PC through the tunnel for all internet traffic.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A bit more work option
c. Make up enough dst-route rules to cover the IP address you want. Each address will probably require its own IP route.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Oh the Horror option
d. Mangle traffic from your PC and send that out the tunnel

Burns my gut that MIKROTIK will not include src-address-list OR dst-address-list in IP ROUTE RULES !!!

+1 for src-address-list OR dst-address-list in IP ROUTE RULES

@anav - has MikroTik officially said they won’t do it or is it a feature request they just haven’t gotten to? It would be massively helpful!

I would do it russki style, ply Normis with booze and prostitutes and then use the photos to ensure all the changes I wanted were implemented. :wink:

Seriously, there is probably a good reason why they don't, and I don't know enough about networking or RoS, or both, to know better.
(Note: I am not quite vain enough to think, this is somehow a brilliant idea that they or nobody else has thought of and requested and assume if so, that it was subsequently rejected.)

If you didn’t find it yet, replace this:

/ip firewall mangle
add action=mark-routing chain=prerouting connection-state=new dst-address-list=blklst new-routing-mark=rm.vpn-wg passthrough=no protocol=tcp

With this:

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address-list=blklst new-connection-mark=cm.vpn-wg passthrough=yes
add action=mark-routing chain=prerouting in-interface=bridge1 connection-mark=cm.vpn-wg new-routing-mark=rm.vpn-wg passthrough=no

And then add connection-mark=!cm.vpn-wg to the fasttrack rule.
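The complete rule set that the two answers above describe (mark the connection first, derive the routing mark from the connection mark, and exclude marked connections from FastTrack), written out as an added example; it is not part of the thread and not a RouterOS export. The names bridge1, wg, blklst, cm.vpn-wg and rm.vpn-wg are taken from the original config; the masquerade on out-interface=wg, the /routing table entry and using the interface name as the route gateway are assumptions I added.

```routeros
# Added example, not from the thread. Assumes: LAN on bridge1, WireGuard interface wg,
# address list blklst, connection mark cm.vpn-wg, routing mark rm.vpn-wg (RouterOS 7).

/routing table
# RouterOS 7 needs the routing table to exist before a route or mark can reference it.
add name=rm.vpn-wg fib

/ip firewall mangle
# 1. Learn destination IPs from the TLS SNI. Note the SNI only appears after the TCP
#    handshake, so the connection that first reveals a new IP still goes via the ISP;
#    only later connections to that IP are tunnelled.
add chain=prerouting protocol=tcp tls-host=www.youtube.com \
    action=add-dst-to-address-list address-list=blklst address-list-timeout=none-dynamic
# 2. Mark the CONNECTION once, on its first packet, instead of marking routing directly.
add chain=prerouting in-interface=bridge1 connection-state=new dst-address-list=blklst \
    action=mark-connection new-connection-mark=cm.vpn-wg passthrough=yes
# 3. Give every packet of a marked connection the routing mark, so policy routing sees it.
add chain=prerouting in-interface=bridge1 connection-mark=cm.vpn-wg \
    action=mark-routing new-routing-mark=rm.vpn-wg passthrough=no

/ip firewall filter
# 4. FastTrack only connections WITHOUT the VPN connection mark. Fasttracked packets
#    bypass mangle, so they would otherwise lose the routing mark and leave via the ISP.
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related connection-mark=!cm.vpn-wg
add chain=forward action=accept connection-state=established,related

/ip firewall nat
# 5. Source NAT for traffic leaving through the tunnel (assumed; the peer sees 10.66.66.220).
add chain=srcnat out-interface=wg action=masquerade

/ip route
# 6. Default route in the rm.vpn-wg table via the WireGuard interface. The interface name
#    works as the gateway for a point-to-point WireGuard tunnel; the original post used the
#    router's own tunnel address 10.66.66.220 here.
add dst-address=0.0.0.0/0 gateway=wg routing-table=rm.vpn-wg
```

Rule order inside each section matters: the mark-connection rule must come before mark-routing, and the FastTrack rule must keep its position at the top of the forward chain. To check that marked flows actually avoid FastTrack, look at /ip firewall connection and confirm that connections carrying cm.vpn-wg do not show the fasttrack flag, while ordinary LAN connections do.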

Thank you all.