Yet another VPN issue when icmp works but http doesn't

So, I’ve set up SurfVPN as in the manual on their web page. Ping works, web sites aren’t loading.

Changing the MSS, as suggested in the forum, didn't help.

Any ideas?

Here is my config

mar/15/2024 22:16:54 by RouterOS 6.49.7

software id = SKL2-E689

model = RB760iGS

serial number = XXXXXXXXX

# RouterOS 6.49.7 export (RB760iGS) for a Surfshark IKEv2 client setup.
# NOTE(review): this export still contains live credentials in clear text
# (the PPPoE password below, and the IPsec EAP username/password under
# /ip ipsec identity). Anything pasted publicly in this form should be
# treated as compromised: rotate them and redact before sharing again.
# NOTE(review): the comment= values appear with typographic quotes (“ ”);
# that is presumably the forum re-rendering the straight quotes of the
# original export — the pasted text would not import as-is.
/interface bridge
# LAN bridge (defconf) with a pinned admin MAC.
add admin-mac=48:A9:8A:1C:25:21 auto-mac=no comment=defconf name=bridge
/interface ethernet
# sfp1 is the uplink: it carries the PPPoE session (see /interface pppoe-client)
# and is the only member of the WAN list (see /interface list member).
set [ find default-name=sfp1 ] loop-protect=off mac-address=48:A9:8A:1C:25:28 rx-flow-control=auto tx-flow-control=auto
/interface pppoe-client
# add-default-route=yes: all traffic that is not matched by an IPsec policy
# leaves via pppoe-out1. The password here is a live credential (see header note).
add add-default-route=yes interface=sfp1 keepalive-timeout=disabled name=pppoe-out1 password=3IIaiuk1 use-peer-dns=yes user=sup14@054
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
# responder=no: this router is the IKEv2 initiator and requests an address
# from the peer. Only sources in the `local` address list (a single host,
# 192.168.1.150, under /ip firewall address-list) are sent into the tunnel;
# RouterOS is expected to add a dynamic src-nat rule for that list once the
# tunnel is up — confirm in /ip firewall nat while connected.
add name=SharkIsrael responder=no src-address-list=local
/ip ipsec policy group
add name=SharkIsrael
/ip ipsec profile
# No phase-1 algorithms are listed, so the profile is presumably at defaults
# (defaults are not included in an export) — verify they match the provider.
add name=SharkIsrael
/ip ipsec peer
# Peer is addressed by hostname and uses IKEv2 exchange mode.
add address=il-tlv.prod.surfshark.com exchange-mode=ike2 name=SharkIsrael profile=SharkIsrael
/ip ipsec proposal
# pfs-group=none; phase-2 algorithms not shown, presumably defaults.
add name=SharkIsrael pfs-group=none
/ip pool
add name=dhcp ranges=192.168.1.5-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/system logging action
add name=interface target=memory
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# sfp1 is kept out of the bridge (disabled port) since it is the WAN uplink.
add bridge=bridge comment=defconf disabled=yes interface=sfp1
# ether1 is bridged into the LAN here (not a defconf entry).
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
# DHCP client on sfp1 alongside the PPPoE session on the same interface.
add comment=defconf disabled=no interface=sfp1
/ip dhcp-server lease
add address=192.168.1.47 client-id=1:10:a4:be:d5:b1:61 mac-address=10:A4:BE:D5:B1:61 server=defconf
add address=192.168.1.22 client-id=1:dc:a6:32:b1:5a:ee mac-address=DC:A6:32:B1:5A:EE server=defconf
add address=192.168.1.55 client-id=1:24:5e:be:62:4e:fc mac-address=24:5E:BE:62:4E:FC server=defconf
add address=192.168.1.25 client-id=1:b0:d5:9d:b7:61:14 mac-address=B0:D5:9D:B7:61:14 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
# The router resolves for clients; exposure to the WAN side is limited only by
# the input chain below ("drop all not coming from LAN"), so that rule must stay.
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
# `local` is the only address list defined in this export; it is referenced
# by the IPsec mode-config above and currently holds one host.
add address=192.168.1.150 list=local
/ip firewall filter
# Rule order matters: the two ipsec-policy accepts in the forward chain come
# before fasttrack, so tunnelled traffic is not fasttracked (fasttracked
# connections would bypass the IPsec policy match).
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
# The next rule is one command wrapped over two lines by the forum.
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new
in-interface-list=WAN
/ip firewall mangle
# NOTE(review): this rule matches dst-address-list=AddressList, but no list
# named `AddressList` exists in this export (only `local` is defined), so the
# rule never matches and the MSS is never clamped — which would explain why
# "changing the MSS didn't help". It presumably should reference the same list
# as the mode-config (`local`), and clamp in both directions of the tunnel.
add action=change-mss chain=forward dst-address-list=AddressList new-mss=1350 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1350
/ip firewall nat
# ipsec-policy=out,none: packets that match an IPsec policy are excluded from
# masquerade, so tunnelled traffic is not NATed to the PPPoE address.
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN
# Exposes TCP/51413 on 192.168.1.22 to the WAN; the forward chain's
# "drop all from WAN not DSTNATed" rule lets it through because it is dst-nat'ed.
add action=dst-nat chain=dstnat dst-port=51413 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.22 to-ports=51413
/ip ipsec identity
# EAP-MSCHAPv2 client identity, one command wrapped over two lines by the
# forum. Policies are generated per connection (port-strict) from the
# template below. The username/password pair is a live credential (see header note).
add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=SharkIsrael
password=xNP6hxceRrgC3mJd4hpbXK8c peer=SharkIsrael policy-template-group=SharkIsrael username=5nnWMLddVVcj82G5nHvA8L49
/ip ipsec policy
# Catch-all template (any src -> any dst) in the SharkIsrael group; the
# concrete policy is generated from it at connection time.
add dst-address=0.0.0.0/0 group=SharkIsrael proposal=SharkIsrael src-address=0.0.0.0/0 template=yes
/system clock
set time-zone-name=Asia/Jerusalem
/system identity
set name=RouterOS
/system logging
add action=interface topics=interface
/system package update
set channel=upgrade
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=sfp1

Wireguard works!

Is there a working manual explaining how to set it up with Surfshark?

Update: with “add action=change-mss chain=forward new-mss=1500 passthrough=yes \ protocol=tcp tcp-flags=syn” it is now working…sort of.

Download speeds are more or less OKish, but upload is horrible…

1500 is too large. It should not be larger than the available MTU minus 40 bytes.

Tried setting it to 1350 - same results