
Route all traffic through NordVPN?

Posted: Tue Nov 20, 2018 7:29 pm
by dark
Hello,

I am new to MikroTik and bought a Mikrotik hAP Lite Intern (RB941-2nD) and would like to configure the following:
The router is behind a firewall I have no access to. To use VPN I have to use Port 443 and TCP.
It is connected to the network with a LAN cable and should be an access point that routes all traffic through a NordVPN Server.

I tried a few tutorials, but nothing worked. The NordVPN support says that the router doesn't support OpenVPN, but it obviously does.
Any chance to do the above?

Thank you for every answer :)

(Here is the .ovpn file I have: https://downloads.nordcdn.com/configs/f ... m.tcp.ovpn)

Re: Route all traffic through NordVPN?

Posted: Wed Nov 21, 2018 7:30 pm
by m4t7e0
Hi, yes, it is possible.
The first step is to set up your OpenVPN VPN; do you know how to do it?
Please read https://support.nordvpn.com/#/Connectiv ... -Setup.htm
Then you can simply make a prerouting "NordVPN route" mangle rule for all the traffic that you want to route over NordVPN, and then add a static route 0.0.0.0/0 gateway "nordvpn interface" route mangle "NordVPN route".
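
The mangle-and-route approach described in the reply above, written out as an added example (not part of the original post) in RouterOS v6 syntax. The interface name `nordvpn-tunnel`, the LAN subnet 192.168.88.0/24 and the mark name `nordvpn-route` are assumptions, and the example presumes an interface-based VPN client is already connected; the blackhole route is an addition that keeps marked traffic from leaving unencrypted when the tunnel is down.

```routeros
# Assumptions (not from the thread): the LAN is 192.168.88.0/24 and the
# VPN client interface is named "nordvpn-tunnel". RouterOS v6 syntax.

/ip firewall mangle
# Mark LAN traffic that is not addressed to the router itself, so it is
# looked up in a separate routing table instead of the main one.
add chain=prerouting src-address=192.168.88.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=nordvpn-route passthrough=no \
    comment="send LAN traffic to the VPN routing table"

/ip route
# Default route for marked traffic: out through the tunnel interface.
add dst-address=0.0.0.0/0 gateway=nordvpn-tunnel routing-mark=nordvpn-route \
    distance=1 comment="VPN default route"
# Fallback with a higher distance. When the tunnel drops, the route above
# goes inactive; without this entry the lookup would fall through to the
# main table and the traffic would leave over the plain WAN link.
add dst-address=0.0.0.0/0 type=blackhole routing-mark=nordvpn-route \
    distance=2 comment="drop marked traffic when the VPN is down"

/ip firewall nat
# Clients must appear behind the tunnel address assigned by the provider.
add chain=srcnat out-interface=nordvpn-tunnel action=masquerade \
    comment="NAT LAN clients behind the tunnel address"
```

Traffic the router originates itself, such as its own DNS resolver queries, does not pass through the prerouting chain and is therefore not covered by this mark.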

Re: Route all traffic through NordVPN?

Posted: Tue Nov 27, 2018 10:29 am
by sharik987
How did you set up Mikrotik with NordVPN?

Re: Route all traffic through NordVPN?

Posted: Tue Nov 27, 2018 1:48 pm
by msatter
Mikrotik does not yet support the features needed to make use of those kinds of OpenVPN services.
L2TP/IPSEC is fully supported.

Re: Route all traffic through NordVPN?

Posted: Tue Nov 27, 2018 3:03 pm
by filipelias
Hi, yes, it is possible.
The first step is to set up your OpenVPN VPN; do you know how to do it?
Please read https://support.nordvpn.com/#/Connectiv ... -Setup.htm
Then you can simply make a prerouting "NordVPN route" mangle rule for all the traffic that you want to route over NordVPN, and then add a static route 0.0.0.0/0 gateway "nordvpn interface" route mangle "NordVPN route".
Mikrotik does not yet support the features needed to make use of those kinds of OpenVPN services.
L2TP/IPSEC is fully supported.
So, is it possible or not?


Re: Route all traffic through NordVPN?

Posted: Wed Nov 28, 2018 10:09 am
by sharik987
L2TP/IPSEC is fully supported.
Why does it not work?

/interface l2tp-client
add connect-to=us2854.nordvpn.com ipsec-secret=nordvpn name=L2TP-nordvpn password=xxxxxxx profile=default user=xxxxxx@gmail.com
/ip ipsec peer
# IPsec manual mode
add address=us2854.nordvpn.com disabled=yes exchange-mode=main-l2tp generate-policy=port-strict secret=nordvpn
# IPsec dynamic mode
add address=87.101.95.163/32 exchange-mode=main-l2tp generate-policy=port-strict secret=nordvpn
/ip ipsec policy
add dst-address=87.101.95.163/32 dst-port=1701 proposal=NordVPN protocol=udp src-address=10.153.XXX.XX/32 src-port=1701
/ip firewall filter
add action=accept chain=input comment="allow ipsec-ah" protocol=ipsec-ah
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=input comment="allow l2tp" dst-port=1701,500,4500 protocol=udp
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add auth-algorithms=md5 enc-algorithms=3des lifetime=1h name=NordVPN

Re: Route all traffic through NordVPN?

Posted: Wed Nov 28, 2018 1:01 pm
by darkprocess
NordVPN dropped support of l2tp.

Re: Route all traffic through NordVPN?

Posted: Wed Nov 28, 2018 1:45 pm
by msatter
NordVPN dropped support of l2tp.
Is going to drop support for it on the 1st of December.

https://nordvpn.com/blog/l2tp-pptp-protocol-update/

Come on Mikrotik. We can't use OpenVPN or IKEv2 with NordVPN so which protocol are we going to use? SSTP is only possible with a few providers.

Re: Route all traffic through NordVPN?

Posted: Sun Dec 02, 2018 1:48 pm
by marianob85
@Mikrotik support.
When can we expect OVPN or IKEv2 support for NordVPN?

Re: Route all traffic through NordVPN?

Posted: Thu Dec 06, 2018 6:42 pm
by m4t7e0
Hello,
I am new to MikroTik and bought a Mikrotik hAP Lite Intern (RB941-2nD) and would like to configure the following:
The router is behind a firewall I have no access to. To use VPN I have to use Port 443 and TCP.
Hi dear, I'm so sorry, I forgot about using TCP port 443. The only available VPN, I think the good one, is one using SSL like SSTP, but it seems they don't support this protocol.

Re: Route all traffic through NordVPN?

Posted: Fri Dec 07, 2018 2:09 pm
by castlemaster
I've just been chatting with NordVPN about this matter too and they say it's mikrotik's OpenVPN Client implementation that's broken, so when can we expect a fix? They suggest flashing OpenWRT or DD-WRT but I don't want to touch those.

Re: Route all traffic through NordVPN?

Posted: Fri Dec 07, 2018 9:37 pm
by lucasimo88
I've just been chatting with NordVPN about this matter too and they say it's mikrotik's OpenVPN Client implementation that's broken, so when can we expect a fix? They suggest flashing OpenWRT or DD-WRT but I don't want to touch those.
We need complete support for IPSEC/IKEv2 with EAP Authentication...

Re: Route all traffic through NordVPN?

Posted: Tue Dec 11, 2018 8:39 am
by TheSirStumfy
Last I heard about this was "probably in rOs V7"... :(

Re: Route all traffic through NordVPN?

Posted: Sun Jan 06, 2019 5:49 pm
by psydrohne
Come on Mikrotik. We can't use OpenVPN or IKEv2 with NordVPN so which protocol are we going to use? SSTP is only possible with a few providers.

Please make OpenVPN or IKEv2 support for NordVPN soon! My Mikrotik hEX is actually useless, because NordVPN drops L2TP support...

Re: Route all traffic through NordVPN?

Posted: Mon Jan 28, 2019 2:39 pm
by Xymox
I've been asking and posting about this for years. I do not understand why Mikrotik refuses to address this. It's very easy to add this. They added "kid control" which was far more difficult and involved.

Could there be some reason they have intentionally not implemented OpenVPN fully? Does it create a level of security for users that some countries don't like?

Over years I have seen this come up over and over and it never gets solved.

Re: Route all traffic through NordVPN?

Posted: Mon Jan 28, 2019 8:34 pm
by gotsprings
OVPN has not worked on port 1194 for about 10 years now.

Also as for using those VPN services to "side step" geolocation... providers update their blacklists from time to time too.

Re: Route all traffic through NordVPN?

Posted: Mon Mar 11, 2019 11:09 am
by bgma
Any news on OpenVPN client?
I find it rude that Mikrotik doesn't even bother to comment ...

Re: Route all traffic through NordVPN?

Posted: Tue Mar 19, 2019 10:21 am
by jimint
I've been asking and posting about this for years. I do not understand why Mikrotik refuses to address this. It's very easy to add this. They added "kid control" which was far more difficult and involved.

Could there be some reason they have intentionally not implemented OpenVPN fully? Does it create a level of security for users that some countries don't like?

Over years I have seen this come up over and over and it never gets solved.
+1000

Re: Route all traffic through NordVPN?

Posted: Thu Jul 04, 2019 10:27 pm
by pronto

Re: Route all traffic through NordVPN?

Posted: Tue Jul 09, 2019 9:52 am
by Polard55
Seems to be working now, see here: https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
That's great news that Mikrotik is finally supporting IKEv2 properly. By the way, I have been using the L2TP protocol on Mikrotik, as my VPN client [REDACTED] still supports it. I configured it easily by following this guide: https://www.[REDACTED].com/download/router-vpn but I still want to switch to IKEv2, as it's a much better and more secure protocol, and finally I can do it. Thanks for sharing this.

Re: Route all traffic through NordVPN?

Posted: Sat Dec 14, 2019 11:28 am
by daydiff
Seems to be working now, see here: https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

Is it broken again? I'm getting an error on the latest RouterOS 6.46

21:30:42 ipsec ike2 starting for: 23.226.132.237 
21:30:43 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
21:30:43 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
21:30:43 ipsec adding payload: NONCE 
21:30:43 ipsec adding payload: KE 
21:30:43 ipsec adding payload: SA 
21:30:43 ipsec <- ike2 request, exchange: SA_INIT:0 23.226.132.237[4500] 6d7e507d7e8ae0b2:0000000000000000 
21:30:43 ipsec -> ike2 reply, exchange: SA_INIT:0 23.226.132.237[4500] 6d7e507d7e8ae0b2:0000000000000000 
21:30:43 ipsec payload seen: NOTIFY 
21:30:43 ipsec first payload is NOTIFY 
21:30:43 ipsec processing payloads: NOTIFY 
21:30:43 ipsec   notify: COOKIE 
21:30:43 ipsec adding notify: COOKIE 
21:30:43 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
21:30:43 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
21:30:43 ipsec adding payload: NONCE 
21:30:43 ipsec adding payload: KE 
21:30:43 ipsec adding payload: SA 
21:30:43 ipsec -> ike2 reply, exchange: SA_INIT:0 23.226.132.237[4500] 6d7e507d7e8ae0b2:8c639a553a050e77 
21:30:43 ipsec ike2 initialize recv 
21:30:43 ipsec payload seen: SA 
21:30:43 ipsec payload seen: KE 
21:30:43 ipsec payload seen: NONCE 
21:30:43 ipsec payload seen: NOTIFY 
21:30:43 ipsec payload seen: NOTIFY 
21:30:43 ipsec payload seen: NOTIFY 
21:30:43 ipsec processing payload: NONCE 
21:30:43 ipsec processing payload: SA 
21:30:43 ipsec IKE Protocol: IKE 
21:30:43 ipsec  proposal #1 
21:30:43 ipsec   enc: aes128-cbc 
21:30:43 ipsec   prf: hmac-sha1 
21:30:43 ipsec   auth: sha1 
21:30:43 ipsec   dh: modp2048 
21:30:43 ipsec matched proposal: 
21:30:43 ipsec  proposal #1 
21:30:43 ipsec   enc: aes128-cbc 
21:30:43 ipsec   prf: hmac-sha1 
21:30:43 ipsec   auth: sha1 
21:30:43 ipsec   dh: modp2048 
21:30:43 ipsec processing payload: KE 
21:30:43 ipsec,info new ike2 SA (I): 192.168.178.24[4500]-23.226.132.237[4500] spi:6d7e507d7e8ae0b2:8c639a553a050e77 
21:30:43 ipsec processing payloads: NOTIFY 
21:30:43 ipsec   notify: NAT_DETECTION_SOURCE_IP 
21:30:43 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
21:30:43 ipsec   notify: MULTIPLE_AUTH_SUPPORTED 
21:30:43 ipsec (NAT-T) LOCAL 
21:30:43 ipsec KA list add: 192.168.178.24[4500]->23.226.132.237[4500] 
21:30:43 ipsec init child 
21:30:43 ipsec init child continue 
21:30:43 ipsec offering proto: 3 
21:30:43 ipsec  proposal #1 
21:30:43 ipsec   enc: aes256-cbc 
21:30:43 ipsec   enc: aes192-cbc 
21:30:43 ipsec   enc: aes128-cbc 
21:30:43 ipsec   auth: sha1 
21:30:43 ipsec can't get local certificate from configuration 
21:30:43 ipsec ID_I (ADDR4): 192.168.178.24 
21:30:43 ipsec adding payload: ID_I 
21:30:43 ipsec adding notify: INITIAL_CONTACT 
21:30:43 ipsec adding payload: SA 
21:30:43 ipsec initiator selector: 0.0.0.0/0 
21:30:43 ipsec adding payload: TS_I 
21:30:43 ipsec responder selector: 0.0.0.0/0 
21:30:43 ipsec adding payload: TS_R 
21:30:43 ipsec prepearing internal IPv4 address 
21:30:43 ipsec prepearing internal IPv4 netmask 
21:30:43 ipsec prepearing internal IPv6 subnet 
21:30:43 ipsec prepearing internal IPv4 DNS 
21:30:43 ipsec adding payload: CONFIG 
21:30:43 ipsec <- ike2 request, exchange: AUTH:1 23.226.132.237[4500] 6d7e507d7e8ae0b2:8c639a553a050e77 
21:30:43 ipsec -> ike2 reply, exchange: AUTH:1 23.226.132.237[4500] 6d7e507d7e8ae0b2:8c639a553a050e77 
21:30:43 ipsec payload seen: ENC 
21:30:43 ipsec processing payload: ENC 
21:30:43 ipsec payload seen: ID_R 
21:30:43 ipsec payload seen: CERT 
21:30:43 ipsec payload seen: CERT 
21:30:43 ipsec payload seen: AUTH 
21:30:43 ipsec payload seen: EAP 
21:30:43 ipsec processing payloads: NOTIFY (none found) 
21:30:43 ipsec ike auth: initiator finish 
21:30:43 ipsec processing payload: ID_R 
21:30:43 ipsec ID_R (FQDN): us3398.nordvpn.com 
21:30:43 ipsec processing payload: AUTH 
21:30:43 ipsec processing payloads: CERT 
21:30:43 ipsec got CERT: us3398.nordvpn.com 
21:30:43 ipsec got CERT: CN=NordVPN CA4,C=PA,ST=,L=,O=NordVPN,OU=,SN= 
21:30:43 ipsec requested auth method: RSA 
21:30:44 ipsec,info,account peer authorized: 192.168.178.24[4500]-23.226.132.237[4500] spi:6d7e507d7e8ae0b2:8c639a553a050e77 
21:30:44 ipsec processing payload: EAP 
21:30:44 ipsec adding payload: EAP 
21:30:44 ipsec <- ike2 request, exchange: AUTH:2 23.226.132.237[4500] 6d7e507d7e8ae0b2:8c639a553a050e77 
21:30:44 ipsec -> ike2 reply, exchange: AUTH:2 23.226.132.237[4500] 6d7e507d7e8ae0b2:8c639a553a050e77 
21:30:44 ipsec payload seen: ENC 
21:30:44 ipsec processing payload: ENC 
21:30:44 ipsec payload seen: EAP 
21:30:44 ipsec processing payloads: NOTIFY (none found) 
21:30:44 ipsec processing payload: EAP 
21:30:44 ipsec adding payload: EAP 
21:30:44 ipsec <- ike2 request, exchange: AUTH:3 23.226.132.237[4500] 6d7e507d7e8ae0b2:8c639a553a050e77 
21:30:44 ipsec -> ike2 reply, exchange: AUTH:3 23.226.132.237[4500] 6d7e507d7e8ae0b2:8c639a553a050e77 
21:30:44 ipsec payload seen: ENC 
21:30:44 ipsec processing payload: ENC 
21:30:44 ipsec payload seen: EAP 
21:30:44 ipsec processing payloads: NOTIFY (none found) 
21:30:44 ipsec processing payload: EAP 
21:30:44 ipsec adding payload: EAP 
21:30:44 ipsec <- ike2 request, exchange: AUTH:4 23.226.132.237[4500] 6d7e507d7e8ae0b2:8c639a553a050e77 
21:30:46 ipsec -> ike2 reply, exchange: AUTH:4 23.226.132.237[4500] 6d7e507d7e8ae0b2:8c639a553a050e77 
21:30:46 ipsec payload seen: ENC 
21:30:46 ipsec processing payload: ENC 
21:30:46 ipsec payload seen: EAP 
21:30:46 ipsec processing payloads: NOTIFY (none found) 
21:30:46 ipsec processing payload: EAP 
21:30:46 ipsec,error EAP failed:  
21:30:46 ipsec,info killing ike2 SA: 192.168.178.24[4500]-23.226.132.237[4500] spi:6d7e507d7e8ae0b2:8c639a553a050e77 
21:30:46 ipsec KA remove: 192.168.178.24[4500]->23.226.132.237[4500]