complex1
Frequent Visitor
Topic Author
Posts: 52
Joined: Wed Jan 04, 2017 9:55 pm
Location: NL-NH

NordVPN issue

Sat Nov 16, 2019 1:28 pm

Hi,

I have a very annoying issue when I use NordVPN.
A few days ago I bought a subscription from NordVPN and set up my RB4011 to use it as described in the wiki:
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS (Option 2)

[admin@MikroTik]
# nov/16/2019 11:54:31 by RouterOS 6.45.7
# software id = KT6A-4P99
#
# model = RB4011iGS+5HacQ2HnD
/ip firewall address-list
add address=172.17.84.31 list=NordVPN

/ip ipsec mode-config
add connection-mark=NordVPN name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=nl576.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN password=password peer=NordVPN policy-template-group=NordVPN username=username
/ip ipsec policy
add comment=NordVPN dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

For now only one computer is assigned to the VPN tunnel.
I have an All-in-1 subscription with the Dutch provider Ziggo.

All works well, except…

When I load a page from this provider, the hyperlinks do not work. The mouse arrow won’t change into a hand.
Also I cannot send/receive e-mail messages. Somehow it hangs somewhere.

When I de-assign the computer and go directly to the same provider page the hyperlinks work. The mouse arrow changes directly into a hand when I hover over the hyperlink buttons... and I can successfully send/receive e-mails.

I also have installed the iOS NordVPN app on my iPhone and have no issues at all.

Tests with different Mangle Rules have no positive effect at all.
The rules I have tried that did not work are disabled and left just for reference.
/ip firewall mangle
add action=mark-connection chain=prerouting comment=!53 new-connection-mark=NordVPN passthrough=yes port=!53 protocol=udp src-address-list=NordVPN
add action=mark-connection chain=prerouting comment=!53,995,993,587 new-connection-mark=NordVPN passthrough=yes port=!53,995,993,587 protocol=tcp src-address-list=NordVPN

add action=change-mss chain=forward comment="- clamp MSS to PMTU" disabled=yes new-mss=clamp-to-pmtu out-interface=ether1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=change-mss chain=forward disabled=yes in-interface=ether1 new-mss=clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1453-65535

add action=mark-packet chain=postrouting comment="- mark VoIP DSCP 46 - RTP packets" dscp=46 new-packet-mark=voip-rtp passthrough=no
add action=mark-packet chain=postrouting comment="- mark VoIP DSCP 26 - SIP packets" dscp=26 new-packet-mark=voip-sip passthrough=no

add action=change-mss chain=forward disabled=yes new-mss=1436 passthrough=yes protocol=tcp src-address=172.17.84.0/24 tcp-flags=syn tcp-mss=1437-65535
add action=change-mss chain=forward disabled=yes dst-address=172.17.84.0/24 new-mss=1436 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1437-65535
add action=change-mss chain=forward connection-mark=!no-mark disabled=yes new-mss=1280 passthrough=no protocol=tcp src-address-list=NordVPN tcp-flags=syn
add action=change-mss chain=forward connection-mark=!no-mark disabled=yes dst-port=!993,8291 log-prefix=MSS new-mss=1382 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1382
add action=change-mss chain=forward disabled=yes ipsec-policy=in,ipsec new-mss=1382 passthrough=yes protocol=tcp tcp-flags=syn

Please help.

Thank you.
Kind regards,
Frank.
 
msatter
Forum Guru
Posts: 2045
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN issue

Sat Nov 16, 2019 4:49 pm

It could be.....oops. Many sites don't like that you are using a VPN and are blocking you or sabotaging you seeing their page.

I am using an address-list which contains domains that should not use the VPN and that works great.

On the second code screen you have pass-through enabled. Why?
Last edited by msatter on Sat Nov 16, 2019 5:22 pm, edited 1 time in total.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS.

Running:
RouterOS 6.49Beta / Winbox 3.27 64bits
 
msatter
Forum Guru
Posts: 2045
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN issue

Sat Nov 16, 2019 5:10 pm

/ip firewall mangle
add action=change-mss chain=forward comment="MSS 1374 for IKEv2 Rx, could be lower in your case (default 1460, safe value 1280)" ipsec-policy=in,ipsec new-mss=1374 passthrough=yes protocol=tcp tcp-flags=syn

add action=mark-connection chain=prerouting comment=!53 new-connection-mark=NordVPN passthrough=no port=!53 protocol=udp src-address-list=NordVPN dst-address-list=!geen-vpn
add action=mark-connection chain=prerouting comment=!53,995,993,587 new-connection-mark=NordVPN passthrough=no port=!53,995,993,587 protocol=tcp src-address-list=NordVPN dst-address-list=!geen-vpn

add action=mark-packet chain=postrouting comment="- mark VoIP DSCP 46 - RTP packets" dscp=46 new-packet-mark=voip-rtp passthrough=no
add action=mark-packet chain=postrouting comment="- mark VoIP DSCP 26 - SIP packets" dscp=26 new-packet-mark=voip-sip passthrough=no
The first line only handles IPSEC traffic coming in and changes the MSS for that specific traffic. Other MSS/PMTUD lines can all be disabled. You don't have to worry about ports and addresses because your two lines below first have to trigger IPSEC before the first line changes the returning traffic MTU. RouterOS is not catching the returning traffic correctly and adapting the MTU, so it has to be done manually.

It took me a long time to find this and Mikrotik put me on the track to this by mentioning the 1460 MTU after looking at the capture files I sent them. All the other MSS/PMTUD is handled by RouterOS. You had it already, but at the bottom, which could explain the pass-through=yes.

At the end of both connection-mark lines you find dst-address-list=!geen-vpn which is the address-list of sites not working through VPN and the list is composed by you manually.

You can test if you have the correct MTU by surfing to www.antary.de and seeing if the page is loaded without any delays, or use Wireshark.

Update:
I first had to adapt my DNS resolver to be able to visit www.ziggo.nl and found that it does a CNAME to footprint.net. I can only find that footprint.net is from Level3, so it is for now on the CNAME blocklist with me. The page loads fine (through NordVPN) and I can click anything, so it must be the MTU; try the safe value of 1280 and see if that works. If yes, then work your way up in steps.
 
complex1
Frequent Visitor
Topic Author
Posts: 52
Joined: Wed Jan 04, 2017 9:55 pm
Location: NL-NH

Re: NordVPN issue

Sat Nov 16, 2019 10:59 pm

@msatter

Thank you very much for your reply, the explanation and examples. I appreciate this.

I don’t know what changed, but just before I merged your Mangle Rule examples with mine, I re-checked whether the Ziggo pages would load without delay and other issues and what do you think… no issues at all.
For safety and to wipe out any ifs and buts I rebooted the router.
Although things work now, I will use your recommendations.

For now I will do more tests and will let you know the results.
Kind regards,
Frank.
 
msatter
Forum Guru
Posts: 2045
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN issue

Sun Nov 17, 2019 11:34 pm

A new day a better solution.

Till now we only tackled TCP packets by setting a fixed MTU size for those packets. Sindy found a better solution than that by adding a line to /ip ipsec policy.

When using this solution you can do away with the MSS line in mangle and the client will finally receive the packet telling it to lower the MTU.

This line is moved above the dynamic lines in /ip ipsec policy, and now my sniffer line gives Destination unreachable (Fragmentation needed). Never been so pleased to read the word unreachable before.

This is the line to add to /ip ipsec policy. Replace 192.168.88.0/24 by your own local IP range if you are using a different range:
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0

See the whole topic: viewtopic.php?f=2&t=153414
 
complex1
Frequent Visitor
Topic Author
Posts: 52
Joined: Wed Jan 04, 2017 9:55 pm
Location: NL-NH

Re: NordVPN issue

Tue Nov 19, 2019 5:57 pm

Thank you and Sindy of course very much for the better solution.

I have removed the mangle rule:
add action=change-mss chain=forward comment="MSS 1374 for IKEv2 Rx, could be lower in your case (default 1460, safe value 1280)" ipsec-policy=in,ipsec new-mss=1374 passthrough=yes protocol=tcp tcp-flags=syn
and added the line below in /ip ipsec policy
add action=none dst-address=172.17.84.0/24 src-address=0.0.0.0/0

I had to reboot the router because old settings somehow stay active. Now everything seems to work as it should.

This is the configuration I use now:
/ip ipsec mode-config
add connection-mark=NordVPN name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=nl597.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN password=password peer=NordVPN policy-template-group=NordVPN username=username
/ip ipsec policy
add action=none dst-address=172.17.84.0/24 src-address=0.0.0.0/0
add comment=NordVPN dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

/ip firewall mangle
add action=mark-connection chain=prerouting comment=!53 new-connection-mark=NordVPN passthrough=no port=!53 protocol=udp src-address-list=home dst-address-list=!geen-vpn
add action=mark-connection chain=prerouting comment=!53,995,993,587 new-connection-mark=NordVPN passthrough=no port=!53,995,993,587 protocol=tcp src-address-list=home dst-address-list=!geen-vpn

BTW: I don’t think this is a Mikrotik issue, but can you login into your Disney+ account… if you have one?
Now I can reach Disney+ but can’t login. I have tried 8 different NL servers.
After login I get this message: “Service niet beschikbaar. Disney+ is niet beschikbaar op jouw locatie”
Can you login? Which NL server do you use?

Thanks again for all the help.
Kind regards,
Frank.
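A small review helper, added here as an example and not part of any post in this thread or of RouterOS itself: it parses mangle rules in RouterOS export format and flags the three points raised above (a mark-connection rule left at passthrough=yes, a marking rule with no dst-address-list bypass such as geen-vpn, and a tcp-flags value RouterOS will not accept). The sample export is constructed for the example and modelled on the rules posted in the thread.

```python
import shlex

# Constructed sample in RouterOS export format, modelled on the mangle rules in this thread:
# a marking rule with passthrough=yes and no bypass list, an MSS rule with a mistyped
# tcp-flags value, and a corrected marking rule with a dst-address-list exclusion.
MANGLE_EXPORT = """\
/ip firewall mangle
add action=mark-connection chain=prerouting comment=!53 new-connection-mark=NordVPN passthrough=yes port=!53 protocol=udp src-address-list=NordVPN
add action=change-mss chain=forward comment="MSS 1374 for IKEv2 Rx" ipsec-policy=in,ipsec new-mss=1374 passthrough=yes protocol=tcp tcp-flags=sync
add action=mark-connection chain=prerouting comment=!53,995,993,587 new-connection-mark=NordVPN passthrough=no port=!53,995,993,587 protocol=tcp src-address-list=home dst-address-list=!geen-vpn
"""

TCP_FLAGS = {"fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr"}

def parse_rules(export):
    """Turn each 'add key=value ...' line into a dict (shlex handles quoted comments)."""
    rules = []
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip the '/ip firewall mangle' menu line and blank lines
        kv = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            kv[key] = value
        rules.append(kv)
    return rules

def lint_rule(rule):
    """Return the review findings for one rule; an empty list means nothing to flag."""
    findings = []
    if rule.get("action") == "mark-connection":
        # RouterOS treats an omitted passthrough as passthrough=yes
        if rule.get("passthrough", "yes") == "yes":
            findings.append("mark-connection with passthrough=yes: later rules can re-mark it")
        if "dst-address-list" not in rule:
            findings.append("no dst-address-list bypass: every destination is forced into the tunnel")
    for flag in filter(None, rule.get("tcp-flags", "").split(",")):
        if flag.lstrip("!") not in TCP_FLAGS:  # allow negated flags such as !ack
            findings.append(f"unknown tcp-flags value '{flag}': RouterOS will not accept it")
    return findings

def lint_export(export):
    """Map each flagged rule (by its comment, or rule<index>) to its findings."""
    report = {}
    for idx, rule in enumerate(parse_rules(export)):
        findings = lint_rule(rule)
        if findings:
            report[rule.get("comment", f"rule{idx}")] = findings
    return report
```

Running lint_export(MANGLE_EXPORT) reports the first two rules and passes the corrected third one; paste your own /ip firewall mangle export into MANGLE_EXPORT to review it.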
 
msatter
Forum Guru
Posts: 2045
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN issue

Tue Nov 19, 2019 7:01 pm

I am using satellite so no need for that stuff. Mostly you need to set up a client on your device, not the router, to use those services. And of course you have support from NordVPN on this.

I searched by stepping on some ducks and they gave me this link:

https://thedroidguy.com/2019/11/watch-u ... ts-1112419
 
pawelkopec88
just joined
Posts: 10
Joined: Wed Mar 14, 2018 11:06 pm

Re: NordVPN issue

Sat Feb 06, 2021 1:20 am

Hi,

this article resolved my problem

https://support.nordvpn.com/Connectivit ... ssages.htm

Apple Mail, iMessage, FaceTime, any Apple service works fine.
 
erkexzcx
Member Candidate
Posts: 175
Joined: Mon Oct 07, 2019 11:42 pm

Re: NordVPN issue

Wed Feb 10, 2021 8:50 am

viewtopic.php?f=23&t=169273 I think Mikrotik should pin this thread so more people can see it.
