Community discussions

MUM Europe 2020
 
nrgclever
just joined
Topic Author
Posts: 4
Joined: Fri Feb 14, 2020 8:22 am

VPN configuration bypass china firewall

Fri Feb 14, 2020 8:38 am

Hello, i am more than newbie. But i have problem and i hope someone can help me to solve. I am foreign and living in China, but actually all commercial VPN are not working at all, and it's impossible get news about the coronavirus in a foreign language. I bought a Mikrotik RB941-2nD and i can shipping outside from China and ask a friend to connect as slave on his router.
How to configure this router as VPN to bypass the chinese firewall and let us use a free connection?
I know on youtube also have many video with instructions but we are also not allowed to open youtube from china.
I hope someone can fully help me starting from 0, as i know a newbie compared to me is an expert....
Thank you in advance to everyone can give me help.
 
User avatar
CZFan
Forum Guru
Forum Guru
Posts: 1610
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 12:48 am

Here is my problem with this, you are asking someone to help you break the laws of the country, and that on a public forum?
MTCNA, MTCTCE, MTCRE & MTCINE
 
User avatar
rooted
Frequent Visitor
Frequent Visitor
Posts: 56
Joined: Tue Feb 04, 2020 5:58 pm

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 1:00 am

I don't see it this way, they are asking how to use VPN on a specific MikroTik device because they can't see the documentation.

They may be breaking a law but you aren't helping them do so.

If someone asked me how I would rob a bank and I told them how I would go about it, then they actually do it I in no way helped them.

@nrgclever

Can you see this link?

https://support.purevpn.com/mikrotik-configuration

*edit*
I guess this could be looked at differently if I knew they were going to rob a bank, like we know he is going to attempt to bypass restrictions. So I now understand what you are saying and don't fully disagree.
 
Sob
Forum Guru
Forum Guru
Posts: 5145
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 2:51 am

Breaking someone's internet = bad
Fixing broken things = good

It's the starting from absolute zero I don't like, because configuring VPNs is not exactly beginner friendly. PPTP is probably simplest, but on the wire it's too obviously VPN. Same problem is with IPSec. SSTP or OpenVPN may, at least at first sight, look like HTTPS, but they need certificates, so again not best for beginners.

I'd say the simplest way is to use SSH tunnel with local SOCKS proxy. On router it means just enabling SSH and forwarding (it may even be like this by default, I'm not sure):
/ip service set ssh disabled=no
/ip ssh set forwarding-enabled=both
Next step is to allow port in firewall:
/ip firewall filter
add chain=input protocol=tcp dst-port=22
This rule needs to be moved high enough, before the one that blocks access, if there is such. If the router is going to be connected behind friend's router, it just needs a port forwarded from there to this router's port 22 (tcp, any number, probably best to forward several different ones and see which one will work). And that's it on this side.

Client then needs some SSH client like PuTTY (putty.exe from here). Connect to address and port of remote router, but before that go to Connection->SSH->Tunnels and configure it to create local SOCKS server. Enter Source port, e.g. 1080, select Dynamic and click Add. It will appear as "D1080" in the list above. Connect to server and if it works, it will create local SOCKS5 server listening on 127.0.0.1:1080. Configure your browser to use it and it should work.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
nrgclever
just joined
Topic Author
Posts: 4
Joined: Fri Feb 14, 2020 8:22 am

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 2:58 pm

First, thanks for help....
but i can't open that link... also blocked here.

however i also can understand "Sob" viewpoint.... i am more than newbie and is not easy give help starting from zero.
but, create a VPN is a thing.... if i will use for broken this country laws is another thing, and of course i know my responsability
 
r00t
Member Candidate
Member Candidate
Posts: 284
Joined: Tue Nov 28, 2017 2:14 am

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 4:08 pm

Bypassing China firewall is getting really hard, you can't use any standard VPN protocol. If traffic looks like SSH, it will be blocked. PPTP? Blocked. OpenVPN? Blocked. You can try running SSTP on HTTPS port to make it look like standard HTTPS, but even that may get blocked by some packet inspection they do.
 
Sob
Forum Guru
Forum Guru
Posts: 5145
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 6:40 pm

Hmm, I counted on SSH, because it's not primarily VPN, it has many legitimate uses and it's normal that it's one long connection. Some VPNs can be clearly identified as such, so I'd expect them to be blocked. SSTP or TCP OpenVPN on port 443 have a chance to pose as HTTPS, but even that could quickly get suspicious, because typical HTTPS connection does not stay open for long and doesn't transfer data in bursts over time.

I guess the best chance to succeed would be with some homemade solution. Something like setting up webserver on https://www.cutekittenspics.com, filling it with tons of random cat pictures as believable content, and then configuring the same webserver to also act as proxy if requested. If used for HTTP(S) requests in browser, traffic would appear completely legitimate. But I don't know about any ready-made solution, so it doesn't make things easier.

Anyway, to keep it related to RouterOS, your starting points are:

https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN

Look at the examples, it's not too difficult, server config is few lines, only slight complication is certificates. Check it you can make it out, or if it's completely over your head.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
nrgclever
just joined
Topic Author
Posts: 4
Joined: Fri Feb 14, 2020 8:22 am

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 7:04 pm

Thanks, tomorrow i will try to follow instruction on these links.

A question:
But if i will use two mikrotik router to connect each other through a tunnel, could be possible to use a not-standard protocol? i read somewhere that Mikrotik also has some proprietary protocol.
 
Sob
Forum Guru
Forum Guru
Posts: 5145
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 7:31 pm

There's nothing special. They have non-standard implementation of OpenVPN with half of the features missing, which is not exactly advantage. But the major one (udp transport) is not a problem in your case, because you want tcp to pretend it could be https. Then there's EoIP, a non-standard extension of GRE. But that's simple unencrypted tunnel, so I wouldn't expect it to help you. It can optionally use IPSec, but that's clearly identifiable as VPN.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
User avatar
rooted
Frequent Visitor
Frequent Visitor
Posts: 56
Joined: Tue Feb 04, 2020 5:58 pm

Re: VPN configuration bypass china firewall

Sun Feb 23, 2020 2:06 am

 
nrgclever
just joined
Topic Author
Posts: 4
Joined: Fri Feb 14, 2020 8:22 am

Re: VPN configuration bypass china firewall

Sun Feb 23, 2020 4:52 am

but that's clearly identifiable as VPN.
I think this is not a problem, because in the past we also used softether VPN server and client, just not convenient have a computer always on but not monitored by someone.
use a router is more convenient.
A VPN not public and with low traffic, nobody care about...
of course need for https, as google, youtube, etc.
other services as mail or FTP no need use...
maybe i say a foolish thing but TCP or UDP for me is the same... if can work. :-)

Someone told me that on mikrotik L2TP also can be used and work very well
 
Sob
Forum Guru
Forum Guru
Posts: 5145
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN configuration bypass china firewall

Sun Feb 23, 2020 9:04 pm

It's difficult to guess what will and will not work without having the experience with what exactly they filter. You can configure all VPN types, some of them even on several random ports at once (the service itself can listen only on one port at the time, but you can redirect any number of other ports to it using dstnat) and see what will work.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.

Who is online

Users browsing this forum: Chuckr53 and 36 guests