nrgclever
just joined
Topic Author
Posts: 4
Joined: Fri Feb 14, 2020 8:22 am

VPN configuration bypass china firewall

Fri Feb 14, 2020 8:38 am

Hello, I am more than a newbie. But I have a problem and I hope someone can help me solve it. I am a foreigner living in China, but actually all commercial VPNs are not working at all, and it's impossible to get news about the coronavirus in a foreign language. I bought a MikroTik RB941-2nD and I can ship it outside China and ask a friend to connect it as a slave on his router.
How do I configure this router as a VPN to bypass the Chinese firewall and let us use a free connection?
I know YouTube also has many videos with instructions, but we are also not allowed to open YouTube from China.
I hope someone can fully help me starting from 0, as I know a newbie compared to me is an expert....
Thank you in advance to everyone who can give me help.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 12:48 am

Here is my problem with this, you are asking someone to help you break the laws of the country, and that on a public forum?
 
rooted
Member Candidate
Posts: 129
Joined: Tue Feb 04, 2020 5:58 pm

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 1:00 am

I don't see it this way, they are asking how to use VPN on a specific MikroTik device because they can't see the documentation.

They may be breaking a law but you aren't helping them do so.

If someone asked me how I would rob a bank and I told them how I would go about it, then they actually do it, I in no way helped them.

@nrgclever

Can you see this link?

https://support.purevpn.com/mikrotik-configuration

*edit*
I guess this could be looked at differently if I knew they were going to rob a bank, like we know he is going to attempt to bypass restrictions. So I now understand what you are saying and don't fully disagree.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 2:51 am

Breaking someone's internet = bad
Fixing broken things = good

It's the starting from absolute zero I don't like, because configuring VPNs is not exactly beginner friendly. PPTP is probably the simplest, but on the wire it's too obviously a VPN. The same problem applies to IPSec. SSTP or OpenVPN may, at least at first sight, look like HTTPS, but they need certificates, so again not the best for beginners.

I'd say the simplest way is to use an SSH tunnel with a local SOCKS proxy. On the router it means just enabling SSH and forwarding (it may even be like this by default, I'm not sure):
/ip service set ssh disabled=no
/ip ssh set forwarding-enabled=both
The next step is to allow the port in the firewall:
/ip firewall filter
add chain=input protocol=tcp dst-port=22
This rule needs to be moved high enough, before the one that blocks access, if there is one. If the router is going to be connected behind a friend's router, it just needs a port forwarded from there to this router's port 22 (tcp, any number, probably best to forward several different ones and see which one will work). And that's it on this side.

The client then needs an SSH client like PuTTY (putty.exe from here). Connect to the address and port of the remote router, but before that go to Connection->SSH->Tunnels and configure it to create a local SOCKS server. Enter Source port, e.g. 1080, select Dynamic and click Add. It will appear as "D1080" in the list above. Connect to the server and if it works, it will create a local SOCKS5 server listening on 127.0.0.1:1080. Configure your browser to use it and it should work.
 
nrgclever
just joined
Topic Author
Posts: 4
Joined: Fri Feb 14, 2020 8:22 am

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 2:58 pm

First, thanks for the help....
But I can't open that link... it is also blocked here.

However, I can also understand "Sob"'s viewpoint.... I am more than a newbie and it is not easy to give help starting from zero.
But creating a VPN is one thing.... whether I will use it to break this country's laws is another thing, and of course I know my responsibility.
 
r00t
Long time Member
Posts: 674
Joined: Tue Nov 28, 2017 2:14 am

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 4:08 pm

Bypassing the China firewall is getting really hard, you can't use any standard VPN protocol. If traffic looks like SSH, it will be blocked. PPTP? Blocked. OpenVPN? Blocked. You can try running SSTP on the HTTPS port to make it look like standard HTTPS, but even that may get blocked by some packet inspection they do.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 6:40 pm

Hmm, I counted on SSH, because it's not primarily a VPN, it has many legitimate uses and it's normal that it's one long connection. Some VPNs can be clearly identified as such, so I'd expect them to be blocked. SSTP or TCP OpenVPN on port 443 have a chance to pose as HTTPS, but even that could quickly get suspicious, because a typical HTTPS connection does not stay open for long and doesn't transfer data in bursts over time.

I guess the best chance to succeed would be with some homemade solution. Something like setting up a webserver on https://www.cutekittenspics.com, filling it with tons of random cat pictures as believable content, and then configuring the same webserver to also act as a proxy if requested. If used for HTTP(S) requests in a browser, traffic would appear completely legitimate. But I don't know of any ready-made solution, so it doesn't make things easier.

Anyway, to keep it related to RouterOS, your starting points are:

https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN

Look at the examples, it's not too difficult, server config is a few lines, the only slight complication is certificates. Check if you can make it out, or if it's completely over your head.
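
Added example, not part of the original thread and not written by any participant: a sketch of the flow heuristic the post above describes, where a port-443 connection stands out from ordinary HTTPS when it stays open for a long time and carries data in bursts. The thresholds, the `Flow` record and the sample flows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Thresholds are assumptions chosen for illustration, not measured values.
MAX_TYPICAL_SECONDS = 300   # ordinary HTTPS connections are assumed shorter
IDLE_GAP_SECONDS = 30       # silence longer than this separates two bursts
MIN_BURSTS = 3              # repeated bursts over time suggest a tunnel


@dataclass
class Flow:
    """Hypothetical flow record: destination port and data-packet timestamps."""
    dst_port: int
    packet_times: list  # seconds since capture start


def count_bursts(times, gap=IDLE_GAP_SECONDS):
    """Count groups of packets separated by idle periods longer than `gap`."""
    if not times:
        return 0
    ordered = sorted(times)
    bursts = 1
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev > gap:
            bursts += 1
    return bursts


def looks_like_tunnel(flow):
    """Flag a port-443 flow that stays open long and carries bursts over time."""
    if flow.dst_port != 443 or not flow.packet_times:
        return False
    duration = max(flow.packet_times) - min(flow.packet_times)
    long_lived = duration > MAX_TYPICAL_SECONDS
    return long_lived and count_bursts(flow.packet_times) >= MIN_BURSTS


# Constructed sample flows (not real captures).
PAGE_LOAD = Flow(443, [0.0, 0.1, 0.3, 0.8, 1.2, 4.0])              # short-lived
LONG_DOWNLOAD = Flow(443, [float(t) for t in range(0, 600, 5)])    # long, steady
TUNNEL = Flow(443, [0, 1, 2, 120, 121, 400, 402, 900, 901, 1800])  # long, bursty
SSH_SESSION = Flow(22, [0, 1, 2, 120, 121, 400, 402, 900, 901, 1800])

if __name__ == "__main__":
    for name in ("PAGE_LOAD", "LONG_DOWNLOAD", "TUNNEL", "SSH_SESSION"):
        print(name, looks_like_tunnel(globals()[name]))
```

A long steady download is not flagged because it forms a single burst; only the combination of long lifetime and repeated idle gaps matches the pattern described in the post.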
 
nrgclever
just joined
Topic Author
Posts: 4
Joined: Fri Feb 14, 2020 8:22 am

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 7:04 pm

Thanks, tomorrow I will try to follow the instructions on these links.

A question:
If I use two MikroTik routers to connect to each other through a tunnel, would it be possible to use a non-standard protocol? I read somewhere that MikroTik also has some proprietary protocol.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN configuration bypass china firewall

Sat Feb 22, 2020 7:31 pm

There's nothing special. They have a non-standard implementation of OpenVPN with half of the features missing, which is not exactly an advantage. But the major one (udp transport) is not a problem in your case, because you want tcp to pretend it could be https. Then there's EoIP, a non-standard extension of GRE. But that's a simple unencrypted tunnel, so I wouldn't expect it to help you. It can optionally use IPSec, but that's clearly identifiable as VPN.
 
rooted
Member Candidate
Posts: 129
Joined: Tue Feb 04, 2020 5:58 pm

Re: VPN configuration bypass china firewall

Sun Feb 23, 2020 2:06 am

 
nrgclever
just joined
Topic Author
Posts: 4
Joined: Fri Feb 14, 2020 8:22 am

Re: VPN configuration bypass china firewall

Sun Feb 23, 2020 4:52 am

but that's clearly identifiable as VPN.
I think this is not a problem, because in the past we also used SoftEther VPN server and client; it's just not convenient to have a computer always on but not monitored by someone.
Using a router is more convenient.
A VPN that is not public and has low traffic, nobody cares about...
Of course it is needed for HTTPS, such as Google, YouTube, etc.
Other services such as mail or FTP I don't need to use...
Maybe I'm saying a foolish thing, but TCP or UDP is the same for me... if it can work. :-)

Someone told me that on MikroTik L2TP can also be used and works very well.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN configuration bypass china firewall

Sun Feb 23, 2020 9:04 pm

It's difficult to guess what will and will not work without having experience with what exactly they filter. You can configure all VPN types, some of them even on several random ports at once (the service itself can listen only on one port at a time, but you can redirect any number of other ports to it using dstnat) and see what will work.
