After the connection to the VPN server has been established you will be given an IP address and a new route to a new host. It will look like this (note the entry DAC / 77.xxx.xxx.xxx with distance 0):
(screenshot: route-list.png, the route list after the VPN came up)
Depending on your VPN you could also get more than a single route to a lone host, though.
All you need to do is set up routes for that new peer. For example, I've configured my RouterBoard to drive traffic to 0.0.0.0/0 (all possible IPs) through my VPN. That's done in line 2 — please ignore the »routing mark« for now.
ros code
/ip route
add gateway=77.xxx.xxx.xxx distance=1 check-gateway=ping routing-mark=MyFirstVPN
I assume you've come this far — and all your traffic will still not be directed through the VPN. That's because the longest prefix that matches a destination address determines which route its packets will take. Except if you have assigned routing marks, that is: the routes of a marked routing table are looked up first.
You can assign routing marks to packets like this:
ros code
/ip firewall nat
add action=masquerade chain=srcnat out-interface=MyFirstVPN
/ip firewall mangle
# entry 1
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/22 \
new-routing-mark=MyFirstVPN src-address=192.168.0.111
# entry 2
add action=mark-routing chain=prerouting comment="DSCP=1 is YourApp.exe" dscp=1 \
dst-address=!192.168.0.0/22 new-routing-mark=MyFirstVPN
»Entry 1« results in all packets from host 192.168.0.111 going through the VPN, except if they're meant for your local network, 192.168.0.0/22.
»Entry 2« requires that your application (or operating system) assigns DSCP=1 to packets sent by a set of programs. No matter which host sends them, as soon as DSCP is 1 everything goes through the VPN. That could be Firefox, which you want to go through your VPN automatically for, say, Hulu or Netflix.
Whenever your VPN connection goes down, the gateway (77.xxx.xxx.xxx in my example) becomes unreachable and the default route through the regular gateway is taken instead. If you do not want that, remember to create a new rule for it:
ros code
/ip firewall filter
# for entry 1 (still permits DNS on port 53 and PPTP on port 1723, though)
add action=drop chain=forward dst-address=!192.168.0.0/22 dst-port=!53,1723 out-interface=\
ether1-gateway protocol=tcp src-address=192.168.0.111
add action=drop chain=forward dst-address=!192.168.0.0/22 dst-port=!53 out-interface=\
ether1-gateway protocol=udp src-address=192.168.0.111
# for entry 2
add action=drop chain=forward comment="YourApp.exe via VPN only" dscp=1 out-interface=ether1-gateway
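To make the interplay between the mangle marks, the marked routing table, check-gateway and the drop rules easier to follow, here is a small Python model of the forwarding decision. It is an added example, not RouterOS code and not from the original post. The interface names, the host 192.168.0.111, the /22 and the port exceptions follow the post; the VPN gateway address is masked there, so the VPN route is modelled only by the interface it leads to and by whether check-gateway currently sees the peer as reachable (vpn_up).

```python
# Added example: model of mangle -> route lookup -> forward filter as set up
# in this post. Names mirror the post; the route "gateway" is reduced to the
# interface it points at plus an active flag driven by check-gateway=ping.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN = ipaddress.ip_network("192.168.0.0/22")
VPN_HOST = "192.168.0.111"      # host forced through the VPN (mangle entry 1)
VPN_MARK = "MyFirstVPN"
VPN_DSCP = 1                    # DSCP value matched by mangle entry 2


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: int
    dscp: int = 0
    routing_mark: Optional[str] = None


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    interface: str
    mark: Optional[str] = None  # routing table this route belongs to (None = main)
    distance: int = 1
    active: bool = True         # False while check-gateway=ping fails


def build_routes(vpn_up: bool) -> List[Route]:
    """Main table plus the marked VPN table from the post."""
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    return [
        Route(anywhere, "ether1-gateway"),                        # regular default route
        Route(LAN, "bridge-local", distance=0),                   # DAC route for the LAN
        Route(anywhere, VPN_MARK, mark=VPN_MARK, active=vpn_up),  # routing-mark=MyFirstVPN
    ]


def mangle_prerouting(pkt: Packet) -> Packet:
    """Entries 1 and 2: mark VPN-only traffic unless it is for the LAN."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst not in LAN and (pkt.src == VPN_HOST or pkt.dscp == VPN_DSCP):
        pkt.routing_mark = VPN_MARK
    return pkt


def lookup(routes: List[Route], pkt: Packet) -> Optional[Route]:
    """Marked table first; if it holds no active matching route, fall back to
    main. Within a table: longest prefix wins, then lowest distance."""
    dst = ipaddress.ip_address(pkt.dst)
    tables = ([pkt.routing_mark] if pkt.routing_mark else []) + [None]
    for table in tables:
        candidates = [r for r in routes if r.mark == table and r.active and dst in r.dst]
        if candidates:
            return min(candidates, key=lambda r: (-r.dst.prefixlen, r.distance))
    return None


def filter_forward(pkt: Packet, out_if: str) -> str:
    """Kill-switch rules from the post: drop VPN-only traffic that is about to
    leave through the regular gateway. Ports 53 and 1723 stay open for the
    .111 host so DNS and the PPTP tunnel itself still work."""
    dst = ipaddress.ip_address(pkt.dst)
    if out_if == "ether1-gateway":
        if pkt.src == VPN_HOST and dst not in LAN:
            if pkt.proto == "tcp" and pkt.dport not in (53, 1723):
                return "drop"
            if pkt.proto == "udp" and pkt.dport != 53:
                return "drop"
        if pkt.dscp == VPN_DSCP:
            return "drop"
    return "accept"


def forward(pkt: Packet, vpn_up: bool) -> Tuple[str, str]:
    """Return (verdict, outgoing interface) for one packet."""
    pkt = mangle_prerouting(pkt)
    route = lookup(build_routes(vpn_up), pkt)
    if route is None:
        return ("drop", "none")
    return (filter_forward(pkt, route.interface), route.interface)


if __name__ == "__main__":
    for up in (True, False):
        print("VPN up" if up else "VPN down",
              forward(Packet(VPN_HOST, "8.8.8.8", "tcp", 443), up),
              forward(Packet(VPN_HOST, "1.1.1.1", "udp", 53), up))
```

Running forward() with vpn_up=False shows why the filter rules matter: the marked table has no active route, the lookup falls through to the main table's default route, and only the forward-chain drop keeps 192.168.0.111's traffic off ether1-gateway. The port 53 exception from the post is visible as well: DNS from that host still leaves through the regular gateway while the tunnel is down.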
––––
Using Windows you can assign DSCP values to applications with the »Group Policy Editor«. Hit Win+R, enter »gpedit.msc«, then go to Computer Configuration → Windows Settings → Policy-based…
You need to add this to your registry to have Windows actually send DSCP values:
plain code
# Windows to send DSCP.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\QoS]
"Do not use NLA"="1"
To get you started, here is an excerpt from the rules I've collected:
plain code
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\PuTTY (AF4)]
"Version"="1.0"
"Application Name"="putty.exe"
"Protocol"="TCP"
"Local Port"="*"
"Local IP"="*"
"Local IP Prefix Length"="*"
"Remote Port"="*"
"Remote IP"="*"
"Remote IP Prefix Length"="*"
"DSCP Value"="56"
"Throttle Rate"="-1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\Firefox for Hulu]
"Version"="1.0"
"Application Name"="firefox.exe"
"Protocol"="TCP"
"Local Port"="*"
"Local IP"="*"
"Local IP Prefix Length"="*"
"Remote Port"="*"
"Remote IP"="*"
"Remote IP Prefix Length"="*"
"DSCP Value"="2"
"Throttle Rate"="-1"
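As an added example (not from the post and not a Windows tool): a small Python checker that reads a .reg export like the ones above, lists the Policy-based QoS entries and reports policies whose DSCP value is not matched by any mangle rule on the router. Mangle entry 2 earlier in this post matches dscp=1 only, so a policy with another value needs a mangle rule of its own before the router sends that application through the VPN; an unmatched policy just takes the regular gateway and is not caught by the dscp=1 drop rule either. The sample .reg text is constructed from the entries above plus a hypothetical "Steam" policy with an out-of-range value; `check()` takes the set of DSCP values your mangle rules actually match.

```python
# Added example: sanity-check a Policy-based QoS .reg export against the DSCP
# values the router's mangle rules mark. Sample data below is constructed.
import re
from typing import Dict, List, Set, Tuple

REG_QOS_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\QoS\\"
NLA_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Tcpip\\QoS"

# Constructed sample: the NLA switch and the two policies from the post, plus a
# hypothetical "Steam (typo)" policy whose DSCP value is invalid.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\QoS]
"Do not use NLA"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\PuTTY (AF4)]
"Version"="1.0"
"Application Name"="putty.exe"
"Protocol"="TCP"
"DSCP Value"="56"
"Throttle Rate"="-1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\Firefox for Hulu]
"Version"="1.0"
"Application Name"="firefox.exe"
"Protocol"="TCP"
"DSCP Value"="2"
"Throttle Rate"="-1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\QoS\Steam (typo)]
"Version"="1.0"
"Application Name"="steam.exe"
"Protocol"="*"
"DSCP Value"="64"
"Throttle Rate"="-1"
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg reader: [key] sections holding "name"="string" values.
    Policy-based QoS exports use only string values, so that is enough here."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def qos_policies(sections: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str, int]]:
    """Map policy name -> (application, protocol, DSCP) for every QoS policy key."""
    out = {}
    for key, values in sections.items():
        if key.startswith(REG_QOS_PREFIX) and "DSCP Value" in values:
            out[key[len(REG_QOS_PREFIX):]] = (
                values.get("Application Name", "*"),
                values.get("Protocol", "*"),
                int(values["DSCP Value"]),
            )
    return out


def check(sections: Dict[str, Dict[str, str]], router_marked_dscps: Set[int]) -> List[str]:
    """Report policies the router would not route through the VPN."""
    findings = []
    if sections.get(NLA_KEY, {}).get("Do not use NLA") != "1":
        findings.append('"Do not use NLA" is not 1: Windows will not send the DSCP values')
    for name, (app, proto, dscp) in qos_policies(sections).items():
        if not 0 <= dscp <= 63:
            findings.append(f"{name}: DSCP {dscp} is outside 0..63, the policy is invalid")
        elif dscp not in router_marked_dscps:
            findings.append(f"{name}: DSCP {dscp} for {app}/{proto} is matched by no mangle "
                            f"rule, so its traffic takes the regular gateway")
    return findings


if __name__ == "__main__":
    for finding in check(parse_reg(SAMPLE_REG), {1}):
        print(finding)
```

With the post's mangle rule (dscp=1 only) the checker flags both policies from the excerpt and the invalid hypothetical one; after adding mangle rules for DSCP 2 and 56 only the invalid value remains.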