Community discussions

 
dadoremix
Member Candidate
Member Candidate
Topic Author
Posts: 118
Joined: Sat May 14, 2011 11:31 am

NordVpn and mikrotik?

Sun Dec 30, 2018 1:55 am

Hello

Nordvpn and mikrotik ?

go or not go ?
I find on nordvpn site
https://support.nordvpn.com/Connectivit ... outers.htm

what you say ?
 
User avatar
eworm
Member
Member
Posts: 403
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: NordVpn and mikrotik?

Sun Dec 30, 2018 2:49 am

Well, IKEv2/IPSEC should do the trick. I do not have a NordVpn account, so can not verify.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
msatter
Forum Guru
Forum Guru
Posts: 1300
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVpn and mikrotik?

Sun Dec 30, 2018 1:09 pm

No go, as stated on that page.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta59 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
eworm
Member
Member
Posts: 403
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: NordVpn and mikrotik?

Sun Dec 30, 2018 3:19 pm

Then what's the issue with NordVPN and IKEv2/IPSEC?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
cdemers
Member Candidate
Member Candidate
Posts: 184
Joined: Sun Feb 26, 2006 3:32 pm
Location: Canada
Contact:

Re: NordVpn and mikrotik?

Sun Dec 30, 2018 5:14 pm

Just checking that page says that they dropped support for ipsec/l2tp and going through the supported routers configuration samples they have, it's all open vpn now.


Sent from my SM-A520W using Tapatalk

 
User avatar
eworm
Member
Member
Posts: 403
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: NordVpn and mikrotik?

Sun Dec 30, 2018 6:45 pm

IKEv2/IPSEC is supported by NordVPN:
https://nordvpn.com/de/tutorials/windows-10/ikev2/

This is a tutorial for Windows 10, but it does not matter for the supported protocol and RouterOS does support IKEv2/IPSEC. So still: What's the issue? Just ignore what they say is not supported, probably they did not check for IKEv2/IPSEC in RouterOS.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
msatter
Forum Guru
Forum Guru
Posts: 1300
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVpn and mikrotik?

Sun Dec 30, 2018 7:52 pm

Hmmmm, interesting. I thought IKEv2 client could not do this. Going test this on a later moment.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta59 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
dadoremix
Member Candidate
Member Candidate
Topic Author
Posts: 118
Joined: Sat May 14, 2011 11:31 am

Re: NordVpn and mikrotik?

Sun Dec 30, 2018 8:09 pm

and how to install Certificate in mikrotik ?
 
msatter
Forum Guru
Forum Guru
Posts: 1300
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVpn and mikrotik?

Sun Dec 30, 2018 9:09 pm

I just checked and it is not going to happen till ROS 7.

viewtopic.php?p=650295
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta59 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
eworm
Member
Member
Posts: 403
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: NordVpn and mikrotik?

Mon Dec 31, 2018 12:32 am

I just checked and it is not going to happen till ROS 7.

viewtopic.php?p=650295
Thanks for the link, msatter! In short: currently EAP authentication as initiator is not possible for IKEv2. So the website is right, no-go with Mikrotik.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
fflo
just joined
Posts: 10
Joined: Wed Jan 02, 2019 7:59 am

Re: NordVpn and mikrotik?

Wed Jan 02, 2019 3:29 pm

@Mikrotik: Can you please add EAP authentication as initiator for RouterOS v6 to fix this issue?
At least IKEv2 with certificates and EAP auth, commonly used by many VPN providers, should be supported on current RouterOS.
 
psydrohne
just joined
Posts: 3
Joined: Sun Jan 06, 2019 5:25 pm

Re: NordVpn and mikrotik?

Sun Jan 06, 2019 5:40 pm

+1 same here! We need EAP for IKEv2...
 
ementat
just joined
Posts: 6
Joined: Fri May 21, 2010 10:09 pm

Re: NordVpn and mikrotik?

Tue Jul 02, 2019 3:52 pm

So, eap-mschapv2 is here and supported for IKEv2. We have nice manual for setting up NordVPN connection https://wiki.mikrotik.com/wiki/IKEv2_EA ... the_tunnel. But can anyone help with how to route through IPSec tunnel only traffic to some predetermined www sites (list is created in Firewall -> Address Lists)? I believe I need static NAT rule where dst-address-list will be set to my list of www sites? How to solve the problem of possible changes in IP from NordVPN side (scripts)? Maybe someone can share working example?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: NordVpn and mikrotik?

Tue Jul 02, 2019 3:57 pm

Probably can be updated with a script if assigned IP has changed.
 
anav
Forum Guru
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NordVpn and mikrotik?

Tue Jul 02, 2019 4:27 pm

ementat.......... Is that new info based on the latest firmware release? I remember seeing something about VPN improvements!
Can one extrapolate that any VPN provider that uses a similar setup can also be used with RouterOS now?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
ementat
just joined
Posts: 6
Joined: Fri May 21, 2010 10:09 pm

Re: NordVpn and mikrotik?

Tue Jul 02, 2019 4:39 pm

anav
MAJOR CHANGES IN v6.45.1:
----------------------
[b]!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;[/b]
 
sindy
Forum Guru
Forum Guru
Posts: 3978
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVpn and mikrotik?

Tue Jul 02, 2019 6:03 pm

So, eap-mschapv2 is here and supported for IKEv2. We have nice manual for setting up NordVPN connection https://wiki.mikrotik.com/wiki/IKEv2_EA ... the_tunnel. But can anyone help with how to route through IPSec tunnel only traffic to some predetermined www sites (list is created in Firewall -> Address Lists)? I believe I need static NAT rule where dst-address-list will be set to my list of www sites? How to solve the problem of possible changes in IP from NordVPN side (scripts)? Maybe someone can share working example?
IPsec mode-config relieves you from the need to track the changes of the address you get from the responder by means of a dynamically generated (and dynamically updated) src-nat rule - you specify a name of an address-list which will be used in this rule as src-address-list. So traffic whose source IP matches that address list gets src-nated to the IP currently assigned to you by the responder, and thus caught by the IPsec policy.

As this rule is placed to the very first position in the srcnat chain, there is no way to create exceptions from it. So one way to src-nat only packets towards listed destinations is to periodically schedule a script which would update the to-addresses item in a manually created action=src-nat rule as @mrz suggests, another way is described here but in my opinion the script way is much simpler.

Of course, an ability to specify a dst-address-list as another parameter of the mode-config item, so that the dynamically generated src-nat rule would only match on packets towards destinations matching that list, would be even nicer, but that's a feature request ;)

Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
ementat
just joined
Posts: 6
Joined: Fri May 21, 2010 10:09 pm

Re: NordVpn and mikrotik?

Tue Jul 02, 2019 9:56 pm

As this rule is placed to the very first position in the srcnat chain, there is no way to create exceptions from it. So one way to src-nat only packets towards listed destinations is to periodically schedule a script which would update the to-addresses item in a manually created action=src-nat rule as @mrz suggests, another way is described here but in my opinion the script way is much simpler.
Any examples of such a script? Also I believe I need to remove dynamic NAT rule, correct?
 
sindy
Forum Guru
Forum Guru
Posts: 3978
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVpn and mikrotik?

Tue Jul 02, 2019 10:47 pm

Any examples of such a script? Also I believe I need to remove dynamic NAT rule, correct?
You need to prevent the dynamic NAT rule from being created, which simply means not to set the address-list item in the request-only (responder=no) row in /ip ipsec mode-config you refer to from the /ip ipsec identity row you use for NordVPN.

As for the script, it would be something like
if ([:len [/system script environment find name=lastIP]] = 0) do={global lastIP 8.8.8.8};
local currentIP [/ip address get [find dynamic !(address in your.wan.subnet.ip/mask) interface~"if-name"] address];
if ($lastIP != $currentIP) do={
    ip firewall nat set [find chain=srcnat action=src-nat dst-address-list~"nordvpn-targets"] to-addresses=$currentIP;
    system script environment set lastIP value=$currentIP;
}
The rule to fetch the current IP assigned by IKEv2 has to be carefully adapted to your environment - it gets attached to some existing interface and I don't know the criteria used to choose that interface, so the match conditions of the find include the interface name and an exclusion of a subnet from which you eventually get your normal WAN address from the ISP's DHCP so that only the dynamically assigned IP you really need would match.

You need to run the script periodically using a scheduler. Every 5 seconds might be enough. Maybe Mikrotik will add a script item to the identity or mode-config one day in future so that the script would be spawned at every change, much like dhcp-client, dhcp-server and ppp profile work today.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
ztx
just joined
Posts: 5
Joined: Sun Nov 05, 2017 4:46 am

Re: NordVpn and mikrotik?

Wed Jul 03, 2019 9:18 am

when connected, the src-address in ipsec policy is the current ip address asinged by ikev2, is there a way to use this ip in script?
 
sindy
Forum Guru
Forum Guru
Posts: 3978
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVpn and mikrotik?

Wed Jul 03, 2019 10:54 am

when connected, the src-address in ipsec policy is the current ip address asinged by ikev2, is there a way to use this ip in script?
Of course there is, but you may end up with the same issue I've mentioned above. You may have more than one IPsec policy in place (or even more than one dynamic address assigned by an IKEv2 peer using mode-config), so the match criteria used to select the proper address have to be tailored to your environment in any case, regardless whether you fetch it from the dynamically assigned IP addresses or from the dynamically created IPsec policies (or both).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
msatter
Forum Guru
Forum Guru
Posts: 1300
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVpn and mikrotik?

Wed Jul 03, 2019 11:05 am

I have it working but need two routers in serie (cascade).
If I was you I eould wait till Mirotik implement the promised way to be able to do this in one one router.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta59 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
ztx
just joined
Posts: 5
Joined: Sun Nov 05, 2017 4:46 am

Re: NordVpn and mikrotik?

Wed Jul 03, 2019 12:09 pm

Thanks sindy! Your script worked.
I tried find address from ipsec policy by peer get the ip too.
local currentIP [/ip ipsec policy get [find peer~"pure"] src-address];
So I can routing package by set the routing-mark of the source nat,

Who is online

Users browsing this forum: No registered users and 84 guests