WojtusW5
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 02, 2017 1:25 pm

NordVPN

Thu Apr 18, 2019 4:54 pm

Hi, the topic has been discussed many times.
After the recent changes in IPsec, is MT able to connect to NordVPN (IKEv2 with EAP)?
And the second question: has anyone had fun trying to connect OpenVPN to NordVPN?

Thank You in advance
I invite you to visit my blog
https://mikrotikon.pl/
 
611
newbie
Posts: 28
Joined: Wed Oct 17, 2018 10:12 am

Re: NordVPN

Thu Apr 18, 2019 10:34 pm

Nope to both (moreover, non-accelerated AES on OVPN will be slow).
Since NordVPN deprecated L2TP/IPsec in late 2018 (for some obscure reason), ROS is no longer able to connect to NordVPN.

I've replaced my CHR with OPNsense because of that, and am currently using OVPN from it.
Runs well, including AES-NI support (but I had to request certain changes to the virtual hw, as my VPS provider hadn't forwarded CPU flags correctly by default).

Still, NordVPN is not very handy, as they tend to change servers quite often and don't have an accessible registry of currently available servers.
 
WojtusW5
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 02, 2017 1:25 pm

Re: NordVPN

Thu Apr 18, 2019 11:32 pm

Nope to both (moreover, non-accelerated AES on OVPN will be slow).
Since NordVPN deprecated L2TP/IPsec in late 2018 (for some obscure reason), ROS is no longer able to connect to NordVPN.

I've replaced my CHR with OPNsense because of that, and am currently using OVPN from it.
Runs well, including AES-NI support (but I had to request certain changes to the virtual hw, as my VPS provider hadn't forwarded CPU flags correctly by default).

Still, NordVPN is not very handy, as they tend to change servers quite often and don't have an accessible registry of currently available servers.
OK, so from what you say, I understand it's just OpenVPN?
And IKEv2 is gone.
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: NordVPN

Thu May 23, 2019 4:09 pm

IKEv2 from NordVPN should work with the latest testing releases, where support for EAP authentication methods was added.

See this post for details: viewtopic.php?f=2&t=126221#p731754

I cannot test, as I do not have a NordVPN account.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
For contact join the RouterOS-Scripts Telegram group!
 
611
newbie
Posts: 28
Joined: Wed Oct 17, 2018 10:12 am

Re: NordVPN

Thu May 30, 2019 12:32 am

IKEv2 from NordVPN should work with the latest testing releases, where support for EAP authentication methods was added.
See this post for details: viewtopic.php?f=2&t=126221#p731754
Confirmed working with 6.45beta54.
You may create the identity in the GUI (you'll need to select any cert as the client certificate in order to save the entry) and then change the EAP method to MSCHAPv2 on the command line:
set <identity number> certificate="" eap-methods=eap-mschapv2

Proposal could be up to auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=ecp521. Only AES-CBC is supported by NordVPN.
 
611
newbie
Posts: 28
Joined: Wed Oct 17, 2018 10:12 am

Re: NordVPN

Sat Jun 22, 2019 8:48 pm

Confirmed working with 6.45beta54.
Phase2 rekeying doesn't work, but increasing SA lifetime to 365 days in the proposal could be used as a workaround.
 
Mizm
just joined
Posts: 4
Joined: Sun Jul 14, 2019 5:45 pm

Re: NordVPN

Sun Jul 14, 2019 5:51 pm

Can confirm rekeying is broken in 6.45.1 stable; the only way to keep the connection from dropping is to set PFS Group to none in the IPsec proposal.
wAP ac+R11e-LTE6, RB3011, cAP
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: NordVPN

Wed Jul 17, 2019 2:16 pm

Can confirm rekeying is broken in 6.45.1 stable; the only way to keep the connection from dropping is to set PFS Group to none in the IPsec proposal.
Did anybody report the PFS rekeying issue to MikroTik? Any news on this topic?
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: NordVPN

Wed Jul 17, 2019 2:37 pm

Just enabled ipsec logs to see what's going on. A lot of debug messages, including:
13:33:33 ipsec got error: NO_PROPOSAL_CHOSEN
Possibly it does not find its proposal when rekeying...
 
emils
MikroTik Support
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: NordVPN

Wed Jul 17, 2019 3:06 pm

It is normal to leave pfs-group set to 'none' for IKEv2. It actually uses the group from phase 1 (profile) for child SA creation if set to 'none', when rekeying too. In IKEv2 the first child SA is created during the IKE SA creation, meaning it uses the same PFS group too. And not all implementations support different PFS groups between the first child SA and the subsequent (rekeyed) child SAs. Even the IKEv2 RFC is not very clear about how it should work.
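Pulling the settings reported in this thread into one place, here is an added RouterOS configuration example. It was not posted by anyone in the thread and is not MikroTik's own wiki config; it combines the 6.45beta54 identity settings (certificate="" and eap-methods=eap-mschapv2), the sha512 / aes-256-cbc proposal, and emils' point that pfs-group=none makes the child SA inherit the profile's dh-group so rekeying works. The names NordVPN and under-nordvpn, the sample LAN host, and every value in angle brackets are assumptions to be replaced.

```routeros
# Added example (not from the thread): a complete RouterOS IKEv2/EAP client
# setup assembled from the settings reported above. Object names, the sample
# host and the <angle-bracket> values are assumptions; replace them.

# 0. The provider's root CA certificate is assumed to be imported already
#    (e.g. /certificate import file-name=<provider-root-ca.der>) so that the
#    server's certificate can be verified during IKE_AUTH.

# 1. Phase 1 (IKE SA) profile. sha512 / aes-256 / ecp521 follow the
#    proposal 611 reported as working; check what your server accepts.
/ip ipsec profile
add name=NordVPN hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=ecp521

# 2. Phase 2 (child SA) proposal. pfs-group=none does not switch PFS off:
#    the child SA reuses the dh-group from the profile, also on rekey, which
#    is what fixed the NO_PROPOSAL_CHOSEN rekey failures. Only AES-CBC is
#    accepted by the provider. (The earlier workaround in the thread was
#    pfs-group=ecp521 together with lifetime=365d.)
/ip ipsec proposal
add name=NordVPN auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=none

# 3. Policy group and template so the dynamically generated policy uses
#    this proposal and nothing else.
/ip ipsec policy group
add name=NordVPN
/ip ipsec policy
add group=NordVPN template=yes proposal=NordVPN src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# 4. Mode config as initiator: only hosts on the address list are routed
#    through the tunnel. The host below is a constructed example.
/ip firewall address-list
add list=under-nordvpn address=192.168.88.10 comment="constructed example host"
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=under-nordvpn

# 5. Peer and identity. certificate="" and eap-methods=eap-mschapv2 are the
#    two values the GUI would not save directly in 6.45beta54.
/ip ipsec peer
add name=NordVPN address=<nordvpn-server-hostname> exchange-mode=ike2 profile=NordVPN
/ip ipsec identity
add peer=NordVPN auth-method=eap eap-methods=eap-mschapv2 certificate="" \
    username=<service-username> password=<service-password> \
    generate-policy=port-strict mode-config=NordVPN policy-template-group=NordVPN

# 6. Check: an established peer and a dynamic policy should appear, and the
#    ipsec log should no longer show NO_PROPOSAL_CHOSEN at rekey time.
/ip ipsec active-peers print
/ip ipsec policy print
```

If the other end is also RouterOS (a site-to-site tunnel rather than a provider), remember emils' later remark: pfs-group must be identical on both sides, so either both say none or both name the same group.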
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: NordVPN

Wed Jul 17, 2019 3:26 pm

With "group from phase 1" you refer to dh-group? Got it...

However this could cause a lot of confusion... Selecting "none" looks like disabling the feature. Does it make sense to have values "inherit" or "dh-group" here? Probably confuses even more... :lol:

Still wondering why rekeying does not fail for my other ikev2 connections. And if dh-group and pfs-group are the same - is that different from pfs-group=none?
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: NordVPN

Wed Jul 17, 2019 6:21 pm

emils, I do not agree.
I've set pfs-group=none for my personal site-to-site IKEv2 connections on an initiator. These connections are starting to have rekeying issues now.

Or do I have to set pfs-group=none on the responder as well? Are the explicit and implicit PFS settings not the same?
 
emils
MikroTik Support
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: NordVPN

Thu Jul 18, 2019 9:09 am

Between two RouterOS devices the PFS group must match on both ends. You cannot set 'none' on one side and a different PFS group on the other (regardless of whether it matches the group configured under the Profile menu).

If you want to learn how this works internally, I would suggest reading the IKEv2 RFC (rfc7296) and some documents about forward secrecy. Basically, PFS generates a session key. If PFS group is set to 'none' the same key (generated when phase 1 was created) is used in all rekeying Child SAs. When you set another PFS group, a new session key will be generated upon rekeying and obviously it will not match with the key on other side causing the rekeying to fail.
 
ZeratuLx
just joined
Posts: 1
Joined: Wed Jul 03, 2019 8:47 am

Re: NordVPN

Thu Jul 18, 2019 9:10 am

I have another problem. I connect to the Internet via PPPoE (with a grey IP). I configured IKEv2 with NordVPN according to the wiki and added the local IP address I need to the address list; pings go through NordVPN, but websites do not open. I tried to configure it on a hAP ac (RB962UiGS-5HacT2HnT); I know it has no hardware encryption unit. Everything works through the USB modem (but I checked that on a hAP ac²).
 
emils
MikroTik Support
Posts: 766
Joined: Thu Dec 11, 2014 8:53 am

Re: NordVPN

Thu Jul 18, 2019 9:19 am

First - check if packets are not being FastTracked. You can easily verify this by looking at the Connections table under IP Firewall. If there is "F" flag for the specific connection, you have to either disable FastTrack completely or exclude this traffic from being FastTracked.

If FastTrack is not a problem, you may have to manually reduce the TCP MSS. You can do this with Mangle Firewall's change-mss option (check documentation).
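The two fixes emils suggests, written out as an added RouterOS example (not posted in the thread and not MikroTik's documentation). The rule comments, the assumption that exactly one fasttrack-connection rule exists, and the MSS value 1360 are mine; adjust them to the router in question.

```routeros
# Added example (not from the thread): keep tunnel traffic out of FastTrack
# and clamp TCP MSS for it. Comments, the single-fasttrack-rule assumption
# and new-mss=1360 are assumptions.

# 1. FastTracked connections bypass the IPsec policy lookup, so their
#    packets leave unencrypted and the connection shows the F flag.
#    Accept policy-matched traffic in both directions *before* the
#    fasttrack rule so those connections are never marked.
/ip firewall filter
add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="IPsec out: bypass FastTrack" \
    place-before=[find action=fasttrack-connection]
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="IPsec in: bypass FastTrack" \
    place-before=[find action=fasttrack-connection]

# 2. ESP (plus NAT-T UDP) overhead shrinks the usable MTU inside the tunnel.
#    Without MSS clamping, small packets such as pings pass while full-size
#    TCP segments are dropped, which is exactly "pings work, sites hang".
#    Clamp only on SYN, in both directions. 1360 is an assumed starting
#    point; lower it if pages still stall.
/ip firewall mangle
add chain=forward action=change-mss new-mss=1360 protocol=tcp tcp-flags=syn \
    ipsec-policy=out,ipsec passthrough=yes comment="clamp MSS into tunnel"
add chain=forward action=change-mss new-mss=1360 protocol=tcp tcp-flags=syn \
    ipsec-policy=in,ipsec passthrough=yes comment="clamp MSS from tunnel"

# 3. Check: connections from the tunnelled host must no longer carry the
#    F flag, and a browser test from that host should load pages again.
/ip firewall connection print
```

The accept rules are deliberately narrow (only packets that already match an IPsec policy), so the rest of the forward chain keeps its FastTrack behaviour and the performance benefit for non-VPN traffic.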
 
eworm
Forum Veteran
Posts: 836
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: NordVPN

Thu Jul 18, 2019 6:00 pm

Thanks for the explanation emils!
So after all it's not possible to configure IKEv2 without PFS. That's good news. :mrgreen:
 
karlmuller
just joined
Posts: 1
Joined: Wed Oct 16, 2019 2:35 pm

Re: NordVPN

Wed Oct 16, 2019 2:38 pm

In terms of protocols, NordVPN supports PPTP, L2TP/IPSec, IKEv2, and OpenVPN. By default, the Windows client uses OpenVPN, while Mac and iOS counterparts use the secure IKEv2.
quite informative answer. Thanks though! I am new but I found your answer pretty great!
 
shrekkd
just joined
Posts: 5
Joined: Wed Nov 06, 2019 12:33 pm

Re: NordVPN

Wed Nov 06, 2019 12:45 pm

NordVPN was hacked recently. I have seen a lot of user accounts leaked on pastebins and forums. I would suggest that users stay away from that provider for a while.
 
msatter
Forum Guru
Posts: 2317
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN

Wed Nov 06, 2019 3:34 pm

NordVPN was hacked recently. I have seen a lot of user accounts leaked on pastebins and forums. I would suggest that users stay away from that provider for a while.
Information about this hack from NordVPN's side:

https://nordvpn.com/blog/official-respo ... er-breach/
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS. However, 'happy' with giving money to Italy.

Running:
RouterOS 7RC4 and 6.49RC / Winbox 3.31 64bits
