Hello, was someone able to get Surfshark VPN working with Mikrotik? I followed this wiki https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS but I've used Surfshark certificate and servers.
The result is that the peer is connected and computers on the network seem to be connected through the VPN because tracert shows the traffic going through the Surfshark VPN server. But the problem is that no website is actually loading and just times out. With some Surfshark servers, sometimes I get a small portion of a website loaded, but it takes ages and eventually just stops.
I've done a fresh config of RB750 and 2011 (FW 6.45.2), both behave the same. So I'm wondering if anyone tried Surfshark and was able to get it to work on a Mikrotik.
Thanks

This points to a problem with MTU.
Did you maybe block all ICMP packets in your firewall?
That makes setups like this break.

Have a look here on this:
viewtopic.php?f=13&t=150377&hilit=1280

Thanks for the tips. Changing MTU did it for me. With MTU at 1250 and MSS set to to clamp to pmtu, it seems to work.

Few days later I stopped using Mikrotik as the VPN router because loading some content was still problematic. So in the end I'd say Mikrotik and Surfshark VPN aren't compatible, which is too bad, since the performance was much better than with other routers I tried (OpenWRT on a TPLink and DD-WRT on Netgear WNDR3700v3).

Hmmmm there is someting going on with using pmtu as that did not worked for me. If you replace pmtu with value 1280 it should be running as expected. Hope that Mikrotik gets the calculation correct soon.

But this really is an issue with that VPN provider and/or your own configuration!
When you would send a TCP packet with too large MSS the other side would send a large packet and it would not pass the VPN, but at that time the VPN service should send a "ICMP - destination unreachable, fragmentation needed but DF set" packet back to the service you are trying to reach, which also contains the acceptable MTU, and then this service should lower the size of the packets they send to you.
This is the way it is supposed to work. But unfortunately lots of places break that, it can happen at the VPN provider (that does not send the ICMP) or at the network of the service you try to use (which blocks all ICMP).

Hi, sorry but how did you manage to configure with surfshark?
I didn't succeed, can you explain step by step how you did it?

Where exactly did you change MTU and set MSS to clamp to PMTU?
I also can't figure this out, any help would be appreciated.

It is still a work around and no clamping needed anymore. The packet returning indication that the package size is, to big is pointed the wrong way by RouterOS.

viewtopic.php?f=2&t=154449&p=763404&hil ... v2#p763404

I got this working on a hEX router over the weekend. I mostly followed the guide from the Surfshark site (https://support.surfshark.com/hc/en-us/ ... with-IKEv2 - based on the NordVPN guide from Mikrotik anyway I think), but I did find a couple of things extra which I needed to do...

As some other people have mentioned, with the default setup the VPN would connect, and sort of work - pings get through mostly fine but web pages would be very slow to load and on speedtest.net I could only get 10Mb down, with the upload test failing completely. Initially I put this down to an PMTU/MSS issue, but the problem persisted even after I put in an MSS clamp firewall rule, and then when that didnt work, Sindy's "action=none" IPsec policy work around.

What I eventually stumbled across in another unrelated forum post was that IPSec doesn't really work with fasttrack on Mikrotik. The suggested fix was to edit the fasttrack firewall rule so that it wouldn't match IPSec packets. As soon as I did this, everything started working as expected. So, in summary, the 2 extra things you will probably need from the guide to get your surfshark connection working are:


Hope that helps a few people

shogunx,

I too had problems getting the Surfshark IKEv2 VPN to work. I had to apply the development firmware v6.48beta40 to fix the "drop every 5-10 seconds" problem due to the surfshark DNS addresses only having 5sec TTL. Making my own static DNS entry worked, but might have broken if that particular server no longer accepted connections.

Future generations can read more here -->
viewtopic.php?p=817956

I don't seem to have any MTU problems, so I put it back to 1500 and removed the mangle/clamp-to-pmtu workarounds shown here. Still working so far...

Thanks for your help, both in this thread and in the other!

shogunx,

I too had problems getting the Surfshark IKEv2 VPN to work. I had to apply the development firmware v6.48beta40 to fix the "drop every 5-10 seconds" problem due to the surfshark DNS addresses only having 5sec TTL. Making my own static DNS entry worked, but might have broken if that particular server no longer accepted connections.

Future generations can read more here -->
viewtopic.php?p=817956

I don't seem to have any MTU problems, so I put it back to 1500 and removed the mangle/clamp-to-pmtu workarounds shown here. Still working so far...

Thanks for your help, both in this thread and in the other!

Try this guide, it's the same as on Surfsharks site but there is a list of their servers with the IP address they recommend using instead of the hostname

https://learn.psitc.com/how-to/surfshar ... n-mikrotik

viewtopic.php?f=23&t=169273

You're welcome.