OrdosHydra
just joined
Topic Author
Posts: 2
Joined: Tue Feb 16, 2021 7:52 pm

DNS over IPSec tunnel

Tue Feb 16, 2021 8:53 pm

Hello everybody!

I'm having trouble routing the router's own system DNS queries through the IPsec VPN tunnel.
Any DNS requests made by the router itself are routed through the default gateway and not the VPN tunnel, while, on the other hand, any DNS requests made from the local network (except by the router) end up in the VPN tunnel.

Below is my config. Peer DNS is disabled in ppp and ipsec config.
/interface pppoe-client add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=<USER>
/ip dns set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222

/ip ipsec mode-config add connection-mark=VPN name=VPN responder=no src-address-list=local use-responder-dns=no
/ip ipsec policy group add name=VPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN 
/ip ipsec peer add address=si.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN send-initial-contact=no
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate=*7 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=VPN peer=ProtonVPN policy-template-group=VPN username=<USER>
/ip ipsec policy set 0 disabled=yes
/ip ipsec policy add action=none comment="Fixes MTU problems on IPSec tunnel" dst-address=192.168.0.0/24 src-address=0.0.0.0/0
/ip ipsec policy add comment=ProtonVPN group=VPN proposal=ProtonVPN template=yes
/ip firewall address-list add address=192.168.0.0/24 list=local
/ip firewall address-list add address=208.67.220.220 list=OpenDNS
/ip firewall address-list add address=208.67.222.222 list=OpenDNS
/ip firewall mangle add action=mark-connection chain=prerouting comment="VPN Routing" dst-address-list=OpenDNS new-connection-mark=VPN passthrough=yes 
Dynamically generated src-nat rule for VPN tunnel:
chain=srcnat action=src-nat to-addresses=10.1.2.57 src-address-list=local dst-address-list=!local connection-mark=VPN
I've also added the following rule to the postrouting chain:
/ip firewall mangle add action=passthrough chain=postrouting dst-address-list=OpenDNS log=yes log-prefix=DNS
And when I do /ping FQDN in the router terminal I get the following line. (By the way, the packet counter on the prerouting DNS connmark rule doesn't go up in this case.)
DNS postrouting: in:(unknown 0) out:pppoe-out1, proto UDP, MY_EXTERNAL_IP:54491->208.67.220.220:53, len 57
I'm guessing that the problem lies within MY_EXTERNAL_IP present in logs, but I'm unsure how to approach it. Any ideas?
 
16again
Frequent Visitor
Posts: 82
Joined: Fri Dec 29, 2017 12:23 pm

Re: DNS over IPSec tunnel

Fri Feb 19, 2021 2:21 pm

You need a similar rule for locally generated packets:
/ip firewall mangle add action=mark-connection chain=output comment="VPN Routing" dst-address-list=OpenDNS new-connection-mark=VPN 
 
OrdosHydra
just joined
Topic Author
Posts: 2
Joined: Tue Feb 16, 2021 7:52 pm

Re: DNS over IPSec tunnel

Fri Feb 19, 2021 10:14 pm

Tried it. The rule definitely catches some packets, but the packet counter on the IPsec tunnel doesn't go up.
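
An added example, not part of any post in this thread, showing the complete change implied by the exchange above and how to verify it. The security point is the one the opening post describes: the router's own lookups leave via the PPPoE default gateway in the clear, and because the posted config has allow-remote-requests=yes, any LAN client that uses the router as its resolver is served through that same router-originated path, so this is the DNS leak that matters. Two things have to hold for a router-originated query to enter the tunnel: it must carry the VPN connection mark (which only an output-chain rule can set, since locally generated packets never pass prerouting), and it must be sourced from an address in the "local" list, because the dynamically generated src-nat rule in the first post matches src-address-list=local and the mode-config policy only protects traffic after that NAT, i.e. sourced from 10.1.2.57. The logged query is sourced from MY_EXTERNAL_IP, so it fails the second condition even once it is marked, which is consistent with the mark rule counting packets while the IPsec counters stay flat. The pref-src routes below are this example's proposed fix for that, and the LAN address 192.168.0.1 is an assumption (the thread never states the router's LAN IP); the address lists, marks and 10.1.2.57 come from the posted config, and the syntax is RouterOS v6 as used in the thread.

```routeros
# Added example, not from any post in this thread: route the router's OWN DNS
# queries through the mode-config IPsec policy, then verify it. RouterOS v6 syntax.
# ASSUMPTION (not stated in the thread): the router's LAN address is 192.168.0.1.
# Everything else (address lists, the VPN mark, 10.1.2.57, pppoe-out1) is taken
# from the configuration posted above.

# 1. Locally generated packets never traverse prerouting, only output. Mark them
#    there so the dynamic src-nat rule (connection-mark=VPN) can match them.
/ip firewall mangle add chain=output dst-address-list=OpenDNS protocol=udp dst-port=53 \
    action=mark-connection new-connection-mark=VPN passthrough=yes \
    comment="VPN Routing: router-originated DNS"
/ip firewall mangle add chain=output dst-address-list=OpenDNS protocol=tcp dst-port=53 \
    action=mark-connection new-connection-mark=VPN passthrough=yes \
    comment="VPN Routing: router-originated DNS (TCP)"

# 2. A marked query is still sourced from the PPPoE address (MY_EXTERNAL_IP in
#    the log), so it fails the src-nat rule's src-address-list=local test, is
#    never translated to 10.1.2.57, and therefore never matches the policy.
#    A host route with pref-src makes the router source these queries from its
#    LAN address, so they take the same NAT + policy path as a LAN client.
#    (ASSUMPTION: 192.168.0.1 is the router's LAN address.)
/ip route add dst-address=208.67.220.220/32 gateway=pppoe-out1 pref-src=192.168.0.1 \
    comment="router DNS sourced from LAN address"
/ip route add dst-address=208.67.222.222/32 gateway=pppoe-out1 pref-src=192.168.0.1 \
    comment="router DNS sourced from LAN address"

# 3. Verify: clear the cache, force a lookup, then confirm the output-chain rule
#    counted it, the connection is marked, the dynamic NAT rule fired, and the
#    IPsec SA byte counter moved. If the SA counter still does not move, compare
#    the post-NAT source address with src-address in /ip ipsec policy print.
/ip dns cache flush
:resolve example.com
/ip firewall mangle print stats where comment~"router-originated"
/ip firewall connection print where connection-mark=VPN protocol=udp
/ip firewall nat print stats where dynamic
/ip ipsec installed-sa print
```

The postrouting log rule from the first post can be kept as a check: after the change, the logged source should be the LAN address before NAT and 10.1.2.57 in the connection table, not MY_EXTERNAL_IP. Nothing here touches LAN clients that query OpenDNS directly; those already traverse prerouting and were working.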
 
sjoram
Member Candidate
Posts: 166
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: DNS over IPSec tunnel

Sat Feb 20, 2021 1:21 am

Edit:
The advice below would work for an IPsec tunnel between two ROS devices, but, reading your post again with the config, you appear to be connecting to a "cloud VPN provider". I doubt this solution will work in that scenario, unfortunately, but I thought it worth leaving this approach here in any case:

I don't use DNS locally other than a few static entries, but I was having similar issues trying to get DHCP Relay working over IPsec.

I've resolved my issue by running OSPF via a GRE tunnel over IPsec to enable routing between the two networks. A rather convoluted solution just to get some DNS going, but it should work in the absence of alternative suggestions. Below are a few hints to get you started; you may need to do some further reading to get it fully configured.

R1:
Create a new bridge (does not need to be assigned to any ports)
Assign an IP address to this bridge (I'm using 192.168.255.1/30)
R2:
Repeat as above - assign an IP address from a different subnet (192.168.255.5/30)

Add the subnets as above to the IPsec policy on the respective routers

Create a GRE tunnel interface between the two bridge IPs.
Assign an IP address to the GRE tunnel on each router - these must be in the same subnet as each other (e.g. R1: 192.168.10.1/30 R2: 192.168.10.2/30)

Create an OSPF configuration (see the Wiki) to exchange connected routes or as appropriate. You may need to add some route filters; the exact configuration will depend upon your setup. It took me some trial and error, but it is particularly important to ensure that the connected routes for the bridge IP subnets are not advertised out or accepted in.
Ensure only the bridge subnets are added to the IPsec policy, all other routing will be advertised by OSPF via the GRE tunnel over IPsec

You should then be able to exchange traffic between the two routers across the GRE tunnel.

Example in my case:

R1:
VLAN 10: 10.5.0.254/16
Bridge for OSPF: 192.168.255.1/30
GRE tunnel: 192.168.10.1/30
IPsec policy - Src: 192.168.255.0/30 Dst: 192.168.255.4/30
R2:
VLAN 10: 10.0.0.254/16
Bridge for OSPF: 192.168.255.5/30
GRE tunnel: 192.168.10.2/30
IPsec policy - Src: 192.168.255.4/30 Dst: 192.168.255.0/30

R1 advertises 10.5.0.0/16 via 192.168.10.1 via OSPF to R2
R2 advertises 10.0.0.0/16 via 192.168.10.2 via OSPF to R1
Home user, working in IT. Home network is my lab.
ISP: Uno Communications
Hardware:
2x RB750Gr3
Draytek Vigor 120v2 ADSL2+ Annex M
Draytek Vigor 130 FTTC (VDSL)
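
An added example, not sjoram's configuration, that carries the steps in the post above through to a complete RouterOS v6 configuration for both routers, using the addresses from the post (bridge /30s 192.168.255.0/30 and 192.168.255.4/30, GRE link 192.168.10.0/30). Assumed, because the post does not give them: the public addresses R1=198.51.100.1 and R2=203.0.113.1 (documentation ranges), pre-shared-key authentication with a placeholder secret, and all object names (lo-ipsec, gre-peer, the "gre" profile and proposal). The route filters implement the failure mode the post warns about: if a router learned the remote endpoint /30 over OSPF, the tunnel's outer packets would be routed into the tunnel itself, so those prefixes are discarded in both directions.

```routeros
# Added example (not sjoram's own config): GRE over IPsec with OSPF between two
# RouterOS v6 devices, following the steps in the post above.
# ASSUMED (not in the post): public addresses R1=198.51.100.1 and R2=203.0.113.1,
# pre-shared-key auth with a placeholder secret, and all object names.

# ================= R1 =================
# Port-less bridge that only owns the IPsec-protected tunnel endpoint.
/interface bridge add name=lo-ipsec
/ip address add address=192.168.255.1/30 interface=lo-ipsec

# IPsec protects ONLY the two endpoint /30s; LAN prefixes never appear in a policy.
/ip ipsec profile add name=gre dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal add name=gre auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer add name=R2 address=203.0.113.1/32 exchange-mode=ike2 profile=gre
/ip ipsec identity add peer=R2 auth-method=pre-shared-key secret="<PSK>"
/ip ipsec policy add peer=R2 tunnel=yes proposal=gre \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    src-address=192.168.255.0/30 dst-address=192.168.255.4/30

# GRE runs between the bridge addresses, so every GRE packet falls inside the policy.
/interface gre add name=gre-peer local-address=192.168.255.1 remote-address=192.168.255.5
/ip address add address=192.168.10.1/30 interface=gre-peer

# OSPF only on the GRE link. Redistribute connected routes, but discard the two
# endpoint /30s in both directions (prefix 192.168.255.0/29 with length 30 matches
# exactly those two), otherwise the tunnel endpoint gets routed into the tunnel.
/routing filter add chain=ospf-out prefix=192.168.255.0/29 prefix-length=30 action=discard
/routing filter add chain=ospf-in prefix=192.168.255.0/29 prefix-length=30 action=discard
/routing ospf instance set [ find default=yes ] router-id=192.168.10.1 \
    redistribute-connected=as-type-1 in-filter=ospf-in out-filter=ospf-out
/routing ospf network add network=192.168.10.0/30 area=backbone

# ================= R2 (mirror image) =================
/interface bridge add name=lo-ipsec
/ip address add address=192.168.255.5/30 interface=lo-ipsec
/ip ipsec profile add name=gre dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal add name=gre auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer add name=R1 address=198.51.100.1/32 exchange-mode=ike2 profile=gre
/ip ipsec identity add peer=R1 auth-method=pre-shared-key secret="<PSK>"
/ip ipsec policy add peer=R1 tunnel=yes proposal=gre \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    src-address=192.168.255.4/30 dst-address=192.168.255.0/30
/interface gre add name=gre-peer local-address=192.168.255.5 remote-address=192.168.255.1
/ip address add address=192.168.10.2/30 interface=gre-peer
/routing filter add chain=ospf-out prefix=192.168.255.0/29 prefix-length=30 action=discard
/routing filter add chain=ospf-in prefix=192.168.255.0/29 prefix-length=30 action=discard
/routing ospf instance set [ find default=yes ] router-id=192.168.10.2 \
    redistribute-connected=as-type-1 in-filter=ospf-in out-filter=ospf-out
/routing ospf network add network=192.168.10.0/30 area=backbone

# Checks on either side: SA installed, OSPF adjacency Full, remote LAN learned
# with the far GRE address (192.168.10.2 on R1, 192.168.10.1 on R2) as gateway.
/ip ipsec installed-sa print
/routing ospf neighbor print
/ip route print where ospf
```

With redistribute-connected, each router also offers its WAN-side connected prefix to the other; add further ospf-out discard entries for any such prefix you do not want on the far side, which is the "depends on your setup" part of the post. As sjoram notes, this only applies where both IPsec endpoints are routers you control; a cloud VPN provider will not install the matching policy or run OSPF with you.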
