Route all traffic via VPN

Posted: Mon Jun 17, 2013 5:43 pm
by SomeYoungGuy
OK, so I have a VPN client (MikroTik) connected to a VPN server (whatever), and the VPN client, with an IP of say 192.168.1.1, is our PCs' gateway... right, bog standard!

For whatever reason I want to route all my "internet" traffic via the VPN.
Now I cannot add another default route, something like: dst:0.0.0.0/0 gw: pptp-out1, since the router itself needs a default gateway to be able to establish the VPN in the first place.

So how do I identify only the "public internet" traffic? Like, it should exclude 192.168... etc. etc. I think it's called A class network? (I can always specify 10.0.0.0 range IPs if I'm using any).

I want to put some clever network in like: Dst Address : X.Y.Z.0/A gw: pptp-out1

This would then identify any traffic heading for the internet and route it out via the VPN.

Re: Route all traffic via VPN

Posted: Mon Jun 17, 2013 7:20 pm
by mixig
Step one, if you want to push public traffic through the VPN, create three address lists (private IP addresses):
/ip firewall address-list
add address=10.0.0.0/8 disabled=no list="Local subnet"
add address=172.16.0.0/12 disabled=no list="Local subnet"
add address=192.168.0.0/16 disabled=no list="Local subnet"
Then mark all internet traffic and exclude traffic which has a private IP as destination (assume that your LAN interface is ether1-LAN and your LAN range is 192.168.1.0/24). Be careful: the dst-address-list has a "!" mark, which means everything except private IP addresses (inversion).
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-address-list="!Local subnet" in-interface=ether1-LAN new-routing-mark=traffic_for_VPN passthrough=yes src-address=192.168.1.0/24
Step three, create a default route for that traffic (traffic which has routing mark traffic_for_VPN from step 2) and change your gateway (in my case it is pptp-out1):
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=traffic_for_VPN scope=30 target-scope=10
So all traffic from your LAN will go through the VPN; the router will have its connection through the "normal default route".

You can adjust this configuration for yourself (range of private IP addresses)... etc.

Re: Route all traffic via VPN

Posted: Sat Mar 28, 2015 2:19 am
by tob
Hello,

Is there a way to also route the traffic from the router itself to the VPN? That is, all communication from the LAN network and also from the router will be routed to the VPN?

I have properly configured routing from the LAN network to the VPN, but I'm not able to set up routing for the router itself.

Thank you.

Re: Route all traffic via VPN

Posted: Sat Mar 28, 2015 2:24 am
by tob
Hello,

Is there a way to configure communication of the router itself to also be routed to the VPN? That is, all communication from the LAN and from the router itself will be routed to the VPN.

Currently, I have configured routing for the LAN network to the VPN, but I'm not able to configure routing for the router itself.

Thanks.

Re: Route all traffic via VPN

Posted: Fri Feb 26, 2016 3:33 pm
by 9wYDY
Step one, if you want to push public traffic through the VPN, create three address lists (private IP addresses):
/ip firewall address-list
add address=10.0.0.0/8 disabled=no list="Local subnet"
add address=172.16.0.0/12 disabled=no list="Local subnet"
add address=192.168.0.0/16 disabled=no list="Local subnet"
Then mark all internet traffic and exclude traffic which has a private IP as destination (assume that your LAN interface is ether1-LAN and your LAN range is 192.168.1.0/24). Be careful: the dst-address-list has a "!" mark, which means everything except private IP addresses (inversion).
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-address-list="!Local subnet" in-interface=ether1-LAN new-routing-mark=traffic_for_VPN passthrough=yes src-address=192.168.1.0/24
Step three, create a default route for that traffic (traffic which has routing mark traffic_for_VPN from step 2) and change your gateway (in my case it is pptp-out1):
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=traffic_for_VPN scope=30 target-scope=10
So all traffic from your LAN will go through the VPN; the router will have its connection through the "normal default route".

You can adjust this configuration for yourself (range of private IP addresses)... etc.

Is this at the same time a way to prevent any traffic from skipping the VPN? I want to be sure that specific traffic is not possible outside the VPN. In other words, if the VPN is not available etc., the traffic is not possible.

Re: Route all traffic via VPN

Posted: Fri Feb 26, 2016 3:48 pm
by mrz
Easiest way is to add a specific route only to the VPN server and a default route over the VPN.

Re: Route all traffic via VPN

Posted: Fri Feb 26, 2016 11:54 pm
by astrae
Easiest way is to add a specific route only to the VPN server and a default route over the VPN.
This is what I have done. Really simple.

My WAN interface is PPPoE. When setting this up I haven't created a default route.

I created a static route to the VPN server using the PPPoE gateway.

My VPN connection uses an L2TP client, so I created this and it connects to the VPN server using the static route.

Then create a default route 0.0.0.0/0 using the L2TP client as the gateway.

Easy, all traffic that isn't LAN traffic goes over the VPN.

Re: Route all traffic via VPN

Posted: Tue Oct 04, 2016 10:57 pm
by asmadeus08
I have the same problem but don't understand anything about Linux. I have already installed vps on openvz vps + installed obfs on client/server. Now I need someone's help who can do what's described in the second post, because I want to set up all my router traffic to go through a remote VPN. Can anyone help me? My skype id - parsi19881

Re: Route all traffic via VPN

Posted: Sun Feb 11, 2018 4:36 pm
by mackey22
Easiest way is to add a specific route only to the VPN server and a default route over the VPN.
Hi,
I am new here so hello everyone!
I have bought a new MikroTik router from Lithuania and I configured it as a VPN client. Now I am trying to redirect all my Wi-Fi devices to use the openvpn interface as main gateway so the entire traffic would be through the VPN in Poland. The reason is because I am using a VPN in Poland and I would like to watch some services not available abroad. Thank you in advance.

Cheers
Cez

Re: Route all traffic via VPN

Posted: Wed Sep 23, 2020 5:32 pm
by davidand
Hi guys,

Is there any way to enhance the configuration below with a protection so that when a VPN connection is down, no packets are forwarded via the default gateway; in other words, enforcing using the VPN connection?

Thanks.
Step one, if you want to push public traffic through the VPN, create three address lists (private IP addresses):
/ip firewall address-list
add address=10.0.0.0/8 disabled=no list="Local subnet"
add address=172.16.0.0/12 disabled=no list="Local subnet"
add address=192.168.0.0/16 disabled=no list="Local subnet"
Then mark all internet traffic and exclude traffic which has a private IP as destination (assume that your LAN interface is ether1-LAN and your LAN range is 192.168.1.0/24). Be careful: the dst-address-list has a "!" mark, which means everything except private IP addresses (inversion).
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-address-list="!Local subnet" in-interface=ether1-LAN new-routing-mark=traffic_for_VPN passthrough=yes src-address=192.168.1.0/24
Step three, create a default route for that traffic (traffic which has routing mark traffic_for_VPN from step 2) and change your gateway (in my case it is pptp-out1):
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=traffic_for_VPN scope=30 target-scope=10
So all traffic from your LAN will go through the VPN; the router will have its connection through the "normal default route".

You can adjust this configuration for yourself (range of private IP addresses)... etc.

Re: Route all traffic via VPN

Posted: Wed Sep 23, 2020 5:53 pm
by sindy
Is there any way to enhance the configuration below with a protection so that when a VPN connection is down, no packets are forwarded via the default gateway; in other words, enforcing using the VPN connection?
Sure. The key is to add a type=blackhole default route with routing-mark=traffic_for_VPN and distance=20. While the VPN's virtual interface is active, the route through it (with the default value of distance, which is 1) will be used; whenever that interface goes down and the route using it becomes inactive, the blackhole route becomes active.

Currently, as there is no other route in the routing table traffic_for_VPN, routing uses routing table main as a fallback.

PPTP has not been considered secure for years, so if you are really serious about privacy, don't use it.
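
An added example, not part of any post in this thread: a small Python model of the lookup the posts above describe (mixig's address list, mangle mark and marked default route, plus sindy's distance=20 blackhole route), showing where marked LAN traffic leaves when pptp-out1 is up or down. The interface name wan, the sample addresses and the simplified fallback-to-main logic are assumptions of this model; it is not RouterOS code.

```python
import ipaddress

# Address list "Local subnet" and LAN range, as in steps one and two.
LOCAL_SUBNET = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN = ipaddress.ip_network("192.168.1.0/24")


def routing_mark(src, dst):
    """Mangle rule: LAN source and destination NOT in "Local subnet"."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in LAN and not any(d in n for n in LOCAL_SUBNET):
        return "traffic_for_VPN"
    return "main"


def build_tables(kill_switch):
    """Routing tables as (dst, gateway, distance); "wan" is a hypothetical
    name for the router's normal uplink interface."""
    tables = {
        "main": [("0.0.0.0/0", "wan", 1), ("192.168.1.0/24", "ether1-LAN", 0)],
        "traffic_for_VPN": [("0.0.0.0/0", "pptp-out1", 1)],
    }
    if kill_switch:  # the type=blackhole default route with distance=20
        tables["traffic_for_VPN"].append(("0.0.0.0/0", "blackhole", 20))
    return tables


def lookup(tables, mark, dst, up_interfaces):
    """Active route wins by longest prefix, then lowest distance.
    A marked table with no active match falls back to table main."""
    d = ipaddress.ip_address(dst)
    for table in dict.fromkeys([mark, "main"]):
        active = [(ipaddress.ip_network(n), gw, dist)
                  for n, gw, dist in tables[table]
                  if d in ipaddress.ip_network(n)
                  and (gw == "blackhole" or gw in up_interfaces)]
        if active:
            return max(active, key=lambda r: (r[0].prefixlen, -r[2]))[1]
    return "unreachable"


def egress(src, dst, vpn_up, kill_switch):
    """Gateway chosen for one packet under the given VPN state."""
    up = {"wan", "ether1-LAN"} | ({"pptp-out1"} if vpn_up else set())
    return lookup(build_tables(kill_switch), routing_mark(src, dst), dst, up)


if __name__ == "__main__":
    for vpn_up in (True, False):
        for ks in (False, True):
            # 203.0.113.10 is a constructed documentation address.
            print(vpn_up, ks, egress("192.168.1.50", "203.0.113.10", vpn_up, ks))
```

With the VPN down and no blackhole route, the model returns wan for the marked packet, which is the fallback to table main that sindy points out.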