 
erkexzcx
Member Candidate
Topic Author
Posts: 223
Joined: Mon Oct 07, 2019 11:42 pm

NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Fri Nov 20, 2020 2:51 am

Overview
  • I've wasted hours making RouterOS work perfectly with NordVPN and I wrote this guide so you don't have to waste your time.
  • You must have RouterOS 6. It must be at least version 6.45. Some steps in ROS7 will be different.
  • A nearly identical setup is possible with Surfshark. See here.
  • To get around geo restrictions (e.g. for BBC player, Netflix content) as well as DNS leaking, you must use NordVPN DNS servers. Disclaimer: I did not test if it works.
  • The steps below use the "considered to be perfectly safe" ciphers and their levels, but NordVPN does support higher levels of encryption. Check what hardware acceleration is supported by your MikroTik router; you might want to use such encryption instead in the steps below. P.S. "SHA384 hash algorithm support for phase 1" is supported since 6.48 (might be CLI only).
  • Instead of reducing the MSS size using the commands given below, one can also do this using IPsec functionality. See here for instructions.

Preparation
1. Get a recommended NordVPN server from here. In the steps below I used "lv55.nordvpn.com".
2. Get your Service Credentials from here and use them for this setup.
3. Import NordVPN CA to your router:
/tool fetch url="https://downloads.nordcdn.com/certificates/root.der"
/certificate import file-name=root.der name="NordVPN CA" passphrase=""

Use-case #1: Specific traffic (by source) routed through VPN server

Example: You want only 2 LAN devices (192.168.88.10 and 192.168.88.11) to reach internet through VPN server, but the rest of LAN devices to reach internet normally (without VPN server).

# Mark traffic that you want to route through VPN server
/ip firewall address-list add address=192.168.88.10 list=under_nordvpn
/ip firewall address-list add address=192.168.88.11 list=under_nordvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_nordvpn new-connection-mark=under_nordvpn passthrough=yes

# IPsec/IKEv2 configuration
/ip ipsec mode-config add connection-mark=under_nordvpn name="NordVPN mode config" responder=no
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name="NordVPN profile"
/ip ipsec peer add address=lv55.nordvpn.com exchange-mode=ike2 name="NordVPN server" profile="NordVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="NordVPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="NordVPN mode config" password=XXXXXXXXXX peer="NordVPN server" policy-template-group=NordVPN username=XXXXXXXXXX
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" src-address=0.0.0.0/0 template=yes

# In "/ip ipsec policy" you should be able to see a new dynamic rule added next to your NordVPN policy. It MUST exist, otherwise configuration is not working.

# (OPTIONAL) Implement a killswitch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes

# Exclude such VPN traffic from fasttrack
/ip firewall filter add action=accept chain=forward connection-mark=under_nordvpn place-before=[find where action=fasttrack-connection]

# Reduce MSS (should be about 1200 to 1400, but 1360 worked for me)
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_nordvpn tcp-flags=syn tcp-mss=!0-1360

Use-case #2: Specific traffic (by destination) routed through VPN server

Example: You want to reach website wtfismyip.com via VPN server, but the rest of the traffic should go as it is (without VPN).

Note: You can't effectively route all the traffic of YouTube, Netflix or any other big websites through VPN. They have many different domains and IP addresses which constantly change. Instead, route all the traffic of your device through VPN.

Note 2: You might be able to route all traffic of a company, but you might end up routing 30-40% of websites under NordVPN if the company uses popular hosting, e.g. Amazon AWS or Linode. For example, Mikrotik.com resolves to "159.148.147.196". A quick Google search revealed that MikroTik has its own ASN which contains 512 IPs; in other words, if you wish to access MikroTik services/websites under NordVPN, you should add 159.148.147.0/24 and 159.148.172.0/24 to your address list using this (2nd) method.

# Mark traffic that you want to route through VPN server
/ip firewall address-list add address=wtfismyip.com list=under_nordvpn
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=under_nordvpn new-connection-mark=under_nordvpn passthrough=yes

# IPsec/IKEv2 configuration
/ip ipsec mode-config add connection-mark=under_nordvpn name="NordVPN mode config" responder=no
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name="NordVPN profile"
/ip ipsec peer add address=lv55.nordvpn.com exchange-mode=ike2 name="NordVPN server" profile="NordVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="NordVPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="NordVPN mode config" password=XXXXXXXXXX peer="NordVPN server" policy-template-group=NordVPN username=XXXXXXXXXX
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" src-address=0.0.0.0/0 template=yes

# In "/ip ipsec policy" you should be able to see a new dynamic rule added next to your NordVPN policy. It MUST exist, otherwise configuration is not working.

# (OPTIONAL) Implement a killswitch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting dst-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes

# Exclude such VPN traffic from fasttrack
/ip firewall filter add action=accept chain=forward connection-mark=under_nordvpn place-before=[find where action=fasttrack-connection]

# Reduce MSS (should be about 1200 to 1400, but 1360 worked for me)
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_nordvpn tcp-flags=syn tcp-mss=!0-1360
Last edited by erkexzcx on Sat Jun 05, 2021 3:38 pm, edited 28 times in total.
Linux <3
 
Sob
Forum Guru
Posts: 6514
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Guide] How to setup NordVPN (IPSEC/IKEv2) + killswitch

Fri Nov 20, 2020 6:44 am

That killswitch is not great (*). Quite dangerous in fact. It will kill bidirectional communication to internet (under normal circumstances = when nobody is trying to get you), but it doesn't prevent leaking packets.

For example, if a client uses the VPN to send some super secret DNS queries, they will go out to the ISP when the VPN is down. This killswitch doesn't prevent that. It doesn't matter how far they will get, there won't be any response coming back. But the point is, someone will have a chance to see them. I chose DNS, because a query is just one UDP packet and it can contain sensitive data.

And the lack of responses, well, it's not exactly true. There could be someone in ISP's network (Men in Black, ...) waiting for exactly this mistake. They can send fake responses to you. In fact, they can give you full internet access. They'll know that your LAN subnet is behind your router, so they will know where to route responses. And doing outgoing srcnat for you, so that the internet will work, is no problem either. And you won't know that you're not doing your super secret stuff through VPN (unless there's some IP-based blocking on target servers, or something else you'd notice).

Bad enough? It's even worse, they don't have to wait, they can sabotage (block) your connection to VPN server any time they want and get your secret traffic this way.

I'd use something else, for example (only briefly tested, improvements are welcome):
/interface bridge
add name=vpn-blackhole protocol-mode=none
/ip route
add gateway=vpn-blackhole routing-mark=to_vpn
/ip firewall mangle
add chain=prerouting src-address-list=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes
Empty bridge is used as default gateway with alternative routing table "to_vpn". Everything from address list "under_vpn" (from your mode config) gets routing mark "to_vpn", so it will use this routing table. When VPN is down, packets will try to go to empty bridge and won't get anywhere. With VPN up, it will work, because of how IPSec works, it steals packets just before they are sent out, encrypts them and creates different packets. And those are output packets from router and there's new routing decision for them.

--
(*) Original version excluded outgoing traffic from NAT using accept rule in srcnat chain. Running tunnel adds dynamic srcnat rule at the top, so it has priority. With tunnel down, the traffic would go out with original source address (private address from LAN subnet), so communication with internet would not work, because servers can't send responses to private addresses, and ISP should drop such traffic anyway.
Last edited by Sob on Fri Nov 20, 2020 2:06 pm, edited 1 time in total.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
erkexzcx
Member Candidate
Topic Author
Posts: 223
Joined: Mon Oct 07, 2019 11:42 pm

Re: [Guide] How to setup NordVPN (IPSEC/IKEv2) + killswitch

Fri Nov 20, 2020 9:42 am

> That killswitch is not great. Quite dangerous in fact.

Thank you for your feedback. I completely agree with you, and after testing your provided commands it seems that it's working perfectly. +1 for the brief explanation.

I've updated commands in initial post. If someone has any better suggestions - let me know and I will update accordingly.
 
msatter
Forum Guru
Posts: 2139
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Guide] How to setup NordVPN (IPSEC/IKEv2) + killswitch

Fri Nov 20, 2020 2:47 pm

Should I see traffic when I torch the bridge acting as blackhole for the VPN when it is going up or down?

The only traffic I saw was ARP. When I re-enable my own killswitch lines (dst 100.69.69.69) then those lines in NAT do catch traffic.

Looking in /ip route, the PPPoE-out has a distance of zero and the blackhole a distance of one. I can't set the blackhole to zero.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS.

Running:
RouterOS 6.49Beta / Winbox 3.27 64bits
 
erkexzcx
Member Candidate
Topic Author
Posts: 223
Joined: Mon Oct 07, 2019 11:42 pm

Re: [Guide] How to setup NordVPN (IPSEC/IKEv2) + killswitch

Fri Nov 20, 2020 4:45 pm

> Should I see traffic when I torch the bridge acting as blackhole for the VPN when it is going up or down? The only traffic I saw was ARP. When I re-enable my own killswitch lines (dst 100.69.69.69) then those lines in NAT do catch traffic.

I see the same...

> Looking in /ip route, the PPPoE-out has a distance of zero and the blackhole a distance of one. I can't set the blackhole to zero.

It does not matter since you specify which routing mark to use. You can even set distance to 10 and it would still work.

EDIT: I wrote some crap in this comment. Deleted it. :)
 
Sob
Forum Guru
Posts: 6514
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Guide] How to setup NordVPN (IPSEC/IKEv2) + killswitch

Fri Nov 20, 2020 5:59 pm

The bridge is like any other non-point-to-point interface. If you use it as gateway, router needs to get MAC addresses for target IP addresses, to be able to send data to them, so it sends ARP requests. And in this case can't get any response.
 
ztx
just joined
Posts: 12
Joined: Sun Nov 05, 2017 4:46 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Thu Dec 24, 2020 6:56 am

With use case #2, how to killswitch websites like youtube.com that have multiple IP addresses?
 
erkexzcx
Member Candidate
Topic Author
Posts: 223
Joined: Mon Oct 07, 2019 11:42 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Thu Dec 24, 2020 12:55 pm

> With use case #2, how to killswitch websites like youtube.com that have multiple IP addresses?

You can't, because:

> Note: You can't effectively route all the traffic of YouTube, Netflix or any other big websites through VPN. They have many different domains and IP addresses which constantly change. Instead, route all the traffic of your device through VPN.

I've updated those steps and given the above quoted note. You need to route all the traffic of your device through VPN in order to achieve this. See the 2nd method again for updated steps.
 
ztx
just joined
Posts: 12
Joined: Sun Nov 05, 2017 4:46 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Thu Dec 24, 2020 1:24 pm

> > With use case #2, how to killswitch websites like youtube.com that have multiple IP addresses?
>
> You can't, because:
>
> > Note: You can't effectively route all the traffic of YouTube, Netflix or any other big websites through VPN. They have many different domains and IP addresses which constantly change. Instead, route all the traffic of your device through VPN.
>
> I've updated those steps and given the above quoted note. You need to route all the traffic of your device through VPN in order to achieve this. See the 2nd method again for updated steps.

Thanks!
 
starleaf
just joined
Posts: 3
Joined: Thu Feb 06, 2020 8:00 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Thu Dec 24, 2020 9:03 pm

Hi, I have a bit of a problem getting it working with multiple VLANs. So I tried some tweaks, but I'm a bit confused, so I'd like some input. If I understand the packet flow, it should not work, but it does. Or I think it does, as I get the result I want. But as you see below, I have put in some extra things, because with the original one you will not be able to reach other VLANs.
/ip firewall mangle
add action=mark-connection chain=postrouting new-connection-mark=under_vpn out-interface-list=!ALL_LAN passthrough=yes src-address-list=HOST-NeedVPN
add action=change-mss chain=forward connection-mark=under_vpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=mark-routing chain=prerouting connection-mark=under_vpn new-routing-mark=to_vpn passthrough=yes src-address-list=HOST-NeedVPN 


But the thing that confuses me is that I can mark in postrouting and use it in prerouting; does it only work for IKEv2/IPsec? Or maybe it does not work, but I think it does, because I get the result I expect when the tunnel is down. 😊 (I'm pretty new to MikroTik, but I really don't like it when it just works and I don't know how.)
 
Sob
Forum Guru
Posts: 6514
Joined: Mon Apr 20, 2009 9:11 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Thu Dec 24, 2020 11:56 pm

It's the killswitch, it affects all packets from hosts listed in "under_vpn" list, including those to other local subnets.

Your modification kind of breaks the killswitch, because it now works only for packets with connection-mark=under_vpn, but you set that when first packet goes out, so only subsequent ones will be affected, i.e. the first one will leak out when VPN is down.

That also answers your question, how mark set in postrouting can work in prerouting. It can, but not for same packet. Connection marks are like that, router automatically identifies packets that belong to same connection and assigns connection mark to them (that differs from packet and routing marks).

What you want is for the killswitch to always work, but exclude local subnets. One way is to add dst-address-list=!<list of all local subnets> to it. Another is using routing rules:
/ip route rule
add action=lookup-only-in-table dst-address=<local subnet 1> table=main
add action=lookup-only-in-table dst-address=<local subnet 2> table=main
...
I prefer the latter, because it can also help with other things. For example, if you'd be doing hairpin NAT to your internal server, then this one would work, while the former wouldn't (without additional changes).
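Added illustration (not code from this thread and not RouterOS code): a small Python model of the forwarding order Sob describes in his two posts above, prerouting mangle, then routing rules and tables, then the IPsec policy stealing matching packets, then srcnat. It shows which killswitch variant leaks which packet when the tunnel is down, including the first-packet leak of a connection-mark-based rule and the route-rule exclusion of local subnets. The address list contents, subnets, the `scenario` helper and the simplified IPsec policy match are assumptions made for the example.

```python
"""Toy model of the RouterOS forwarding order that the killswitch argument in this
thread depends on: prerouting mangle -> routing rules/tables -> IPsec policy
(which "steals" matching packets and re-routes the encrypted result) -> srcnat.
Not RouterOS code: the names and addresses below are constructed for the illustration."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

VPN_HOSTS = {"192.168.88.10", "192.168.88.11"}          # address list "under_vpn" (constructed)
LOCAL_SUBNETS = ["192.168.88.0/24", "192.168.89.0/24"]  # constructed LAN and VLAN subnets


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in LOCAL_SUBNETS)


@dataclass
class Packet:
    src: str
    dst: str
    conn_mark: str | None = None     # inherited from conntrack for a known connection
    routing_mark: str | None = None  # set by a mangle mark-routing rule


@dataclass
class Router:
    # "none", "nat_accept" (Sob's footnote), "routing_mark" (Sob's bridge blackhole),
    # "connmark_routing" (starleaf/ztx: mark-routing matched on connection-mark)
    killswitch: str
    vpn_up: bool
    exclude_local: bool = False          # /ip route rule ... lookup-only-in-table main
    connmark_chain: str = "prerouting"   # starleaf set the connection mark in postrouting
    conntrack: dict = field(default_factory=dict)  # (src, dst) -> connection mark

    def forward(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst)
        pkt.conn_mark = self.conntrack.get(key)
        # --- prerouting mangle: connection mark first, then the killswitch rule ---
        if self.connmark_chain == "prerouting" and pkt.src in VPN_HOSTS:
            pkt.conn_mark = self.conntrack[key] = "under_vpn"
        if self.killswitch == "routing_mark" and pkt.src in VPN_HOSTS:
            pkt.routing_mark = "to_vpn"
        elif self.killswitch == "connmark_routing" and pkt.conn_mark == "under_vpn":
            pkt.routing_mark = "to_vpn"
        # --- routing rules, then routing decision ---
        if self.exclude_local and is_local(pkt.dst):
            table = "main"
        else:
            table = pkt.routing_mark or "main"
        if table == "to_vpn":
            out_if = "vpn-blackhole"          # table to_vpn only holds the route to the empty bridge
        else:
            out_if = "lan" if is_local(pkt.dst) else "isp"
        # --- IPsec policy: taken before the packet leaves out_if; the ESP result is re-routed via main ---
        # Model assumption: the dynamic policy covers under_vpn hosts talking to non-local addresses.
        if self.vpn_up and pkt.src in VPN_HOSTS and not is_local(pkt.dst):
            outcome = "encrypted_to_vpn"
        elif out_if == "vpn-blackhole":
            outcome = "dropped_blackhole"     # ARP for the gateway is never answered
        elif out_if == "lan":
            outcome = "local_delivery"
        elif self.killswitch == "nat_accept" and pkt.src in VPN_HOSTS:
            outcome = "leak_private_src"      # accept rule skipped masquerade; packet still leaves via ISP
        else:
            outcome = "plain_masqueraded"     # for an under_vpn host this is the silent, working leak
        # --- postrouting mangle (starleaf's mark-connection with out-interface-list=!ALL_LAN) ---
        if self.connmark_chain == "postrouting" and pkt.src in VPN_HOSTS and out_if != "lan":
            self.conntrack[key] = "under_vpn"
        return outcome


def scenario(killswitch: str, vpn_up: bool, dst: str = "1.1.1.1",
             packets: int = 1, **kw) -> list[str]:
    """Outcome of `packets` packets of one flow from 192.168.88.10 to dst."""
    router = Router(killswitch=killswitch, vpn_up=vpn_up, **kw)
    return [router.forward(Packet("192.168.88.10", dst)) for _ in range(packets)]


if __name__ == "__main__":
    cases = [
        ("none", False, {}), ("nat_accept", False, {}), ("nat_accept", True, {}),
        ("routing_mark", False, {}), ("routing_mark", True, {}),
        ("connmark_routing", False, {"connmark_chain": "postrouting", "packets": 2}),
        ("connmark_routing", False, {"packets": 2}),
        ("routing_mark", False, {"dst": "192.168.89.5"}),
        ("routing_mark", False, {"dst": "192.168.89.5", "exclude_local": True}),
    ]
    for ks, up, kw in cases:
        print(f"{ks:17} vpn_up={up!s:5} {kw!s:48} -> {scenario(ks, up, **kw)}")
```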
 
starleaf
just joined
Posts: 3
Joined: Thu Feb 06, 2020 8:00 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Fri Dec 25, 2020 10:41 am

> It's the killswitch, it affects all packets from hosts listed in "under_vpn" list, including those to other local subnets.
>
> Your modification kind of breaks the killswitch, because it now works only for packets with connection-mark=under_vpn, but you set that when first packet goes out, so only subsequent ones will be affected, i.e. the first one will leak out when VPN is down.
>
> That also answers your question, how mark set in postrouting can work in prerouting. It can, but not for same packet. Connection marks are like that, router automatically identifies packets that belong to same connection and assigns connection mark to them (that differs from packet and routing marks).
>
> What you want is for the killswitch to always work, but exclude local subnets. One way is to add dst-address-list=!<list of all local subnets> to it. Another is using routing rules:
> /ip route rule
> add action=lookup-only-in-table dst-address=<local subnet 1> table=main
> add action=lookup-only-in-table dst-address=<local subnet 2> table=main
> ...
> I prefer the latter, because it can also help with other things. For example, if you'd be doing hairpin NAT to your internal server, then this one would work, while the former wouldn't (without additional changes).

Thanks a lot for the clarification and solution.
It worked great, I used the route rules with summarization.
 
msatter
Forum Guru
Posts: 2139
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sat Dec 26, 2020 11:40 am

I see in the use cases the following line, which is obsolete if you do that directly in the IPsec policy.

It is this line in mangle:
# Reduce MSS (should be about 1200 to 1400, but 1360 worked for me)
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp src-address-list=under_vpn tcp-flags=syn tcp-mss=!0-1360
My posting about this and Sindy was the one who solved it: viewtopic.php?f=2&t=154449&p=763404&hil ... 88#p763404
/ip ipsec policy
move *ffffff destination=0
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0 place-before=1
The first line is I think not needed anymore because it will be always at the top in policy. I have used here an internal network: 192.168.88.0/24 and you have to adapt it to the internal network you are using to connect to the router providing IKEv2.

Also NordVPN and other allow to use SHA384 in profiles which gives a higher level of encrypting in phase 1 of the connection.
 
erkexzcx
Member Candidate
Topic Author
Posts: 223
Joined: Mon Oct 07, 2019 11:42 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sat Dec 26, 2020 6:13 pm

@msatter - thanks for your input.

I don't actually see it as an improvement to my guide. I mean, it does work, but using a simple mangle rule is a more dynamic way of dealing with VPN traffic.

E.g. in the address-list I gave a domain which is resolved by the MikroTik router. If it's updated, then it's also routed through VPN. This wouldn't be the case with IPsec policies; I would need to update it manually then.

Am I missing something here?

> Also NordVPN and others allow using SHA384 in profiles, which gives a higher level of encryption in phase 1 of the connection.

I've heard about it, but it's not "officially" supported as per here. I believe SHA256 is enough as of now, but it's up to the user to increase it.
 
msatter
Forum Guru
Posts: 2139
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sat Dec 26, 2020 7:55 pm

It is for the SYN that it is needed, and RouterOS does not know where to send those returning packets to. Those packets are now sent to where they are expected and get processed to lower the MTU, until no more "please lower the MTU" messages are sent.

IKEv2/IPsec significantly increases the security and privacy of users by employing strong cryptographic algorithms and keys. NordVPN uses NGE (Next Generation Encryption) in IKEv2/IPsec. The ciphers used to generate Phase1 keys are AES-256-GCM for encryption, coupled with SHA2-384 to ensure integrity, and combined with PFS (Perfect Forward Secrecy) using 3072-bit Diffie-Hellman keys. IPsec then secures the tunnel between the client and server, using the strong AES-256. The protocol provides the user with peace-of-mind security, stability, and speed. That’s why it is highly recommended by NordVPN and is used by default in the NordVPN apps for iOS and macOS.

Source: https://support.nordvpn.com/FAQ/1047408 ... choose.htm

RouterOS does not support AES-256-GCM, so that is not possible.
Update: the router I have can also do GCM, but most others do not, and there is no mention of SHA384.

Releasenotes latest stable 6.48: *) ipsec - added SHA384 hash algorithm support for phase 1

Update2: NordVPN also supports DH19 - ecp256
/ip ipsec profile add name="NordVPN" hash-algorithm=sha384 enc-algorithm=aes-256 dh-group=ecp256,modp3072
 
erkexzcx
Member Candidate
Topic Author
Posts: 223
Joined: Mon Oct 07, 2019 11:42 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sun Dec 27, 2020 5:15 pm

Thanks for all the input! I've updated instructions accordingly.
 
mclarencar
just joined
Posts: 3
Joined: Tue Dec 08, 2020 5:53 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Mon Jan 04, 2021 1:41 am

I'm glad I find this guide. Just wanna say thanks!
Last edited by mclarencar on Thu Mar 18, 2021 7:00 pm, edited 2 times in total.
 
yo3gjc
just joined
Posts: 12
Joined: Sat Mar 05, 2011 4:30 pm
Location: Mississauga ON

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Thu Jan 07, 2021 7:51 pm

Works like a charm with Windows, but I still have issues with Android devices with TCP MSS 1360. Any way to guess the sweet spot size?
Tnx and HNY!

UPDATE
Upgraded to v6.48 (released Dec 22, 2020) and retested with Android. Now it is working; before, upload on Android was almost zero.
 
DOMIN
just joined
Posts: 3
Joined: Sun Mar 22, 2020 9:55 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Wed Jan 13, 2021 8:43 pm

Please tell me how to correctly forward the port for example for torrent in this configuration?
 
erkexzcx
Member Candidate
Topic Author
Posts: 223
Joined: Mon Oct 07, 2019 11:42 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sat Jan 16, 2021 12:47 am

> Please tell me how to correctly forward the port, for example for torrent, in this configuration?

1. How is it related to this thread?
2. Why would you need port forwarding for... torrents?
 
DOMIN
just joined
Posts: 3
Joined: Sun Mar 22, 2020 9:55 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sat Jan 16, 2021 11:43 am


> 1. How is it related to this thread?
> 2. Why would you need port forwarding for... torrents?

1. IPSEC/IKEv2 NordVPN does not support port forwarding, but other services give this option.
2. For torrent or for sharing something.
I apologize if this is off-topic, but this topic seems close and I didn't want to create a separate topic for such a small question.
 
msatter
Forum Guru
Posts: 2139
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sat Jan 16, 2021 12:30 pm

You mark connections in mangle with the connection mark of the VPN connection. You then have full control of which traffic is going through the VPN based on type, port, dst/src address or domain through an address-list.
 
ztx
just joined
Posts: 12
Joined: Sun Nov 05, 2017 4:46 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Wed Jan 27, 2021 7:37 am

/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=under_vpn new-connection-mark=under_vpn passthrough=yes
Since connection is marked, what about use mark routing in the killswitch base of the connection-mark
/ip firewall mangle add chain=prerouting connection-mark=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes
 
msatter
Forum Guru
Posts: 2139
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Wed Jan 27, 2021 1:55 pm

Because routing is not used, it is indeed free to be used as the trigger for the killswitch. I am using several VPN providers and connections, so I mark IKEv2 traffic with a single routing mark and the distribution is done by connection marking.

This gives a lot of flexibility in the end.
 
sparx
just joined
Posts: 1
Joined: Wed Jan 27, 2021 10:17 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Wed Jan 27, 2021 11:45 pm

Hi, I have the hEX S router and I followed the instructions in the first post to the letter, only changing the NordVPN server and password, and not implementing the kill switch.
All the configuration was done after the router was reset to factory defaults, FW 6.48.
When I try to use a PC through the VPN connection everything is fine,
but when trying to access through Android devices it's like only very few sites actually work.
youtube.com is accessible but videos don't play through the browser, amazon.com is not opening at all, can't connect to Ring cameras, etc.
I've tried lowering the MSS value to 1200, but it had no effect.
Will really appreciate a point in the right direction on this.
Thank you!
 
ztx
just joined
Posts: 12
Joined: Sun Nov 05, 2017 4:46 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Thu Jan 28, 2021 4:21 am

/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=!no_vpn dst-address-type=!local new-connection-mark=under_vpn passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes
The above config doesn't work; there are tx and rx packets on vpn_blackhole. Adding dst-address-list=!no_vpn, it worked. Where is the problem?
 
ztx
just joined
Posts: 12
Joined: Sun Nov 05, 2017 4:46 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Mon Feb 01, 2021 2:36 am

> Hi, I have the hEX S router and I followed the instructions in the first post to the letter, only changing the NordVPN server and password, and not implementing the kill switch.
> All the configuration was done after the router was reset to factory defaults, FW 6.48.
> When I try to use a PC through the VPN connection everything is fine,
> but when trying to access through Android devices it's like only very few sites actually work.
> youtube.com is accessible but videos don't play through the browser, amazon.com is not opening at all, can't connect to Ring cameras, etc.
> I've tried lowering the MSS value to 1200, but it had no effect.
> Will really appreciate a point in the right direction on this.
> Thank you!

I'm using an Android phone with the VPN set up on the router. Without changing MSS, some apps like Twitter, Gmail and the Google account in Settings can't work, but they can be accessed in a web browser; with MSS set to 1360 everything worked.
For YouTube, see post #8 by erkexzcx:
> > With use case #2, how to killswitch websites like youtube.com that have multiple IP addresses?
>
> You can't, because:
>
> > Note: You can't effectively route all the traffic of YouTube, Netflix or any other big websites through VPN. They have many different domains and IP addresses which constantly change. Instead, route all the traffic of your device through VPN.
>
> I've updated those steps and given the above quoted note. You need to route all the traffic of your device through VPN in order to achieve this. See the 2nd method again for updated steps.

I modified the mark-connection rule and YouTube worked:
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=!no_vpn dst-address-type=!local new-connection-mark=under_vpn passthrough=yes
 
MatthewWillis
just joined
Posts: 1
Joined: Fri Feb 26, 2021 2:07 am
Location: Mineapolis MN

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Fri Feb 26, 2021 2:49 am

Thanks to the author for this comprehensive guide! The solutions described in the post do an excellent job. I recently purchased a router from Mikrotik and I like to use it, but since I like to use Nord VPN in my work, I also had to face some problems. Fortunately, Use-case # 2 from the guide helped to solve the problem. Thanks again!
Last edited by MatthewWillis on Fri Feb 26, 2021 2:58 am, edited 1 time in total.
 
AWDGuy
just joined
Posts: 6
Joined: Thu Oct 17, 2019 9:00 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sun Mar 21, 2021 5:41 pm

Great thread. Thank you.

I am trying to do the opposite of Use-case #2... with Surfshark, which appears to have a similar IPsec setup:
Use-case #4: Specific traffic (by destination address and/or destination port, preferably) routed AROUND (bypassing) the VPN server.
The intent is for all traffic to go through the tunnel except my work SSL VPN connections, which should go straight to the ISP. I will likely add other bypass destination ports/protocols. For now I'm just trying to make it work for all HTTP/HTTPS for easy testing.
I tried what I read for some of the Netflix bypasses, but can't make it work. Everything still goes through the VPN tunnel, but they appear to be suggesting routing-marks, not connection-marks...
Currently set up like Use-case #1 plus a marked route to the ISP and a mangle rule for any dst port 80,443...
/ip route add distance=1 gateway=96.38.160.1 routing-mark=BypassVPN 
/ip firewall mangle add action=mark-routing chain=prerouting dst-port=80,443 new-routing-mark=BypassVPN passthrough=no protocol=tcp src-address=10.236.1.0/24
 
erkexzcx
Member Candidate
Topic Author
Posts: 223
Joined: Mon Oct 07, 2019 11:42 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sun Mar 21, 2021 6:09 pm

Does something like this do the trick?
/ip firewall mangle add action=mark-connection chain=prerouting dst-port=!80,443 new-connection-mark=under_nordvpn passthrough=yes protocol=tcp
 
AWDGuy
just joined
Posts: 6
Joined: Thu Oct 17, 2019 9:00 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sun Mar 21, 2021 10:22 pm

Does something like this do the trick?
/ip firewall mangle add action=mark-connection chain=prerouting dst-port=!80,443 new-connection-mark=under_nordvpn passthrough=yes protocol=tcp
Thank you. Yes, I think, as you wrote it, that would work for global ports like that, or one specific destination, but what about multiple exceptions?
SSL VPN to work IP
80,443 to any site I want location services to work (Banking, Home Depot, Yelp)
FTPS to my web host
Not sure how to fit that in a single Mangle
My intent was to mark traffic I don't want in the tunnel instead of that I do. Each way has its own challenges though as I am seeing.
 
User avatar
erkexzcx
Member Candidate
Member Candidate
Topic Author
Posts: 223
Joined: Mon Oct 07, 2019 11:42 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sun Mar 21, 2021 10:29 pm

but what about multiple exceptions?
Honestly I don't know.

If I were you, I would just do something like this:
/ip firewall mangle add action=mark-connection chain=prerouting dst-port=80,443 new-connection-mark=novpn passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=prerouting dst-address=123.123.123.123 new-connection-mark=novpn passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=!novpn new-connection-mark=under_nordvpn passthrough=yes
Linux <3
 
AWDGuy
just joined
Posts: 6
Joined: Thu Oct 17, 2019 9:00 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Mon Mar 22, 2021 12:09 am

If I were you, I would just do something like this:
Thank you. Burned too much time on this for now... Will revisit later. Something about my config makes it all or nothing regardless.
 
atifivacy
newbie
Posts: 25
Joined: Wed Feb 17, 2021 7:23 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Mon Mar 22, 2021 11:54 am

The bridge functions in the same way as any other non-point-to-point interface. If you use it as a gateway, the router sends ARP requests to get MAC addresses for target IP addresses so it can send data to them. And in this case, there has been no response.
 
lenart
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Sat Jun 28, 2014 10:56 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sat Mar 27, 2021 8:38 pm

I've been trying to implement this particular setup (specifically number 3) but I don't seem to be having any luck whatsoever, every time I add an IP address to my list, that particular device cannot connect to the internet anymore. I'm out of options when it comes to debugging steps so I would like to ask your help.

So far, I have been able to determine that:
  1. The connection to NordVPN is set up, as I can see an active peer with traffic, I can see installed SAs for that peer and a dynamic policy is generated for the NordVPN peer
  2. The policy generates no-track rules and a src-nat rule is generated for the connection as well
  3. Running a ping and trace-route to 8.8.8.8 from the Mikrotik device with the NordVPN IP address as src-address shows that the connection exits on the other side of the VPN and the ping times are significantly higher than when running the same ping through my ISP
Any attempt to connect to the internet through NordVPN from a device inside my network by adding its IP address to the VPN list however does not work. It is like the return traffic gets to the Mikrotik device correctly but is not sent to the client.

Here are my IPSec settings for NordVPN
/ip ipsec profile
add dh-group=ecp256,modp3072 enc-algorithm=aes-256 hash-algorithm=sha384 \
    name="NordVPN profile"
/ip ipsec peer
add address=us8452.nordvpn.com exchange-mode=ike2 name="NordVPN peer" \
    profile="NordVPN profile"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s \
    name="NordVPN proposal" pfs-group=none
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" \
    src-address=0.0.0.0/0 template=yes

/ip ipsec mode-config
add connection-mark=NordVPN name=NordVPN responder=no
    
/ip ipsec identity
add auth-method=eap certificate=NordVPN eap-methods=eap-mschapv2 \
    generate-policy=port-strict mode-config=NordVPN notrack-chain=prerouting \
    password=[password] peer="NordVPN peer" \
    policy-template-group=NordVPN username=[username]
Here are my firewall rules
/ip firewall filter
# Input chain rules
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

# Forward chain rules
add action=accept chain=forward comment="Don't fasttrack NordVPN traffic" connection-mark=NordVPN dst-address-list=localnet
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid 
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall mangle
add action=mark-connection chain=forward comment="Mark outgoing IPSec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark incoming IPSec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=prerouting comment="Mark NordVPN IPSec traffic" connection-mark=!ipsec dst-address-list=!localnet,ipsec-remote new-connection-mark=NordVPN passthrough=yes src-address-list=NordVPN
add action=change-mss chain=forward connection-mark=NordVPN new-mss=64 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-64

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none 

/ip firewall raw
add action=notrack chain=prerouting comment="notrack ipsec to local" disabled=yes dst-address-list=localnet src-address-list=ipsec-remote
add action=notrack chain=prerouting comment="notrack local to ipsec" disabled=yes dst-address-list=ipsec-remote src-address-list=localnet

My question, do I have a glaring error in one of my rules? Or do I have a glaring error in the order of my rules? If not that, what debugging steps can I perform to figure out what went wrong?

Thank you in advance.
 
User avatar
erkexzcx
Member Candidate
Member Candidate
Topic Author
Posts: 223
Joined: Mon Oct 07, 2019 11:42 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sat Mar 27, 2021 10:03 pm

Hi,

Try to move below rules to the top and try again. Kill NordVPN IPSEC connection, clear conntrack list and try again.
add action=mark-connection chain=prerouting comment="Mark NordVPN IPSec traffic" connection-mark=!ipsec dst-address-list=!localnet,ipsec-remote new-connection-mark=NordVPN passthrough=yes src-address-list=NordVPN
add action=change-mss chain=forward connection-mark=NordVPN new-mss=64 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-64
also those rules seem a bit odd to me. Why MSS 0-64? Or like "connection-mark=!ipsec". I am not sure since your configuration has quite a lot of customization and it's hard to say from your rules.

Also try to get rid of killswitch implementation for testing. For testing I like wtfismyip.com website as it shows your public IP which will change when you start using NordVPN. :)
Linux <3
 
lenart
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Sat Jun 28, 2014 10:56 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sat Mar 27, 2021 11:20 pm

Hi,

Try to move below rules to the top and try again. Kill NordVPN IPSEC connection, clear conntrack list and try again.
add action=mark-connection chain=prerouting comment="Mark NordVPN IPSec traffic" connection-mark=!ipsec dst-address-list=!localnet,ipsec-remote new-connection-mark=NordVPN passthrough=yes src-address-list=NordVPN
add action=change-mss chain=forward connection-mark=NordVPN new-mss=64 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-64
also those rules seem a bit odd to me. Why MSS 0-64? Or like "connection-mark=!ipsec". I am not sure since your configuration has quite a lot of customization and it's hard to say from your rules.

Also try to get rid of killswitch implementation for testing. For testing I like wtfismyip.com website as it shows your public IP which will change when you start using NordVPN. :)
Thanks, I've just tried that but it didn't work as expected. The MTU clamping is set to 64 because that was the packet size that did not show up as corrupted in the Mikrotik ping tool. It is for testing purposes and should work well enough for ping messages.

I got rid of the 'connection-mark=ipsec' rules just to make sure that it didn't make a difference but that did not help either.

I have the sense that this is a firewall issue so your suggestion strengthens my suspicion. I think it would be best to redesign the firewall rules offline, clear the current ones and load the new set. Any tips on what diagnostics I can perform?
 
lenart
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Sat Jun 28, 2014 10:56 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Mon Mar 29, 2021 3:06 am

Found the solution for my setup, turns out I had the [notrack-chain] option set to [prerouting] and that didn't work at all. I changed it to [output] and suddenly everything started working like a charm.
peer=NordVPN peer auth-method=eap eap-methods=eap-mschapv2 mode-config=NordVPN 
      notrack-chain="output" certificate=NordVPN username=[username] 
      password=[password] generate-policy=port-strict policy-template-group=NordVPN
 
mark941
just joined
Posts: 1
Joined: Mon Mar 29, 2021 6:18 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Mon Mar 29, 2021 6:20 am

@lenart, thanks, it worked for me!
 
lenart
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Sat Jun 28, 2014 10:56 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Tue Mar 30, 2021 11:53 am

@lenart, thanks, it worked for me!
Great. I've revised my configuration after monitoring the firewall rules, though; it turns out that in this particular setup you don't need any no-track rules generated at all, so removing the no-track completely is the best advice. It's empty by default when creating a new identity, so that is why nothing shows up in any of the config rules at the top of this thread.
 
msatter
Forum Guru
Forum Guru
Posts: 2139
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Tue Mar 30, 2021 12:18 pm

I implemented it manually so I could do it all in one line for all expected IKEv2 connections. I use an address list, on which all external addresses are listed.
/ip firewall raw
add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic
add action=notrack chain=output protocol=ipsec-esp dst-address-list=IKEVtraffic
Traffic entering the connections will use costly processing time, and by NoTracking it the IPSEC traffic manager (policies?) of RouterOS will still grab it, but it won't be in connections. It gives you about 30% of saving in processor time used for IPSEC-ESP traffic. As you can see I have one line for incoming traffic (prerouting) and one for outgoing traffic (output).

ps. you don't have to use an address list if you don't have any other ipsec-esp traffic! Just No-Track all ipsec-esp traffic then.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS.

Running:
RouterOS 6.49Beta / Winbox 3.27 64bits
 
peruzzi
just joined
Posts: 1
Joined: Sun Mar 28, 2021 8:34 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Wed Mar 31, 2021 5:54 pm

Here are my IPSec settings
thank you!
 
evangelion69
just joined
Posts: 1
Joined: Tue Feb 18, 2020 1:04 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Fri May 14, 2021 12:06 am

Tip: username and password for NordVPN connection on router, is different than you using for log in their web page. Must use "Service credentials (manual setup)" from "https://my.nordaccount.com/pl/dashboard/nordvpn/"
 
User avatar
erkexzcx
Member Candidate
Member Candidate
Topic Author
Posts: 223
Joined: Mon Oct 07, 2019 11:42 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Mon May 31, 2021 8:34 pm

I've updated few steps and done general cleanup.

/ip firewall raw
add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic
add action=notrack chain=output protocol=ipsec-esp dst-address-list=IKEVtraffic
I cannot get this to work, even with simple "add action=notrack chain=output protocol=ipsec-esp" the bytes counter is just not increasing. What am I doing wrong? Regular rule above fasttrack works wonderfully tho...
Linux <3
 
msatter
Forum Guru
Forum Guru
Posts: 2139
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Tue Jun 01, 2021 12:33 am

The NordVPN server addresses need to be in that addresslist.

If you remove the need for the external addresses, the lines will notrack any IKEv2 traffic.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS.

Running:
RouterOS 6.49Beta / Winbox 3.27 64bits
 
ax0x01
just joined
Posts: 1
Joined: Wed Jun 02, 2021 12:35 am

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Wed Jun 02, 2021 12:49 am

Hey everyone,

I have a similar setup:
- Where a list of ip address go through VPN only
- The rest go through WAN
but for some reason I made fewer steps to get the same results, and it works (and no letters from the provider so far)

I was wondering, what did I miss, and how dangerous is my setup
# add to list
/ip firewall address-list add address=192.168.88.8 list=vpn_p2p_users

# create profile
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add name=NordVPN
/ip ipsec peer add address=us8657.nordvpn.com exchange-mode=ike2 name=us8657.nordvpn.com profile=NordVPN
/ip ipsec proposal add name=NordVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-override mode-config=NordVPN username=your_service_login password=*** peer=us8657.nordvpn.com policy-template-group=NordVPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

/ip ipsec mode-config add name=NordVPN responder=no src-address-list=vpn_p2p_users

# killswitch
/ip firewall nat add action=return chain=srcnat src-address-list=vpn_p2p_users

 
User avatar
erkexzcx
Member Candidate
Member Candidate
Topic Author
Posts: 223
Joined: Mon Oct 07, 2019 11:42 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Sat Jun 05, 2021 3:39 pm

Added this note to the main post:
Note 2: You might be able to route all traffic of the company, but you might end up routing 30-40% of the websites under NordVPN if the company uses popular hosting, e.g. Amazon AWS or Linode. For example, Mikrotik.com resolves to "159.148.147.196". A quick google revealed that Mikrotik has its own ASN which contains 512 IPs, or in other words, if you wish to access Mikrotik services/websites under NordVPN, you should add 159.148.147.0/24 and 159.148.172.0/24 to your address list using this (2nd) method.
Linux <3
 
aleksey34546
just joined
Posts: 4
Joined: Tue Apr 23, 2013 9:38 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Thu Jun 24, 2021 2:04 pm

I've updated few steps and done general cleanup.

/ip firewall raw
add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic
add action=notrack chain=output protocol=ipsec-esp dst-address-list=IKEVtraffic
I cannot get this to work, even with simple "add action=notrack chain=output protocol=ipsec-esp" the bytes counter is just not increasing. What am I doing wrong? Regular rule above fasttrack works wonderfully tho...
It works if you set a longer distance on the default route:
/ip dhcp-client
add default-route-distance=10 disabled=no interface=bridgeWAN
 
aleksey34546
just joined
Posts: 4
Joined: Tue Apr 23, 2013 9:38 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Thu Jun 24, 2021 2:06 pm

Hey everyone,

I have a similar setup:
- Where a list of ip address go through VPN only
- The rest go through WAN
but for some reason I made fewer steps to get the same results, and it works (and no letters from the provider so far)

I was wondering, what did I miss, and how dangerous is my setup
# add to list
/ip firewall address-list add address=192.168.88.8 list=vpn_p2p_users

# create profile
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add name=NordVPN
/ip ipsec peer add address=us8657.nordvpn.com exchange-mode=ike2 name=us8657.nordvpn.com profile=NordVPN
/ip ipsec proposal add name=NordVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-override mode-config=NordVPN username=your_service_login password=*** peer=us8657.nordvpn.com policy-template-group=NordVPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

/ip ipsec mode-config add name=NordVPN responder=no src-address-list=vpn_p2p_users

# killswitch
/ip firewall nat add action=return chain=srcnat src-address-list=vpn_p2p_users

looks pretty nice, can anyone more profound check the way especially the kill switch?
 
msatter
Forum Guru
Forum Guru
Posts: 2139
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Thu Jun 24, 2021 2:46 pm

The "kill-switch" uses a return which ends further processing by the lines that are underneath it in the NAT.

That traffic ends there if it can't be routed in another way. I prefer to tar-pit it or route it to a non-existing target (100.69.69.69).
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS.

Running:
RouterOS 6.49Beta / Winbox 3.27 64bits
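As an added example (not from the thread's author or from any poster): the srcnat return kill switch discussed above only stops masquerading, so a VPN-only client whose tunnel is down still has its packets handed to the WAN route with a private source address. A forward-chain drop that matches on the absence of an outbound IPsec policy blocks that egress explicitly; it assumes the `under_nordvpn` address list and the default `WAN` interface list, and the `novpn` connection mark is a hypothetical name for connections deliberately excluded from the tunnel.

```routeros
/ip firewall filter
# Kill switch (added example): drop anything from VPN-only clients that would
# leave via WAN without being caught by an outbound IPsec policy, i.e. when
# the NordVPN SA is down or the dynamic policy has not been generated yet.
# Place this rule ABOVE the defconf fasttrack rule so every packet is checked.
add chain=forward action=drop src-address-list=under_nordvpn \
    out-interface-list=WAN ipsec-policy=out,none connection-mark=!novpn \
    comment="killswitch: no plain-text egress for under_nordvpn clients"

# Verification (run from the router's terminal): disable the peer so the
# tunnel drops, then watch the rule's counters grow while a client browses.
# The client must lose connectivity instead of silently falling back to WAN.
/ip ipsec peer disable [find name="NordVPN peer"]
/ip firewall filter print stats where comment~"killswitch"
/ip ipsec peer enable [find name="NordVPN peer"]
```

Unlike the nat return, the drop also covers clients that the srcnat rule would never have reached, and the counters give a direct check that the switch is actually engaging.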
 
IJsblok
just joined
Posts: 1
Joined: Mon Jun 28, 2021 10:28 pm

Re: NordVPN (IPSEC/IKEv2) + killswitch (For ROS6)

Tue Jun 29, 2021 5:15 pm

Thanks for this great guide!
I set it up and it all works.
I chose the first option where ALL traffic is redirected through the VPN tunnel. But since my router is actually just a part of a small LAN, I cannot reach the other local subnets anymore from the subnet where I configured the VPN connection (10.0.1.0/24).
I already set up RIP for this. The Mikrotik router uses two bridges, one "untagged" and one with VLAN 50, which are trunked on one interface. The VPN connection is configured on the bridge with VLAN 50 in it.
I can reach all other subnets from the untagged bridge. Also, the VPN connection works fine over the VLAN 50 bridge. In the routing tables I can see all subnets routed. But since of course I configured all traffic to go through the VPN tunnel, including traffic meant for the local subnets, the connection is now effectively gone.

My question is: how can I pass ALL traffic through the tunnel, EXCEPT all traffic meant for 192.168.x.x?
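The two bypass questions in this thread (AWDGuy's multiple exceptions by destination and port, and the local 192.168.x.x subnets above) share one pattern: mark the exceptions first, then mark everything else for the tunnel. This is an added example, not configuration from the guide's author; it assumes the `under_nordvpn` address list from the guide and a mode-config that selects connections by the `under_nordvpn` connection mark, while the `novpn_dst` list, the `novpn` mark and all destination addresses are constructed placeholders.

```routeros
# Destinations that must bypass the tunnel (constructed sample values)
/ip firewall address-list
add list=novpn_dst address=192.168.0.0/16 comment="other local subnets"
add list=novpn_dst address=198.51.100.10 comment="work SSL VPN gateway (placeholder)"
add list=novpn_dst address=203.0.113.20 comment="FTPS web host (placeholder)"

/ip firewall mangle
# 1) Exceptions by destination address: evaluated first, and passthrough=no
#    so a bypassed connection never reaches the tunnel rule below.
add chain=prerouting action=mark-connection connection-state=new \
    src-address-list=under_nordvpn dst-address-list=novpn_dst \
    new-connection-mark=novpn passthrough=no comment="bypass by destination"

# 2) Exceptions by destination port: plain HTTP/HTTPS from the VPN clients
#    (location-sensitive sites). Add one rule per protocol/port set as needed.
add chain=prerouting action=mark-connection connection-state=new \
    src-address-list=under_nordvpn protocol=tcp dst-port=80,443 \
    new-connection-mark=novpn passthrough=no comment="bypass by dst-port"

# 3) Everything else from those clients gets the tunnel mark; connection-mark
#    no-mark keeps already-marked (bypassed) connections untouched.
add chain=prerouting action=mark-connection connection-state=new \
    src-address-list=under_nordvpn connection-mark=no-mark \
    new-connection-mark=under_nordvpn passthrough=yes comment="rest -> NordVPN"

# Check: bypassed connections should show the novpn mark and no IPsec policy
/ip firewall connection print where connection-mark=novpn
```

Connections carrying `novpn` are not selected by the mode-config, so they follow the normal routing table and the defconf masquerade; only rule 3's connections enter the IPsec policy.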
