Community discussions

MikroTik App
 
nixmd
just joined
Topic Author
Posts: 23
Joined: Mon Dec 21, 2020 7:56 pm

Wireguard VPN for specific domains

Thu Jan 27, 2022 7:26 pm

Hi,
My ISP has blocked access to some websites and services and I have to use a wireguard VPN if I want to open them. Until now I've been establishing the VPN connection on my computer but I want to configure my router to route requests to these specific blocked addresses through wireguard VPN connection. I have done some configurations but sometimes it doesn't work and other times it's very slow and unusable. I don't know what I did wrong. Please help me with this configuration.

I use TLS Host under mangle to detect target addresses to add them into a list of addresses and then another mangle rule to mark any connection to these addresses as a routing mark.
# jan/27/2022 20:45:56 by RouterOS 7.1.1
/ip firewall address-list
.
.
.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall mangle
add action=add-dst-to-address-list address-list=blklst address-list-timeout=none-dynamic chain=prerouting protocol=tcp tls-host=i.ytimg.com
add action=add-dst-to-address-list address-list=blklst address-list-timeout=none-dynamic chain=prerouting protocol=tcp tls-host=www.youtube.com
add action=add-dst-to-address-list address-list=blklst address-list-timeout=none-dynamic chain=prerouting protocol=tcp tls-host=yt3.ggpht.com
add action=add-dst-to-address-list address-list=blklst address-list-timeout=none-dynamic chain=prerouting content=googlevideo protocol=tcp
add action=mark-routing chain=prerouting connection-state=new dst-address-list=blklst new-routing-mark=rm.vpn-wg passthrough=no protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat realm=16384
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=10.66.66.220/24 interface=wg network=10.66.66.0
/interface wireguard
add listen-port=62120 mtu=1420 name=wg
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address= endpoint-port= interface=wg public-key=
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.66.66.220 routing-table=rm.vpn-wg suppress-hw-offload=no
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN for specific domains

Thu Jan 27, 2022 8:05 pm

Fasttrack and mangle rules don't go together. Simple solution is to disable fasttrack, but you may not want that, because it can be useful thing. Other solution is to not use fasttrack for connections over VPN. For that you need to first mark connections, instead of marking routing directly. Then you mark routing based on connection mark. And it will allow you to add condition to fasttrack rule, to only apply for connections that don't have connection mark for VPN.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19991
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN for specific domains

Thu Jan 27, 2022 8:41 pm

To be clear you want your PC behind the router which is behind the LIMITING ISP to reach some other location via Wireguard?
If so what are you connecting too? A third party VPN provider or your own MT Remote Router somewhere else ??
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN for specific domains

Thu Jan 27, 2022 8:52 pm

Why does it matter? It's simply WG tunnel to some other location with uncensored internet.
 
nixmd
just joined
Topic Author
Posts: 23
Joined: Mon Dec 21, 2020 7:56 pm

Re: Wireguard VPN for specific domains

Thu Jan 27, 2022 9:03 pm

To be clear you want your PC behind the router which is behind the LIMITING ISP to reach some other location via Wireguard?
If so what are you connecting too? A third party VPN provider or your own MT Remote Router somewhere else ??
YESSS!
Fasttrack and mangle rules don't go together. Simple solution is to disable fasttrack, but you may not want that, because it can be useful thing. Other solution is to not use fasttrack for connections over VPN. For that you need to first mark connections, instead of marking routing directly. Then you mark routing based on connection mark. And it will allow you to add condition to fasttrack rule, to only apply for connections that don't have connection mark for VPN.
I am a total n00b. Will you please help me with actual command to modify/add rules to my router? :D
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19991
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN for specific domains

Fri Jan 28, 2022 12:23 am

YEs to what,
- third party vpn y/n
- another MT device behind a diff ISP.

I am not as skilled Sob of understanding a problem unless I know intent and the current scenario in enough detail. Maybe one day!!
 
nixmd
just joined
Topic Author
Posts: 23
Joined: Mon Dec 21, 2020 7:56 pm

Re: Wireguard VPN for specific domains

Fri Jan 28, 2022 10:55 am

The peer is a linux server running wireguard.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19991
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN for specific domains

Fri Jan 28, 2022 1:41 pm

Okay........
So you want to establish a tunnel wit the originating end being the linux server somewhere on the internet.
The tunnel will connect to your router locally.
Then you want to be able from your PC behind the local router to enter the tunnel and go out the linux server internet to access web sites that your local ISP blocks.

+++++++++++++++++++++++++++++++++++++++++++\
Stated on the first post would have been golden!
+++++++++++++++++++++++++++++++++++++++++++

You have some EASY options which all have to do with IP routes, which is the challenging part of this.
a. move ALL internet traffic from the subnet on the local router that your PC is on, through the tunnel for internet traffic
b. move your PC to a different subnet and then route only your PC through the tunnel for all internet traffic.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A bit more work option
c. Make up enough dst-route rules to cover the IP address you want. Each address will probably require its own IP route.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Oh the Horror option
d. Mangle traffic from your PC and send that out the tunnel

Burns my gut that MIKROTIK will not include src-address-list OR dst-address-list in IP ROUTE RULES !!!!!!
 
gabacho4
Member
Member
Posts: 346
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: Wireguard VPN for specific domains

Fri Jan 28, 2022 1:50 pm

+1 for src-address-list OR dst-address-list in IP ROUTE RULES

@anav - has MikroTik officially said they won't do it or is it a feature request they just haven't gotten to? It would be massively helpful!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19991
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN for specific domains

Fri Jan 28, 2022 2:03 pm

I would do it russki style, ply Normis with booze and prostitutes and then use the photos to ensure all the changes I wanted were implemented. ;-)

Seriously, there is probably a good reason why they don't and I dont know enough about networking or RoS or both, to know better.
(Note: I am not quite vain enough to think, this is somehow a brilliant idea that they or nobody else has thought of and requested and assume if so, that it was subsequently rejected.)
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN for specific domains  [SOLVED]

Tue Feb 01, 2022 6:04 am

If you didn't find it yet, replace this:
/ip firewall mangle
add action=mark-routing chain=prerouting connection-state=new dst-address-list=blklst new-routing-mark=rm.vpn-wg passthrough=no protocol=tcp
With this:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address-list=blklst new-connection-mark=cm.vpn-wg passthrough=yes
add action=mark-routing chain=prerouting in-interface=bridge1 connection-mark=cm.vpn-wg new-routing-mark=rm.vpn-wg passthrough=no
And then add connection-mark=!cm.vpn-wg to fastrack rule.
 
nixmd
just joined
Topic Author
Posts: 23
Joined: Mon Dec 21, 2020 7:56 pm

Re: Wireguard VPN for specific domains

Tue Feb 01, 2022 7:53 pm

Thank you all.

Who is online

Users browsing this forum: Bing [Bot], ohn0n0n0 and 18 guests