Xtreme512
Member Candidate
Topic Author
Posts: 119
Joined: Sun Jun 08, 2014 2:43 pm
Location: Nicosia, CY

Creating proxy for VPN (Wireguard updated script)

Tue Feb 02, 2021 9:23 pm

So I created an IKEv2/IPSec tunnel for VPN and it worked. I can specify local IPs to put them on the VPN with
/ip ipsec mode-config add name=VPN responder=no src-address-list=vpnclients

I want to go further and make a proxy IP:Port to enter in Chrome/Firefox that will put me on the VPN above. So it will be a browser-wide VPN and I won't have to add/remove additional clients in my vpnclients list unless I want a system-wide VPN.

How can I accomplish that? Is it possible?
Last edited by Xtreme512 on Tue Aug 23, 2022 9:10 pm, edited 1 time in total.
 
Xtreme512

Re: Creating proxy for VPN access

Fri Feb 05, 2021 3:56 am

I tried natting, marking routing, forwarding to a socks5 proxy I created, but it didn't work... Still couldn't figure out how to forward it to my VPN.
 
CrashOverkill
just joined
Posts: 1
Joined: Wed Mar 31, 2021 9:35 pm

Re: Creating proxy for VPN access  [SOLVED]

Thu Apr 01, 2021 12:42 am

Hi,

I wanted to accomplish pretty much the same thing. I ended up using the built-in Web Proxy with a dedicated VLAN, then marking the outgoing traffic with a routing mark and routing that traffic through the IPSec interface. I created the VLAN only to add an IP address to it, which in turn I then use as the src-address for the proxy traffic.

/interface l2tp-client
add connect-to=[vpn server] disabled=no ipsec-secret=[shared secret] name=my_vpn password=[password] use-ipsec=yes user=[username]
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
/ip address
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
/ip proxy
set anonymous=yes enabled=yes src-address=192.168.100.1
/ip firewall mangle
add action=mark-routing chain=output new-routing-mark=through_vpn passthrough=yes src-address=192.168.100.1
/ip route
add distance=1 gateway=my_vpn routing-mark=through_vpn

Now you can point your browser to the proxy at [router ip address]:8080 and the traffic will be routed through the vpn. If you want to catch all web traffic without configuring the proxy in your browser you could make the proxy transparent: https://wiki.mikrotik.com/wiki/Manual:I ... on_example

I hope that helps.
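
The configuration above enables the web proxy without any access rule, so anything that can reach port 8080 on the router can use it. One way to restrict it to the LAN, as an added example that is not part of the original post; the 192.168.0.0/24 client subnet is an assumption, and bridge is the LAN bridge name used in the post:

```routeros
# Added example, not from the original post.
# Assumption: LAN clients are in 192.168.0.0/24; replace with your own subnet.

# Proxy access rules are evaluated top to bottom and the first match wins.
/ip proxy access
add action=allow src-address=192.168.0.0/24 comment="LAN clients may use the proxy"
add action=deny comment="everyone else is refused"

# Drop proxy connections that arrive on anything but the LAN bridge.
# Move this rule above any broader accept rule in the input chain.
/ip firewall filter
add chain=input protocol=tcp dst-port=8080 in-interface=!bridge action=drop comment="web proxy only from LAN"

# Checks: the access rules and their hit counters, and the live proxy connections.
/ip proxy access print
/ip proxy connections print
```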
 
Xtreme512

Re: Creating proxy for VPN access

Sun Apr 04, 2021 8:12 pm

Thanks for the reply, and it worked thank you! Though I did not use L2TP because ProtonVPN doesn't support it. I'm using IKEv2 and the only thing I changed from your script is:

1) I didn't enter this
/interface l2tp-client add connect-to=[vpn server] disabled=no ipsec-secret=[shared secret] name=my_vpn password=[password] use-ipsec=yes user=[username]
2) For routing, gateway should be the IP of ProtonVPN's automatic dst-address in the route list already available, so it was in my case 10.1.0.0 and gateway should be 10.1.0.1
/ip route add gateway=10.1.0.1 routing-mark=through_vpn

Thanks again! I didn't know it was doable via web-proxy, I've been trying to figure it out with socks v5.
 
Xtreme512

Re: Creating proxy for VPN access

Mon Apr 05, 2021 8:02 pm

It's working only for Google, as I search for "my ip" and I see it's the VPN's, but site loading is painfully slow and it mostly times out.
The VLAN gets no hits in the transfer counter either. Something's not right, I wonder how you would configure this with IKEv2 as in my case?

Edit: it could be the VPN server, I tried different free Proton servers and some of them worked. No timeouts etc. So I guess I can finish this topic.
 
Xtreme512

Re: Creating proxy for VPN access

Mon Aug 22, 2022 4:45 pm

Now we have v7, OpenVPN UDP support plus WireGuard... I will do this proxy in WireGuard. I'll keep this posted.

Edit: well, WireGuard didn't work.. traffic is there but no internet.. not resolving the DNS maybe, idk. I will try OpenVPN UDP later.
 
Xtreme512

Re: Creating proxy for VPN access

Tue Aug 23, 2022 9:08 pm

I managed to run WireGuard finally... I'm using ProtonVPN, you can just sign up for free and get the configs from their page based on your country selection etc.
#your clients to go out through vpn
/ip firewall address-list add address=192.168.0.0/24 list=under_protonvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_protonvpn new-connection-mark=under_protonvpn passthrough=yes

/interface/wireguard/add name=protonwg01 private-key="paste_here" comment="ProtonVPN interface"
/interface/wireguard/peers/add endpoint-address=paste_here endpoint-port=51820 public-key="paste_here" allowed-address=0.0.0.0/1,128.0.0.0/1 interface=protonwg01

/ip/address/add address=10.2.0.2/30 interface=protonwg01
#set 10.2.0.1 dns in your clients dhcp server...

/routing/table/add name=protonvpn_wg fib
/ip/firewall/mangle/add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_wg passthrough=yes
/ip/route/add routing-table=protonvpn_wg dst-address=0.0.0.0/0 gateway=protonwg01 comment="ProtonVPN Wireguard default route"
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_protonvpn tcp-flags=syn tcp-mss=!0-1375
/ip firewall nat add chain=srcnat action=masquerade out-interface=protonwg01
And furthermore, to make it act like a proxy for browsers on your router's IP:8080
/interface vlan add interface=bridge1 name=vlan100 vlan-id=100
/ip address add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
/ip proxy set anonymous=yes enabled=yes src-address=192.168.100.1
#RouterOS v7: the routing table must exist before a mangle rule or a route can reference it
/routing table add name=through_vpn fib
/ip firewall mangle add action=mark-routing chain=output new-routing-mark=through_vpn passthrough=yes src-address=192.168.100.1
#RouterOS v7 routes take routing-table= in place of the v6 routing-mark= parameter
/ip route add distance=1 gateway=protonwg01 routing-table=through_vpn

You can watch/prioritize this by creating specific mangle rules as you wish for your QoS tree.
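
Two additions that keep the marked client traffic inside the tunnel, as an added example that is not part of the original post: a backup blackhole route so the protonvpn_wg table fails closed, and dst-nat rules that pin client DNS to 10.2.0.1. It assumes RouterOS v7 and the names used in the post above.

```routeros
# Added example, not from the original post. Assumes RouterOS v7 and the
# names used above: table protonvpn_wg, list under_protonvpn, DNS 10.2.0.1.

# 1) Fail closed. When a lookup finds no active route in protonvpn_wg it
#    continues in the main table, i.e. out the normal WAN. A blackhole
#    default with a higher distance is used only while the protonwg01
#    route is inactive (for example when the interface is disabled),
#    and discards the traffic instead of leaking it.
/ip/route/add routing-table=protonvpn_wg dst-address=0.0.0.0/0 blackhole distance=254 comment="fail closed when protonwg01 is down"

# 2) Pin DNS. Clients that ignore the DHCP-supplied resolver would send
#    queries elsewhere; rewrite every port-53 request from the VPN
#    clients to the resolver reached through the tunnel.
/ip/firewall/nat/add chain=dstnat src-address-list=under_protonvpn protocol=udp dst-port=53 action=dst-nat to-addresses=10.2.0.1 comment="VPN clients: DNS via tunnel"
/ip/firewall/nat/add chain=dstnat src-address-list=under_protonvpn protocol=tcp dst-port=53 action=dst-nat to-addresses=10.2.0.1 comment="VPN clients: DNS via tunnel"

# Checks: the table should list the protonwg01 route as active with the
# blackhole as backup, and the dst-nat counters should rise on lookups.
/ip/route/print where routing-table=protonvpn_wg
/ip/firewall/nat/print stats
```

A second policy table, such as the one used for the proxy, needs its own blackhole route.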
 
Rarnaie
just joined
Posts: 1
Joined: Wed Dec 21, 2022 12:49 pm

Re: Creating proxy for VPN (Wireguard updated script)

Wed Dec 21, 2022 12:50 pm

There isn't a drawback. In some circumstances, I've discovered that using a private proxy and VPN together is faster than using a VPN alone.
