I'm having trouble routing the system DNS through the IPsec VPN tunnel.
Any DNS requests made by the router itself are routed through the default gateway and not the VPN tunnel, and, on the other hand, any DNS requests made from the local network (except the router) end up in the VPN tunnel.
Below is my config. Peer DNS is disabled in the PPP and IPsec config.
/interface pppoe-client add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=<USER>
/ip dns set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
/ip ipsec mode-config add connection-mark=VPN name=VPN responder=no src-address-list=local use-responder-dns=no
/ip ipsec policy group add name=VPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer add address=si.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN send-initial-contact=no
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate=*7 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=VPN peer=ProtonVPN policy-template-group=VPN username=<USER>
/ip ipsec policy set 0 disabled=yes
/ip ipsec policy add action=none comment="Fixes MTU problems on IPSec tunnel" dst-address=192.168.0.0/24 src-address=0.0.0.0/0
/ip ipsec policy add comment=ProtonVPN group=VPN proposal=ProtonVPN template=yes
/ip firewall address-list add address=192.168.0.0/24 list=local
/ip firewall address-list add address=208.67.220.220 list=OpenDNS
/ip firewall address-list add address=208.67.222.222 list=OpenDNS
/ip firewall mangle add action=mark-connection chain=prerouting comment="VPN Routing" dst-address-list=OpenDNS new-connection-mark=VPN passthrough=yes
chain=srcnat action=src-nat to-addresses=10.1.2.57 src-address-list=local dst-address-list=!local connection-mark=VPN
/ip firewall mangle add action=passthrough chain=postrouting dst-address-list=OpenDNS log=yes log-prefix=DNS
DNS postrouting: in:(unknown 0) out:pppoe-out1, proto UDP, MY_EXTERNAL_IP:54491->208.67.220.220:53, len 57
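One way to cover the router's own DNS queries, as an added example that is not part of the original post: packets the router generates itself never pass through the prerouting chain, so the prerouting mark-connection rule in the config above only covers LAN clients. Router-originated traffic has to be marked in chain=output. In addition, the srcnat rule that mode-config generates only matches src-address-list=local, and the router's own queries leave with the PPPoE address as source, so they also need a source address in that list. The pref-src routes below assume the router's LAN address is 192.168.0.1; that address, the DNS-IPSEC log prefix and the rule comments are assumptions for this example, not values from the post.

```routeros
# Added example, not from the original post. Assumes the OpenDNS address
# list and the VPN connection mark from the post exist, and that the
# router's own LAN address is 192.168.0.1 (assumption).

# 1. Mark router-originated DNS connections. Locally generated packets
#    traverse the output chain, not prerouting, so the existing
#    prerouting rule never sees them.
/ip firewall mangle add chain=output action=mark-connection dst-address-list=OpenDNS new-connection-mark=VPN passthrough=yes comment="VPN Routing (router's own DNS)"

# 2. Make the router source its DNS queries from a LAN address so the
#    mode-config srcnat rule (src-address-list=local, connection-mark=VPN)
#    matches them and rewrites the source to the mode-config address.
#    Assumption: 192.168.0.1 is the router's address on the LAN.
/ip route add dst-address=208.67.220.220/32 gateway=pppoe-out1 pref-src=192.168.0.1
/ip route add dst-address=208.67.222.222/32 gateway=pppoe-out1 pref-src=192.168.0.1

# 3. Check: log only those router-originated DNS packets that are matched
#    by an outbound IPsec policy. A query that bypasses the tunnel is not
#    logged here, which distinguishes it from the plain postrouting log.
/ip firewall mangle add chain=output action=passthrough dst-address-list=OpenDNS ipsec-policy=out,ipsec log=yes log-prefix=DNS-IPSEC

# 4. Verify that the connections carry the mark and that the SA is
#    actually moving bytes.
/ip firewall connection print where connection-mark=VPN
/ip ipsec installed-sa print
```

The order matters: the output-chain mark must exist before the srcnat rule is evaluated, and the pref-src route only takes effect for new queries, so clear the DNS cache (/ip dns cache flush) or wait for existing connection-tracking entries to expire before judging the result.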