igorch
just joined
Topic Author
Posts: 11
Joined: Fri May 13, 2022 8:23 am

How to get access to banned sites?

Wed May 18, 2022 10:04 am

Hello everyone.
I want to have access to banned sites in Russia through a Mikrotik hap2. I made a list of these sites.
I am trying to connect to these sites through a VPN.

/interface l2tp-client
add connect-to=public-vpn-134.opengw.net disabled=no name=VPN use-ipsec=yes use-peer-dns=exclusively user=vpn
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=2ip.ru list=VPN
add address=rutracker.org list=VPN
add address=svoboda.org list=VPN
add address=meduza.io list=VPN
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=VPN new-routing-mark=To_VPN passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=VPN
/ip route
add distance=1 gateway=VPN routing-mark=To_VPN

The VPN connection is up and running.
Ping to svoboda.org passes.
But svoboda.org doesn't open on the PC.
Could you suggest the right way?
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: How to get access to banned sites?

Wed May 18, 2022 11:44 am

Have you checked if the PC is using the DNS provided by the router? And change this use-peer-dns=exclusively to no.
 
igorch
just joined
Topic Author
Posts: 11
Joined: Fri May 13, 2022 8:23 am

Re: How to get access to banned sites?

Wed May 18, 2022 2:06 pm

Have you checked if the PC is using the DNS provided by the router? And change this use-peer-dns=exclusively to no.

I have checked my PC. It uses the router's DNS server, 8.8.8.8.
I changed use-peer-dns=exclusively to no,
but nothing changed.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: How to get access to banned sites?

Wed May 18, 2022 3:22 pm

Then check if it also works for non-censored sites.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to get access to banned sites?

Wed May 18, 2022 4:14 pm

I don't know how exactly they do the blocking, but if you want to get around that as reliably as possible, the PC shouldn't be using 8.8.8.8 as DNS server, unless you route traffic to 8.8.8.8 via VPN. Same for the router: if it has 8.8.8.8 as DNS, that should be accessed using the VPN, otherwise the ISP can tamper with it.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: How to get access to banned sites?

Wed May 18, 2022 4:41 pm

Thanks Sob, and then the easy way is to change "use-peer-dns" back to exclusively and remove 8.8.8.8 from the DNS settings by pushing the upper triangle after 8.8.8.8 until there are no static entries anymore. You are then using only the DNS provided by the VPN.

Having local router DNS go through the VPN is a bit more difficult.
/ip/firewall/mangle
add action=mark-routing chain=output dst-address=8.8.8.8 new-routing-mark=To_VPN passthrough=yes
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to get access to banned sites?

Wed May 18, 2022 5:13 pm

Well, sort of. The rule you posted is correct and simple. Also, the PC should use the router (probably 192.168.x.x) as its resolver.

The main problem is that if the blocking is DNS-based, you can't trust any regular non-encrypted DNS server before you connect to the VPN and use theirs. But if you want to connect to the VPN using a hostname, you need a working DNS server, which I guess works fine for the VPN's hostname. But if the router has a DNS server, it will also attempt to resolve the hostnames in the address list, and the IP addresses it gets can be wrong. They will get fixed later, after they expire and a new query uses the VPN's DNS, but you don't know how long that will take, unless you play with the router's cache-max-ttl (set it to a lower value, and after that time you can count on it being correct, if the VPN stayed connected). It's not a very nice solution, but it's simple.

Better but more complicated would be to start without any DNS resolver and use a script with [:resolve server=8.8.8.8 public-vpn-134.opengw.net] to update the server address in the L2TP client. And then make sure that any DNS request from the router uses the VPN:
/ip firewall mangle
add chain=output protocol=tcp dst-port=53 action=mark-routing new-routing-mark=To_VPN
add chain=output protocol=udp dst-port=53 action=mark-routing new-routing-mark=To_VPN
/ip route rule
add action=lookup-only-in-table routing-mark=To_VPN table=To_VPN
Another possibility would be to use DoH; it's exactly for situations like this. You can try https://1.1.1.1/dns-query, and if it's not blocked, it should be fine. Don't forget to enable certificate verification and load the required certificate (DigiCert Global Root CA from https://cacerts.digicert.com/DigiCertGl ... CA.crt.pem). I also thought about using it only for resolving the VPN server's address, but unfortunately it seems that when the router has a DoH server, it always prefers it, and not even the VPN's use-peer-dns=exclusively can override it.
 
igorch
just joined
Topic Author
Posts: 11
Joined: Fri May 13, 2022 8:23 am

Re: How to get access to banned sites?

Fri May 20, 2022 10:49 am

I did these rules:

/ip firewall mangle
add chain=output protocol=tcp dst-port=53 action=mark-routing new-routing-mark=To_VPN
add chain=output protocol=udp dst-port=53 action=mark-routing new-routing-mark=To_VPN
/ip route rule
add action=lookup-only-in-table routing-mark=To_VPN table=To_VPN

Then I entered the command resolve server=8.8.8.8 public-vpn-134.opengw.net in the terminal and I got an error:
failure: dns server failure

Site svoboda.org doesn't open.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to get access to banned sites?

Fri May 20, 2022 2:34 pm

I see my mistake with resolve; I'll come up with a better plan, but try the simple solution first, i.e. DoH. Download the linked certificate, upload it to the router and import it:
/certificate import file-name=DigiCertGlobalRootCA.crt.pem
Then enable DoH:
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
And see if it helps.
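The DNS hardening discussed in the last few posts, collected into one RouterOS configuration. This is an added example, not configuration from the thread or from MikroTik; it assumes RouterOS v6 syntax (as in the earlier posts), that the DigiCert root certificate file has already been uploaded to the router, that the LAN is 192.168.88.0/24 with the router at 192.168.88.1, and that the routing mark To_VPN and the L2TP interface VPN exist as in the first post. The security point is that the router's own lookups are what populate the address list, so those lookups must be the ones the ISP cannot see or rewrite: DoH with certificate verification for the normal path, and a policy route for any plain port-53 traffic that still leaves the router.

```routeros
# Added example (not from the thread). Assumes RouterOS v6, LAN 192.168.88.0/24,
# router 192.168.88.1, routing mark To_VPN, interface VPN, certificate already uploaded.

# 1. Trust anchor for DoH. Without verify-doh-cert=yes an upstream that intercepts
#    443 could present any certificate for 1.1.1.1 and the router would accept it.
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""

# 2. Resolve everything (address-list hostnames included) over DoH instead of
#    plain port 53. A short cache-max-ttl limits how long a wrong answer that was
#    cached before the VPN came up can stay in the address list.
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes allow-remote-requests=yes cache-max-ttl=5m

# 3. Any plain DNS the router still sends (for example if DoH is unreachable)
#    is policy-routed into the tunnel rather than to the ISP.
/ip firewall mangle
add chain=output protocol=udp dst-port=53 action=mark-routing new-routing-mark=To_VPN comment="router DNS via VPN"
add chain=output protocol=tcp dst-port=53 action=mark-routing new-routing-mark=To_VPN comment="router DNS via VPN"

# 4. Marked traffic must not fall back to the main table while the VPN is down,
#    otherwise it silently leaks to the ISP instead of failing.
/ip route rule
add action=lookup-only-in-table routing-mark=To_VPN table=To_VPN

# 5. Hand out the router as the only resolver, so the PC and the address list
#    are fed from the same cache and see the same answers.
/ip dhcp-server network set [find] dns-server=192.168.88.1
```

To check that the pieces are in effect: `/ip dns print` should show the DoH server and verify-doh-cert=yes, `/ip dns cache print` should fill with entries for the address-list hostnames after a lookup, and `/ip firewall address-list print` should show the resolved addresses under list VPN. If the PC still resolves through another server, the address list and the PC can disagree and the mangle rule never matches.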
 
igorch
just joined
Topic Author
Posts: 11
Joined: Fri May 13, 2022 8:23 am

Re: How to get access to banned sites?

Fri May 20, 2022 6:28 pm

I did it. I checked DoH on https://1.1.1.1/help. DoH works. Some banned sites open and other banned sites don't open. For example, https://meduza.io/ opens and svoboda.org doesn't open.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to get access to banned sites?

Fri May 20, 2022 9:49 pm

And did you change your PC's DNS resolver address to this router? It seems that svoboda.org uses many different addresses with very short TTLs, and they are different depending on who asks. So for it to work, it's important that you have the same source for both the router (for the address list) and the PC. And the most reliable way is if the PC has the router as its resolver, because it then gets data from the router's cache.
 
igorch
just joined
Topic Author
Posts: 11
Joined: Fri May 13, 2022 8:23 am

Re: How to get access to banned sites?

Fri May 20, 2022 10:58 pm

I saw that the VPN connection speed of my Mikrotik client is very, very slow. If I connect to the VPN server from my PC, the VPN connection speed is normal, and all banned sites open. Maybe this is the reason?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to get access to banned sites?

Sat May 21, 2022 12:09 am

Very, very slow can happen if you use mangle rules to change routing like you do, and at the same time you have fasttrack enabled (a rule with action=fasttrack-connection).
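The fasttrack interaction described above, with a fix, as an added example that is not from the thread or from MikroTik. It assumes RouterOS v6 syntax, the VPN address list and To_VPN routing mark from the first post, and the default firewall layout where a fasttrack-connection rule sits near the top of the forward chain. Fasttracked packets bypass the mangle table, so a per-packet dst-address-list mark-routing rule only catches the first packets of a connection; the rest take the default route, and the mixed paths look like an extremely slow tunnel. Marking the connection once and excluding marked connections from fasttrack keeps every packet of a VPN-bound flow on the VPN path.

```routeros
# Added example (not from the thread). Assumes RouterOS v6, address list VPN,
# routing mark To_VPN, and an existing fasttrack-connection rule in the forward chain.

/ip firewall mangle
# Tag the connection on its first packet only; later packets inherit the tag
# through conntrack even if they never touch mangle again.
add chain=prerouting connection-state=new dst-address-list=VPN action=mark-connection new-connection-mark=VPN_conn passthrough=yes comment="tag connections to the VPN list"
# Derive the routing mark from the connection mark for every packet of the flow.
add chain=prerouting connection-mark=VPN_conn action=mark-routing new-routing-mark=To_VPN passthrough=no comment="policy-route tagged connections"

/ip firewall filter
# Keep fasttrack for ordinary LAN traffic, but never for VPN-tagged connections;
# those must stay on the slow path so the routing mark is honoured on every packet.
set [find action=fasttrack-connection] connection-mark=!VPN_conn
```

After applying this, `/ip firewall connection print where connection-mark=VPN_conn` should list flows to the address-list hosts, and `/ip firewall filter print stats` should show the fasttrack rule's counters still growing for non-VPN traffic. Throughput to the VPN-routed hosts is then limited by the hAP's L2TP/IPsec performance rather than by packets taking two different routes.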
 
kevinds
Long time Member
Posts: 641
Joined: Wed Jan 14, 2015 8:41 am

Re: How to get access to banned sites?

Mon May 23, 2022 8:58 pm

I saw that the VPN connection speed of my Mikrotik client is very, very slow. If I connect to the VPN server from my PC, the VPN connection speed is normal, and all banned sites open. Maybe this is the reason?
VPN on Mikrotik can be very, very slow depending on the settings used; something for you to fix.
