The goal: set up a VPN tunnel and pass traffic to certain sites through it.
I managed to do just that via a ProtonVPN IPsec tunnel a week ago. But, as of today, our government has started to block connections to the popular VPN providers (HOO-RAH!). As a result, my IPsec tunnel doesn't work anymore.
WireGuard still seems to work, though. I've managed to establish a connection to the server via the Windows client. So now I'm trying to set the thing up on my router.
I've kinda figured a few things out, but I'm still very new to WireGuard and RoS 7 routing (and routing in general) so I'm struggling to make sense of what I have to do in order for things to start working. On top of that, some of the issues might be due to my ISP's potential molestations of VPN connections.
Here are the pieces of the puzzle I've managed to put together:
/ip firewall
address-list add address=example.com list=PASS_THROUGH_VPN
mangle add action=mark-routing chain=prerouting dst-address-list=PASS_THROUGH_VPN new-routing-mark=through-vpn passthrough=yes
# WireGuard-related settings were taken from the ProtonVPN connection config
/interface wireguard
add listen-port=13231 mtu=1420 name=proton-vpn private-key=omitted
peers add allowed-address=0.0.0.0/0 endpoint-address=omitted endpoint-port=51820 interface=proton-vpn persistent-keepalive=25s public-key=omitted
/routing
table add disabled=no fib name=through-vpn
rule add action=lookup-only-in-table routing-mark=through-vpn table=through-vpn disabled=no
/ip
address add address=10.2.0.2/24 interface=proton-vpn network=10.2.0.0 # The address is taken from the connection config
route add dst-address=10.2.0.0/24 gateway=proton-vpn routing-table=through-vpn
route add dst-address=0.0.0.0/0 gateway=proton-vpn routing-table=through-vpn
# I suppose I need something like this, but I'm not yet sure what address and port to use. The rule is currently disabled
/ip firewall filter add action=accept chain=input comment="accept: wireguard peer" connection-state=new disabled=yes log=yes protocol=udp src-address=??? src-port=???
To me, it seems like I should be almost there. Almost, but not quite, apparently. I can ping 10.2.0.1 from the router (which is a remote ProtonVPN DNS server located in the same subnet as the interface), but the sites from the address-list won't open on the devices connected to the router. Where do I go from here? I'm not really sure how to start troubleshooting this. Any help would be greatly appreciated.
Thanks!
Router: hAP ac2
Firmware: RouterOS 7.2.3
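A complete version of the setup described in the post, as an added example (this is not the poster's config and not ProtonVPN's). It assumes the LAN hangs off an interface named bridge with subnet 192.168.88.0/24, that the default RouterOS firewall (established/related accept plus fasttrack) is in place, and that the tunnel address, endpoint and keys come from the provider's config file. It adds the two pieces the post's config is missing: source NAT onto the tunnel (LAN addresses are not routable inside it, so replies never come back), and keeping marked connections out of fasttrack (fasttracked packets skip mangle, so a per-packet mark-routing rule alone only catches the first packets of each flow). No input rule is needed for the handshake, because the router initiates the session to the peer's endpoint and the replies match the established/related accept.

```routeros
# Added example, not the original poster's config.
# Assumptions: LAN interface "bridge", LAN subnet 192.168.88.0/24,
# default RouterOS 7 firewall present, tunnel values from the provider config.

/interface wireguard
add name=proton-vpn listen-port=13231 mtu=1420 private-key="<from provider config>"
/interface wireguard peers
add interface=proton-vpn public-key="<peer public key>" endpoint-address=<peer host> \
    endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s

/ip address
add address=10.2.0.2/24 interface=proton-vpn

# Separate table whose only default route points into the tunnel.
# The lookup-only-in-table rule makes it fail closed: if the tunnel
# has no route, marked packets are dropped instead of leaking via the ISP.
/routing table
add name=through-vpn fib
/ip route
add dst-address=0.0.0.0/0 gateway=proton-vpn routing-table=through-vpn
/routing rule
add action=lookup-only-in-table routing-mark=through-vpn table=through-vpn

# Destinations to send through the tunnel. FQDN entries are resolved by
# the router's DNS, so clients should use the router as their resolver;
# otherwise a CDN may hand a client an address that is not in the list.
/ip firewall address-list
add list=PASS_THROUGH_VPN address=example.com

# Mark the connection once on its first packet, then mark routing on every
# LAN-originated packet of a marked connection. The in-interface match keeps
# reply packets arriving from the tunnel unmarked.
/ip firewall mangle
add chain=prerouting in-interface=bridge src-address=192.168.88.0/24 \
    dst-address-list=PASS_THROUGH_VPN connection-state=new \
    action=mark-connection new-connection-mark=vpn-conn passthrough=yes
add chain=prerouting in-interface=bridge connection-mark=vpn-conn \
    action=mark-routing new-routing-mark=through-vpn passthrough=no

# Source NAT onto the tunnel address; without this the far side cannot reply.
/ip firewall nat
add chain=srcnat out-interface=proton-vpn action=masquerade

# Keep marked connections out of the default fasttrack rule so every packet
# of those flows passes through mangle and gets its routing mark.
/ip firewall filter
set [find action=fasttrack-connection] connection-mark=no-mark

# Checks, in the order a missing piece shows up:
#   /interface wireguard peers print detail
#       last-handshake should be recent and rx/tx should grow
#   /ip route print where routing-table=through-vpn
#       the 0.0.0.0/0 route must be active (flag A), not unreachable
#   /ip firewall mangle print stats
#   /ip firewall nat print stats
#       both rules' packet counters must increase while a client opens example.com
#   /ip firewall connection print where connection-mark=vpn-conn
#       the client's connections should appear with reply-dst-address 10.2.0.2
```

If the mangle counters climb but the NAT counter stays at zero, the routing mark is not being honoured (check the table and rule); if the NAT counter climbs but nothing comes back, the tunnel itself is not passing traffic (check the handshake and MTU).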