charlosg87

NordVPN on hEX and DNS leak

Sun May 28, 2023 9:11 am

Hello,
I need your help with the NordVPN.

I have configured it following the guide from the official page. All the traffic passes through the VPN, but I can't open the Netflix webpage. I wrote to NordVPN Support and they replied that there is a DNS leak.

My setup is: 192.168.0.1 (ISP router) -> 192.168.0.10 (ether1 Mikrotik) without DHCP Client.
Below you can find the whole configuration.

Thank you in advance for any help.

For any other information, I'm available.


# may/28/2023 02:12:05 by RouterOS 7.9
# software id = CZIJ-F045
#
# model = RB750Gr3
# serial number = CC210E29ED8C
# LAN bridge; ether2-ether5 are attached to it in the "/interface bridge port"
# section further down the export.
/interface bridge
add name=bridge1-LAN
# ether1 faces the ISP router (192.168.0.1). local-proxy-arp is presumably a
# leftover from the guide the poster followed -- confirm it is still required.
/interface ethernet
set [ find default-name=ether1 ] arp=local-proxy-arp
# One static L2TP server binding per road-warrior user; the matching
# "/ppp secret" entries are near the end of the export.
/interface l2tp-server
add name=vpn-Dubai_Stratoni user=charlos_stratoni
add name=vpn-alexis_ipad user=alexis_ipad
add name=vpn-alexis_iphone user=alexis_iphone
add name=vpn-alexis_iphone8 user=iphone8
add name=vpn-alexis_laptop user=alexis_laptop
add name=vpn-charis_disney user=charis_disney
add name=vpn-charlos_iPhone user=charlos_iPhone
add name=vpn-charlos_laptop_dxb user=charlos_laptop_dxb
add name=vpn-charlos_laptop_gr user=charlos_laptop_gr
add name=vpn-evangelia user=evangelia
add name=vpn-manolis user=manolis
add name=vpn-marmenex_iPhone user=marmenex_iPhone
add name=vpn-vivian-iphone user=vivian_iphone
# Interface list "WAN"; ether1 is added to it later in the export. The firewall
# rules below match on ether1 directly rather than on this list.
/interface list
add name=WAN
# Default wireless and hotspot entries. The RB750Gr3 has no wireless interface
# and no hotspot is configured in this export, so both are unused.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# NordVPN IKEv2 client side. The mode-config entry applies the NordVPN-assigned
# address/policy only to connections carrying the NordVPN connection-mark (set
# in "/ip firewall mangle"); traffic without that mark is not tunnelled.
/ip ipsec mode-config
add connection-mark=NordVPN name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
# The default profile still offers modp1024 and 3des; presumably kept for the
# L2TP/IPsec road-warrior clients -- confirm which clients still need them
# before tightening. The NordVPN profile uses RouterOS defaults.
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=\
    aes-256,aes-192,aes-128,3des
add name=NordVPN
/ip ipsec peer
add address=gr53.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
# The default proposal still lists 3des and single des; the NordVPN proposal
# accepts sha1 and has pfs-group=none. Review both against the provider's
# current recommendations; des in particular has no legitimate use left.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des
add auth-algorithms=sha256,sha1 name=NordVPN pfs-group=none
# Address pools: vpn_pool serves the L2TP clients, brigde_pool (sic) serves the
# LAN DHCP server.
/ip pool
add name=vpn_pool ranges=10.10.30.11-10.10.30.20
add name=brigde_pool ranges=10.30.1.11-10.30.1.25
/ip dhcp-server
add add-arp=yes address-pool=brigde_pool interface=bridge1-LAN lease-time=20m \
    name=dhcp1
/port
set 0 name=serial0
# Profile for the L2TP users; use-encryption=yes demands PPP encryption on top
# of the IPsec transport that the server section below makes mandatory.
/ppp profile
add change-tcp-mss=yes local-address=10.30.10.100 name=vpn-profile \
    remote-address=vpn_pool use-encryption=yes
# Disk logging target; "/system logging" below sends account events here.
/system logging action
add disk-file-name=flash/auth.log name=auth target=disk
/interface bridge port
add bridge=bridge1-LAN interface=ether2
add bridge=bridge1-LAN interface=ether3
add bridge=bridge1-LAN interface=ether4
add bridge=bridge1-LAN interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# L2TP server with IPsec mandatory. An export made without "show-sensitive"
# omits the IPsec pre-shared key and every other secret, so none appear here.
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add interface=ether1 list=WAN
# Static WAN address inside the ISP router's subnet; no DHCP client on ether1.
/ip address
add address=10.30.1.1/24 interface=bridge1-LAN network=10.30.1.0
add address=192.168.0.10/24 comment=WAN interface=ether1 network=192.168.0.0
# MikroTik cloud DDNS is enabled in addition to the Dynu/DuckDNS scripts below.
# use-local-address=yes presumably publishes the router's own WAN address
# (192.168.0.10, private, behind the ISP router) instead of the detected public
# one -- verify which address the cloud name is meant to carry.
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m
/ip cloud advanced
set use-local-address=yes
# LAN clients are handed the router itself (10.30.1.1) as resolver, so every
# client DNS lookup becomes a router-originated query to the servers below.
/ip dhcp-server network
add address=10.30.1.0/24 dns-server=10.30.1.1 gateway=10.30.1.1
# Upstream resolvers are NordVPN's. The NordVPN connection-mark is only set in
# the mangle prerouting chain, which router-originated traffic never passes
# through, so the router's own queries to these servers carry no mark, are not
# covered by the mode-config/IPsec policy, and most likely leave ether1 in
# clear text via the ISP router -- consistent with the DNS leak the poster
# reports. Remedies to verify on this RouterOS version: mark router-originated
# DNS in the mangle output chain as well, or use "/ip dns use-doh-server" so
# the queries are encrypted regardless of path.
# allow-remote-requests=yes makes the router a resolver for anyone who can
# reach it; the input-chain filter rules below block that on ether1.
/ip dns
set allow-remote-requests=yes servers=103.86.96.100,103.86.99.100
# Filter rules. RouterOS has no implicit drop: whatever is not matched here is
# accepted, so the input chain only blocks DNS from ether1 and otherwise leaves
# the router's services (winbox, L2TP/IKE, ...) reachable from the WAN side.
# Whether that is exposed to the Internet depends on port-forwards on the ISP
# router, which this export cannot show; explicit accepts for the needed
# services followed by "add action=drop chain=input in-interface=ether1" would
# make the policy unambiguous.
/ip firewall filter
# Keep outside hosts from using the router as an open resolver
# (allow-remote-requests=yes in /ip dns).
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
    ether1 protocol=tcp
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
    ether1 protocol=udp
# UDP/53 arriving on ether1 addressed to the router itself; largely overlaps
# the rule above.
add action=drop chain=input dst-address=192.168.0.10 dst-port=53 \
    in-interface=ether1 protocol=udp
# Output-chain rules. The TCP rule stops new DNS-over-TCP from the router via
# ether1. The UDP rule matches only dst-address=192.168.0.10 (the router's own
# WAN address), which a router-originated query to an external resolver never
# has, so plain UDP DNS still leaves ether1 -- looks like src-address was
# intended. Verify before changing: blocking it outright breaks resolution
# until the router's queries are actually carried through the tunnel.
add action=drop chain=output connection-state=new dst-port=53 out-interface=\
    ether1 protocol=tcp
add action=drop chain=output dst-address=192.168.0.10 dst-port=53 \
    out-interface=ether1 protocol=udp
# Established/related fast path for forwarded and router-bound traffic; no
# invalid-drop and no terminal drop follow in this export.
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
# Connection marks that drive the NordVPN mode-config policy. Order matters:
# the first rule marks every connection seen in prerouting as NordVPN, and the
# later rules re-mark (passthrough=yes) connections bound for the ISP-router
# LAN 192.168.0.0/24 so those stay outside the tunnel. Nothing here touches the
# router's own traffic (output chain); see the note at /ip dns.
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=NordVPN \
    passthrough=yes
# vpn-charlos_laptop_dxb not ready
add action=mark-connection chain=prerouting dst-address=192.168.0.0/24 \
    in-interface=vpn-charlos_laptop_dxb new-connection-mark=no-mark \
    passthrough=yes
# vpn-charlos_iPhone not ready
add action=mark-connection chain=prerouting dst-address=192.168.0.0/24 \
    in-interface=vpn-charlos_iPhone new-connection-mark=no-mark passthrough=\
    yes
add action=mark-connection chain=prerouting dst-address=192.168.0.0/24 \
    in-interface=bridge1-LAN new-connection-mark=no-mark passthrough=yes
# Only traffic to the ISP-router LAN is masqueraded here. The source address
# for tunnelled traffic comes from the mode-config exchange (presumably with a
# dynamically added NAT entry, which an export does not show).
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.0.0/24
# FTP and SIP connection-tracking helpers switched off.
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
# NordVPN client identity: EAP-MSCHAPv2 with the service credentials (the
# password is hidden by the export; the username is visible and, having been
# posted publicly, should be treated as half a leaked credential and rotated).
# certificate="" means no client certificate; the server side is only
# authenticated if the NordVPN CA certificate is present under /certificate,
# which this export does not show -- verify it is installed.
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=iCWzzzXeEPCDvMyvGsX4pPgg
# Catch-all template; generate-policy=port-strict above instantiates it from
# what the server proposes.
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
# Default route via the ISP router; tunnelled traffic is diverted by the IPsec
# policy, not by routing.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# Management services: only the listed ones are disabled. winbox and www-ssl
# are not listed, so they keep their defaults (winbox enabled, reachable from
# any address); restrict them with "address=" to the LAN if ether1 can be
# reached from outside the ISP router.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# L2TP users; passwords are hidden by the export. charis_disney has no
# profile= and therefore gets the default profile rather than vpn-profile --
# presumably an oversight, verify.
/ppp secret
add name=charlos_iPhone profile=vpn-profile service=l2tp
add name=marmenex_iPhone profile=vpn-profile service=l2tp
add name=alexis_iphone profile=vpn-profile service=l2tp
add name=alexis_laptop profile=vpn-profile service=l2tp
add name=alexis_ipad profile=vpn-profile service=l2tp
add name=charlos_laptop_dxb profile=vpn-profile service=l2tp
add name=charlos_stratoni profile=vpn-profile service=l2tp
add name=vivian_iphone profile=vpn-profile service=l2tp
add name=manolis profile=vpn-profile service=l2tp
add name=evangelia profile=vpn-profile service=l2tp
add name=iphone8 profile=vpn-profile service=l2tp
add name=charlos_laptop_gr profile=vpn-profile service=l2tp
add name=charis_disney service=l2tp
/system clock
set time-zone-name=Asia/Dubai
/system identity
set name=Dubai
# Account events (logins etc.) go to the "auth" disk action defined earlier;
# useful audit trail for the exposed services.
/system logging
add action=auth topics=account
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=gr.pool.ntp.org
# Schedulers. All three carry the complete policy set (including password,
# sensitive and policy), far more than the scripts they run need; trimming to
# what the scripts actually use limits what a compromised or mistyped script
# can do -- verify the minimal set for fetch/e-mail on this RouterOS version.
/system scheduler
add interval=1w name="Weekly Backup to email" on-event=\
    "/system script run email-backup" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/29/2022 start-time=00:15:00
add interval=30m name="DDNS update" on-event="/system script run Dynu\r\
    \n:delay 00:00:10\r\
    \n/system script run DuckDNS" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add name="DDNS update on reboot" on-event="/system script run Dynu\r\
    \n/system script run DuckDNS\r\
    \n:delay 00:00:30\r\
    \n/system script run Dynu\r\
    \n:delay 00:00:40\r\
    \n/system script run DuckDNS" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
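/system script
# Dynu DDNS updater (third-party script). Fetches the current public address
# from checkip.dyndns.org, compares it with what router-dubai.ddnsfree.com
# resolves to, and pushes an update to api.dynu.com only when they differ.
# Run by the "DDNS update" schedulers above. Password masked by the poster.
# Changed from the pasted original: the update call to api.dynu.com now uses
# mode=https so ddnsuser/ddnspass are no longer sent in clear text (add
# check-certificate=yes once a CA is imported -- verify), and the credentials
# are :local so they are not left behind in the global script environment.
# The checkip lookup stays plain http; it carries no secret. The trailing
# "} }" looks unbalanced -- verify the script still parses as intended.
add dont-require-permissions=no name=Dynu owner=charlos policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    #######################################\r\
    \n# DYNU DNS Script for Mikrotik Behind DSL\r\
    \n# 14th JAN-2015\r\
    \n# Syed Jahanzaib / aacable at hotmail dot com\r\
    \n# ####################################################\r\
    \n \r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n \r\
    \n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-\
    path=\"/dyndns.checkip.html\"\r\
    \n:local result [/file get dyndns.checkip.html contents]\r\
    \n \r\
    \n# parse the current IP result\r\
    \n:local resultLen [:len \$result]\r\
    \n:local startLoc [:find \$result \": \" -1]\r\
    \n:set startLoc (\$startLoc + 2)\r\
    \n:local endLoc [:find \$result \"</b\" -1]\r\
    \n:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
    \n#:log warning \"UpdateDynDNS: currentIP = \$currentIP\"\r\
    \n\r\
    \n\r\
    \n######################################################\r\
    \n \r\
    \n:local ddnsuser \"charlosg87\"\r\
    \n:local ddnspass \"********\"\r\
    \n:local ddnshost \"router-dubai.ddnsfree.com\"\r\
    \n:global ipddns [:resolve \$ddnshost];\r\
    \n#:global ipddns 1.2.3.4\r\
    \n\r\
    \n \r\
    \n:if (\$ipddns != \$currentIP) do={\r\
    \n:log info (\"DynuDDNS: IP-Dynu = \$ipddns\")\r\
    \n:log info (\"DynuDDNS: IP-Fresh = \$currentIP\")\r\
    \n:log info \"DynuDDNS: Update IP needed, Sending UPDATE...!\"\r\
    \n:global str \"/nic/update\?hostname=\$ddnshost&myip=\$currentIP\"\r\
    \n/tool fetch address=api.dynu.com src-path=\$str mode=https user=\$ddnsuse\
    r password=\$ddnspass dst-path=(\"/Dynu.\".\$ddnshost)\r\
    \n:delay 1\r\
    \n:global str [/file find name=\"Dynu.\$ddnshost\"];\r\
    \n/file remove \$str\r\
    \n:global ipddns \$currentIP\r\
    \n:log info \"DynuDDNS: IP updated to \$currentIP!\"\r\
    \n} else={\r\
    \n:log info \"DynuDDNS: dont need changes\";\r\
    \n} }"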
# DuckDNS updater (third-party script by Alexander Tebiev). Resolves the
# DuckDNS name, fetches the public address from api.ipify.org / my-ip.io over
# https, and calls the DuckDNS update URL when the two differ; retries once
# after 5 minutes if the update request fails. Token masked by the poster.
# Note: the "using GET request" log line writes the complete update URL --
# token included -- to the router log; consider removing that :log line.
add dont-require-permissions=no name=DuckDNS owner=charlos policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    ----------SCRIPT INFORMATION----------------------------------------------\
    -----\r\
    \n#\r\
    \n# Script:  Beeyev DuckDNS.org Dynamic DNS Update Script\r\
    \n# Version: 1.2\r\
    \n# Created: 29/07/2019\r\
    \n# Updated: 06/06/2021\r\
    \n# Author:  Alexander Tebiev\r\
    \n# Website: https://github.com/beeyev\r\
    \n#\r\
    \n#----------MODIFY THIS SECTION AS NEEDED--------------------------------\
    --------\r\
    \n\r\
    \n\r\
    \n# DuckDNS Sub Domain\r\
    \n:local duckdnsSubDomain \"router-dubai.duckdns.org\"\r\
    \n\r\
    \n# DuckDNS Token\r\
    \n:local duckdnsToken \"***************************\"\r\
    \n\r\
    \n# Set true if you want to use IPv6\r\
    \n:local ipv6mode false;\r\
    \n\r\
    \n# Online services which respond with your IPv4, two for redundancy\r\
    \n:local ipDetectService1 \"https://api.ipify.org/\"\r\
    \n:local ipDetectService2 \"https://api4.my-ip.io/ip.txt\"\r\
    \n\r\
    \n# Online services which respond with your IPv6, two for redundancy\r\
    \n:local ipv6DetectService1 \"https://api64.ipify.org\"\r\
    \n:local ipv6DetectService2 \"https://api6.my-ip.io/ip.txt\"\r\
    \n\r\
    \n\r\
    \n#-----------------------------------------------------------------------\
    --------\r\
    \n\r\
    \n:local previousIP; :local currentIP\r\
    \n# DuckDNS Full Domain (FQDN)\r\
    \n:local duckdnsFullDomain \"\$duckdnsSubDomain.duckdns.org\"\r\
    \n\r\
    \n:log warning message=\"START: DuckDNS.org DDNS Update\"\r\
    \n\r\
    \nif (\$ipv6mode = true) do={\r\
    \n\t:set ipDetectService1 \$ipv6DetectService1;\r\
    \n\t:set ipDetectService2 \$ipv6DetectService2;\r\
    \n\t:log error \"DuckDNS: ipv6 mode enabled\"\r\
    \n}\r\
    \n\r\
    \n# Resolve current DuckDNS subdomain ip address\r\
    \n:do {:set previousIP [:resolve \$duckdnsFullDomain]} on-error={ :log war\
    ning \"DuckDNS: Could not resolve dns name \$duckdnsFullDomain\" };\r\
    \n\r\
    \n# Detect our public IP adress useing special services\r\
    \n:do {:set currentIP ([/tool fetch url=\$ipDetectService1 output=user as-\
    value]->\"data\")} on-error={\r\
    \n\t\t:log error \"DuckDNS: Service does not work: \$ipDetectService1\"\r\
    \n\t\t#Second try in case the first one is failed\r\
    \n\t\t:do {:set currentIP ([/tool fetch url=\$ipDetectService2 output=user\
    \_as-value]->\"data\")} on-error={\r\
    \n\t\t\t:log error \"DuckDNS: Service does not work: \$ipDetectService2\"\
    \r\
    \n\t\t};\r\
    \n\t};\r\
    \n\t\r\
    \n\r\
    \n:log info \"DuckDNS: DNS IP (\$previousIP), current internet IP (\$curre\
    ntIP)\"\r\
    \n\r\
    \n:if (\$currentIP != \$previousIP) do={\r\
    \n\t:log info \"DuckDNS: Current IP \$currentIP is not equal to previous I\
    P, update needed\"\r\
    \n\t:log info \"DuckDNS: Sending update for \$duckdnsFullDomain\"\r\
    \n\t:local duckRequestUrl \"https://www.duckdns.org/update\\\?domains=\$du\
    ckdnsSubDomain&token=\$duckdnsToken&ip=\$currentIP&verbose=true\"\r\
    \n\t:log info \"DuckDNS: using GET request: \$duckRequestUrl\"\r\
    \n\r\
    \n\t:local duckResponse\r\
    \n\t:do {:set duckResponse ([/tool fetch url=\$duckRequestUrl output=user \
    as-value]->\"data\")} on-error={\r\
    \n\t\t:log error \"DuckDNS: could not send GET request to the DuckDNS serv\
    er. Going to try again in a while.\"\r\
    \n\t\t:delay 5m;\r\
    \n\t\t\t:do {:set duckResponse ([/tool fetch url=\$duckRequestUrl output=u\
    ser as-value]->\"data\")} on-error={\r\
    \n\t\t\t\t:log error \"DuckDNS: could not send GET request to the DuckDNS \
    server for the second time.\"\r\
    \n\t\t\t\t:error \"DuckDNS: bye!\"\r\
    \n\t\t\t}\r\
    \n\t}\r\
    \n\r\
    \n\t# Checking server's answer\r\
    \n\t:if ([:pick \$duckResponse 0 2] = \"OK\") do={\r\
    \n\t\t:log info \"DuckDNS: New IP address (\$currentIP) for domain \$duckd\
    nsFullDomain has been successfully set!\"\r\
    \n\t} else={ \r\
    \n\t\t:log warning \"DuckDNS: There is an error occurred during IP address\
    \_update, server did not answer with \\\"OK\\\" response!\"\r\
    \n\t}\r\
    \n\r\
    \n\t:log info \"DuckDNS: server answer is: \$duckResponse\"\r\
    \n} else={\r\
    \n\t:log info \"DuckDNS: Previous IP (\$previousIP) is equal to current IP\
    \_(\$currentIP), no need to update\"\r\
    \n}\r\
    \n\r\
    \n:log warning message=\"END: DuckDNS.org DDNS Update finished\""
# Weekly backup by e-mail (run by the "Weekly Backup to email" scheduler).
# Sends a binary backup and then an export. The binary backup holds the whole
# configuration including credentials; no password= is given to
# "/system backup save", so whether it is encrypted depends on this RouterOS
# version's default -- verify, and prefer an explicit password. "/export" is
# run twice (before and after the first e-mail); the second run is redundant.
# E-mail addresses masked by the poster.
add dont-require-permissions=no name=email-backup owner=charlos policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system backup save name=email_bk\r\
    \n:delay 00:00:05\r\
    \n/export file=backup\r\
    \n:delay 00:00:10\r\
    \ntool e-mail send file=email_bk.backup to=\"char******@gmail.com\" body=\
    \"Router Dubai weekly backup file attached.\"  \\\r\
    \n subject=\"RB750Gr3  \$[/system clock get date] at \$[/system clock get \
    time]  Backup\"\r\
    \n/export file=backup\r\
    \ntool e-mail send file=backup.rsc to=\"char*******@gmail.com\" body=\"Rout\
    er Dubai weekly backup file attached.\"  \\\r\
    \n subject=\"RB750Gr3  \$[/system clock get date] at \$[/system clock get \
    time]  Backup\"\r\
    \n:delay 00:00:30\r\
    \n/file remove email_bk.backup\r\
    \n/file remove backup.rsc"
# Outbound SMTP via Gmail with STARTTLS on 587; the SMTP password is hidden by
# the export and the user name is masked by the poster.
/tool e-mail
set address=smtp.gmail.com from="<Mk Dubai>" port=587 tls=starttls user=\
    charl******@gmail.com
charlosg87

Re: NordVPN on hEX and DNS leak

Wed May 31, 2023 5:56 pm

Hi everyone,
Any update?
Thank you
anav

Re: NordVPN on hEX and DNS leak

Wed May 31, 2023 6:15 pm

Use wireguard................. if NordVPN doesn't use wireguard, then they are in the dark ages.
