 
SomeYoungGuy
Frequent Visitor
Topic Author
Posts: 70
Joined: Mon Oct 22, 2012 10:18 am

Route all traffic via VPN

Mon Jun 17, 2013 5:43 pm

OK, so I have a VPN client (MikroTik) connected to a VPN server (whatever), and the VPN client, with an IP of say 192.168.1.1, is our PCs' gateway... right, bog standard!

For whatever reason I want to route all my "internet" traffic via the VPN.
Now I cannot add another default route, something like dst: 0.0.0.0/0 gw: pptp-out1, since the router itself needs a default gateway to be able to establish the VPN in the first place.

So how do I identify only the "public internet" traffic? It should exclude 192.168... etc. I think it's called an A class network? (I can always specify a 10.0.0.0 range of IPs if I'm using any.)

I want to put some clever network in, like: Dst Address: X.Y.Z.0/A gw: pptp-out1

This would then identify any traffic heading for the internet and route it out via the VPN.
 
mixig
Member Candidate
Posts: 277
Joined: Thu Oct 27, 2011 2:19 pm

Re: Route all traffic via VPN

Mon Jun 17, 2013 7:20 pm

Step one: if you want to push public traffic through the VPN, create three address lists (private IP addresses):
/ip firewall address-list
add address=10.0.0.0/8 disabled=no list="Local subnet"
add address=172.16.0.0/12 disabled=no list="Local subnet"
add address=192.168.0.0/16 disabled=no list="Local subnet"
Then mark all internet traffic and exclude traffic which has a private IP as destination (assume that your LAN interface is ether1-LAN and your LAN range is 192.168.1.0/24). Be careful: the dst-address-list has a "!" mark, which means everything except private IP addresses (inversion).
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-address-list="!Local subnet" in-interface=ether1-LAN new-routing-mark=traffic_for_VPN passthrough=yes src-address=192.168.1.0/24
Step three: create a default route for that traffic (traffic which has the routing mark traffic_for_VPN from step 2) and change your gateway (in my case it is pptp-out1):
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=traffic_for_VPN scope=30 target-scope=10
So all traffic from your LAN will go through the VPN; the router will have its connection through the "normal default route".

You can adjust this configuration for yourself (range of private IP addresses)... etc.
 
tob
just joined
Posts: 2
Joined: Sat Mar 28, 2015 2:15 am

Re: Route all traffic via VPN

Sat Mar 28, 2015 2:19 am

Hello,

Is there a way to also route the traffic from the router itself to the VPN? That is, all communication from the LAN network and also from the router would be routed to the VPN.

I have properly configured routing from the LAN network to the VPN, but I'm not able to set up routing for the router itself.

Thank you.
 
tob
just joined
Posts: 2
Joined: Sat Mar 28, 2015 2:15 am

Re: Route all traffic via VPN

Sat Mar 28, 2015 2:24 am

Hello,

Is there a way to configure communication of the router itself to also be routed to the VPN? That is, all communication from the LAN and from the router itself would be routed to the VPN.

Currently, I have configured routing for the LAN network to the VPN, but I'm not able to configure routing for the router itself.

Thanks.
 
9wYDY
just joined
Posts: 4
Joined: Fri Feb 26, 2016 3:28 pm

Re: Route all traffic via VPN

Fri Feb 26, 2016 3:33 pm

Step one: if you want to push public traffic through the VPN, create three address lists (private IP addresses):
/ip firewall address-list
add address=10.0.0.0/8 disabled=no list="Local subnet"
add address=172.16.0.0/12 disabled=no list="Local subnet"
add address=192.168.0.0/16 disabled=no list="Local subnet"
Then mark all internet traffic and exclude traffic which has a private IP as destination (assume that your LAN interface is ether1-LAN and your LAN range is 192.168.1.0/24). Be careful: the dst-address-list has a "!" mark, which means everything except private IP addresses (inversion).
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-address-list="!Local subnet" in-interface=ether1-LAN new-routing-mark=traffic_for_VPN passthrough=yes src-address=192.168.1.0/24
Step three: create a default route for that traffic (traffic which has the routing mark traffic_for_VPN from step 2) and change your gateway (in my case it is pptp-out1):
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=traffic_for_VPN scope=30 target-scope=10
So all traffic from your LAN will go through the VPN; the router will have its connection through the "normal default route".

You can adjust this configuration for yourself (range of private IP addresses)... etc.

Is this at the same time a way to prevent any traffic from skipping the VPN? I want to be sure that specific traffic is not possible outside the VPN. In other words, if the VPN is not available etc., the traffic is not possible.
 
mrz
MikroTik Support
Posts: 6176
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Route all traffic via VPN

Fri Feb 26, 2016 3:48 pm

easiest way is to add specific route only to VPN server and default route over VPN.
 
astrae
just joined
Posts: 3
Joined: Sat Aug 16, 2014 11:31 am

Re: Route all traffic via VPN

Fri Feb 26, 2016 11:54 pm

easiest way is to add specific route only to VPN server and default route over VPN.
This is what I have done. Really simple.

My WAN interface is PPPoE. When setting this up I haven't created a default route.

I created a static route to the VPN server using the PPPoE gateway.

My VPN connection uses an L2TP client, so I created this and it connects to the VPN server using the static route.

Then create a default route 0.0.0.0/0 using the L2TP client as the gateway.

Easy, all traffic that isn't LAN traffic goes over the VPN.
 
asmadeus08
just joined
Posts: 1
Joined: Tue Oct 04, 2016 10:50 pm

Re: Route all traffic via VPN

Tue Oct 04, 2016 10:57 pm

I have the same problem but don't understand anything about Linux. I have already installed a VPN on an OpenVZ VPS and installed obfs on client/server. Now I need help from someone who can do what's described in the second post, because I want to set up all my router traffic to go through a remote VPN. Can anyone help me? My Skype ID - parsi19881
 
mackey22
just joined
Posts: 1
Joined: Sun Feb 11, 2018 4:25 pm

Re: Route all traffic via VPN

Sun Feb 11, 2018 4:36 pm

easiest way is to add specific route only to VPN server and default route over VPN.
Hi,
I am new here so hello everyone!
I have bought a new MikroTik router from Lithuania and I configured it as a VPN client. Now I am trying to redirect all my Wi-Fi devices to use the OpenVPN interface as the main gateway so the entire traffic would go through the VPN in Poland. The reason is that I am using a VPN in Poland and I would like to watch some services not available abroad. Thank you in advance.

Cheers
Cez
 
davidand
just joined
Posts: 7
Joined: Tue Aug 18, 2020 7:52 pm

Re: Route all traffic via VPN

Wed Sep 23, 2020 5:32 pm

Hi guys,

Is there any way to enhance the configuration below with a protection so that when a VPN connection is down, no packets are forwarded via the default gateway, - in other words, enforcing using the VPN connection?

Thanks.
Step one: if you want to push public traffic through the VPN, create three address lists (private IP addresses):
/ip firewall address-list
add address=10.0.0.0/8 disabled=no list="Local subnet"
add address=172.16.0.0/12 disabled=no list="Local subnet"
add address=192.168.0.0/16 disabled=no list="Local subnet"
Then mark all internet traffic and exclude traffic which has a private IP as destination (assume that your LAN interface is ether1-LAN and your LAN range is 192.168.1.0/24). Be careful: the dst-address-list has a "!" mark, which means everything except private IP addresses (inversion).
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-address-list="!Local subnet" in-interface=ether1-LAN new-routing-mark=traffic_for_VPN passthrough=yes src-address=192.168.1.0/24
Step three: create a default route for that traffic (traffic which has the routing mark traffic_for_VPN from step 2) and change your gateway (in my case it is pptp-out1):
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=traffic_for_VPN scope=30 target-scope=10
So all traffic from your LAN will go through the VPN; the router will have its connection through the "normal default route".

You can adjust this configuration for yourself (range of private IP addresses)... etc.
 
sindy
Forum Guru
Posts: 6658
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route all traffic via VPN

Wed Sep 23, 2020 5:53 pm

Is there any way to enhance the configuration below with a protection so that when a VPN connection is down, no packets are forwarded via the default gateway, - in other words, enforcing using the VPN connection?
Sure. The key is to add a type=blackhole default route with routing-mark=traffic_for_VPN and distance=20. While the VPN's virtual interface is active, the route through it (with a default value of distance which is 1) will be used; whenever that interface goes down and the route using it becomes inactive, the blackhole route becomes active.

Currently, as there is no other route in the routing table traffic_for_VPN, routing uses routing table main as a fallback.

PPTP has not been considered secure for years, so if you are really serious about privacy, don't use it.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
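
The route selection described in the last reply, as a simplified model added here for illustration (not part of any post and not RouterOS code): it shows marked traffic leaking through table main when the VPN route goes inactive, and failing closed once the distance=20 blackhole route exists. The gateway name wan-gateway and all function names are made up for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Route:
    table: str           # "main" or the routing mark the route is bound to
    gateway: str         # outgoing interface, or "blackhole"
    distance: int
    active: bool = True  # False while the gateway interface is down

def lookup(routes: List[Route], mark: Optional[str]) -> str:
    """Pick the gateway for a 0.0.0.0/0 lookup (simplified model)."""
    def best(table: str) -> Optional[Route]:
        live = [r for r in routes if r.table == table and r.active]
        return min(live, key=lambda r: r.distance) if live else None
    # A marked packet uses its own table first; if that table has no
    # active route, the lookup falls back to table main.
    chosen = (best(mark) if mark else None) or best("main")
    return chosen.gateway if chosen else "unreachable"

def build(vpn_up: bool, with_blackhole: bool) -> List[Route]:
    routes = [
        # "wan-gateway" is a hypothetical name for the normal default route.
        Route("main", "wan-gateway", 1),
        Route("traffic_for_VPN", "pptp-out1", 1, active=vpn_up),
    ]
    if with_blackhole:
        routes.append(Route("traffic_for_VPN", "blackhole", 20))
    return routes

def egress(vpn_up: bool, with_blackhole: bool,
           mark: Optional[str] = "traffic_for_VPN") -> str:
    return lookup(build(vpn_up, with_blackhole), mark)

if __name__ == "__main__":
    for vpn_up in (True, False):
        for bh in (False, True):
            print(f"vpn_up={vpn_up!s:5} blackhole={bh!s:5} -> {egress(vpn_up, bh)}")
    # A mark that matches no route (for example a misspelled one) also
    # falls back to main, so the mangle rule and the routes must agree.
    print("unmatched mark ->", egress(True, True, mark="traffic_for_VNP"))
```

The last case is worth checking on a real configuration: the value of new-routing-mark in the mangle rule must be spelled exactly like routing-mark on both the VPN route and the blackhole route, otherwise marked traffic silently uses the normal default route.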
