 
KiwiBloke
newbie
Topic Author
Posts: 29
Joined: Sat Jan 27, 2024 10:25 am

Script required for wireguard and dns...

Mon Jan 27, 2025 12:37 pm

Hi all, this evening I successfully configured Proton VPN to my router, however I quickly found a limitation when I wanted to watch ondemand TV from our location. Naturally, with the VPN active our local ondemand video outlets wouldn't work.

I have since discovered that simply disabling both the WireGuard interface and peers, along with changing the DNS server to 1.1.1.1, turns off the VPN and therefore lets me stream local on-demand content.

So, what I'd like to do now is create a script that will disable WireGuard and peers and also change the DNS to 1.1.1.1. It would then make sense to have another script that I could run which would enable both WireGuard and peers and change the DNS back to Proton's.

This would make it much easier for me to run the script in Winbox to disable VPN and then enable it again when ready.

Hoping someone can help.

Cheers.
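The two toggle scripts the opening post asks for, written out here as an added example (not code from the thread, from MikroTik or from Proton). The interface name wireguard-inet is taken from the export KiwiBloke posts later in the thread; x.x.x.x stands in for Proton's resolver address, which the thread never shows. The later replies recommend policy routing instead of toggling the tunnel, but this is the literal request:

```routeros
# Added example: two RouterOS scripts, one per System > Scripts entry (policy read,write).
# "wireguard-inet" is the interface name from the export in this thread.

# ---------- script "vpn-off": leave the tunnel, resolve via 1.1.1.1 ----------
/interface wireguard peers disable [find interface="wireguard-inet"]
/interface wireguard disable [find name="wireguard-inet"]
# With the interface disabled, the 0.0.0.0/1 and 128.0.0.0/1 routes via 10.2.0.1
# become inactive and the DHCP default route on ether1 carries traffic again.
/ip dns set servers=1.1.1.1
# Drop cached answers that were obtained through the tunnel.
/ip dns cache flush
:log info "vpn-off: WireGuard disabled, DNS set to 1.1.1.1"

# ---------- script "vpn-on": restore the tunnel and the provider's resolver ----------
# Placeholder: replace x.x.x.x with the resolver from the Proton configuration.
:local protonDns "x.x.x.x"
/interface wireguard enable [find name="wireguard-inet"]
/interface wireguard peers enable [find interface="wireguard-inet"]
/ip dns set servers=$protonDns
/ip dns cache flush
:log info ("vpn-on: WireGuard enabled, DNS set to " . $protonDns)
```

Each script logs what it did, so the router's log shows when the VPN was off and for how long; that log line is the quickest way to confirm which state the router is in before streaming or before assuming traffic is tunnelled.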
 
ConnyMercier
Forum Veteran
Posts: 777
Joined: Tue Dec 17, 2019 1:08 pm

Re: Script required for wireguard and dns...

Mon Jan 27, 2025 9:58 pm

Wouldn't it be easier to keep the VPN active, but create exceptions for specific devices, for example
your TV that streams the OnDemand content?

Alternatively, a better solution could be to identify the connections needed for your OnDemand services
and create an alternate route that doesn't go through the VPN ...
 
KiwiBloke
newbie
Topic Author
Posts: 29
Joined: Sat Jan 27, 2024 10:25 am

Re: Script required for wireguard and dns...

Tue Jan 28, 2025 11:47 pm

Alternatively, a better solution could be to identify the connections needed for your OnDemand services
and create an alternate route that doesn't go through the VPN ...
That sounds far better! Thanks Conny.

Any chance you could help with that please?
 
ConnyMercier
Forum Veteran
Posts: 777
Joined: Tue Dec 17, 2019 1:08 pm

Re: Script required for wireguard and dns...

Wed Jan 29, 2025 2:09 am

Can you provide an export of your router?
(/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.))
 
KiwiBloke
newbie
Topic Author
Posts: 29
Joined: Sat Jan 27, 2024 10:25 am

Re: Script required for wireguard and dns...

Wed Jan 29, 2025 4:07 am

Thanks Conny, here it is...
# 2025-01-29 14:57:39 by RouterOS 7.17
# software id = ZIP9-864Y
#
# model = RB952Ui-5ac2nD
/interface bridge
add admin-mac=xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-eC \
    country="new zealand" disabled=no distance=indoors frequency=2472 \
    installation=indoor mode=ap-bridge ssid=NeverUMind wireless-protocol=\
    802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-onlyac \
    channel-width=20/40/80mhz-eCee country="new zealand" disabled=no \
    distance=indoors frequency=5260 installation=indoor mode=ap-bridge ssid=\
    NeverUMind wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add name="name=guestcfg ssid=\"Guest\" \\"
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=4A:8F:5A:20:34:C7 master-interface=wlan2 name=\
    wlan3 security-profile=profile ssid=Guest
add disabled=no mac-address=4A:8F:5A:20:34:C8 master-interface=wlan1 name=\
    wlan4 security-profile=profile ssid=Guest
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge filter
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3
add bridge=bridge interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=149.22.80.114 endpoint-port=\
    51820 interface=wireguard-inet name=peer1 persistent-keepalive=25s \
    public-key="xxxx="
/interface wireless access-list
add ap-tx-limit=8 interface=wlan4
add ap-tx-limit=8 interface=wlan3
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=\
    192.168.88.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src=\
    "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=xx.xx.xx.xx/32 gateway=10.177.0.4 \
    routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=Router/AP
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=time.cloudflare.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
 
ConnyMercier
Forum Veteran
Posts: 777
Joined: Tue Dec 17, 2019 1:08 pm

Re: Script required for wireguard and dns...

Thu Jan 30, 2025 1:22 am

Sorry friend for the late response...
But for some reason or another (most likely a Layer 8 issue),
I had some problems recreating your Setup in my LAB...

Nevertheless, I was able to achieve the result you desire.

Step 1: Wireguard
Configured Wireguard Site-2-Site as recommended on Mikrotik Website (https://help.mikrotik.com/docs/spaces/R ... /WireGuard)
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=13231 interface=wireguard1 name=peer1 persistent-keepalive=25s public-key="fsdfsdfsdfsdfsdfsdfsdfsdfsdfsdfsd"
**This is most likely what you also did, resulting in a working VPN connection but no "Internet" traffic flowing through, as the default gateway (0.0.0.0/0) was still assigned to the ether1 interface, resulting in you having to create some additional "/ip/route" entries that are no longer needed in this setup.

Step 2: Routing-Table
Created an additional Routing-Table called "VPN"
/routing table
add disabled=no fib name=VPN
and added a Default-Gateway Route thru the Wireguard-Tunnel
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.255.255.1 routing-table=VPN scope=30 suppress-hw-offload=no target-scope=10
*** I used the IP addresses from the MikroTik example, but in your setup you will need to change "10.255.255.1" to "10.2.0.1" (assuming that the export you provided is still accurate)

Step 3: NAT
Created a NAT-Rule
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard1
*** You already have this correctly configured

Step 4: Mangle
The following isn't optimal YET, I just didn't have the time to refine the rules.

I created an address list that contains the local networks that should NOT go through the
WireGuard tunnel.
/ip firewall address-list
add address=10.1.22.0/24 disabled=no dynamic=no list=LocalAddress
add address=192.168.88.0/24 disabled=no dynamic=no list=LocalAddress
and made a very VERY basic mangle rule that assigns the routing table "VPN" to anything from the LAN going to the Internet.
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=0.0.0.0/0 dst-address-list=!LocalAddress in-interface=bridge new-routing-mark=VPN

Again, please see the last step / mangle rule as a proof of concept....
If you make the changes to your router, all your traffic from your LAN should still only go through your WireGuard tunnel,
but we can then create some new mangle rules that target specific devices in your LAN to bypass the VPN and/or specific services.


*P.S: Don't forget to back up your device before making changes to it. :D
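The four steps above, carried over to the names in KiwiBloke's export and extended with the per-device bypass the post says comes next, as an added example (not ConnyMercier's lab config and not from MikroTik). It assumes the interface wireguard-inet, tunnel gateway 10.2.0.1 and LAN 192.168.88.0/24 on "bridge" from the export; 192.168.88.50 for the TV is a constructed placeholder. It goes beyond the post in three places: it marks connections rather than packets, it keeps marked connections out of the default fasttrack rule (fasttracked packets skip mangle), and it adds a fail-closed filter rule:

```routeros
# Added example: policy-routing the LAN through WireGuard with a per-device bypass.
# Names from the thread's export: wireguard-inet, 10.2.0.1, 192.168.88.0/24, bridge.
# 192.168.88.50 (the TV) is a constructed placeholder.

# Step 1: the tunnel already exists. Disable the two half-default routes from the
# ProtonVPN guide so the main table keeps its DHCP default route via ether1.
/ip route disable [find dst-address="0.0.0.0/1" gateway="10.2.0.1"]
/ip route disable [find dst-address="128.0.0.0/1" gateway="10.2.0.1"]

# Step 2: a second routing table whose only default route points into the tunnel.
/routing table add name=VPN fib
/ip route add dst-address=0.0.0.0/0 gateway=10.2.0.1 routing-table=VPN \
    comment="default route via WireGuard (table VPN only)"

# Step 3: source NAT on the tunnel is already present in the export:
#   /ip firewall nat add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24

# Step 4: address lists. LocalAddress = destinations that stay on the main table
# (the LAN, the tunnel transfer net 10.2.0.0/30 and the rest of RFC 1918).
# VPN-bypass = LAN hosts that should reach the Internet directly via ether1.
/ip firewall address-list
add list=LocalAddress address=192.168.88.0/24 comment="LAN"
add list=LocalAddress address=10.0.0.0/8 comment="covers tunnel transfer net 10.2.0.0/30"
add list=LocalAddress address=172.16.0.0/12
add list=VPN-bypass address=192.168.88.50 comment="living-room TV (placeholder)"

# Mangle: mark each new LAN-to-Internet connection once, then copy the connection
# mark to a routing mark. Bypass hosts are never marked, so they use the main table.
/ip firewall mangle
add chain=prerouting in-interface=bridge connection-state=new \
    src-address-list=!VPN-bypass dst-address-list=!LocalAddress \
    action=mark-connection new-connection-mark=VPN passthrough=yes \
    comment="LAN to Internet, not a bypass host"
add chain=prerouting in-interface=bridge connection-mark=VPN \
    action=mark-routing new-routing-mark=VPN passthrough=no

# Fasttracked packets skip mangle, so exclude marked connections from the default
# fasttrack rule; unmarked (bypass and LAN-local) traffic is still fasttracked.
/ip firewall filter set [find comment="defconf: fasttrack"] connection-mark=no-mark

# Fail closed: a connection marked for the tunnel must never exit via the WAN list,
# e.g. if the VPN route is disabled and the lookup falls back to the main table.
/ip firewall filter add chain=forward connection-mark=VPN out-interface-list=WAN \
    action=drop comment="kill switch: VPN-marked traffic must not exit directly"
```

Two checks after applying it: `/ip route print where routing-table=VPN` should show the single default route as active, and `/ip firewall mangle print stats` should show the mark-connection counter rising only for hosts outside VPN-bypass. One caveat the thread does not cover: LAN clients use the router (192.168.88.1) as resolver, and the router's own queries to 1.1.1.1 follow the main table, so DNS leaves via ether1 rather than the tunnel; if that matters, the router's own DNS traffic needs a /routing rule of its own, or clients need a resolver that is itself reached through the tunnel.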
 
KiwiBloke
newbie
Topic Author
Posts: 29
Joined: Sat Jan 27, 2024 10:25 am

Re: Script required for wireguard and dns...

Thu Jan 30, 2025 3:56 am

Thanks again Conny.

I actually got the wireguard config from Proton, the VPN provider, for Mikrotik routers, here: https://protonvpn.com/support/wireguard ... ik-routers

Does this change anything in your changes above?
 
ConnyMercier
Forum Veteran
Posts: 777
Joined: Tue Dec 17, 2019 1:08 pm

Re: Script required for wireguard and dns...

Thu Jan 30, 2025 2:20 pm

It doesn't really change anything....

You will need to disable the routes you set up in Step 7 "Redirect all internet traffic through WireGuard" of Proton's guide
and execute Step 2 (Routing-Table) and Step 4 (Mangle) from my post.