Tunnel traffic through VPN

Posted: Fri Aug 16, 2019 8:28 pm
by madmoses
Hi,

I run a small WiFi hotspot for hotel guests. We had a small legal issue because some of our clients are downloading illegal movies from BitTorrent websites.

1) Is it possible to tunnel all the traffic through a VPN provider?
2) Which VPN provider is supported by MikroTik?
3) Are there any providers which already have filters for illegal BitTorrent websites? Or the possibility to block BitTorrent at all?
4) Can I somehow block BitTorrent with my MikroTik router?

Regards

Re: Tunnel traffic through VPN

Posted: Sat Aug 17, 2019 1:29 am
by formerandroider
RouterOS supports creating VPN tunnels, I know L2TP is supported as I use it myself. As long as a standard (though perhaps not bleeding edge) protocol is used, it'll be supported.

Alternatively, you could just block the relevant bittorrent protocol ports using the RouterOS firewall.

Re: Tunnel traffic through VPN

Posted: Mon Aug 19, 2019 11:28 am
by madmoses
I blocked the ports in my FritzBox and it does not help. BitTorrent just tries to use other ports.

I found a VPN provider (NordVPN) which internally uses OpenVPN. Is it a good or bad idea to use OpenVPN? We have up to 100 users in the guest WiFi and all are limited to 6 Mbps down and 256 kbps up-stream.

Re: Tunnel traffic through VPN

Posted: Mon Aug 19, 2019 11:46 am
by pe1chl
It is unlikely that the MikroTik OpenVPN implementation is going to work with them.
(I have no personal experience with this particular combination, but in general MikroTik OpenVPN is missing a lot of features that most servers require these days)

You will have more luck with IPsec (IKEv2) I think.

Re: Tunnel traffic through VPN

Posted: Mon Aug 19, 2019 1:57 pm
by madmoses
Okay thank you for this information.

I tried https://www.expressvpn.com/ on my desktop, but I get only 25-100 Mbit/s.

I have a 400 Mbit connection; it would be nice if I could use at least 200 Mbit. Any recommendation for a good VPN service?

Re: Tunnel traffic through VPN

Posted: Mon Aug 19, 2019 2:45 pm
by BlumKram
I'm using NordVPN for now, but I'd like to change to another one because of the slow connection. So if anyone has an idea, I'd join the topic too.

Re: Tunnel traffic through VPN

Posted: Mon Aug 19, 2019 2:48 pm
by msatter
NordVPN is fast; with two RB760iGS in cascade I get 250/250 Mbit/s. A single RB760iGS shuffles around 170 Mbit/s over the IKEv2 tunnel.

With an RB4011 you will get between 250 and 300 Mbit/s through NordVPN.

Re: Tunnel traffic through VPN

Posted: Mon Aug 19, 2019 2:58 pm
by pe1chl
> I tried https://www.expressvpn.com/ on my desktop, but I get only 25-100 Mbit/s
What router type do you have? Of course this is not going to work with an RB2011 or RB750G2!
You need a modern router with encryption acceleration to get those high speeds.

Re: Tunnel traffic through VPN

Posted: Mon Aug 19, 2019 5:58 pm
by madmoses
> > I tried https://www.expressvpn.com/ on my desktop, but I get only 25-100 Mbit/s
> What router type do you have? Of course this is not going to work with an RB2011 or RB750G2!
> You need a modern router with encryption acceleration to get those high speeds.
What about not encrypting the connection and just using L2TP?

https://mikrotik.com/product/hex_s
Is this one powerful enough? I have an RB750G2 running at the moment.

Re: Tunnel traffic through VPN

Posted: Mon Aug 19, 2019 6:12 pm
by pe1chl
Your VPN provider probably does not offer that option.

Yes, the hEX S (or the normal hEX, this is now the RB750Gr3) is powerful enough for fast IPsec encryption at the speed you want.
This of course still does not guarantee you will achieve that speed, there can be other bottlenecks in the network.
But 200 Mbps should be possible.

Re: Tunnel traffic through VPN

Posted: Tue Aug 20, 2019 4:35 pm
by madmoses
I tried PPTP, L2TP and L2TP with IPsec.

All of them are extremely slow (around 1 Mbit).

Only L2TP with IPsec SOMETIMES gives me 10 Mbit.

I followed this instruction: https://support.safervpn.com/hc/en-us/a ... tik-Router

I have the feeling that there is a problem with this configuration. I tried L2TP without IPsec on my desktop and I get speeds around 250 Mbit...

Re: Tunnel traffic through VPN

Posted: Tue Aug 20, 2019 4:58 pm
by pe1chl
You probably will have MTU issues that are usual with VPN. Try to add this:
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

Re: Tunnel traffic through VPN

Posted: Tue Aug 20, 2019 6:02 pm
by msatter
> I tried PPTP, L2TP and L2TP with IPsec.
>
> All of them are extremely slow (around 1 Mbit).
>
> Only L2TP with IPsec SOMETIMES gives me 10 Mbit.
>
> I followed this instruction: https://support.safervpn.com/hc/en-us/a ... tik-Router
>
> I have the feeling that there is a problem with this configuration. I tried L2TP without IPsec on my desktop and I get speeds around 250 Mbit...
The 750Gr2 does not support hardware encryption; I can't find it stated anywhere, and it has the QCA9556 as processor.

https://wikidevi.com/wiki/MikroTik_Rout ... B750Gr2%29

The 750Gr3 and 760iGS do support hardware encryption, as do many more MikroTik routers.

Re: Tunnel traffic through VPN

Posted: Tue Aug 20, 2019 6:06 pm
by madmoses
Thank you! MTU was a problem!

The command did not help, but I played with the values manually and now I get speeds around 140 Mbit/s (only L2TP without IPsec).

I am now tunneling all my traffic through the VPN. Because of this I cannot connect to the DNS server on my router.

In the document here: https://support.safervpn.com/hc/en-us/a ... tik-Router they add some DNS servers manually.
1) But what they do does not work for me
2) It feels a bit hacky
3) I guess it would be best to use the DNS server which is configured in my router. But how could I do this?

Re: Tunnel traffic through VPN

Posted: Tue Aug 20, 2019 6:15 pm
by msatter
When you buy a different router with hardware support you can use IKEv2, which is safe (L2TP is not). You can use connection marking by default to split the traffic that goes into the tunnel from the traffic that does not have to be in the tunnel.

You can then use your local DNS if you want.

Re: Tunnel traffic through VPN

Posted: Wed Aug 21, 2019 10:35 am
by madmoses
Security is not an issue.

> you can use connection marking by default to split the traffic that goes into the tunnel from the traffic that does not have to be in the tunnel.
What is this feature called? I would like to read more about this.

Also, I have a problem that Netflix and Amazon are not working through that tunnel. Can I also use the above technique to prevent that kind of traffic from going through the tunnel?

https://mikrotik.com/product/hex_s#fndtn-testresults
This is also interesting. Increasing the MTU seems to speed up everything. This is something I would like to try tonight.

Re: Tunnel traffic through VPN

Posted: Wed Aug 21, 2019 12:48 pm
by pe1chl
> When you buy a different router with hardware support you can use IKEv2, which is safe (L2TP is not)
For this purpose it does not really matter if the VPN is "safe"...
Traditionally VPN was used to inter-connect two isolated networks (e.g. subsidiary local area networks) over a public network, and it was important to make sure that someone who could capture packets on the public network would not be able to look into the transported packets, insert new packets into the stream to attack systems on the isolated networks, etc.
Hence the use of authentication and encryption.

However, today most people (including the starter of this topic) use VPN in a slightly different meaning: to transport all their traffic that is to be sent to/from the public network to another place where it will then be released onto the public network.
They can do that for a couple of reasons:
- because their local connection is unsafe and can be tapped by bystanders (e.g. public WiFi)
- because their ISP is somehow modifying the traffic in a way they don't desire (e.g. interception of DNS requests and insertion of own code into http traffic)
- because they do not want to associate their traffic exit-point with themselves
- because they want to have their traffic exit-point in another country, e.g. to circumvent regional locking

In all but the first case it does not really matter how safe it is. You could just use an unencrypted GRE or IPIP tunnel. In the second case it could be problematic but it probably isn't, the ISP likely is not going to the trouble to look in such tunnels anyway.

So in fact this security is only burdening the router, which has to encrypt and decrypt everything, and it has costs in performance due to the larger headers of encrypted/authenticated tunnels vs the simple ones. With a better router (like RB750Gr3) you won't be troubled by the encryption CPU overhead, but you still have the header overhead.

Of course, when you want to use an existing "VPN provider" (in the sense of providing a different exit-point), it likely does not provide the option of using such simple tunnels. So then you are obliged to jump through the "secure" hoops, even though it is not really needed.

Re: Tunnel traffic through VPN

Posted: Wed Aug 21, 2019 1:04 pm
by msatter
> Security is not an issue.
>
> > you can use connection marking by default to split the traffic that goes into the tunnel from the traffic that does not have to be in the tunnel.
> What is this feature called? I would like to read more about this.
>
> Also, I have a problem that Netflix and Amazon are not working through that tunnel. Can I also use the above technique to prevent that kind of traffic from going through the tunnel?
https://wiki.mikrotik.com/wiki/Manual:I ... all/Mangle
at the bottom of that page.

Re: Tunnel traffic through VPN

Posted: Fri Aug 23, 2019 5:40 pm
by madmoses
I can't get it to work. How can I accept the traffic to the DNS server on my router, which uses the IP 192.168.178.1?
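As an added example (not posted by anyone in this thread), this is one way to put msatter's mangle suggestion and the DNS question above together on RouterOS v6: guest traffic is routing-marked into the tunnel, an address list of destinations that must stay off the VPN and traffic to the router's own DNS at 192.168.178.1 are excluded from marking, and a blackhole route acts as a kill switch so guest traffic cannot fall back to the ISP path if the tunnel drops. The tunnel interface name l2tp-out1, the WAN interface ether1, the ISP gateway 192.0.2.1 and the 203.0.113.0/24 bypass range are assumed placeholders, not values from the thread.

```routeros
# Added example, not from the thread. Assumed: guest LAN 192.168.178.0/24 with the router
# at 192.168.178.1, tunnel interface l2tp-out1, WAN interface ether1, ISP gateway 192.0.2.1.

# 1) Destinations that should bypass the tunnel (placeholder range, fill in real ones)
/ip firewall address-list
add list=bypass-vpn address=203.0.113.0/24 comment="placeholder: service that rejects VPN exits"

# 2) Routing marks are assigned in prerouting, before the routing decision
/ip firewall mangle
# Traffic from guests to the router itself (DNS on 192.168.178.1) is accepted here,
# so it is never marked and keeps using the local DNS server
add chain=prerouting src-address=192.168.178.0/24 dst-address=192.168.178.1 \
    action=accept comment="keep DNS/router traffic out of the tunnel"
# Whitelisted destinations are marked to leave via the ISP
add chain=prerouting src-address=192.168.178.0/24 dst-address-list=bypass-vpn \
    action=mark-routing new-routing-mark=via-isp passthrough=no
# Everything else from the guest LAN that is not for the router goes into the tunnel
add chain=prerouting src-address=192.168.178.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=via-vpn passthrough=no
# MSS clamp for TCP entering the tunnel (the MTU fix discussed earlier in the thread)
add chain=forward protocol=tcp tcp-flags=syn out-interface=l2tp-out1 \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# 3) Routes selected by the marks
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=via-vpn distance=1 \
    comment="default route for guest traffic marked for the tunnel"
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=via-isp distance=1 \
    comment="ISP gateway for whitelisted destinations"
# Kill switch: when l2tp-out1 is down its route goes inactive; without this blackhole the
# lookup would fall through to the main table and guest traffic would leak via the ISP
add dst-address=0.0.0.0/0 routing-mark=via-vpn type=blackhole distance=10 \
    comment="drop marked guest traffic while the tunnel is down"

# 4) Source NAT for both exits
/ip firewall nat
add chain=srcnat out-interface=l2tp-out1 action=masquerade
add chain=srcnat out-interface=ether1 action=masquerade
```

Put the accept rule before the two mark-routing rules; mangle rules are evaluated top to bottom and the first match with passthrough=no ends the chain.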

Re: Tunnel traffic through VPN

Posted: Sat Aug 29, 2020 12:06 pm
by muhlpaul
> Security is not an issue.
>
> > you can use connection marking by default to split the traffic that goes into the tunnel from the traffic that does not have to be in the tunnel.
> What is this feature called? I would like to read more about this.
>
> Also, I have a problem that Netflix and Amazon are not working through that tunnel. Can I also use the above technique to prevent that kind of traffic from going through the tunnel?
> https://wiki.mikrotik.com/wiki/Manual:I ... all/Mangle
> at the bottom of that page.
Hi, regarding the Amazon Video problem (not working via VPN): do you have a working script/mangle rules, an actual IP address list of Amazon servers etc.?
I was already thinking about routing the Amazon traffic directly to the internet without using the VPN, but I have no idea how to manage it....

Re: Tunnel traffic through VPN

Posted: Sat Aug 29, 2020 9:38 pm
by erkexzcx
> 1) Is it possible to tunnel all the traffic through a VPN provider?
> 2) Which VPN provider is supported by MikroTik?
> 3) Are there any providers which already have filters for illegal BitTorrent websites? Or the possibility to block BitTorrent at all?
> 4) Can I somehow block BitTorrent with my MikroTik router?
Some de facto standards and other key points:

1. Get NordVPN - they won't ever tell you for downloading pirated movies etc.
2. No, you can't effectively filter out torrent traffic so that only such traffic goes through the VPN. You need to either whitelist some ports, such as 80 and 443, or route all traffic through the VPN.
3. What you are looking for is the IPsec/IKEv2 protocol. You can use it with NordVPN and there are instructions online (hosted on both the MikroTik and NordVPN websites). From my personal experience, you will need to figure out how to implement a kill switch with MikroTik and also reduce the TCP MSS size in order for the VPN to work (these things were not mentioned in either guide).