Surfshark VPN does not work with WG on MT

wuhoatu · Sat Nov 19, 2022 12:19 pm

I need a 3rd party VPN solution. So I try Surfshark VPN with WG on my Hex S but it seems Surfshark does not work with WG on MT. Could you please give me your hand.
Thx U so much.

The concern script as follows:

# model = RB760iGS

/interface wireguard
add listen-port=13231 mtu=1420 name=WG-Surfshark

/ip pool
add name=dhcp_pool0 ranges=192.168.1.101-192.168.1.164

/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=LocalDHCP

/routing table
add disabled=no fib name=to-WGuard

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=hk-hkg.prod.surfshark.com \
    endpoint-port=51820 interface=WG-Surfshark public-key=\
    "JYHdktdtuM7inbtsxRKSDpnBVTWQ5+QLZ/cWWmf4VRg="

/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0

/ip dhcp-server network
add address=10.14.0.0/16 dns-server=162.252.172.57,149.154.159.92 gateway=\
    10.14.0.1

/ip dns
set servers=162.252.172.57,149.154.159.92

/ip firewall mangle
add action=accept chain=forward out-interface=WG-Surfshark src-address=\
    192.168.1.0/24

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WG-Surfshark

/ip route
add check-gateway=bfd disabled=no dst-address=0.0.0.0/0 gateway=WG-Surfshark \
    routing-table=to-WGuard suppress-hw-offload=no

/routing rule
add action=lookup disabled=no src-address=192.168.1.0/24 table=to-WGuard

But no trafic go through WG. ipleak.net keep detect my public IP from my ISP, not Surfshark.
No trafic found in /ip firewall nat but found in WG interface as you see in pictures

NAT.jpg

Interface.jpg

Case I route a local IP to WG, the client cannot access internet any more.

add action=mark-routing chain=prerouting dst-address-list=!DomesticIP \
    dst-address-type=!local new-routing-mark=to-WGuard passthrough=no \
    src-address=192.168.1.7

WG Surfshark config file as follows:

#
# Use this configuration with WireGuard client
#
[Interface]
Address = 10.14.0.2/16
PrivateKey = <Private Key here>
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = JYHdktdtuM7inbtsxRKSDpnBVTWQ5+QLZ/cWWmf4VRg=
AllowedIPs = 0.0.0.0/0
Endpoint = hk-hkg.prod.surfshark.com:51820

anav · Tue Nov 22, 2022 12:30 am

YOu would need to provide the full export to be helpful

/export file=anynameyouwish (minus router serial Number and any public WANIP information )

Also read this - viewtopic.php?t=182340
Paragraph 7 applies!!!

It would make sense to on the MT to set the Ip address of the wireguard as follows
add address=10.14.0.2/24 gateway=WG-Surfshark

Also ensure that you have a sourcenat rule.
add action=masquerade chain=srcnat out-interface=WG-Surfshark

This will ensure that all router traffic will get natted with the acceptable IP address you were assigned.

wuhoatu · Wed Nov 23, 2022 8:10 am

YOu would need to provide the full export to be helpful

/export file=anynameyouwish (minus router serial Number and any public WANIP information )

Also read this - viewtopic.php?t=182340
Paragraph 7 applies!!!

It would make sense to on the MT to set the Ip address of the wireguard as follows
add address=10.14.0.2/24 gateway=WG-Surfshark

Also ensure that you have a sourcenat rule.
add action=masquerade chain=srcnat out-interface=WG-Surfshark

This will ensure that all router traffic will get natted with the acceptable IP address you were assigned.

Thank you @anav
indeed I make right to viewtopic.php?t=182340 (Para 7)
I also tried add address=10.14.0.2/24 gateway=WG-Surfshark with no luck. Sure that add action=masquerade chain=srcnat out-interface=WG-Surfshark is set on /ip firewall NAT too.
I can ping to any internet address but internet site cannot be tracert nor accessed with any browser. It seem that Surfshark+Wiregard cause DNS issue.

anav · Wed Nov 23, 2022 2:13 pm

Need to see the config on the MT
/export file=anynameyouwish ( minus router serial number and any public WANIP info )

mmotti · Fri Nov 25, 2022 3:18 pm

I had similar problems with SurfShark (coming from Mullvad) and to get internet access I had to use:

/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu tcp-flags=syn protocol=tcp out-interface=wg0

Although I still seem to get some weird connection / speed issues with this. If I run consecutive speed tests (speedtest.net) my upload speed will regularly register as 0Mbps but it won't do it every time.

No idea what's going on or whether this is related to "clamp-to-pmtu" not being the correct fix.

wuhoatu · Fri Nov 25, 2022 3:43 pm

Need to see the config on the MT
/export file=anynameyouwish ( minus router serial number and any public WANIP info )

Thank you @anav for your support. Bellows is export file content:

# nov/25/2022 20:26:53 by RouterOS 7.6
# software id = DLIQ-U8Q4
#
# model = RB760iGS
# serial number = <S/N here>
/interface bridge
add add-dhcp-option82=yes dhcp-snooping=yes igmp-snooping=yes name=LAN
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on name=WAN1
set [ find default-name=ether2 ] disabled=yes loop-protect=on name=WAN2
set [ find default-name=ether3 ] loop-protect=on
set [ find default-name=ether4 ] loop-protect=on
set [ find default-name=ether5 ] loop-protect=on poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add listen-port=13231 name=WG-Surfshark
/interface pppoe-client
add add-default-route=yes disabled=no interface=WAN1 name=PPPoE service-name=\
    078995MEN use-peer-dns=yes user=vu-thinh
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name="LocalPool()" ranges=192.168.1.101-192.168.1.164
/ip dhcp-server
add address-pool="LocalPool()" interface=LAN name=LocalDHCP
/port
set 0 name=serial0
/routing table
add disabled=no fib name=to-WGuard
/system logging action
set 0 memory-lines=100
/interface bridge port
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=all internet-interface-list=*2000010 \
    wan-interface-list=*2000010
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=vn-hcm.prod.surfshark.com \
    endpoint-port=51820 interface=WG-Surfshark public-key=\
    "Mioou38fh5H+3LWMpitLOWT3JaDGg2gXxqjl2eXkPFU="
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h

/ip dhcp-server network
add address=10.14.0.0/24 dns-server=162.252.172.57,149.154.159.92 gateway=\
    10.14.0.1
add address=192.168.1.0/24 dns-server=162.252.172.57,149.154.159.92 gateway=\
    192.168.1.1
/ip dns
set servers=162.252.172.57,149.154.159.92

/ip firewall filter
add action=accept chain=input comment="Allow access Winbox from Local IP" \
    dst-port=8291 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward out-interface=WG-Surfshark src-address=\
    192.168.1.230
add action=drop chain=input comment="Block Black List" src-address-list=\
    BlackList
/ip firewall nat
add action=masquerade chain=srcnat comment=ISP out-interface=PPPoE
add action=masquerade chain=srcnat comment=WG-Surfshark out-interface=\
    WG-Surfshark

/ip route
add check-gateway=bfd disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    WG-Surfshark pref-src="" routing-table=to-WGuard scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=LAN type=internal
add interface=PPPoE type=external
/routing rule
add action=lookup disabled=no src-address=192.168.1.230/32 table=to-WGuard
/system clock
set time-zone-name=Asia/Bangkok
/system logging
set 0 disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.windows.com
add address=time.google.com
add address=time.nist.gov
/tool bandwidth-server
set enabled=no
/tool mac-server ping
set enabled=no

I also tried to change MTU from 1420 to 1500 but no luck.

I had similar problems with SurfShark (coming from Mullvad) and to get internet access I had to use:
Code: Select all
/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu tcp-flags=syn protocol=tcp out-interface=wg0
Although I still seem to get some weird connection / speed issues with this. If I run consecutive speed tests (speedtest.net) my upload speed will regularly register as 0Mbps but it won't do it every time.

No idea what's going on or whether this is related to "clamp-to-pmtu" not being the correct fix.

Thank you @mmotti for sharing. clamp-to-pmtu does not work for me.

anav · Fri Nov 25, 2022 4:15 pm

Naming the bridge LAN, is very confusing for us MT types as LAN is very much used to identify an interface list and attach members to it.......

I would use the word bridge-lan or just bridge

Then create my interface list
add name=WAN
add name=LAN

and interface list members
add interface=ether1 list=WAN
add interface=PPPoE list=WAN
add interface=bridge list=LAN

Then I would use this
/ip neighbor discovery-settings
set discover-interface-list=LAN

THis needs to be changed to NONE
/interface detect-internet
set detect-interface-list=NONE

Change IP address to
add address=10.14.0.2/24 interface=WG-Surfshark network=10.14.0.0

REMOVE THIS , no idea why you put this here........... You dont dhcp server wireguard !!!!!.
add address=10.14.0.0/24 dns-server=162.252.172.57,149.154.159.92 gateway=\
10.14.0.1

Why are you only allowing one LAN IP address to go out wireguard? Was that your intent?
add action=accept chain=forward out-interface=WG-Surfshark src-address=\
192.168.1.230

If these are your only firewall rules and you are attached to the internet, then I cannot help you further until you fix them.
Suggest take a look at - viewtopic.php?t=180838

Other than that see no issues LOL

++++++++++++++++++++++++++++
In summary the only things that could be interfering that I see are the DHCP server entry, and the detect internet is known to cause funny issues so best to set to NONE. The rest are comments to make the config better.

wuhoatu · Sun Nov 27, 2022 5:25 am

thank you @anav. I made all changes as your recomendation.

especially IP address has been changed to

add address=10.14.0.2/24 interface=WG-Surfshark network=10.14.0.0

This is also be done

REMOVE THIS , no idea why you put this here........... You dont dhcp server wireguard !!!!!.
add address=10.14.0.0/24 dns-server=162.252.172.57,149.154.159.92 gateway=\
10.14.0.1

Why are you only allowing one LAN IP address to go out wireguard? Was that your intent?
add action=accept chain=forward out-interface=WG-Surfshark src-address=\
192.168.1.230

I intent to test VPN for my laptop only, not all LAN IP. However, it also change to LAN IP 192/168.1.0/24 with no success
I can ping to any internet site but cannot access with any browser. Only google.com can accessed and working normally with browser.

mmotti · Sun Nov 27, 2022 1:42 pm

Thank you @mmotti for sharing. clamp-to-pmtu does not work for me.

Just checking - Did you change wg0 in the snippet I provided from wg0 to your WG interface name?

wuhoatu · Sun Nov 27, 2022 2:29 pm

Thank you @mmotti for sharing. clamp-to-pmtu does not work for me.
Just checking - Did you change wg0 in the snippet I provided from wg0 to your WG interface name?

absolutely. No working. Thx U

wuhoatu · Sat Jan 07, 2023 12:44 pm

Surfshark VPN finally works with my Hex S and Wireguard.
The most important thing is mangle script change MSS

/interface wireguard
add listen-port=51820 mtu=1420 name=WG-Surfshark

/routing table
add disabled=no fib name=to-WireGuard

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=sg-sng.prod.surfshark.com \
endpoint-port=51820 interface=WG-Surfshark public-key=\
"Public Key of VPN Server Here"

/ip address
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0

/ip firewall mangle
add action=change-mss chain=forward comment="Modification for Surfshark" \
new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-routing chain=prerouting dst-address-list=YourIP_List \
dst-address-type=!local new-routing-mark=to-WireGuard passthrough=yes \
src-address=192.168.1.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="WG-Hongkong VPN" out-interface=WG-Surfshark

/ip route
add check-gateway=bfd disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
WG-Surfshark pref-src="" routing-table=to-WireGuard scope=30 \
suppress-hw-offload=no target-scope=10

t4thfavor · Mon Mar 06, 2023 9:52 pm

I was able to configure surshark using wireguard on my 4011 today. It does work, but I noticed that a lot of sites are just plain old blocking the IP address endpoints. Torrents work perfectly, but if I try to browse youtube, or a lot of other sites, the connections just flat out timeout. I am able to pass the DNS leak and IP leak tests on their site so I know it's "working".

Just my experience.

anav · Mon Mar 06, 2023 9:56 pm

that sounds more like MTU issues unless by blocking you mean sites like NETFLIX can detect the fact that a gazillion user are coming from one IP address and shut it down??

t4thfavor · Wed Mar 08, 2023 10:19 pm

that sounds more like MTU issues unless by blocking you mean sites like NETFLIX can detect the fact that a gazillion user are coming from one IP address and shut it down??

I'm not sure what's happening, I can't even load surfshark site today. I set the MTU to 1350 just in case, and no change.

Still can ping ip's and names over the internet, but no pages will load.

anav · Thu Mar 09, 2023 1:59 am

What did surfshark say to use for MTU?
IF something specific ensure you set that on the WIREGUARD Interface.

If not assume the default value to see if it works, 1420.
if not try 1500.
If not go back to 1420 on the wireguard interface and try using the clamp rule.
add action=change-mss chain=forward comment="Modification for Surfshark" \
new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

If that doesnt work try 1500 and the clamping rule
if that doesnt work not sure what is next.

Last resort, go back to firmware 7.6 and try the above...........

deltaplaned · Sun Apr 09, 2023 2:52 am

Surfshark VPN finally works with my Hex S and Wireguard.
The most important thing is mangle script change MSS

/interface wireguard
add listen-port=51820 mtu=1420 name=WG-Surfshark

/routing table
add disabled=no fib name=to-WireGuard

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=sg-sng.prod.surfshark.com \
endpoint-port=51820 interface=WG-Surfshark public-key=\
"Public Key of VPN Server Here"

/ip address
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0

/ip firewall mangle
add action=change-mss chain=forward comment="Modification for Surfshark" \
new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-routing chain=prerouting dst-address-list=YourIP_List \
dst-address-type=!local new-routing-mark=to-WireGuard passthrough=yes \
src-address=192.168.1.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="WG-Hongkong VPN" out-interface=WG-Surfshark

/ip route
add check-gateway=bfd disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
WG-Surfshark pref-src="" routing-table=to-WireGuard scope=30 \
suppress-hw-offload=no target-scope=10

works! thanks for your detailed steps!
It will be very good to create a new topic with this solutions in the first message.

almrasi · Sun May 21, 2023 9:22 am

Surfshark VPN finally works with my Hex S and Wireguard.
The most important thing is mangle script change MSS

/interface wireguard
add listen-port=51820 mtu=1420 name=WG-Surfshark

/routing table
add disabled=no fib name=to-WireGuard

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=sg-sng.prod.surfshark.com \
endpoint-port=51820 interface=WG-Surfshark public-key=\
"Public Key of VPN Server Here"

/ip address
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0

/ip firewall mangle
add action=change-mss chain=forward comment="Modification for Surfshark" \
new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-routing chain=prerouting dst-address-list=YourIP_List \
dst-address-type=!local new-routing-mark=to-WireGuard passthrough=yes \
src-address=192.168.1.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="WG-Hongkong VPN" out-interface=WG-Surfshark

/ip route
add check-gateway=bfd disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
WG-Surfshark pref-src="" routing-table=to-WireGuard scope=30 \
suppress-hw-offload=no target-scope=10

Hi pro,
many Thanks

lf777 · Fri Jun 30, 2023 7:53 pm

Hi, the route entry from

/ip route
add check-gateway=bfd disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
WG-Surfshark pref-src="" routing-table=to-WireGuard scope=30 \
suppress-hw-offload=no target-scope=10

was created and its status went

USI

.
No idea why it reports as U:unreachable.

I have another entry in the route table with dst-address 0.0.0.0/0.
This was the pre-existing non-VPN configuration.

Has anyone encountered a similar occurrence?

sebus46 · Mon Aug 26, 2024 6:18 pm

Exactly the same USI

Make sure you have check-gateway="none"

sebus46 · Mon Aug 26, 2024 7:28 pm

Surfshark VPN finally works with my Hex S and Wireguard

These instructions are incomplete, at least missing private key part and DNS entries (as one gets from Surfshark account configuration download)

One must create WG-Surfshark interface with private-key="YOUR PRIVATE KEY as generated on Surfshark account page"
When connected successfully one can ping the provided DNS server

ping 162.252.172.57 interface=WG-Surfshark 
  SEQ HOST                                     SIZE TTL TIME       STATUS                                          
    0 162.252.172.57                             56  49 127ms330us
    1 162.252.172.57                             56  49 127ms290us
    2 162.252.172.57                             56  49 127ms467us
    3 162.252.172.57                             56  49 127ms     
    sent=4 received=4 packet-loss=0% min-rtt=127ms avg-rtt=127ms271us max-rtt=127ms467us

Also gateway entry MUST have check-gateway="none", otherwise it will go after few seconds USI

Surfshark VPN does not work with WG on MT

Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Re: Surfshark VPN does not work with WG on MT

Who is online