Routing specific traffic through a VPN


In this document we will go over the basics of setting up a VPN client on a MikroTik router, specifying which traffic we want pushed through it, and then routing that traffic through the VPN.

There are two ways to proceed: the first is to edit the VPN script we sent through and import it, and the second is to configure the settings yourself.


Option 1: editing and importing the script

In this option all we need to do is edit a file using a text editor of your choice and then upload the file to the device. This guide assumes that you either have the default configuration applied or a configuration that allows the router to connect to the internet.

Please note that this was designed on and tested for RouterOS 6.48.3. It should run on other current firmware, but if you have any issues please contact support@duxtel.com

Editing the script

The first thing we need to do is open the vpn.rsc file with your text editor of choice. I personally like to use VS Code or Notepad++, as they let you install language support to read the code more easily, but it can be opened in any text editor you choose.

Once this is open you will see that there are some instructions in it. You will need to edit some lines so it connects to the VPN of your choosing and sets up the wireless interface and IP addressing correctly.

Please only edit the 10 lines in the section below unless you know exactly what you are doing.




We will be editing the variables in this section. The important thing to know here is that we will be editing all the text shown in orange; if a value has brackets or "" around it, please keep them around your new value as they are needed.

1:

Enter the VPN server that the provider told you to connect to. This could be a DNS name, as in the screenshot above, or it could be an IP address.

2 + 3:

Enter the username and password that the provider gave you.

4:

Keep this as yes if you would like to set up additional SSIDs for the VPN. These will only run if the radios they are attached to are running, so make sure you don't disable them. If your device does not have any wireless interface, it does not matter what you set this to.

Please set this to yes if you would like the virtual SSIDs set up; otherwise set it to no (or literally anything else, as the script just checks whether it says yes or not).

5:

This is the wireless network we are setting up for the VPN clients (phone, PC etc.) to connect to. If you selected yes, you will need to change the SSID to what you want to see and connect to, and the line below it is the password.

6:

You will need to set this variable to yes or no; other strings will cause the script to error. This option controls whether the VPN SSID is hidden when you scan for networks with your phone etc. If it is set to yes, when you scan for networks you will need to select the hidden network option, then enter the SSID and password.


7:

This is for the interfaces that will go through the VPN. The wireless interfaces are already taken care of, so this is just for any additional interfaces you would like. For instance, in the default settings ether3 and the two virtual SSIDs go through the VPN tunnel.

You can see the names of the interfaces in the Interfaces menu, found in the main menu on the left-hand side of WinBox. If you would like to add multiple interfaces, make sure there is a semicolon between entries; they should be entered like this:

{"ether3";"ether4"} and so on

8:

This is a list of addresses that will remain reachable from the VPN addresses; otherwise the two networks are kept segregated. You can add or remove addresses, but please follow the same syntax as the interface list above. You can also add full subnets by entering the network address and CIDR prefix, like so: {"192.168.88.0/24";"192.168.89.1"}

9:

This is the IP address that your local network has on the VPN bridge. It doesn't really matter what you put in here as long as it is a private address.

As there are a couple of different variations of this address that need to be put in, I found that scripting it with the last number missing is the easiest way. Note that this will only create a /24 address, as that should be more than enough in most cases.

To change the address, enter something like 192.168.55. or 10.0.1. for this to work: make sure it is just the first three octets and include the . at the end of the third octet.

10:

These are the DNS addresses that will be set on the router. If you would like to use any specific DNS servers you can put them in here. Again, it is the same story as items 7 and 8: all the addresses go within {}, each one wrapped in "" and separated from the next by a ;


Importing the scripts

To import the script we will need to either connect via WebFig, by opening a browser and going to the IP address currently configured on the device, or open WinBox and connect via MAC address or IP address.

As I prefer to use WinBox I will go through the steps for that, but I will note where things differ for WebFig.

In WinBox all you have to do is drag and drop the file onto the background of the WinBox window. Once you have done that you should see a file transfer window, and then the Files menu will pop up as seen below.

If you are using WebFig you will need to go to the Files menu from the main menu on the left-hand side and then use the Upload button.


Once the file is on the device, all you need to do is go to the New Terminal option in the main menu on the left-hand side; for WebFig this option is at the top right of the screen.

Once the terminal is up, all you need to do is type in the command below. Note that for the file name you can usually just type the first couple of letters and hit Tab to auto-complete the name for you:
import file="vpn config setup.rsc"



After this has been done you should be able to look around and see that things like the bridge (Bridge), firewall (IP > Firewall), IP addresses (IP > Addresses) and routes (IP > Routes) have been edited. If this is the case, the configuration has been applied and you should be good to go.








Option 2: configuring the settings yourself

This guide assumes that you either have the default configuration on the device or have set up the device so that internet access is currently available.

Step 1: configuring the VPN client

The first step is to configure a VPN client. You will need to either log into your account with the VPN host and get the details on how to connect to the VPN or, if you are hosting the VPN server yourself, look at the secrets you have set up.

The main things to get are which VPN protocol you are using, which IP address you need to connect to, and the username and password for your session.

Once you have these settings, log into the router and go to the PPP menu from the main menu on the left-hand side. Once this has opened, click the add button and choose the VPN client you would like to configure; for this guide we will be using an L2TP tunnel, so we select that.


Once you have clicked this a new window should open. You can ignore the first tab, labelled General, unless you would like to give this VPN client interface a name.

What you need to do is go to the Dial Out tab and set Connect To to the IP address or hostname of the server you are connecting to, along with the username and password.

Once you have set these three settings you will not need to set anything else, and you can just click the OK or Apply button.

NOTE: for the L2TP tunnel you might be required to use IPsec. This can be done by ticking the checkbox and entering the password. Only set this if specified; otherwise do not enable this setting.


If everything is set up correctly the interface status should change to connected, and you should see an R next to the VPN client interface indicating it is in a running state.



Step 2: Specifying the traffic you want to flow through the VPN

The next thing we have to do is specify what traffic you would like to go through the VPN interface.

This is done by going to the IP > Firewall configuration menu and then to the Mangle tab.


This configuration menu lets us mark the packets so the router knows which ones need to go through the VPN. To make this efficient, the first rule will mark the connection, and we will then use that connection mark to mark the routing.

Doing it this way means that it will not have to mark every single packet that goes through the router.

This is done by clicking the add button, setting the chain to prerouting in the General tab, then in the Action tab selecting the action mark connection, setting the new connection mark to a name, and ticking the passthrough box so the packet can go on to the next rule.





The way the rule is currently configured, all traffic will get this mark applied, so what we need to do is use the General, Advanced and Extra tabs to narrow down the traffic we are looking for.

Below you will see that we have refined the rule so that only traffic coming from the 192.168.89.0/24 network and establishing a new connection gets marked.

The next step is to make a routing mark from this connection mark. This is quite simple: make a second rule, keep it on the prerouting chain, and set the connection mark to the name we created in the rule above. Once this is done, go to the Action tab, set the action to mark routing, give it a new routing mark name, and untick the passthrough box.





Step 3: Routing the traffic and helping it return.

Now that the VPN client is set up and the internal traffic we want sent through it is marked, the last thing we need to do is set up a route to tell the router to push this traffic through the VPN, and then a NAT (network address translation) rule to allow this traffic to come back.

The first thing to do is set up the route by going to the IP > Routes menu.


In here you will see a couple of entries already, and it might look a bit different from the one in the screenshot above, but that is ok. What we need to do here is click the plus button to add a new entry.

In this new route we will set up three things: the destination address, the gateway and the routing mark. The destination address is where we are going; if you want all traffic with the routing mark to use the VPN you can leave this as 0.0.0.0/0, but if you only want traffic destined for Netflix, for example, you would just put in the IP address of the Netflix server.

The gateway is how we get to that address. Usually we would have to put in an IP address rather than an interface for this to work, but since we are using a point-to-point interface like a VPN we can just click the drop-down box and select the L2TP VPN interface we made.

Lastly you need to specify the routing mark, which means the route will only apply to traffic carrying that routing mark. As the name must match exactly, I would recommend selecting the routing mark from the drop-down box as well.



As well as adding the route to the internet, the router also needs to know how to get back to the VPN subnet once the traffic returns. This is as simple as adding another route with the destination set to the VPN subnet you created, the gateway set to the bridge you have put the VPN DHCP server on, and the VPN routing mark added to it.



Once this has been configured, traffic with the routing mark will be sent out the VPN interface, but you will find that you still cannot connect to anything. The reason is that the VPN server does not know how to reach our local LAN (192.168.89.0/24), so it does not know where to send the return traffic.

To fix this we need to translate the traffic to an IP address it does know how to return to, which can be done with a masquerade NAT rule.

Going back to the IP > Firewall menu, go to the NAT tab. You should already have a masquerade rule in here, and depending on how it is currently set up we can add what we need in one of two ways.

1st way, MikroTik's default configuration. If you are using the default configuration you should see a NAT rule like the one below, which has been set to masquerade anything going out of the interface list WAN.


If this is how it has been set up, to add the VPN interface to this rule all you need to do is go back to the main menu, open the Interfaces menu and then the Interface List tab. In there, click the plus button and add the VPN interface to the WAN interface list; the masquerade rule should then apply to it.



2nd way, masquerade on a single interface. The second way this might need to be done is to create a new rule, because the existing masquerade rule is set to a specific interface, like below.


If this is the case, go to the NAT tab and click the plus button to make a new rule. In this new rule set the chain to srcnat and the out interface to the VPN interface we made, then go to the Action tab and set the action to masquerade.



Once you have clicked the OK or Apply button, your traffic should be NATed to the VPN IP address and the return traffic should now be able to reach your local subnet.
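The same Step 1 to Step 3 configuration entered at the RouterOS terminal, as an added example that is not the vendor's vpn.rsc script. Interface and mark names (l2tp-vpn, bridge-vpn, vpn-conn, vpn-route), the bypass address list (mirroring item 8 of the script) and the server, username and password values are assumed placeholders; 192.168.89.0/24 is the VPN LAN from the text and 192.168.88.0/24 the normal LAN.

```routeros
# Added example (RouterOS 6 CLI), not the vendor's script. All names are placeholders.

# Step 1: L2TP client. Only add use-ipsec=yes ipsec-secret=... if the provider requires it.
/interface l2tp-client add name=l2tp-vpn connect-to=vpn.example.com \
    user=vpnuser password=vpnpassword use-ipsec=no disabled=no

# Destinations that must stay reachable directly (item 8 of the script) are excluded
# from marking so LAN-to-LAN traffic is never pushed into the tunnel.
/ip firewall address-list add list=vpn-bypass address=192.168.88.0/24
/ip firewall address-list add list=vpn-bypass address=192.168.89.0/24

# Step 2: mark the connection once (new connections only, passthrough=yes), then
# derive the routing mark from the connection mark (passthrough=no). Replies carry
# the same connection mark, so they get the routing mark too.
/ip firewall mangle add chain=prerouting src-address=192.168.89.0/24 \
    dst-address-list=!vpn-bypass connection-state=new \
    action=mark-connection new-connection-mark=vpn-conn passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=vpn-conn \
    action=mark-routing new-routing-mark=vpn-route passthrough=no

# Step 3: default route for marked traffic via the point-to-point VPN interface,
# plus the return route to the VPN LAN in the same marked routing table.
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-vpn routing-mark=vpn-route
/ip route add dst-address=192.168.89.0/24 gateway=bridge-vpn routing-mark=vpn-route

# Masquerade so the VPN server sees the tunnel address, not 192.168.89.x.
# 1st way (default config): put the VPN interface in the WAN list; the existing rule applies.
/interface list member add list=WAN interface=l2tp-vpn
# 2nd way (single-interface masquerade): a dedicated srcnat rule instead of the line above.
# /ip firewall nat add chain=srcnat out-interface=l2tp-vpn action=masquerade

# Checks: tunnel running, mangle counters increasing, marked routes active.
/interface l2tp-client monitor l2tp-vpn once
/ip firewall mangle print stats
/ip route print where routing-mark=vpn-route
```

If the mangle counters stay at zero, the src-address or connection-state match is wrong; if they increase but nothing connects, check the masquerade rule and the return route first.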

Attached Files
vpn config setup Final.rsc
404kb