Community discussions

MikroTik App
 
wuhoatu
just joined
Topic Author
Posts: 8
Joined: Tue Nov 15, 2022 4:22 am

Surfshark VPN does not work with WG on MT

Sat Nov 19, 2022 12:19 pm

I need a 3rd party VPN solution. So I try Surfshark VPN with WG on my Hex S but it seems Surfshark does not work with WG on MT. Could you please give me your hand.
Thx U so much.

The concern script as follows:
# model = RB760iGS

/interface wireguard
add listen-port=13231 mtu=1420 name=WG-Surfshark

/ip pool
add name=dhcp_pool0 ranges=192.168.1.101-192.168.1.164

/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=LocalDHCP

/routing table
add disabled=no fib name=to-WGuard

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=hk-hkg.prod.surfshark.com \
    endpoint-port=51820 interface=WG-Surfshark public-key=\
    "JYHdktdtuM7inbtsxRKSDpnBVTWQ5+QLZ/cWWmf4VRg="

/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0

/ip dhcp-server network
add address=10.14.0.0/16 dns-server=162.252.172.57,149.154.159.92 gateway=\
    10.14.0.1

/ip dns
set servers=162.252.172.57,149.154.159.92

/ip firewall mangle
add action=accept chain=forward out-interface=WG-Surfshark src-address=\
    192.168.1.0/24

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WG-Surfshark

/ip route
add check-gateway=bfd disabled=no dst-address=0.0.0.0/0 gateway=WG-Surfshark \
    routing-table=to-WGuard suppress-hw-offload=no

/routing rule
add action=lookup disabled=no src-address=192.168.1.0/24 table=to-WGuard
But no trafic go through WG. ipleak.net keep detect my public IP from my ISP, not Surfshark.
No trafic found in /ip firewall nat but found in WG interface as you see in pictures
NAT.jpg
Interface.jpg
Case I route a local IP to WG, the client cannot access internet any more.
add action=mark-routing chain=prerouting dst-address-list=!DomesticIP \
    dst-address-type=!local new-routing-mark=to-WGuard passthrough=no \
    src-address=192.168.1.7
WG Surfshark config file as follows:
#
# Use this configuration with WireGuard client
#
[Interface]
Address = 10.14.0.2/16
PrivateKey = <Private Key here>
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = JYHdktdtuM7inbtsxRKSDpnBVTWQ5+QLZ/cWWmf4VRg=
AllowedIPs = 0.0.0.0/0
Endpoint = hk-hkg.prod.surfshark.com:51820
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Surfshark VPN does not work with WG on MT

Tue Nov 22, 2022 12:30 am

YOu would need to provide the full export to be helpful

/export file=anynameyouwish (minus router serial Number and any public WANIP information )

Also read this - viewtopic.php?t=182340
Paragraph 7 applies!!!


It would make sense to on the MT to set the Ip address of the wireguard as follows
add address=10.14.0.2/24 gateway=WG-Surfshark

Also ensure that you have a sourcenat rule.
add action=masquerade chain=srcnat out-interface=WG-Surfshark

This will ensure that all router traffic will get natted with the acceptable IP address you were assigned.
 
wuhoatu
just joined
Topic Author
Posts: 8
Joined: Tue Nov 15, 2022 4:22 am

Re: Surfshark VPN does not work with WG on MT

Wed Nov 23, 2022 8:10 am

YOu would need to provide the full export to be helpful

/export file=anynameyouwish (minus router serial Number and any public WANIP information )

Also read this - viewtopic.php?t=182340
Paragraph 7 applies!!!


It would make sense to on the MT to set the Ip address of the wireguard as follows
add address=10.14.0.2/24 gateway=WG-Surfshark

Also ensure that you have a sourcenat rule.
add action=masquerade chain=srcnat out-interface=WG-Surfshark

This will ensure that all router traffic will get natted with the acceptable IP address you were assigned.
Thank you @anav
indeed I make right to viewtopic.php?t=182340 (Para 7)
I also tried add address=10.14.0.2/24 gateway=WG-Surfshark with no luck. Sure that add action=masquerade chain=srcnat out-interface=WG-Surfshark is set on /ip firewall NAT too.
I can ping to any internet address but internet site cannot be tracert nor accessed with any browser. It seem that Surfshark+Wiregard cause DNS issue.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Surfshark VPN does not work with WG on MT

Wed Nov 23, 2022 2:13 pm

Need to see the config on the MT
/export file=anynameyouwish ( minus router serial number and any public WANIP info )
 
mmotti
just joined
Posts: 15
Joined: Thu Nov 17, 2022 9:50 pm

Re: Surfshark VPN does not work with WG on MT

Fri Nov 25, 2022 3:18 pm

I had similar problems with SurfShark (coming from Mullvad) and to get internet access I had to use:
/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu tcp-flags=syn protocol=tcp out-interface=wg0
Although I still seem to get some weird connection / speed issues with this. If I run consecutive speed tests (speedtest.net) my upload speed will regularly register as 0Mbps but it won't do it every time.

No idea what's going on or whether this is related to "clamp-to-pmtu" not being the correct fix.
 
wuhoatu
just joined
Topic Author
Posts: 8
Joined: Tue Nov 15, 2022 4:22 am

Re: Surfshark VPN does not work with WG on MT

Fri Nov 25, 2022 3:43 pm

Need to see the config on the MT
/export file=anynameyouwish ( minus router serial number and any public WANIP info )
Thank you @anav for your support. Bellows is export file content:
# nov/25/2022 20:26:53 by RouterOS 7.6
# software id = DLIQ-U8Q4
#
# model = RB760iGS
# serial number = <S/N here>
/interface bridge
add add-dhcp-option82=yes dhcp-snooping=yes igmp-snooping=yes name=LAN
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on name=WAN1
set [ find default-name=ether2 ] disabled=yes loop-protect=on name=WAN2
set [ find default-name=ether3 ] loop-protect=on
set [ find default-name=ether4 ] loop-protect=on
set [ find default-name=ether5 ] loop-protect=on poe-out=off
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add listen-port=13231 name=WG-Surfshark
/interface pppoe-client
add add-default-route=yes disabled=no interface=WAN1 name=PPPoE service-name=\
    078995MEN use-peer-dns=yes user=vu-thinh
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name="LocalPool()" ranges=192.168.1.101-192.168.1.164
/ip dhcp-server
add address-pool="LocalPool()" interface=LAN name=LocalDHCP
/port
set 0 name=serial0
/routing table
add disabled=no fib name=to-WGuard
/system logging action
set 0 memory-lines=100
/interface bridge port
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=all internet-interface-list=*2000010 \
    wan-interface-list=*2000010
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=vn-hcm.prod.surfshark.com \
    endpoint-port=51820 interface=WG-Surfshark public-key=\
    "Mioou38fh5H+3LWMpitLOWT3JaDGg2gXxqjl2eXkPFU="
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h

/ip dhcp-server network
add address=10.14.0.0/24 dns-server=162.252.172.57,149.154.159.92 gateway=\
    10.14.0.1
add address=192.168.1.0/24 dns-server=162.252.172.57,149.154.159.92 gateway=\
    192.168.1.1
/ip dns
set servers=162.252.172.57,149.154.159.92

/ip firewall filter
add action=accept chain=input comment="Allow access Winbox from Local IP" \
    dst-port=8291 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward out-interface=WG-Surfshark src-address=\
    192.168.1.230
add action=drop chain=input comment="Block Black List" src-address-list=\
    BlackList
/ip firewall nat
add action=masquerade chain=srcnat comment=ISP out-interface=PPPoE
add action=masquerade chain=srcnat comment=WG-Surfshark out-interface=\
    WG-Surfshark

/ip route
add check-gateway=bfd disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    WG-Surfshark pref-src="" routing-table=to-WGuard scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=LAN type=internal
add interface=PPPoE type=external
/routing rule
add action=lookup disabled=no src-address=192.168.1.230/32 table=to-WGuard
/system clock
set time-zone-name=Asia/Bangkok
/system logging
set 0 disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.windows.com
add address=time.google.com
add address=time.nist.gov
/tool bandwidth-server
set enabled=no
/tool mac-server ping
set enabled=no
I also tried to change MTU from 1420 to 1500 but no luck.
I had similar problems with SurfShark (coming from Mullvad) and to get internet access I had to use:
/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu tcp-flags=syn protocol=tcp out-interface=wg0
Although I still seem to get some weird connection / speed issues with this. If I run consecutive speed tests (speedtest.net) my upload speed will regularly register as 0Mbps but it won't do it every time.

No idea what's going on or whether this is related to "clamp-to-pmtu" not being the correct fix.
Thank you @mmotti for sharing. clamp-to-pmtu does not work for me.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14401
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Surfshark VPN does not work with WG on MT

Fri Nov 25, 2022 4:15 pm

Naming the bridge LAN, is very confusing for us MT types as LAN is very much used to identify an interface list and attach members to it.......

I would use the word bridge-lan or just bridge

Then create my interface list
add name=WAN
add name=LAN

and interface list members
add interface=ether1 list=WAN
add interface=PPPoE list=WAN
add interface=bridge list=LAN



Then I would use this
/ip neighbor discovery-settings
set discover-interface-list=LAN


THis needs to be changed to NONE
/interface detect-internet
set detect-interface-list=NONE


Change IP address to
add address=10.14.0.2/24 interface=WG-Surfshark network=10.14.0.0

REMOVE THIS , no idea why you put this here........... You dont dhcp server wireguard !!!!!.
add address=10.14.0.0/24 dns-server=162.252.172.57,149.154.159.92 gateway=\
10.14.0.1

Why are you only allowing one LAN IP address to go out wireguard? Was that your intent?
add action=accept chain=forward out-interface=WG-Surfshark src-address=\
192.168.1.230


If these are your only firewall rules and you are attached to the internet, then I cannot help you further until you fix them.
Suggest take a look at - viewtopic.php?t=180838

Other than that see no issues LOL

++++++++++++++++++++++++++++
In summary the only things that could be interfering that I see are the DHCP server entry, and the detect internet is known to cause funny issues so best to set to NONE. The rest are comments to make the config better.
 
wuhoatu
just joined
Topic Author
Posts: 8
Joined: Tue Nov 15, 2022 4:22 am

Re: Surfshark VPN does not work with WG on MT

Sun Nov 27, 2022 5:25 am

thank you @anav. I made all changes as your recomendation.

especially IP address has been changed to
add address=10.14.0.2/24 interface=WG-Surfshark network=10.14.0.0
This is also be done
REMOVE THIS , no idea why you put this here........... You dont dhcp server wireguard !!!!!.
add address=10.14.0.0/24 dns-server=162.252.172.57,149.154.159.92 gateway=\
10.14.0.1
Why are you only allowing one LAN IP address to go out wireguard? Was that your intent?
add action=accept chain=forward out-interface=WG-Surfshark src-address=\
192.168.1.230
I intent to test VPN for my laptop only, not all LAN IP. However, it also change to LAN IP 192/168.1.0/24 with no success
I can ping to any internet site but cannot access with any browser. Only google.com can accessed and working normally with browser.
 
mmotti
just joined
Posts: 15
Joined: Thu Nov 17, 2022 9:50 pm

Re: Surfshark VPN does not work with WG on MT

Sun Nov 27, 2022 1:42 pm

Thank you @mmotti for sharing. clamp-to-pmtu does not work for me.
Just checking - Did you change wg0 in the snippet I provided from wg0 to your WG interface name?
 
wuhoatu
just joined
Topic Author
Posts: 8
Joined: Tue Nov 15, 2022 4:22 am

Re: Surfshark VPN does not work with WG on MT

Sun Nov 27, 2022 2:29 pm

Thank you @mmotti for sharing. clamp-to-pmtu does not work for me.
Just checking - Did you change wg0 in the snippet I provided from wg0 to your WG interface name?
absolutely. No working. Thx U
 
wuhoatu
just joined
Topic Author
Posts: 8
Joined: Tue Nov 15, 2022 4:22 am

Re: Surfshark VPN does not work with WG on MT

Sat Jan 07, 2023 12:44 pm

Surfshark VPN finally works with my Hex S and Wireguard.
The most important thing is mangle script change MSS

/interface wireguard
add listen-port=51820 mtu=1420 name=WG-Surfshark

/routing table
add disabled=no fib name=to-WireGuard

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=sg-sng.prod.surfshark.com \
endpoint-port=51820 interface=WG-Surfshark public-key=\
"Public Key of VPN Server Here"

/ip address
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0

/ip firewall mangle
add action=change-mss chain=forward comment="Modification for Surfshark" \
new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

add action=mark-routing chain=prerouting dst-address-list=YourIP_List \
dst-address-type=!local new-routing-mark=to-WireGuard passthrough=yes \
src-address=192.168.1.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="WG-Hongkong VPN" out-interface=WG-Surfshark

/ip route
add check-gateway=bfd disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
WG-Surfshark pref-src="" routing-table=to-WireGuard scope=30 \
suppress-hw-offload=no target-scope=10

Who is online

Users browsing this forum: Semrush [Bot] and 22 guests