Community discussions

MikroTik App
 
kakana
just joined
Topic Author
Posts: 9
Joined: Fri Mar 04, 2022 1:12 pm

VPN killswitch in ROS7

Thu Mar 24, 2022 1:13 pm

I am trying to implement a killswitch for ProtonVPN IPsec setup. However, their guide provides commands only for ROS6. So I am trying to translate these for ROS 7.1:
/interface bridge add name=protonvpn_blackhole protocol-mode=none
/ip route add gateway=protonvpn_blackhole routing-mark=protonvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes
I came up with something like this:
/routing table add name=protonvpn_blackhole fib
/ip firewall mangle add chain=prerouting src-address-list=10.0.20.0/24 action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes
However, , it doesn't seem to work as when the VPN is down, I am still able to access internet using my ISPs IP and DNS. Do you have any suggestions how to better translate the recommended killswitch from ROS6 to 7.1?
 
kevinds
Member
Member
Posts: 423
Joined: Wed Jan 14, 2015 8:41 am

Re: VPN killswitch in ROS7

Fri Apr 15, 2022 1:43 am

I would remove the default route going to your ISP. Set a single route for the VPN server..

With the default route set for the VPN, no other traffic will have a route if the VPN is down.

Removing other src-nat rules so that only the VPN's interface src-nat rule provides NAT would work too.
 
msatter
Forum Guru
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: VPN killswitch in ROS7

Fri Apr 15, 2022 9:35 pm

If you remove the default gateway then IKEv2 also stops working because it is also used that to make their connection.
 
avraamd
just joined
Posts: 7
Joined: Mon Oct 11, 2021 6:11 pm

Re: VPN killswitch in ROS7

Sat May 07, 2022 2:11 pm

I am trying to implement a killswitch for ProtonVPN IPsec setup. However, their guide provides commands only for ROS6. So I am trying to translate these for ROS 7.1:
/interface bridge add name=protonvpn_blackhole protocol-mode=none
/ip route add gateway=protonvpn_blackhole routing-mark=protonvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes






I came up with something like this:
/routing table add name=protonvpn_blackhole fib
/ip firewall mangle add chain=prerouting src-address-list=10.0.20.0/24 action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes
However, , it doesn't seem to work as when the VPN is down, I am still able to access internet using my ISPs IP and DNS. Do you have any suggestions how to better translate the recommended killswitch from ROS6 to 7.1?
Did you manage to translate it to ROS7 successfully? I also have this problem.
 
kakana
just joined
Topic Author
Posts: 9
Joined: Fri Mar 04, 2022 1:12 pm

Re: VPN killswitch in ROS7  [SOLVED]

Fri May 27, 2022 12:42 am

Sorry, I didn't receive any notification about new posts in this discussion. I contacted ProtonVPN and here is what they sent me, which seems to work fine:
/interface bridge add name=protonvpn_blackhole protocol-mode=none
/routing table add name=protonvpn_blackhole fib
/ip firewall mangle add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes
/ip route add routing-table=protonvpn_blackhole gateway=protonvpn_blackhole
 
msatter
Forum Guru
Forum Guru
Posts: 2716
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: VPN killswitch in ROS7

Fri May 27, 2022 4:42 am


However, , it doesn't seem to work as when the VPN is down, I am still able to access internet using my ISPs IP and DNS. Do you have any suggestions how to better translate the recommended killswitch from ROS6 to 7.1?
Did you manage to translate it to ROS7 successfully? I also have this problem.

You have this src-address-list=10.0.20.0/24 and should be src-address=10.0.20.0/24
 
surinameclubcard
just joined
Posts: 13
Joined: Fri Mar 20, 2020 2:26 pm

Re: VPN killswitch in ROS7

Tue Aug 09, 2022 12:13 am

Sorry, I didn't receive any notification about new posts in this discussion. I contacted ProtonVPN and here is what they sent me, which seems to work fine:
/interface bridge add name=protonvpn_blackhole protocol-mode=none
/routing table add name=protonvpn_blackhole fib
/ip firewall mangle add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_blackhole passthrough=yes
/ip route add routing-table=protonvpn_blackhole gateway=protonvpn_blackhole
Unfortunately this didn't work for me. Adding this snippet disallows clients to communicate through the IPsec completely. If I disable the mangle line, it instantly works again. I have no clue about this. ROS 7.4 on RB4011.
 
Romanowski
just joined
Posts: 1
Joined: Thu Oct 13, 2022 4:25 am

Re: VPN killswitch in ROS7

Mon Oct 31, 2022 4:17 pm

Has there been any update on this? I would like to implement the same thing

Who is online

Users browsing this forum: Amazon [Bot], Semrush [Bot] and 17 guests