Community discussions

MikroTik App
 
stiga
just joined
Topic Author
Posts: 14
Joined: Sat Apr 10, 2021 4:19 am

hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sat Nov 26, 2022 4:46 pm

Hi,
Just purchased a hEX RB750Gr3.
ether1 is connected to my network, and got an internal IP.
Managed to configure surfshark and got the VPN connection working _on_ det hEX istelf.
DNS is working. I can ping google.com.
But connecting to ether2,ether3,ether4 or ether5 is not working.

What I would like is to connect to
ether2 - and get VPN connection to Denmark
ether3 - and get VPN connection to Finland
ether4 - and get VPN connection to USA
ether5 - and get VPN connection to Germany

How do I brigde/connect the ether-ports to be able to use different VPN connections ?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sat Nov 26, 2022 5:00 pm

viewtopic.php?p=908118

That is not how wireguard works.... its peer to peer!
You will need a new IP and a different wireguard interface for each location
 
stiga
just joined
Topic Author
Posts: 14
Joined: Sat Apr 10, 2021 4:19 am

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sat Nov 26, 2022 5:15 pm

Ah, that makes sense. Thank you. Only one VPN connection can be enabled with wireguard.
Next step is to get PC that are connected to ether2-5 to be able to use the VPN then.
 
Sob
Forum Guru
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sat Nov 26, 2022 6:58 pm

You can have many connections even with single WG interface. But remote addresses must not overlap. But when you want to route traffic to internet over it (i.e. remote address can be anything), they would always overlap. So you need separate WG interface for each.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sat Nov 26, 2022 7:08 pm

Well stated as the op seemingly wants internet access to various sites and since such an allowed IP setting is 0.0.0.0/0 on the wireguard, it becomes clear that a different wireguard interface is required as the router would always pick the first peer for every internet attempt. ( order counts ) and never attempt to reach the rest of the sites.
 
stiga
just joined
Topic Author
Posts: 14
Joined: Sat Apr 10, 2021 4:19 am

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sat Nov 26, 2022 8:37 pm

Do I need to setup dhcp server on the hEX for ether2-5 ?.
Try to read up here;
https://help.mikrotik.com/docs/display/ROS/WireGuard
https://help.mikrotik.com/docs/display/ROS/DHCP
Also trying to youtube too..
https://www.youtube.com/watch?v=P6f8Qc4EItc
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sat Nov 26, 2022 10:04 pm

Wont give any advice until you decide what the requirements are, seems to be a bit disjointed at the moment.
Try drawing a network diagram to show your intentions.
Then post full config
/export file=anynameyouwish ( minus router serial number or any public WANIP information )
 
stiga
just joined
Topic Author
Posts: 14
Joined: Sat Apr 10, 2021 4:19 am

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sat Nov 26, 2022 11:59 pm

Okey, so what i'm trying to figure out is how to use this device, as a "easy connect to different vpn countries".
Did manage to enable dhcp server and when I connect PC to ether2/3/4/5 - check whatsmyip - and I can see that i'm using the VPN tunnel. I can ping google.com etc, but I cannot use web or netflix.

My config:
# nov/26/2022 22:36:40 by RouterOS 7.6#
# model = RB750Gr3

/interface bridge
add fast-forward=no name=BridgeLAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1.ISP
/interface wireguard
add listen-port=13231 mtu=1420 name=Wireguard-Denmark
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=se
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1.LAN ranges=192.168.50.2-192.168.50.100
/ip dhcp-server
add address-pool=pool1.LAN interface=BridgeLAN name=server1.LAN
/port
set 0 name=serial0
/interface bridge port
add bridge=BridgeLAN interface=ether2
add bridge=BridgeLAN interface=ether3
add bridge=BridgeLAN interface=ether4
add bridge=BridgeLAN interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1.ISP list=WAN
add list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=195.26.6.39 endpoint-port=\
    51820 interface=Wireguard-Denmark public-key=\
    "oUFRc+2234gogDVWnJF4RAzr72P5afCzMVeQOgG92lY="
/ip address
add address=10.14.0.2/16 interface=Wireguard-Denmark network=10.14.0.0
add address=192.168.50.1/24 interface=BridgeLAN network=192.168.50.0
/ip dhcp-client
add interface=ether1.ISP
/ip dhcp-server network
add address=192.168.50.0/24 comment="LAN DHCP" gateway=192.168.50.1 netmask=\
    24
/ip dns
set allow-remote-requests=yes servers=162.252.172.57,149.154.159.92,8.8.8.8
/ip firewall address-list
add address=192.168.1.0/24 list=Surfshark
/ip firewall filter
add action=accept chain=output
add action=accept chain=input disabled=yes
add action=accept chain=forward
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=ether1.ISP
add action=masquerade chain=srcnat out-interface=Wireguard-Denmark
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Wireguard-Denmark \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=195.26.6.39/32 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=\
    Wireguard-Denmark pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.0.10/32 gateway=\
    Wireguard-Denmark pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
 
stiga
just joined
Topic Author
Posts: 14
Joined: Sat Apr 10, 2021 4:19 am

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sun Nov 27, 2022 12:13 am

Tried to draw this.
Untitled Diagram.drawio.png
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sun Nov 27, 2022 3:23 am

Not interested in a config with a firewall that is non-existent. If its facing the internet you should at least have a decent firewall.
viewtopic.php?t=180838
/ip firewall filter ?????
add action=accept chain=output
add action=accept chain=input disabled=yes
add action=accept chain=forward


What I dont understand are your routes.

You need
a. standard route for going out your WANIP address

THen for wireguard you need.
a. table

/routing table
add name=use-WG-Denmark fib

b. a route.
add dst=address=0.0.0.0/0 gwy=Wireguard-Denmark table=use=WG-Denmark

c. a routing rule to force people out wireguard and not the local WANIP.
but we dont know quite enough yet to formulate ........
+++++++++++++++++++++++++++++++++

Now we need to know what your requirements are.
Which LAN subnet should go out wireguard and if wireguard is not working for whatever reason should they be able then to fall back on and use the local WANIP?
Last edited by anav on Sun Nov 27, 2022 3:26 am, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sun Nov 27, 2022 3:26 am

If you are planning on buying enough vpns from a provider, then

a. as many tables needed, one for each wg configuration
/routing table
add name=use-WG-Denmark fib
add name=use-WG-Finland fib
add name=use-WG-USA fib
add name=Use-WG-Germany fib

b. add dst=address=0.0.0.0/0 gwy=Wireguard-Denmark table=use-WG-Denmark
add dst=address=0.0.0.0/0 gwy=Wireguard-Finland table=use-WG-Finland
add dst=address=0.0.0.0/0 gwy=Wireguard-USA table=use-WG-USA
add dst=address=0.0.0.0/0 gwy=Wireguard-Germany table=use-WG-Germany


c. Routing rules.
add src-address=subnetA action=lookup table=use-WG-Denmark
add src-address=subnetB action=lookup table=use-WG-Finland
add src-address=subnetC action=lookup table=use-WG-USA
add src-address=subnetD action=lookup table=use-WG-Germany


+++++++++++++++++++
As stated need more info for routing rules. Which Subnet going out which wireguard tunnel.
You could have users select this on a WIFI basis, with SSIDs identifying the vlan/subnet and thus users decide.

In addition another consideration is subnet to subnet traffic. You should note that user will NOT be able to visit other subnets UNLESS you add additional rules allowing this PRIOR to the subnet being forced out the internet via wireguard.

Typically one uses a destination address
add dst-address=subnetA action=lookup-only-in-table table=main { all users in every other subnet wanting to go to subnet A, will be sent to main table and thus will reach subnet A }
 
wuhoatu
just joined
Posts: 8
Joined: Tue Nov 15, 2022 4:22 am

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sun Nov 27, 2022 7:58 am

It seems that you have no routing table nor routing rule.
Okey, so what i'm trying to figure out is how to use this device, as a "easy connect to different vpn countries".
Did manage to enable dhcp server and when I connect PC to ether2/3/4/5 - check whatsmyip - and I can see that i'm using the VPN tunnel. I can ping google.com etc, but I cannot use web or netflix.

My config:
# nov/26/2022 22:36:40 by RouterOS 7.6#
# model = RB750Gr3

/interface bridge
add fast-forward=no name=BridgeLAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1.ISP
/interface wireguard
add listen-port=13231 mtu=1420 name=Wireguard-Denmark
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=se
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1.LAN ranges=192.168.50.2-192.168.50.100
/ip dhcp-server
add address-pool=pool1.LAN interface=BridgeLAN name=server1.LAN
/port
set 0 name=serial0
/interface bridge port
add bridge=BridgeLAN interface=ether2
add bridge=BridgeLAN interface=ether3
add bridge=BridgeLAN interface=ether4
add bridge=BridgeLAN interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1.ISP list=WAN
add list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=195.26.6.39 endpoint-port=\
    51820 interface=Wireguard-Denmark public-key=\
    "oUFRc+2234gogDVWnJF4RAzr72P5afCzMVeQOgG92lY="
/ip address
add address=10.14.0.2/16 interface=Wireguard-Denmark network=10.14.0.0
add address=192.168.50.1/24 interface=BridgeLAN network=192.168.50.0
/ip dhcp-client
add interface=ether1.ISP
/ip dhcp-server network
add address=192.168.50.0/24 comment="LAN DHCP" gateway=192.168.50.1 netmask=\
    24
/ip dns
set allow-remote-requests=yes servers=162.252.172.57,149.154.159.92,8.8.8.8
/ip firewall address-list
add address=192.168.1.0/24 list=Surfshark
/ip firewall filter
add action=accept chain=output
add action=accept chain=input disabled=yes
add action=accept chain=forward
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=ether1.ISP
add action=masquerade chain=srcnat out-interface=Wireguard-Denmark
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Wireguard-Denmark \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=195.26.6.39/32 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=\
    Wireguard-Denmark pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.0.10/32 gateway=\
    Wireguard-Denmark pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
So I don't think that your internet connection working via Surfshark.
I am now stuck with making Surfshark+WG working on my HexS.
Managed to configure surfshark and got the VPN connection working _on_ det hEX istelf.
 
stiga
just joined
Topic Author
Posts: 14
Joined: Sat Apr 10, 2021 4:19 am

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sun Nov 27, 2022 1:36 pm

The device is behind a firewall, pfsense, already and gets an internal ip from the firewall/dhcp server.
The "allow all firewall" on the hEX is just to make sure that its not dropping anything.. but this I can adjust and tighten again, when I know it works :)
 
stiga
just joined
Topic Author
Posts: 14
Joined: Sat Apr 10, 2021 4:19 am

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sun Dec 04, 2022 1:01 pm

Okey, I will try to setup the device all over again. Really want this to work.
Its easy to the the surfshark software on a pc, but would be nice to have it working on the device - so I could just connect to see netflix from another country :)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

Sun Dec 04, 2022 9:18 pm

Yup it should just work.
Post your latest config and I will have another look.
Lets start with one good wireguard connection, after that just buy more connections from the provider one for each country.

Who is online

Users browsing this forum: Semrush [Bot] and 34 guests