As JIO, Airtel and VIL have all implemented stricter blocking of adult and piracy sites, even over HTTPS, it has become really annoying for users to turn on a VPN just to unblock these sites. One purpose of a VPN is to circumvent censorship, but in most cases it also adds latency and reduces speeds significantly (there are exceptions, of course, where a VPN can improve speeds if the ISP has bad routing). This makes a VPN less than ideal for general use.
There are DPI circumvention tools such as GoodbyeDPI and GreenTunnel (the latter has a nice GUI) that we can use on individual devices or, if we have a Linux-based router, for the entire network:
- ValdikSS/GoodbyeDPI (https://github.com/ValdikSS/GoodbyeDPI): Deep Packet Inspection circumvention utility (for Windows)
- SadeghHayeri/GreenTunnel (https://github.com/SadeghHayeri/GreenTunnel): an anti-censorship utility designed to bypass the DPI system that various ISPs put in place to block access to certain websites
- bol-van/zapret (https://github.com/bol-van/zapret): DPI bypass, multi-platform
- krlvm/PowerTunnel (https://github.com/krlvm/PowerTunnel): powerful and extensible proxy server with anti-censorship functionality
However, it's really hard to install any of these on MikroTik.
In this 'guide' I will show how to route specific websites through a PPTP VPN on MikroTik using mangle routing marks (policy routing).
Notes:
1. This doesn't improve our privacy in any way; the only traffic that will go through the VPN is traffic to the sites specified.
2. PPTP isn't a secure protocol anymore, but it has very low performance overhead and is very easy to set up on MikroTik.
Steps:
1. Get a 'free' PPTP VPN login from a site such as Free VPN • 100% Free PPTP and OpenVPN Service or Free VPN - Free Anonymous OpenVPN Service. Do note that these sites may log our connection attempts and change their passwords every one to two weeks. Alternatively, we can pay for a VPN with PPTP support such as PIA, IPVanish or ExpressVPN. Some providers like NordVPN have unfortunately stopped supporting PPTP. We can also set up our own VPN on a VPS like DigitalOcean, Vultr or AWS using simple scripts like bedefaced/vpn-install.
2. In MikroTik Winbox go to Interfaces>Click on the blue '+' sign>PPTP Client.
3. Enter the PPTP details that we got in the first step; do not add a default route, as for some reason we can't add a connection mark to it. In my case I'm using the IPVanish VPN Singapore server, as these have no censorship whatsoever and have the lowest latency of any server (other than India).
- If we use VPNBook or FreeVPN, we will use the PPTP server provided on their website.
- If we used the script mentioned earlier to create our own PPTP VPN server, we will see the PPTP username and password when the script completes.
- You can confirm that the PPTP link is working by looking at the bottom right of the PPTP Client window; it should say 'Connected'.
4. Add the sites we want routed through the VPN to an address list (IP>Firewall>Address Lists):
- If we use domain names, RouterOS will dynamically resolve the IP addresses of these domains using DNS and update them whenever they change. In my case I want leetx.to to go through my VPN.
- We can also add a range of IP addresses using CIDR notation such as /24, /16 or /12. For example, if we want Cloudflare sites to go through the VPN we can add Cloudflare's IP ranges such as 104.28.80.0/20; IP prefixes can be obtained from BGPView.io or bgp.he.net by entering the ASN: https://bgp.he.net/AS13335#_prefixes
- Be sure to use the same list name for all the addresses, as it makes grouping and routing them together much easier.
- You can use the 'Copy' button to add many sites easily, or use the command line.
5. Create a Mangle rule that marks traffic destined for the address list:
- In Winbox, go to IP>Firewall>Mangle>Click on the blue '+' sign on the top left of the Firewall window.
- Go to the 'Advanced' tab and in 'Dst Address List', click on the drop-down and select the name we gave to the address list in the 4th step, in my case 'blocked-sites'.
- Go to the 'Action' tab, change 'Action' from 'accept' to 'mark routing' and make sure to uncheck 'Passthrough' at the bottom of the window.
- In 'New Routing Mark' type an easy-to-remember name; in my case I entered 'pptp-vpn'.
6. Add a route for the marked traffic via the VPN:
- Go to IP>Routes>Click on the blue '+' sign on the top left.
- In 'Gateway' select 'pptp-out1' or the name we gave to the PPTP interface in the first step.
- Change the 'Routing Mark' to the one we made in the 5th step, in my case 'pptp-vpn'.
7. Add a NAT rule so traffic leaving through the VPN interface is masqueraded:
- Go to IP>Firewall in Winbox.
- Go to the 'NAT' tab and click on the blue '+' sign on the top left of the window.
- Set 'Out Interface' to 'pptp-out1' or the name we gave to the PPTP Client in the first step.
- Go to the 'Action' tab and set the action to 'masquerade' using the drop-down.
That is it! To confirm that the sites in the address list are routed through the VPN, simply run a traceroute to a blocked IP/domain. Now the traffic to a blocked site I put in the address list earlier, leetx.to, is going through my VPN.
You can simply disable the Mangle marking rule we created in the 5th step to turn off this selective routing.
Funnily enough, ping to leetx is lower with the VPN on.
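The same procedure as a RouterOS command-line script, added here as an example and not taken from the original post. It assumes RouterOS v6 syntax, the names used above ('pptp-out1', 'blocked-sites', 'pptp-vpn'), the default 'prerouting' chain for the Mangle rule, and placeholder values in angle brackets for the PPTP server and credentials, which must be replaced with the details obtained in step 1. The 'selective-vpn' comment is an assumption added so the rules can be found and toggled as a group.

```routeros
# Added example, not from the original post: RouterOS v6 CLI equivalent of the
# Winbox steps above. Values in angle brackets are placeholders to be replaced.

# Steps 2-3: PPTP client without a default route, so only marked traffic uses it.
/interface pptp-client add name=pptp-out1 connect-to=<PPTP_SERVER_PLACEHOLDER> \
    user=<PPTP_USER_PLACEHOLDER> password=<PPTP_PASSWORD_PLACEHOLDER> \
    add-default-route=no disabled=no

# Step 4: address list. A domain entry is resolved by the router's DNS and
# refreshed automatically; the CIDR prefix is the Cloudflare example from the post.
/ip firewall address-list add list=blocked-sites address=leetx.to comment="selective-vpn"
/ip firewall address-list add list=blocked-sites address=104.28.80.0/20 comment="selective-vpn"

# Step 5: Mangle rule that puts a routing mark on traffic headed for the list.
# passthrough=no stops further Mangle processing for these packets.
/ip firewall mangle add chain=prerouting dst-address-list=blocked-sites \
    action=mark-routing new-routing-mark=pptp-vpn passthrough=no comment="selective-vpn"

# Step 6: route used only by packets carrying the routing mark.
/ip route add dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=pptp-vpn comment="selective-vpn"

# Step 7: masquerade whatever leaves through the tunnel interface.
/ip firewall nat add chain=srcnat out-interface=pptp-out1 action=masquerade comment="selective-vpn"

# Verify: the tunnel is up and the path to a listed site goes via the tunnel.
/interface pptp-client monitor pptp-out1 once
/tool traceroute leetx.to

# Turn the selective routing off (or back on) without deleting the rules.
/ip firewall mangle disable [find comment="selective-vpn"]
/ip firewall mangle enable [find comment="selective-vpn"]
```

On RouterOS v7 the route syntax differs: the table must first be created with `/routing table add name=pptp-vpn fib`, and the route uses `routing-table=pptp-vpn` instead of `routing-mark=`; the Mangle, address-list and NAT lines are unchanged.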