Hello everyone! This is something that has been on my to-do list for a while now, but I just found some time to make it happen. Whether you are a person who values privacy highly or just want to hide your public IP address from services, this is for you.

The reason I wanted to do this is that I have my network divided into several subnets using VLANs. For example, I have one for IoT devices and one for guests. They have different rules for what they can access in my network.

IoT are really specific because is full for cloud devices (and you really don’t know with whom they are in contact and where they are sending information).

Wireguard

I decided to use wireguard because is easy to install and setup on various devices. I chose ProtonVPN (as I have subscribed for it). Guide for setting-up with mikrotik devices is here How to setup Proton VPN on MikroTik routers using WireGuard YYou can follow it there, I just put a summary here:

1. Create Wireguard interface & peer

1
2
3
4
5
6

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet private-key=”your private key”
/ip address
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=xxxxx interface=wireguard-inet persistent-keepalive=25s public-key="your public key"

2. Enable masquerade

1
2

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24

3. And redirect trafic trough Wireguard

1
2
3

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Also redirect the Wireguard IP address through the main provider’s gateway.

1
2

/ip route
add disabled=no dst-address=x.x.x.x/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no

The problem: VLANs

The above instructions work fine, but there is a problem with my setup. I wanted to redirect only certain VLANs through VPN. I wanted the main network to access the internet without VPN, while my IoT devices communicate through VPN to hide my public IP address.

Here are some configuration changes I made for my setup.

1. The solution: Create new routing table

This routing table will hold rules for VPN routing

1
2

/routing/table
add name="proton" fib

2. Update rules for proton table

To do this add routing-table=proton to the rules. The script will looks like this

1
2
3

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10 routing-table=proton
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10 routing-table=proton

And also update the rule that tells where to route the Wireguard IP address.

1
2

/ip route
add disabled=no dst-address=x.x.x.x/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no routing-table=proton

If you now check your route list, you should have 3 rules in the Proton routing table, among others from the main table.

3. Tell the router where it have to route your VLAN

You can do this by creating a new rule in the firewall mangle. For example

1
2
3

/ip/firewall/mangle
add chain=prerouting action=mark-routing new-routing-mark=proton passthrough=yes 
in-interface=VLAN-xxx-IoT log=no log-prefix=""

The end

Also, don’t forget to change any firewall rules you have (if you have any) for your VLANs. You probably (like me) allow access to the internet through the main interface (in most cases ether1), but since you marked the connection with proton table, the VLAN interface will be able to go out through that interface because there is no default rule on that interface in proton table. You need to change it to the wireguard interface of your proton VPN.