Unblocking specific *blocked* domains on MikroTik using PPTP VPN

Since JIO, Airtel and VIL have all implemented stricter blocking of adult and piracy sites, even over HTTPS, users have had to turn on a VPN just to reach them. Circumventing censorship is one purpose of a VPN, but in most cases it also adds latency and reduces throughput significantly (there are exceptions, of course: a VPN can improve speeds if the ISP has bad routing). This makes a full-tunnel VPN less than ideal for general use.

There are DPI circumvention tools such as GoodbyeDPI and GreenTunnel (the latter has a nice GUI) which we can run on individual devices or, if we have a Linux-based router, for the entire network.

However, it is really hard to install any of these on MikroTik.

In this 'guide' I will show how to route traffic to specific websites through a PPTP VPN on MikroTik using mangle routing marks, so that everything else keeps going straight out over the ISP.

Notes:
1. This does not improve our privacy in any way: only traffic to the sites we specify goes through the VPN, and the VPN provider can see that traffic.
2. PPTP is no longer a secure protocol (its MS-CHAPv2 authentication and MPPE encryption are broken, so the tunnel should be treated as unencrypted), but it has very little performance overhead and is very easy to set up on MikroTik. That is acceptable here because the tunnel is only used to get past the ISP's blocking, not for confidentiality; the sites' own HTTPS still protects the content.

Steps:
1. Get a 'free' PPTP VPN login from a site such as Free VPN • 100% Free PPTP and OpenVPN Service or Free VPN - Free Anonymous OpenVPN Service. Do note that these sites may log our connection attempts and change their passwords every one to two weeks. Alternatively, we can pay for a VPN with PPTP support such as PIA, IPVanish or ExpressVPN (some providers, like NordVPN, have unfortunately stopped supporting PPTP), or set up our own VPN on a VPS such as DigitalOcean, Vultr or AWS using a simple script like bedefaced/vpn-install.
2. In Winbox go to Interfaces > click the blue '+' sign > PPTP Client.
[screenshot: 1.PNG]

3. Enter the PPTP details from the first step. Leave 'Add Default Route' unchecked: a default route added by the client lands in the main routing table and cannot be tied to a routing mark, so it would pull all traffic into the tunnel instead of just the sites we pick. In my case I'm using the IPVanish Singapore server, as it has no censorship whatsoever and the lowest latency of any server (other than India).
[screenshot: 3.png]

  • If we use VPNBook or FreeVPN, we use the PPTP server address given on their website.
  • If we used the script mentioned earlier to create our own PPTP server, the PPTP username and password are printed when the script completes.
  • We can confirm the PPTP link is working by looking at the bottom right of the PPTP Client window; it should say 'Connected'. If it never does, remember that PPTP needs TCP port 1723 plus GRE (IP protocol 47) to pass between the router and the server; GRE is often dropped behind carrier-grade NAT.
4. Go to IP > Firewall > Address Lists in Winbox. In 'Name' enter an easy to remember name (in my case 'blocked-sites') and in 'Address' type the domain or IP/prefix we want to go through the VPN, one entry per list item.
[screenshots: 2.png, 14.png]

  • If we use domain names, RouterOS resolves them with the router's own DNS servers, adds the resulting IP addresses as dynamic entries and re-resolves them when the DNS TTL expires. This only works if the router's DNS (IP > DNS) points at a resolver the ISP does not tamper with; if it uses the ISP's resolver and that returns a block-page address, the block-page address is what ends up in the list. In my case I want leetx.to to go through my VPN.
  • We can also add a range of IP addresses in CIDR notation, such as a /24, /16 or /12. For example, to send Cloudflare-hosted sites through the VPN we can add Cloudflare prefixes such as 104.28.80.0/20; the prefixes announced by an ASN can be looked up on BGPView.io or bgp.he.net, e.g. https://bgp.he.net/AS13335#_prefixes. Keep in mind that a whole prefix sends every site behind it through the tunnel, not just the blocked one.
  • Be sure to use the same list name for all the addresses, as that lets one mangle rule match and route them together.
  • You can use the 'Copy' button to add many sites quickly, or use the command line.
5. Now we 'mark' the packets that should go through the VPN using a Mangle rule; specifically, we mark packets whose destination is in the address list we made earlier. To do this:
[screenshots: 4.png, 5.png, 6.png, 7.png]

  • In Winbox, go to IP > Firewall > Mangle and click the blue '+' sign at the top left of the Firewall window. Leave 'Chain' at 'prerouting' so the rule sees packets coming from LAN clients.
  • Go to the 'Advanced' tab and in 'Dst. Address List' select the name we gave to the address list in step 4, in my case 'blocked-sites'.
  • Go to the 'Action' tab, change 'Action' from 'accept' to 'mark routing', and make sure 'Passthrough' at the bottom of the window is unchecked so no later mangle rule overwrites the mark.
  • In 'New Routing Mark' type an easy to remember name, in my case 'pptp-vpn'.
6. In this step we route the packets marked with that routing mark through our VPN. To do this:
[screenshot: pla.png]

  • Go to IP > Routes and click the blue '+' sign at the top left.
  • Leave 'Dst. Address' at 0.0.0.0/0 and in 'Gateway' select 'pptp-out1', or whatever name we gave the PPTP interface in step 2.
  • Change 'Routing Mark' to the one we made in step 5, in my case 'pptp-vpn'. Only packets carrying that mark consult this route; everything else keeps using the main table.
7. Finally, we create a Masquerade rule for the VPN so that packets from our LAN clients leave the tunnel with the tunnel's own IP as source. The VPN server has no route back to our private LAN, so without this the replies would never return. To do this:
[screenshots: 11.png, 9.png, 10.png]

  • Go to IP > Firewall in Winbox.
  • Go to the 'NAT' tab and click the blue '+' sign at the top left of the window; leave 'Chain' at 'srcnat'.
  • Set 'Out. Interface' to 'pptp-out1', or the name we gave the PPTP client in step 2.
  • Go to the 'Action' tab and set the action to 'masquerade' using the drop-down.

That is it! To confirm that the sites in the address list are routed through the VPN, run a traceroute from a LAN client to the blocked IP/domain; the first hops after the router should be the VPN's, not the ISP's. Run it from a client, not from the router itself: the router's own traffic goes through the output chain, which the prerouting mangle rule does not see. Now the traffic to the blocked site I put in the address list earlier, leetx.to, is going through my VPN.
[screenshot: 12.png]
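The same configuration as a RouterOS 6.x terminal script, added here as an example rather than taken from the original post. The server address, username, password and DNS resolver addresses are placeholders to replace with your own; the interface name pptp-out1, list name blocked-sites and mark pptp-vpn match the names used in the steps above.

```routeros
# Added example (not from the original post): RouterOS 6.x CLI equivalent of steps 2-7.
# Assumed placeholders: vpn.example.net / vpnuser / vpnpass and the resolver addresses.

# Steps 2-3: PPTP client. add-default-route=no so only marked packets use the tunnel.
/interface pptp-client add name=pptp-out1 connect-to=vpn.example.net \
    user=vpnuser password=vpnpass add-default-route=no disabled=no

# Router DNS: use a resolver the ISP does not tamper with, otherwise the domain
# entries below may resolve to the ISP's block page and that IP ends up in the list.
/ip dns set servers=1.1.1.1,9.9.9.9

# Step 4: destinations to send through the tunnel. A domain entry is resolved by
# the router and refreshed on TTL expiry; a prefix entry matches every host in it.
/ip firewall address-list add list=blocked-sites address=leetx.to \
    comment="domain, resolved by router DNS"
/ip firewall address-list add list=blocked-sites address=104.28.80.0/20 \
    comment="Cloudflare prefix from AS13335"

# Step 5: routing mark for LAN traffic to those destinations (prerouting chain,
# passthrough=no so no later mangle rule overwrites the mark).
/ip firewall mangle add chain=prerouting dst-address-list=blocked-sites \
    action=mark-routing new-routing-mark=pptp-vpn passthrough=no \
    comment="selective VPN"
# Optional: also mark the router's own traffic (traceroute/ping from the router).
# /ip firewall mangle add chain=output dst-address-list=blocked-sites \
#     action=mark-routing new-routing-mark=pptp-vpn passthrough=no

# Step 6: only packets carrying the mark consult this route.
/ip route add dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=pptp-vpn

# Step 7: source NAT so LAN clients leave the tunnel with the tunnel's address.
/ip firewall nat add chain=srcnat out-interface=pptp-out1 action=masquerade

# Checks: the list should hold resolved addresses, the tunnel should be up,
# and the marked route should be active (flag A, not inactive).
/ip firewall address-list print where list=blocked-sites
/interface pptp-client monitor pptp-out1 once
/ip route print where routing-mark=pptp-vpn
```

Note that with no "Add Default Route", the main table is untouched, so a mistake in these rules can only affect traffic to the listed destinations; everything else keeps its normal ISP path.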

To turn this selective routing off, simply disable the Mangle marking rule we created in step 5. Note that the same thing happens silently if the PPTP tunnel goes down: with no usable route in the 'pptp-vpn' table, marked packets fall back to the main table and go straight out through the ISP.
[screenshots: 16.png, 13.png]


Funnily enough, ping to leetx is lower with the VPN on.
 
