In this guide we look at how to get around local/regional ISP blocks on content that is no longer reachable to us, with the help of WireGuard.
There are two options.
The first is to install the client on your device, for example your phone. Convenient if you move around a lot but still need access to the so-called “forbidden content”.
The second is for the happy owner of a MikroTik router with a lot of devices at home on which a VPN client cannot be installed.
The two can be used separately or together.
For either option you will need your own VPN server through which you go out to the world, bypassing your ISP.
Where do I get it?
For several years now, the best value for money has remained Hetzner.
On the plus side:
Servers cost from 3.5 euros per month at 1 Gb/sec. Traffic is counted in one direction only, and the allowance is 20 Tb per month, which is enough with a very, very large margin.
If you register through my link, you immediately get 20 euros credited to your account after passing KYC, and you can use them right away to rent a server, without any preconditions. I.e. just by clicking the referral link you get a server for a few months for free.
Billing is hourly. I.e. if you need a server for 2 hours, you pay for 2 hours of server time. Then, if you no longer need it, delete the server and the money stays on your account.
On the minus side:
At the moment it is not officially possible to register and pay for a server with RF (Russian Federation) documents.
However.
Registration, payment and subsequent use are not connected in any way. What do I mean?
Registration: you can simply buy a registration on the web. There are plenty of resources selling ready-made registrations. (I can’t recommend one specifically, because I don’t have this problem.)
Let’s say you’ve got some kind of Vietnamese account. That’s fine. Next.
Payment.
(Once again, a reminder: with the referral link you won’t have to pay anything for several months.)
RF cards are not accepted for payment. But nothing prevents any other person in the world from paying for the hosting on your behalf, once or on a permanent basis.
How do you pay back the person who paid for you? The easiest way is crypto. Plain and simple. The final cost of the hosting goes up a little, but it may still be lower than what you will find on the web among hosts that accept Russian cards.
If you don’t like Hetzner, look for a host that accepts your cards. Outside the country, of course.
Once you have decided on the hosting, choose an OS. We can use Ubuntu, which every host offers, or Debian if you are more used to it.
We skip the installation of the OS itself (perhaps a separate guide later).
So we are at the server console. Switch to root if you logged in as a regular user.
Black screen, white letters, beauty 🙂
Install WireGuard.
There are a great many installation scripts on the web. They all do approximately the same thing. You can find one yourself, or use a ready-made one:
cd /root
wget https://git.io/wireguard -O wireguard-install.sh
Run the script with the following command and answer a few questions.
bash /root/wireguard-install.sh
Port: can be left at the default. You can change it, but then the change must be taken into account when configuring the MikroTik.
Name: an arbitrary client name.
When choosing a DNS, I recommend AdGuard. Let me explain why. This DNS is from the Adblock team, which supplies a product, a banner and ad cutter, that many of you probably use on your PCs and laptops. But the happy owners of TVs, which can’t have this plugin installed, are forced to watch annoying ads, for example on YouTube. By selecting this DNS you cut ads off already at the level of DNS requests. That is an extra bonus. If you don’t like it, you can always change the DNS servers in the configuration file.
When creating a user, the script also generates a QR code. I.e. if you install the VPN on your phone, all you need to do is scan this code with your phone and the device is set up automatically.
By the end, the script will have created 2 files:
/root/galayda.conf – the settings of one specific client (user). The file can be downloaded to a local PC and imported into the client, and from this file we will take the settings for our MikroTik.
/etc/wireguard/wg0.conf – the global settings on the server.
That’s everything on the server side.
Here are the contents of the file /root/galayda.conf, so it is visually clear what is taken from where and inserted where:
Let’s go directly to the configuration of the MikroTik.
(You can download this file and simply import it into the MikroTik, but we’ll take the long route and work through the bugs and pitfalls on the way.)
Click “WireGuard”, then “+”.
In the window that opens, fill in one single field, “Private Key”. Do not change the ports here, even if you used a non-standard port.
The Private Key is taken from the configuration file above.
A key will appear in the “Public Key” field. It must match the key in the /etc/wireguard/wg0.conf file.
Click “OK”: the client has been created.
Go to the “Peers” tab and click “+”.
Fill in the following fields:
Public Key – here we take the key from the file /root/galayda.conf
Endpoint – the IP address of your server
Endpoint Port – if you left it at the default, set 51820. If you changed it, set the port you chose.
Allowed Address – which addresses are allowed to go through the VPN. For everything, set 0.0.0.0/0
Preshared Key – from the same configuration file.
Keepalive – 00:00:25
Click “Apply”.
Ideally, you should see data at the bottom under “Client Config”. But!
I was configuring MikroTiks for people remotely and this field was not filled in, although the VPN was working properly. I don’t know if it’s a bug or a feature. If the data doesn’t appear, it doesn’t mean you made a mistake.
We will assume that this is a peculiarity of your particular MikroTik. Press “OK” and proceed to the next setting.
As we can see from the configuration file /root/galayda.conf, our MikroTik is allocated the IP address 10.7.0.2/24.
Let’s assign that address on the MikroTik itself.
IP – Addresses – press “+”.
Add the IP with its subnet and select the WireGuard interface (in my example it is wireguard3; in yours it will probably be wireguard1. Take note of this).
Go to IP – Routes.
You should get an automatic route to your VPN server.
Open “New Terminal” and ping our VPN server by its private (tunnel) IP. If the ping succeeds, we can take a smoke break. We have done the most important thing: our MikroTik and our VPN server can see each other.
Now for a lyrical digression.
So, we want everything that does not get through the main provider to be wrapped into the VPN, and the rest to go to our provider as usual. How it works in theory: we create a table with the addresses that our ISP doesn’t like (I will explain how later). This table is stored inside the MikroTik itself. Next, on your TV or PC, you type in, for example, youtube.com. The MikroTik sees that this address is in our table and marks the packet. The packet goes on into the queue for sending, and at the moment of sending the MikroTik sees the mark which says that this packet must be sent not via the default route but via your VPN. That’s the general outline.
So we need a table of “bad” addresses, something that marks packets destined for this list, and a rule that sends marked packets along the desired route.
Create the table:
IP – Firewall – Address Lists
In my example the list is called “spotify”.
And enter there one single domain, for example 2ip.ru
Click “OK” and see that the table now contains not only the domain but also the IP that the MikroTik itself resolved for it.
Mark the packets that will be sent to the addresses in our table.
IP – Firewall – Mangle, “+”
The “General” tab
In the “Chain” field, select “prerouting”
In the Dst. Address List field – “spotify”
The “Action” tab
In the Action field, select “mark routing”.
In the “New Routing Mark” field, enter an arbitrary name. In my example it is mark_vpn
And here’s another “rake” (pitfall) to step on! On some MikroTiks you can type into this field, on others you can only select from what already exists. And since only the main table exists, there is nothing to choose from. 🙁
I don’t know, maybe this setting was moved to another tab somewhere, but I got around this problem by simply creating the table from the command line.
If you were able to type it in – great – click “Apply” and skip a few lines ahead.
The less lucky ones go to New Terminal and execute this command:
/routing table add disabled=no fib name=mark_vpn
Found where they hid this setting in version 7.
Go to “Routing”, “Tables”.
Click “+” and add the name of our table.
After that the mark_vpn mark appears in the Action field and can be selected.
Specify a route for these packets:
Go to IP – Routes, “+”
Create a new route. Note that the Gateway field is typed by hand, not selected (remember what you have at the end of the address in the config, most likely the number 1).
In the “Routing Table” field, select the “mark_vpn” table.
Press “Apply”.
There’s just a little bit left.
IP – Firewall – NAT, “+”
Create a rule:
General tab
In the Chain field, select “srcnat”
In the Out. Interface field, select the WireGuard interface
Go to the Action tab and select “masquerade”
Press “Apply”.
Take this rule (with the mouse) and drag it to the first position.
And one more touch.
Go to IP – Firewall – Filter Rules.
And disable the following rule (if you don’t, everything will work, but wildly slowed down):
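The whole MikroTik procedure above, as one piece of code. This is an added example, not code from the original guide or from MikroTik: a small Python script that reads the client file the install script produced (the guide's /root/galayda.conf) and prints the equivalent RouterOS 7 terminal commands, so you can see exactly which line of the .conf lands in which MikroTik field. The embedded .conf is a constructed sample with placeholder keys and an example endpoint address; the interface name wireguard1, the list name spotify, the mark mark_vpn and the test domain 2ip.ru are the guide's own; the gateway 10.7.0.1 is derived on the assumption that the server holds the first address of the tunnel subnet (the guide's "most likely the number 1"). The filter rule the guide disables is shown only in a screenshot and is not reproduced.

```python
"""Turn a WireGuard client .conf into the RouterOS commands the guide enters by hand.

Added example, not code from the original guide or from MikroTik.
All key values below are placeholders, not real WireGuard keys.
"""
import configparser
import ipaddress
from dataclasses import dataclass

# Constructed sample in the layout the install script writes to /root/<name>.conf.
SAMPLE_CONF = """\
[Interface]
Address = 10.7.0.2/24
DNS = 94.140.14.14, 94.140.15.15
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = PRESHARED_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""


@dataclass
class TunnelSettings:
    private_key: str       # [Interface] PrivateKey -> WireGuard interface "Private Key"
    address: str           # [Interface] Address    -> IP > Addresses (e.g. 10.7.0.2/24)
    peer_public_key: str   # [Peer] PublicKey       -> peer "Public Key"
    preshared_key: str     # [Peer] PresharedKey    -> peer "Preshared Key"
    endpoint_host: str     # [Peer] Endpoint host   -> peer "Endpoint"
    endpoint_port: int     # [Peer] Endpoint port   -> peer "Endpoint Port"
    keepalive: int         # [Peer] PersistentKeepalive (seconds) -> "Keepalive"


def parse_wg_conf(text: str) -> TunnelSettings:
    """Parse the INI-style client file; raises KeyError if a required field is missing."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    host, _, port = peer["Endpoint"].rpartition(":")
    # keep the IPv4 tunnel address; the guide's MikroTik setup is IPv4-only
    address = next(a.strip() for a in iface["Address"].split(",") if ":" not in a)
    return TunnelSettings(
        private_key=iface["PrivateKey"],
        address=address,
        peer_public_key=peer["PublicKey"],
        preshared_key=peer.get("PresharedKey", ""),
        endpoint_host=host,
        endpoint_port=int(port),
        keepalive=int(peer.get("PersistentKeepalive", "25")),
    )


def tunnel_gateway(address: str) -> str:
    """Assumption: the server holds the first host address of the tunnel subnet."""
    return str(ipaddress.ip_interface(address).network[1])


def routeros_commands(ts: TunnelSettings, wg_iface="wireguard1",
                      addr_list="spotify", mark="mark_vpn", test_domain="2ip.ru"):
    """Return the RouterOS 7 terminal commands equivalent to the GUI steps in the guide.
    Not reproduced: the filter rule the guide disables (shown only in a screenshot)."""
    gw = tunnel_gateway(ts.address)
    return [
        # WireGuard > "+" : only the private key is filled in
        f'/interface wireguard add name={wg_iface} private-key="{ts.private_key}"',
        # Peers > "+"
        f'/interface wireguard peers add interface={wg_iface} '
        f'public-key="{ts.peer_public_key}" preshared-key="{ts.preshared_key}" '
        f'endpoint-address={ts.endpoint_host} endpoint-port={ts.endpoint_port} '
        f'allowed-address=0.0.0.0/0 persistent-keepalive={ts.keepalive}s',
        # IP > Addresses
        f'/ip address add address={ts.address} interface={wg_iface}',
        # IP > Firewall > Address Lists : one test domain, as in the guide
        f'/ip firewall address-list add address={test_domain} list={addr_list}',
        # Routing > Tables (the command the guide gives for the "nothing to select" case)
        f'/routing table add name={mark} fib',
        # IP > Firewall > Mangle : mark routing for destinations in the list
        f'/ip firewall mangle add chain=prerouting dst-address-list={addr_list} '
        f'action=mark-routing new-routing-mark={mark}',
        # IP > Routes : default route for marked packets through the tunnel
        f'/ip route add dst-address=0.0.0.0/0 gateway={gw} routing-table={mark}',
        # IP > Firewall > NAT : masquerade out of the tunnel, dragged to first place
        # (drop place-before=0 if the NAT table is still empty)
        f'/ip firewall nat add chain=srcnat out-interface={wg_iface} '
        f'action=masquerade place-before=0',
    ]


if __name__ == "__main__":
    print("\n".join(routeros_commands(parse_wg_conf(SAMPLE_CONF))))
```

Run it against your own .conf (replace SAMPLE_CONF with the file's text) and paste the printed lines into New Terminal; the order mirrors the guide, so the peer is created before the address, the routing table before the mangle rule that references it, and the NAT rule last.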
We’re all set with the settings and can move on to testing.
So, remember that right now we have one single address in the table that is sent to the VPN: 2ip.ru. For the tests that is enough.
First, open in the browser some service that shows your real IP.
For example https://www.yougetsignal.com/what-is-my-ip-address/
Now in the same browser open 2ip.ru and you should see the IP of our VPN server.
If everything went well here, we go to the final step: filling the table with the resources our provider does not let us visit. When it is a single site, which as a rule has one IP address, everything is simple.
IP – Firewall – Address Lists
Select the “spotify” list and add the domain of the resource, for example rutracker.org
Click “Apply”.
As we can see, this site has a mirror on another IP, and the MikroTik has added both IP addresses to our table.
With such sites everything is simple and straightforward. With resources such as YouTube, however, things are a bit more complicated: there can be hundreds of IP addresses.
So it is not a specific domain that we will be adding. More precisely, not only a specific domain but all the subnets that belong to Google. Where do you get lists of networks? Search the Internet, of course. I’ll attach here a basic list that the users of my Telegram channel collected, for which I thank them very much.
64.233.160.0/19
66.102.0.0/20
66.249.64.0/19
72.14.192.0/18
74.125.0.0/16
209.85.128.0/17
216.239.32.0/19
64.18.0.0/20
108.177.8.0/21
172.217.0.0/19
173.194.0.0/16
207.126.144.0/20
216.58.192.0/19
Subnets can be added one by one, as above, or with a single command through the terminal. Whichever is more convenient for you.
/ip firewall address-list
add address=64.233.160.0/19 list=spotify
add address=66.102.0.0/20 list=spotify
add address=66.249.64.0/19 list=spotify
add address=72.14.192.0/18 list=spotify
add address=74.125.0.0/16 list=spotify
add address=209.85.128.0/17 list=spotify
add address=216.239.32.0/19 list=spotify
add address=64.18.0.0/20 list=spotify
add address=108.177.8.0/21 list=spotify
add address=172.217.0.0/19 list=spotify
add address=173.194.0.0/16 list=spotify
add address=207.126.144.0/20 list=spotify
add address=216.58.192.0/19 list=spotify
Here is also the list of subnets owned by Meta (Facebook and Instagram):
31.13.0.0/16
45.64.0.0/16
57.141.0.0/16
57.144.0.0/16
66.220.0.0/16
69.171.0.0/16
69.63.0.0/16
74.119.0.0/16
102.132.0.0/16
103.4.0.0/16
129.134.0.0/16
147.75.0.0/16
157.240.0.0/16
163.70.0.0/16
163.77.0.0/16
173.252.0.0/16
179.60.0.0/16
185.60.0.0/16
185.89.0.0/16
204.15.0.0/16
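The subnet lists above, handled in code. This is an added example, not code from the original guide: a Python helper that takes a whitespace-separated list of CIDR blocks like the Google and Meta lists (both embedded below, copied from the guide as sample input), rejects malformed entries instead of silently masking them, merges duplicate and overlapping blocks, prints the terminal commands for the spotify list, and tells you which entry will send a given destination address into the VPN. The function names and the check addresses 172.217.14.78 and 8.8.8.8 are this example's own.

```python
"""Check and merge CIDR lists before loading them into a MikroTik address list.

Added example, not code from the original guide. The two lists are the
guide's own; the helper functions are this example's.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Google subnets as given in the guide
GOOGLE_NETS = """
64.233.160.0/19 66.102.0.0/20 66.249.64.0/19 72.14.192.0/18 74.125.0.0/16
209.85.128.0/17 216.239.32.0/19 64.18.0.0/20 108.177.8.0/21 172.217.0.0/19
173.194.0.0/16 207.126.144.0/20 216.58.192.0/19
"""

# Meta (Facebook and Instagram) subnets as given in the guide
META_NETS = """
31.13.0.0/16 45.64.0.0/16 57.141.0.0/16 57.144.0.0/16 66.220.0.0/16
69.171.0.0/16 69.63.0.0/16 74.119.0.0/16 102.132.0.0/16 103.4.0.0/16
129.134.0.0/16 147.75.0.0/16 157.240.0.0/16 163.70.0.0/16 163.77.0.0/16
173.252.0.0/16 179.60.0.0/16 185.60.0.0/16 185.89.0.0/16 204.15.0.0/16
"""


def parse_networks(text: str) -> Tuple[List[IPv4Net], List[str]]:
    """Split text on whitespace and parse each token as an IPv4 network.

    strict=True rejects entries with host bits set (e.g. 74.125.1.5/16), so a
    typo is reported rather than silently widened to the whole /16.
    """
    good, bad = [], []
    for tok in text.split():
        try:
            good.append(ipaddress.IPv4Network(tok, strict=True))
        except ValueError:
            bad.append(tok)
    return good, bad


def merge_networks(nets: Iterable[IPv4Net]) -> List[IPv4Net]:
    """Collapse duplicates and overlapping blocks (a /24 inside a /16 disappears)."""
    return list(ipaddress.collapse_addresses(nets))


def address_list_commands(nets: Iterable[IPv4Net], list_name: str = "spotify") -> List[str]:
    """RouterOS terminal lines in the form the guide uses for the spotify list."""
    return [f"/ip firewall address-list add address={n} list={list_name}" for n in nets]


def matching_network(ip: str, nets: Iterable[IPv4Net]) -> Optional[IPv4Net]:
    """Most specific list entry containing ip, or None if the address would
    take the normal ISP route (no routing mark is applied to it)."""
    addr = ipaddress.IPv4Address(ip)
    hits = [n for n in nets if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


if __name__ == "__main__":
    for name, text in (("google", GOOGLE_NETS), ("meta", META_NETS)):
        nets, rejected = parse_networks(text)
        if rejected:
            print(f"# {name}: rejected entries: {rejected}")
        for line in address_list_commands(merge_networks(nets)):
            print(line)
    google, _ = parse_networks(GOOGLE_NETS)
    print("# 172.217.14.78 ->", matching_network("172.217.14.78", google))
    print("# 8.8.8.8 ->", matching_network("8.8.8.8", google))
```

Neither of the guide's lists contains overlaps, so merge_networks leaves them as they are; it earns its place when you combine lists from several sources. matching_network is the offline equivalent of the 2ip.ru test: it answers whether a given destination would be marked by the mangle rule at all, before you go looking for the cause elsewhere.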
The first option is mainly needed if your device leaves your home WiFi zone.
Or if you share the server with someone, for example.
Download the WireGuard client from the official website. There are clients for all platforms.
Install the client you need, then either scan the QR code, if you have a camera, or download the configuration file from the server (if you don’t know how to download it, this guide can help).
Here everything is trivially simple: we install the client, click “Add Tunnel”, select the downloaded configuration file, and click the “Connect” button.
Now all traffic from your PC or phone goes into the tunnel.
(Don’t forget to turn it off if your hoster’s traffic allowance is severely limited.)
That’s about it. I wish you a pleasant visit to the “forbidden” resources.
P.S. Unfortunately, this method is not universal. There are providers that already block the WireGuard protocol. Therefore, the next guide will be written for a new protocol.
If you have any questions about the text of the article or just want to “piss off” the author, welcome to my Telegram channel.
Well, and if for some reason you thought the author of this opus deserves a cup of coffee, you can stimulate the writing of the next guide:
Network: Tron (TRC20) Wallet address: TBvvHTTdJDmEhMeUnxCZiCcvzNqRxh8wQA