Configuring BGP to bypass blocking, version 3, without a VPS

Why this is done at all and how it is arranged logically is described in the first and second articles.


After publishing them, I received a few questions from people who use a VPN on resources that do not belong to them (for example, by purchasing a commercial VPN service). Previously, I advised these people to set up a VPS to deploy a BGP service, or to get access to a Linux server in some other way.


But as of today there is a more convenient option for them (and for everyone else): the free antifilter.download service can automatically configure a BGP session with your router.


To use it, you only need to have:



Default in the text of the article



The sequence of actions if you want to manage the service and you have a fixed routable IP address


Step one


From your own network (this is important), go to the site antifilter.download, scroll to the BGP section and click "Activate BGP management".


Step two


Check that the site shows exactly your IP, enter the number you have chosen for your autonomous system, tick the checkboxes for the routes you want to receive, complete the captcha and click "Create peering". After that, the site will show that settings exist for your address. The service applies the settings within 5 minutes at most.


Step three


Go to your Mikrotik router and set up BGP peering with the service on it:


/routing bgp instance set default as=64512 ignore-as-path-len=yes router-id=81.117.103.94
/routing bgp peer add hold-time=4m in-filter=bgp_in keepalive-time=1m multihop=yes name=antifilter remote-address=192.3.134.152 remote-as=65432 ttl=default
/routing filter add action=accept chain=bgp_in comment="Set nexthop to VPN" set-in-nexthop-direct=gre-tunnel1

Do not forget to change the default AS, IP and interface name to your own. Exactly three substitutions must be made in the commands above, no more and no less.


... and everything works


If more than 5 minutes have passed from the moment you clicked "Create Peering" and you have configured everything correctly, everything is working for you.


If you want to change the list of prefixes that are sent to your side, delete the settings on the web page and create them again. Fortunately, the settings consist of just one number and three checkboxes.


Prefixes from the service are tagged with the corresponding community, so if you want to build more complex processing rules, everything is in your hands.


I strongly recommend against connecting the list of single IPs: even the top SOHO routers from Mikrotik do not cope well with it, and the mid-range ones, for example hAP lite, behave extremely unpredictably.


UPD. The sequence of actions if you do not have a fixed IP or you are satisfied with the default settings


Step one


Go to your Mikrotik router and set up BGP peering with the service on it:


/routing bgp instance set default as=64999 ignore-as-path-len=yes router-id=81.117.103.94
/routing bgp peer add hold-time=4m in-filter=bgp_in keepalive-time=1m multihop=yes name=antifilter remote-address=192.3.134.152 remote-as=65432 ttl=default
/routing filter add action=accept chain=bgp_in comment="Set nexthop to VPN" set-in-nexthop-direct=gre-tunnel1

Do not forget to change the default router-id and interface name to your own. Exactly two substitutions must be made in the commands above, no more and no less. In principle, the router-id can be any 32-bit number written in IP address format, but to avoid side effects in case of a collision, I would recommend using your current external IP address. If that address later changes, the router-id does not need to be changed.
The AS number in this case is fixed at 64999, as is the set of advertised prefixes (ipsum + subnet). If that is too much for you, you can always filter by community or by other means when processing the announcements.


... and everything works


If after activating the settings on your router more than 5 minutes have passed and you have configured everything correctly, everything is working for you.
If you change the IP address, the session will be restored approximately within 5 minutes.
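
The bgp_in filter in both variants accepts whatever the peer announces and points it at the VPN interface, so it is worth checking what actually arrives. The Python script below is an added example, not code from the article or the service: it audits a list of received prefixes. The reserved-range list, the /8 threshold, the sample prefixes and the endpoint 192.0.2.10 are assumptions; only the peer address comes from the commands above.

```python
import ipaddress

PEER = ipaddress.IPv4Address("192.3.134.152")   # BGP peer address from the article
RESERVED = [ipaddress.IPv4Network(n) for n in (  # private and special-use ranges
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
MIN_PREFIX_LEN = 8   # assumption: a blocklist feed has no reason to send anything broader

def audit(prefixes, vpn_endpoint):
    """Split received prefixes into (accepted, rejected); rejected maps text -> reason."""
    endpoint = ipaddress.IPv4Address(vpn_endpoint)
    accepted, rejected = [], {}
    for text in prefixes:
        text = text.strip()
        try:
            net = ipaddress.IPv4Network(text)   # strict: host bits must be zero
        except ValueError:
            rejected[text] = "malformed"
            continue
        if net.prefixlen < MIN_PREFIX_LEN:
            rejected[text] = "too broad"
        elif PEER in net or endpoint in net:
            # A route that captures the tunnel's own endpoint or the BGP peer
            # can take down the tunnel or the session.
            rejected[text] = "covers BGP peer or VPN endpoint"
        elif any(net.overlaps(r) for r in RESERVED):
            rejected[text] = "overlaps reserved space"
        else:
            accepted.append(net)
    return accepted, rejected

def host_routes(networks):
    """Count /32 entries, the kind of list the article warns small routers against."""
    return sum(1 for n in networks if n.prefixlen == 32)

# Constructed sample, standing in for prefixes copied from the router's route table.
SAMPLE = ["198.51.100.0/24", "203.0.113.7/32", "0.0.0.0/0", "192.168.88.0/24",
          "192.3.134.0/24", "192.0.2.0/24", "198.51.100.1/24", "not-a-prefix"]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE, "192.0.2.10")   # 192.0.2.10 is a placeholder VPN endpoint
    print("accepted:", [str(n) for n in ok], "host routes:", host_routes(ok))
    for prefix, reason in bad.items():
        print("rejected:", prefix, "->", reason)
```

Any prefix the script rejects is a candidate for a discard rule placed ahead of the accept rule in the bgp_in chain.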


Conclusion


Yes, I understand that it is already time to say "pot, stop cooking", and I hope that for me the topic of bypassing blocking is closed.


As usual, I will answer questions in the comments and help with the setup.

Source: https://habr.com/ru/post/413049/

