Setting up BGP to bypass blocking, version 3, without a VPS
- Tutorial
Why all this is done in the first place and how it fits together logically is described in the first and second articles.
After publishing them I received several questions from people who use a VPN on resources they do not own (for example, a purchased commercial VPN service). Until now I advised such people to rent a VPS to deploy a BGP daemon on, or to get access to a Linux server some other way.
But as of today there is a more convenient option for them (and for everyone else): the free antifilter.download service can automatically set up a BGP session with your router.
To use it you need only:
- a fixed routable IP address (a so-called "white" address; it may be assigned dynamically, but it must always be the same). UPD: this no longer matters, see below;
- a router that supports BGP (in this article, as usual, the example uses RouterOS on Mikrotik routers);
- a VPN tunnel already configured from that router.
Defaults used in the text of the article:
- the tunnel interface on the router is named gre-tunnel1;
- your autonomous system number is 64512 (choose your own according to RFC 6996, from the range 64512-65534 inclusive);
- the external IP address of your router is 81.117.103.94.
Steps if you want to manage the service settings and you have a fixed routable IP address
Step one
From your own network (this is important) open the antifilter.download website, scroll to the BGP section and click "Activate BGP Management".
Step two
Check that the site shows exactly your IP address, enter the autonomous system number you chose, tick the checkboxes for the routes you want to receive, confirm the captcha and click "Create peering". After that the site will show that settings exist for your address. The settings take effect in the service within 5 minutes at most.
Step three
Go to your Mikrotik router and set up BGP peering with the service:
/routing bgp instance set default as=64512 ignore-as-path-len=yes router-id=81.117.103.94
/routing bgp peer add hold-time=4m in-filter=bgp_in keepalive-time=1m multihop=yes name=antifilter remote-address=192.3.134.152 remote-as=65432 ttl=default
/routing filter add action=accept chain=bgp_in comment="Set nexthop to VPN" set-in-nexthop-direct=gre-tunnel1
Do not forget to change the default AS number, IP address and interface name to your own. In the commands above exactly three substitutions must be made, no more and no less.
... and everything works
If more than 5 minutes have passed since you clicked "Create peering" and you have configured everything correctly, everything is now working.
If you want to change the list of prefixes delivered to your side, delete the settings on the web page and create them again; fortunately, the settings consist of just one number and three checkboxes.
The prefixes from the service are tagged with the appropriate community, so if you want to build more complex processing rules, everything is in your hands.
I strongly recommend not subscribing to the list of single IP addresses: even the top SOHO routers from Mikrotik do not handle it well, and the mid-range ones, for example the hAP lite, behave extremely unpredictably.
UPD. Steps if you do not have a fixed IP address, or the default settings suit you
Step one
Go to your Mikrotik router and set up BGP peering with the service:
/routing bgp instance set default as=64999 ignore-as-path-len=yes router-id=81.117.103.94
/routing bgp peer add hold-time=4m in-filter=bgp_in keepalive-time=1m multihop=yes name=antifilter remote-address=192.3.134.152 remote-as=65432 ttl=default
/routing filter add action=accept chain=bgp_in comment="Set nexthop to VPN" set-in-nexthop-direct=gre-tunnel1
Do not forget to change the default router-id and interface name to your own. In the commands above exactly two substitutions must be made, no more and no less. In principle any 32-bit number written in IP address format can be used as the router-id, but to avoid surprises in case of a collision I recommend using your current external IP address. If it changes later, you will not need to update it.
The AS number in this case is fixed at 64999, as is the set of advertised prefixes (ipsum + subnet); if that is too much for you, you can always filter the advertisements by community or by other means.
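As an added illustration of the substitutions in both procedures above (my own example code, not the article's or the service's), a small Python helper that checks the user-supplied values against the constraints the article states (RFC 6996 private AS range, router-id as a dotted-quad 32-bit value, an interface name that survives the unquoted command) and then emits the three RouterOS commands; the hold-time/keepalive sanity check goes slightly beyond the text and follows the usual BGP three-to-one convention.

```python
import ipaddress
import re

# Constructed example; not the article's or antifilter.download's own code.
SERVICE_PEER = "192.3.134.152"  # service-side values as given in the article
SERVICE_AS = 65432
PRIVATE_AS_MIN, PRIVATE_AS_MAX = 64512, 65534  # RFC 6996 16-bit private range, inclusive

def parse_routeros_time(value):
    """Convert a RouterOS-style interval such as '4m', '1h' or '30s' to seconds."""
    m = re.fullmatch(r"(\d+)([smh])", value)
    if not m:
        raise ValueError(f"unsupported interval: {value!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)]

def check_peering(local_as, router_id, tunnel, hold_time="4m", keepalive="1m"):
    """Return a list of problems with the substituted values; an empty list means OK."""
    problems = []
    if not PRIVATE_AS_MIN <= local_as <= PRIVATE_AS_MAX:
        problems.append(f"as={local_as} is outside the RFC 6996 private range")
    try:
        ipaddress.IPv4Address(router_id)  # any 32-bit value in dotted-quad form passes
    except ValueError:
        problems.append(f"router-id={router_id!r} is not a dotted-quad 32-bit value")
    if not tunnel or re.search(r'[\s"]', tunnel):
        problems.append(f"interface name {tunnel!r} would break the unquoted command")
    # BGP convention (RFC 4271): hold time about three keepalive intervals, so
    # a couple of lost keepalives do not tear down the session.
    if parse_routeros_time(hold_time) < 3 * parse_routeros_time(keepalive):
        problems.append(f"hold-time {hold_time} is shorter than 3 x keepalive {keepalive}")
    return problems

def build_peering_commands(local_as, router_id, tunnel, hold_time="4m", keepalive="1m"):
    """Emit the three RouterOS commands from the article with the user's values filled in."""
    problems = check_peering(local_as, router_id, tunnel, hold_time, keepalive)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"/routing bgp instance set default as={local_as} ignore-as-path-len=yes router-id={router_id}",
        f"/routing bgp peer add hold-time={hold_time} in-filter=bgp_in keepalive-time={keepalive} "
        f"multihop=yes name=antifilter remote-address={SERVICE_PEER} remote-as={SERVICE_AS} ttl=default",
        f'/routing filter add action=accept chain=bgp_in comment="Set nexthop to VPN" '
        f"set-in-nexthop-direct={tunnel}",
    ]

if __name__ == "__main__":
    for line in build_peering_commands(64512, "81.117.103.94", "gre-tunnel1"):
        print(line)
```

Run it with your own AS number, router-id and tunnel name; for the fixed-AS variant pass 64999 as the AS and leave the other values as described.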
... and everything works
If more than 5 minutes have passed since you activated the settings on your router and you have configured everything correctly, everything is now working.
When your IP address changes, the session is re-established within approximately 5 minutes.
Conclusion
Yes, I realise this is already a case of "little pot, stop cooking", and I hope that the topic of bypassing blocking is now closed for me.
As usual, I will answer questions in the comments and help with the setup.