Update 'README.md'

6 months ago · 855765e206
1 changed files with 111 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -1,3 +1,112 @@
 # wpimocall
 Of course. This is a more advanced and interesting use case. You want to **dynamically identify traffic** going to WhatsApp and IMO and then **force only that traffic** through a VPN tunnel (likely for policy or security reasons).
 Whatsapp and IMO Voice Call
 This is achievable on MikroTik using a combination of **DNS hijacking**, **dynamic address lists**, and **policy-based routing**.
 The core idea is:
 1.  **Catch DNS requests** for key domains (`whatsapp.net`, `imo.im`, etc.).
 2.  **Resolve those domains** and **dynamically add** the resulting IP addresses to an address list.
 3.  **Create a routing rule** that sends any traffic destined for IPs in that address list through your VPN interface.
 This method is far superior to a static IP list because it automatically updates itself.
 ---
 ### Step-by-Step Configuration Guide
 #### Prerequisites:
 *   A working VPN connection (PPTP, L2TP, SSTP, or OpenVPN) set up on your MikroTik. Its interface is named `vpn-out1` in this example.
 *   Your main gateway (e.g., for direct internet traffic) has a route with a distance of `1`.
 #### Step 1: Create the Dynamic Address List
 We'll create a list to hold the IPs of the blocked services.
 ```bash
 /ip firewall address-list
 add list=vpn-services address=31.13.64.0/18 comment="Meta WhatsApp Range - EXAMPLE" disabled=no
 add list=vpn-services address=157.240.0.0/16 comment="Meta WhatsApp Range - EXAMPLE" disabled=no
 # We start with some known ranges but the script will populate it dynamically.
 ```
 #### Step 2: Hijack DNS Requests to Identify Domains
 We use the MikroTik as the DNS server for the network and use a script to catch requests for specific domains.
 **2.1. Set up the router as the DNS server** for your DHCP clients (if it isn't already):
 ```bash
 /ip dhcp-server network
 set [ find ] dns-server=192.168.88.1 # Replace with your router's LAN IP
 ```
 **2.2. Create a script to resolve domains and add them to the list:**
 Go to **System > Scripts** and create a new script called `resolve-vpn-domains`:
 ```bash
 :local domain [/ip dns cache all find where name ~ "whatsapp" or name ~ "imo\.im" or name ~ "wa\.me" and type="A" and expired=false]
 :foreach i in=$domain do={
    :local resolvedAddress [/ip dns cache all get $i address]
    :local resolvedName [/ip dns cache all get $i name]
    :if ([:len $resolvedAddress] > 0) do={
        /ip firewall address-list add list=vpn-services address=$resolvedAddress comment="$resolvedName" timeout=3h
    }
 }
 ```
 *This script runs every 3 hours, finds non-expired DNS cache entries for key domains, and adds their IPs to the `vpn-services` list with a 3-hour timeout.*
 **2.3. Schedule the script to run periodically:**
 Go to **System > Scheduler** and add a new task:
 *   **Name:** `update-vpn-ips`
 *   **Interval:** `03:00:00` (every 3 hours)
 *   **On Event:** `resolve-vpn-domains`
 #### Step 3: Create the Policy-Based Routing Rule
 This is the most important step. It tells the router what to do with the traffic going to the IPs in our dynamic list.
 **3.1. First, mark the connection** when a packet is destined for an IP in our `vpn-services` list. This mark will follow the entire connection.
 ```bash
 /ip firewall mangle
 add chain=prerouting action=mark-connection new-connection-mark=vpn_conn passthrough=yes dst-address-list=vpn-services comment="Mark Connections for VPN Services"
 ```
 **3.2. Then, mark the routing** for all packets that are part of that marked connection.
 ```bash
 /ip firewall mangle
 add chain=prerouting action=mark-routing new-routing-mark=vpn_route passthrough=yes connection-mark=vpn_conn comment="Mark Routing for VPN Route"
 ```
 **3.3. Finally, create a route** that uses the VPN interface for traffic with the `vpn_route` mark.
 ```bash
 /ip route
 add dst-address=0.0.0.0/0 gateway=vpn-out1 routing-mark=vpn_route check-gateway=ping comment="Route VPN-marked traffic through VPN"
 ```
 *   **dst-address=0.0.0.0/0:** This is the default route, but it only applies to packets with the `vpn_route` mark.
 *   **gateway=vpn-out1:** The name of your VPN interface.
 *   **check-gateway=ping:** This is crucial. It will disable this route if the VPN gateway becomes unreachable, preventing a black hole.
 ---
 ### Step 4: Verification and Monitoring
 **1. Check your dynamic address list to see if it's populating:**
 ```bash
 /ip firewall address-list print where list=vpn-services
 ```
 You should see entries with comments showing the domain name and a timeout counting down.
 **2. Check your connections to see the marking and routing in action:**
 ```bash
 /ip firewall connection print where connection-mark=vpn_conn
 ```
 **3. Check the routes:**
 ```bash
 /ip route print
 ```
 You should see your main route (distance=1, main table) and the special route for `vpn_route` (dynamic table).
 ### Important Considerations & Enhancements
 *   **Kill Switch:** The `check-gateway=ping` parameter acts as a basic kill switch. If the VPN drops, the route is disabled, and traffic won't leak out the main WAN. For a stronger kill switch, you would need more complex firewall rules to drop all traffic not going through the VPN.
 *   **Performance:** This method uses connection tracking and is very efficient on modern MikroTik hardware (hAP ac², RB4011, etc.).
 *   **Completeness:** This method is very good but not 100% perfect. Some services, especially IMO, might use hard-coded IPs or other Google domains that are harder to catch. The L7 method from the previous answer is more accurate for identification but is more CPU-intensive and can't be used for routing decisions as easily.
 *   **Multiple VPNs:** You can create different address lists and routing marks for different services to send them through different VPN tunnels.
 This solution provides a powerful, dynamic, and maintainable way to achieve your goal of selectively routing specific application traffic through a VPN.