how to stop all traffic being routed though L2TP

Hi, I wanted VPN connections to my router to drop after 15min idle and when this didn’t happen, noticed that all traffic in the remote PC was being routed through VPN. Hence no idle.

This how I set up the VPN profile :

 1   name="l2tp-profile" local-address=192.168.2.1 remote-address=l2tp-pool remote-ipv6-prefix-pool=*0 bridge=bridge1 session-timeout=1h 
     idle-timeout=1m use-ipv6=no use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=default use-upnp=default 
     address-list="" dns-server=8.8.8.8,8.8.4.4 on-up="" on-down=""

Can I use Bridge Port Priority or Path Cost so the remote PC keeps using its usual connection, and only occasionally uses the VPN to connect to other PCs behind my router? The remote PC is Windows 10 and I am using the Windows (built-in) VPN provider. If not, what is the way to do it?

You can disable using remote gateway under VPN config, then add a persistent route to that subnet and attach that route to your VPN profile.

This will then only route traffic meant for the VPN via the VPN, all other traffic will be routed as per normal.

I don’t have the config for this on me now, but will post in the morning

Yes, please do

Below should help you, replace IP / Prefixes as per your environment

You can turn off taking over your entire connection by going to the properties of the VPN, Networking tab, Internet Protocol (TCP/IP) properties, Advanced, untick Use default gateway on remote network. This may or may not leave a route to 192.168.123.0/24 depending on the VPN server's setup. If it doesn't, you'll have to manually add the route each time, although you could put it in a batch file.

In order to manually add the route, run (as administrator):

    route -p add 192.168.0.12 mask 255.255.255.255 10.100.100.254

This example will make a persistent (it's not necessary to run the command after a reboot) route to the IP 192.168.0.12 through the VPN gateway 10.100.100.254.

https://superuser.com/questions/12022/how-can-i-make-the-windows-vpn-route-selective-traffic-by-destination-network

Hi, I had already found the Use default gateway on remote network, but I can do this on the PC I am testing the VPN on. I can not ask every user to do it, they aren’t that flexible.
Is there a way to set it on the VPN configuration on Mikrotik ?

Nope. Windows sends a DHCPINFORM message to request a route list after establishing any type of VPN connection, but RouterOS only responds to it for bare IKEv2. And changing the configuration on the PC client is a problem, it doesn’t make any difference what particular change you would ask the users to do (disable addition of default route and add persistent routes, or install a certificate and change the VPN connection type to IKEv2).

So if you cannot use domain policies or RDP to change the settings at user PCs without involving them, you can only use firewall rules and scripts to track the destination addresses, and tear down their connections if they don’t access anything in the HQ subnets for 15 minutes.

I find these answers unsatisfactory and I will report to the highest forum authorities.

Jokes aside, I have worked with Cisco VPN on the client side and issues like this never came about. I had access to their local network and was automatically disconnected after 30min idle. My WAN was routed normally so my other connections weren’t reset every time I connected or disconnected VPN.

Well, with both the old Cisco VPN (the IPsec one) and AnyConnect, the user has to install a client application, so also there the PC user must do something “extraordinary” unless you can use remote administration.

The client application accepts a list of destination subnets from the server, and it is a decision of the server administrator whether to redirect all traffic via the tunnel or only push routes to the enterprise subnets to the client.

Mikrotik has no own VPN application, but the embedded VPN client in Windows does support IKEv2, so if you make the users create certificate requests and send them to you, you can sign these requests and send the resulting certificates back to the clients and let them import them. The configuration of the Windows client is almost the same for both L2TP/IPsec and IKEv2 except for the certificate.

With IKEv2, you’ll be able to push routes of your choice to the clients, but even in that case, you’ll still have to track their inactivity and eventually tear down the connections using firewall rules and scripts; such functionality is not readily available on MikroTik for any of the VPN protocols supported.
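The "firewall rules and scripts" approach mentioned in the two replies above (tracking whether a client actually touches the HQ subnets and tearing the session down after 15 minutes otherwise) can be put together roughly like this. This is an added example, not configuration posted by anyone in the thread, and it assumes: the HQ subnet is 192.168.2.0/24 (the profile's local-address is in it), the traffic from L2TP clients to HQ hosts passes through the IP firewall forward chain (true for routed L2TP clients; if the bridge is carrying the client traffic you would additionally need `/interface bridge settings set use-ip-firewall=yes`), and the names `hq-subnets`, `vpn-active`, `vpn-idle-kill` and `vpn-idle-check` are free to use.

```routeros
# --- firewall part: refresh a per-client "recently active" entry ---
# Only traffic destined for HQ hosts counts as activity; the address-list
# entry expires 15 minutes after the last matching packet (each match
# refreshes the dynamic entry's timeout). Put this rule before any
# accept rule in the forward chain so it is actually evaluated.
/ip firewall address-list
add list=hq-subnets address=192.168.2.0/24 comment="assumed HQ subnet (example)"
/ip firewall filter
add chain=forward in-interface=all-ppp dst-address-list=hq-subnets \
    action=add-src-to-address-list address-list=vpn-active \
    address-list-timeout=15m comment="VPN client is active towards HQ"

# --- script part: paste as the source of /system script "vpn-idle-kill" ---
# For every active L2TP session older than 15 minutes, check whether its
# client address is still present in the vpn-active list; if not, the
# client has not talked to HQ for 15 minutes and the session is removed.
# The uptime check avoids killing a client that has just connected and
# has not sent anything yet.
:foreach id in=[/ppp active find service=l2tp] do={
    :local addr [/ppp active get $id address]
    :local user [/ppp active get $id name]
    :local up   [/ppp active get $id uptime]
    :if ($up > 00:15:00) do={
        :if ([:len [/ip firewall address-list find list=vpn-active address=$addr]] = 0) do={
            :log info ("L2TP idle teardown: user=" . $user . " address=" . $addr . " uptime=" . $up)
            /ppp active remove $id
        }
    }
}

# --- scheduler part: run the check once a minute ---
/system scheduler
add name=vpn-idle-check interval=1m on-event=vpn-idle-kill \
    comment="tear down L2TP sessions idle towards HQ for 15 min"
```

The firewall rule deliberately matches every packet rather than only `connection-state=new`: a single long-lived RDP or file-share connection to an HQ host would otherwise never refresh the entry and the user would be cut off mid-session. The log line gives you a record of which user was dropped and why, which is useful when someone later asks why their VPN "keeps disconnecting".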