Hello, I have an L2TP VPN server on a MikroTik RB951Ui. After connecting, VPN clients use the VPN server's internet source. Can I change this so that VPN users do not use the VPN server's internet source?
Your question is quite vague, but I think I’ve worked out what you’re trying to ask.
The problem is that your VPN is configured to set itself as the default route for the client computer so all traffic goes through the VPN. This is sometimes exactly what one wants, but what you appear to want instead is only for some traffic to go through the VPN, letting everything else use the old default route to the local Internet connection.
The solution may be as simple as “add-default-route=no,” but your client VPN configuration can play into this.
Once you do this, you may then need to add a more restrictive static route, like 192.168.88.0/24 pointing back to the VPN connection so connections to only those addresses go through the VPN. How you do this depends on details of how the VPN is set up. If the IP address of the client comes from a DHCP server running on the MT router, setting a classless route is one way to solve this.
If that doesn’t work for you, we need more details about how you’ve set the VPN up. Send the “/export” info stripped of sensitive info, what VPN client you’re using, configuration details for that client, and so forth.
Thank you,
set *0 dns-server=8.8.8.8
add dns-server=192.168.0.4,8.8.8.8 local-address=192.168.90.1 name=VPN_PROFILE remote-address=vpn-pool
add dns-server=192.168.0.4,8.8.8.8 local-address=192.168.90.1 name="VPN_NO INTERNET ACCESS " remote-address=vpn-pool
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,3des lifetime=0s pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override port=4567 secret=xxxxxxxx
Can you give me a tutorial?
I want to create a new L2TP IPsec VPN server.
I lost my place in that document and thought the “add-default-route” parameter was on the server side, but it’s on the client side.
What this means is that unless you’re using a RouterOS box as the VPN client, that setting won’t help you. However, other clients will likely have similar settings. What client are you using?
My task is to connect to the VPN server (MikroTik VPN server). I have a MikroTik RB on only one side, the server side, and need the clients not to use the MikroTik RB gateway.
You can’t. I guess clients are Windows, and Windows VPN connection by default uses VPN server as default gateway. Either instruct your clients to disable remote gateway in VPN settings, or make a script to do this (perhaps someone can help with this) and send it to clients.
I did it, thank you all very much.
Uncheck: Use default gateway on remote network
and
route -p ADD network address MASK 255.255.255.0 serveripaddress
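The client-side change this thread arrives at (disable the remote default gateway, then route only the office subnet through the tunnel) can be sent to Windows clients as a script. The following is an added example, not part of the original posts; the connection name `Office-L2TP` is hypothetical, 192.168.88.0/24 is the example subnet mentioned earlier in the thread, and a per-user VPN connection is assumed.

```powershell
# Added example: switch an existing Windows VPN connection to split tunneling
# and route only the listed prefixes through it.
param(
    [string]$ConnectionName = 'Office-L2TP',        # hypothetical connection name
    [string[]]$VpnPrefixes  = @('192.168.88.0/24')  # example subnet from the thread; replace with the real LAN
)

$ErrorActionPreference = 'Stop'

# Fails with a clear error if the connection does not exist for this user.
$vpn = Get-VpnConnection -Name $ConnectionName

# Equivalent to unchecking "Use default gateway on remote network":
# the tunnel no longer installs itself as the client's default route.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# Collect prefixes already bound to this connection so the script can be re-run safely.
$existing = @($vpn.Routes | Where-Object { $_ } | ForEach-Object { $_.DestinationPrefix })

foreach ($prefix in $VpnPrefixes) {
    if ($existing -notcontains $prefix) {
        # Bound to the connection itself, so the route is installed each time
        # the VPN comes up and removed when it disconnects.
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# Show the resulting state for verification.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, SplitTunneling,
        @{ Name = 'Routes'; Expression = { $_.Routes.DestinationPrefix -join ', ' } }
```

After reconnecting, `Get-NetRoute -DestinationPrefix 0.0.0.0/0` on the client should show the default route on the local interface only, while the office prefix appears on the VPN interface.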