MT+SSTP VPN (VPN subnet + LAN all together?)

Hi there.
Some remote users need LAN access using VPN (SSTP in this case). All road warriors use the Windows built-in VPN client (Win7/Win10).
Everything works if both LAN and VPN pools are in the same subnet. So far I'm unable to merge different subnets; the only working solution is a manual route add on each Windows client.
Let's say the VPN client gets the IP 192.168.66.199. Then something like this in the Windows command line:

route ADD 192.168.0.0 MASK 255.255.255.0 192.168.66.199

does the trick, but that won't solve the issue long term (not to mention it's a pain in the ******* to set it up each time for every VPN client). Also not sure if the additional route entry stays after an OS reboot.

Some basic setup as follows:
WAN IP (eth1)- irrelevant
MT LAN IP (eth6) - 192.168.0.254
LAN (hq) pool - 192.168.0.2-200
VPN pool - 192.168.66.100-199

Since the (hq) LAN subnet is way too common, it would be nice to set the VPN pool on a different subnet, avoiding the road warrior's local and remote subnets being the same.
Changing (hq's) LAN subnet is not an option either, since there are lots of local IP custom setups on it already.

PS. Proxy-ARP on MT's LAN interface is already set.

Not sure if you noticed, but this is the Mikrotik forum, not Microsoft / Windows.

Anyway, the way you have added the route, it will not survive a restart; you have to use the "persistent" switch.

The best way will be to enable using the default gateway on the remote network when you configure the VPN client.

That's what I'd like to avoid. Might be wrong, but using the remote gateway forces internet traffic to go through the VPN, not the local internet connection.

There is a way to bind a route to the VPN interface. Late here now, had my sleeping pill already, so maybe try google; if you don't come right, come back here.
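The "bind a route to the VPN interface" approach mentioned above, as an added example that is not part of this thread: on Windows 8.1/10 the VpnClient PowerShell module can store the HQ prefix on the VPN connection itself, so Windows installs the route on the tunnel interface every time the connection comes up, with whatever pool address was assigned that session, and the "use default gateway on remote network" box can stay unchecked. The connection name "HQ" and the server name vpn.example.com are placeholders; the prefixes and the MT LAN address are the ones from the first post.

```powershell
# Added example, not from the original thread. Assumes Windows 8.1/10 (VpnClient module).
# "HQ" and vpn.example.com are placeholder names; 192.168.0.0/24 is the HQ LAN from the thread.
$conn  = "HQ"
$hqLan = "192.168.0.0/24"

# 1. Create the SSTP profile with split tunneling, i.e. "Use default gateway on
#    remote network" unchecked, so internet traffic stays on the local uplink.
#    (If the profile already exists, skip this and use Set-VpnConnection below.)
Add-VpnConnection -Name $conn -ServerAddress "vpn.example.com" -TunnelType Sstp `
    -SplitTunneling -RememberCredential -PassThru

# Same setting applied to an existing profile:
Set-VpnConnection -Name $conn -SplitTunneling $true -PassThru

# 2. Bind the HQ prefix to the connection rather than to the pool address handed
#    out this session. Windows adds the route on the tunnel interface each time the
#    connection comes up (whatever address the pool assigned) and removes it on disconnect.
Add-VpnConnectionRoute -ConnectionName $conn -DestinationPrefix $hqLan -PassThru

# 3. Check what is stored on the profile, without connecting.
(Get-VpnConnection -Name $conn).Routes

# 4. After connecting, confirm the kernel route sits on the PPP interface and that
#    the MT LAN address from the thread answers.
rasdial $conn
Get-NetRoute -DestinationPrefix $hqLan | Select-Object InterfaceAlias, NextHop, RouteMetric
Test-NetConnection -ComputerName 192.168.0.254 -InformationLevel Quiet
```

On Windows 7 the VpnClient module is not available; there `route -p ADD 192.168.0.0 MASK 255.255.255.0 <gateway>` makes the entry persistent, but because it names a fixed gateway it is only usable while the client keeps being handed that same pool address, and it remains configured whether or not the tunnel is up. Split tunneling also means the laptop sits on an untrusted local LAN and on the HQ LAN at the same time, which is the trade-off being accepted by keeping internet traffic off the VPN.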

If you're awake already :wink: post your solution please…

However, I've found a bit of a messy workaround for this. The topic came up as an issue with different and the SAME subnets on a VPN path…
If "hq's" LAN operates on common IP addresses (like 192.168.1.x, 192.168.0.x, 10.0.0.x etc.), you might end up having some outside VPN users already within the same subnet on their own LAN.
The same active IPs might appear in both LANs at the same time, so obviously that might cause routing issues.
Since adding additional IPs to MT's interfaces is not a big issue, nor is adding additional subnets, that got me thinking. Why not create an additional parallel subnet (with kind of 'unique' IPs) for MT and the other 'hq' LAN devices (at least PCs or servers)?
Adding an additional IP on a network adapter is just as easy on PCs/servers (at least with DHCP off).

So what I did is that I created additional subnet IPs for MT and the LAN servers/PCs. Next, I set up the MT VPN server with the new subnet IP pool, and boom, works like a charm.
That might fix 80-90% of my VPN issues with a common subnet 'popping' up on the way. The downside is that many devices (like most network printers, for example) are unable to handle more than one IP, so keep it in mind…
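As an added example that is not from this thread, the Windows-host side of the workaround just described, plus the check that motivates it: a function that tells whether a road warrior's local LAN prefix overlaps the HQ prefix (or the VPN subnet), and the command that puts a second, parallel address on an HQ PC/server without touching its default route. The parallel subnet 10.77.0.0/24, the address 10.77.0.10 and the interface alias "Ethernet" are assumptions; the post does not say which subnet was chosen.

```powershell
# Added example, not from the original thread. Assumes Windows 8.1/10/Server 2012 R2+
# (NetTCPIP module). 10.77.0.0/24, 10.77.0.10 and "Ethernet" are assumed values.

function Test-PrefixOverlap {
    # $true when two IPv4 CIDR prefixes share at least one address, i.e. they agree
    # on the bits covered by the shorter mask. Pure arithmetic, so it runs offline.
    param([string]$PrefixA, [string]$PrefixB)
    $parse = {
        param($cidr)
        $ip, $len = $cidr.Split('/')
        $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($bytes)                       # network order -> host order
        [uint32][BitConverter]::ToUInt32($bytes, 0), [int]$len
    }
    $a, $la = & $parse $PrefixA
    $b, $lb = & $parse $PrefixB
    $len  = [Math]::Min($la, $lb)
    $mask = if ($len -eq 0) { 0 } else { (0xFFFFFFFF -shl (32 - $len)) -band 0xFFFFFFFF }
    return (($a -band $mask) -eq ($b -band $mask))
}

# --- Road warrior side: does the local LAN collide with HQ or with the VPN subnet? ---
$hqLan = "192.168.0.0/24"    # HQ LAN from the thread; the same range many home routers use
$vpn   = "10.77.0.0/24"      # assumed parallel subnet carried over the VPN
$local = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |      # drop loopback
    ForEach-Object { "$($_.IPAddress)/$($_.PrefixLength)" }
foreach ($p in $local) {
    "{0,-20} overlaps HQ LAN: {1,-5} overlaps VPN subnet: {2}" -f $p,
        (Test-PrefixOverlap $p $hqLan), (Test-PrefixOverlap $p $vpn)
}

# --- HQ server/PC side: add the parallel address as a secondary static IP ---
# No -DefaultGateway, so the host keeps its existing default route via 192.168.0.254.
# -SkipAsSource keeps the primary 192.168.0.x address as the source for the host's own
# outbound traffic; the new address only answers VPN clients that target it.
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 10.77.0.10 -PrefixLength 24 `
    -SkipAsSource $true
Get-NetIPAddress -InterfaceAlias "Ethernet" -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength, SkipAsSource
```

The MT side of the workaround (the secondary address on eth6 and the VPN pool inside that subnet) stays in RouterOS configuration. Devices that can hold only one address, like the printers mentioned, remain reachable only at their 192.168.0.x address, which is exactly the overlap case the check above flags for a client whose home LAN is also 192.168.0.0/24.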

What certificates did you use for the VPN clients?