Understanding VPN - can't access remote resources

Hi people,
I am trying to set up a VPN (chose SSTP) for accessing my office LAN resources remotely. Basically SMB shares.
My office LAN is 192.168.0.0/24.
I “successfully” set up an SSTP server, using a pool for VPN (192.168.1.0/24).
The PPP profile I use:
name="myprof" local-address=192.168.1.10 remote-address=sstp_pool use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" dns-server=192.168.1.10 on-up="" on-down=""
PPP secret:
add local-address=192.168.1.10 name=user profile=SSTP_prof remote-address=192.168.1.100 service=sstp (not showing pass)

I can connect without any problem with the VPN (set up the input rule on the firewall), but first of all I see that I cannot access the internet via the VPN, although I can access all resources on 192.168.1.0/24.

Anyway, accessing the internet THROUGH the VPN is something I am not interested in, but I would like to understand why it is not working. If you think it could be the firewall I can export my rules.

I want to disable in Windows the checkbox “Use default gateway on remote network”; when I do that, the VPN connects, but I cannot access any remote resources anymore.
Checked routes in Windows and all I could see is that traffic with dest 192.168.1.0 goes via 192.168.1.10.
Tried adding another route manually, all traffic with dest 192.168.0.0/24 to be routed via 192.168.1.10 (the local address of the MikroTik on the VPN side), and there it works again!
Thought that when clicking on the checkbox “Use default GW…” this route may be added, but checked it and I only get the first route I mentioned.

What is happening when I disable that freaking checkbox???

Waiting for your comments..!!

You somehow need to route through your VPN to your desired site(s). Maybe 0.0.0.0/0, maybe just a pool like 192.168.0.0/16, or something like that. Windows will not know your routes automatically. It's possible to add a route option in L2TP.

Internet not working through the VPN is probably because of the firewall. Windows uses the VPN as default gateway by default, so that should not be it. On the router, it could be either a filter in chain=forward preventing traffic going from VPN clients to WAN, or srcnat not applied to connections from VPN clients.

For what you actually want, Windows offers either a default route, a class-based route or nothing. The first and last you don't want, and class-based means that for 192.168.x.x you'll get just a route to a /24, so no good for you. There's currently no automatic way to solve it. If you have Windows 10, you can add routes to a given VPN connection using:

Add-VpnConnectionRoute -ConnectionName "<connection name>" -DestinationPrefix <remote subnet>/<mask> -PassThru

For older versions, the only way is to add a persistent route, but you can't tie it to a specific connection (which might not be a problem, if you don't have any other conflicting VPN).
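As an added example (not code posted in the thread), the split-tunnel setup described in the reply above done entirely from PowerShell on Windows 10: the connection name "Office SSTP" is hypothetical, while the office subnet (192.168.0.0/24) and the server-side PPP address (192.168.1.10) are the values from the original post.

```powershell
# Added example, not from the thread. Assumes a Windows 10 VPN connection named
# "Office SSTP" (hypothetical name) that dials the SSTP server described above.
# 192.168.0.0/24 (office LAN) and 192.168.1.10 (router's PPP address) are the
# values given in the original post.
$ConnName  = 'Office SSTP'
$OfficeLan = '192.168.0.0/24'

# Equivalent of unchecking "Use default gateway on remote network": with split
# tunnelling on, only routes attached explicitly to the connection use the tunnel,
# so internet traffic keeps going out of the local default gateway.
Set-VpnConnection -Name $ConnName -SplitTunneling $true

# Attach the office subnet route to this connection. Windows installs it whenever
# the connection comes up and withdraws it when it drops, unlike a persistent route.
Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $OfficeLan -PassThru

# Check that the route is bound to the connection before dialling.
Get-VpnConnectionRoute -ConnectionName $ConnName

# After connecting, confirm the office subnet is reached via the tunnel interface
# and the default route still points at the local gateway, not the VPN.
Get-NetRoute -DestinationPrefix $OfficeLan -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric

# Fallback for older Windows without the VpnClient module: a persistent route via
# the router's PPP address. It is not tied to the connection, so it stays in the
# routing table even while the VPN is down (the caveat raised in the reply above).
# route -p add 192.168.0.0 mask 255.255.255.0 192.168.1.10
```

Run from an elevated PowerShell; the VpnClient cmdlets operate on the connection stored in the current user's phonebook unless -AllUserConnection is given.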