I have configured and am running an L2TP/IPsec server on MikroTik, but I don't want to route all internet traffic through the VPN. I just want access to the local LAN.
How can I do this?
What kind of client are we talking about? Windows, Android, iOS, MacOS…?
Windows 10 - I found a way called split tunneling, by disabling “use the default gateway of the remote network” on the VPN connection, but I am not sure if this is the correct way.
Android 10, 11 - I have not found that option in the integrated VPN client (Samsung).
It is, provided that the LAN consists of a single subnet and you assign addresses from the same subnet to the L2TP client (doing so requires use of the arp=proxy-arp workaround); if this is not the case, you can use PowerShell to add routes when the particular VPN connection becomes active, or you can use the usual command line to add “persistent” routes with the VPN interface as IF (and 0.0.0.0 as a gateway IP).
I don’t think there is any.
For both cases, IKEv2 could be a better solution, as it allows pushing a route list to Windows clients and to compatible Android clients. The list is configured in the split-include parameter of mode-config, and Windows receives it via DHCPINFORM whereas Android uses the native IKEv2 mechanism of policy narrowing. I’m not sure whether the embedded Android client supports multiple subnets; strongSwan, which I have to use on my Android 9, doesn’t.
The clients can be on different subnets, 192.168.40.0/24 or 192.168.20.0/24 etc., 192.168.0.0/24, as they can connect from different hotspots.
So I need to add this on the Windows client side?
Add-VpnConnectionRoute -ConnectionName "VPNconnectionname" -DestinationPrefix 192.168.40.0/24 -PassThru
The 2nd option is a little bit hard for me. You mean setting up the MikroTik VPN server with self certificates like this: https://www.youtube.com/watch?v=fQokeBcrjdc
I’m not sure how hotspots are related…? It is a problem if the LAN subnet on the L2TP server end overlaps with the subnet to which the client is connected locally, but there is no way the server could learn the local network configuration of the client. So I don’t quite get what you have in mind. But otherwise yes, I had in mind the Add-VpnConnectionRoute command.
It is pointless to refer to videos as no one will spend time watching them, but yes, I have in mind IKEv2 with certificates. Certificates are apparently not necessary for the native VPN client of Android, but Windows only supports certificate authentication for IKEv2.
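
The Windows-side approach discussed in this thread (split tunneling plus Add-VpnConnectionRoute), written out as an added example that is not part of any poster's message. The connection name and the remote prefixes are constructed placeholders, and the overlap check reflects the caveat above that the server cannot know the client's local subnet.

```powershell
# Added example: per-user VPN connection assumed; name and prefixes are placeholders.
$ConnectionName = 'Office-L2TP'                          # assumed connection name
$RemotePrefixes = @('192.168.88.0/24', '10.10.20.0/24')  # assumed subnets behind the router

function ConvertTo-IPv4Number ([string]$Ip) {
    # Dotted quad -> number, most significant octet first
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-PrefixOverlap ([string]$A, [string]$B) {
    # Two prefixes overlap when they agree on the bits of the shorter mask
    $ipA, $lenA = $A -split '/'
    $ipB, $lenB = $B -split '/'
    $shift = 32 - [Math]::Min([int]$lenA, [int]$lenB)
    ((ConvertTo-IPv4Number $ipA) -shr $shift) -eq ((ConvertTo-IPv4Number $ipB) -shr $shift)
}

# Same effect as unticking "use default gateway on remote network"
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# Subnets this client is attached to right now (loopback and APIPA excluded).
# Run while the VPN is disconnected so the tunnel address is not counted.
$localPrefixes = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
    ForEach-Object { "$($_.IPAddress)/$($_.PrefixLength)" }

# Routes already stored on the connection, so the script can be re-run safely
$existing = (Get-VpnConnection -Name $ConnectionName).Routes.DestinationPrefix

foreach ($prefix in $RemotePrefixes) {
    $clash = $localPrefixes | Where-Object { Test-PrefixOverlap $prefix $_ }
    if ($clash) {
        # The route is still stored: the clash only applies to the current location
        Write-Warning "$prefix overlaps local network $($clash -join ', '); hosts in it may be unreachable from here"
    }
    if ($existing -contains $prefix) {
        Write-Host "$prefix already routed via $ConnectionName"
    } else {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
    }
}
```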