Sorry for the stupid title, but it’s actually very accurate.
And sorry for the length, but I need to get it out.
I want to set up a Road Warrior type VPN for a small company, with very simple requirements: RouterOS as the server, clients running Windows (>= Windows 7). I’d like something nice, modern and secure, preferably something with certificates (they just feel so good). The router has static public addresses, both IPv4 and IPv6, but IPv4 alone is enough for now.
RouterOS recently added IKEv2, and at first sight it looks like a good choice. The sample config works perfectly. But there are some troubles on the Windows side, specifically with their idea of tunnelling everything through the tunnel by default. I don’t want that. I can turn it off, but then I can’t access the remote network, because I have one 192.168.x.0/24 for VPN clients and another 192.168.y.0/24 for the remote network. And as the manual warns, the split-include option doesn’t work. Oh well, I suppose users could add the route to the other network manually, but that’s not user friendly at all. Or I could switch to 10.x.x.x addresses and the Windows client would add a route to 10.0.0.0/8. I don’t need or want the whole /8, but it could work.
Next step, I need users. Just two for a start, “boss” and “janitor”. Obviously, each needs access to different resources in the remote LAN. They each have their own certificate, so it should be easy to tell one from the other and give them different addresses, right? But… erm… please tell me that I’m stupid, but I can’t find a way to do it. I tried to add peers with different remote-certificate values, or even with a different server certificate and another CA for both client and server, but neither works; only one peer config seems to be active (which reminds me of this thread). I see the used certificate name in “/ip pool used”, so in theory I could have a script go through that and add the client’s address to an address list based on the certificate name. I tried to do it just for fun, but for some reason I can’t iterate through the items. Is it perhaps because, unlike other collections, “/ip pool used print” doesn’t return numbers? But hey, I’m not a scripting guy, so it may be my fault. But even if it worked, it would be a horrible solution even by my standards (and I’m usually for all kinds of hacks), so no thanks.
Oh, and one more thing: even though it uses certificates, they are machine certificates in Windows, so that doesn’t look exactly right either. It might not be a real problem, because the client computers usually have only one user account anyway, but still… OK, so the current IKEv2 is not for me.
So what else? PPTP is out, obviously. SSTP or L2TP/IPSec solve the problem of different kinds of users, because I can assign addresses based on username and then work with those. SSTP can’t use client certificates. The option is there, but it only works when the client is another RouterOS. With L2TP/IPSec I’m not sure; in theory the IPSec part could, but I have a feeling that there might be the same problem with different peers. I guess one common certificate for all could work too, even though I’d rather they each had their own. And if I forgot about certificates, both still have the same problem with routes.
So in the end, is MikroTik’s half-assed implementation of OpenVPN the best option? With it, I can treat different users differently, it has certificates, and I can put the required routes in the clients’ config files (it would be better if I could push them from the server, but oh well, it’s better than everything else I’ve seen so far). Once more, please tell me that I’m stupid and I missed something obvious. Or do I want too much? Aren’t my requirements just basic, humble ones? They don’t seem like anything extra to me.
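The OpenVPN variant sketched in the post (per-user addresses assigned by username, client certificates, routes in the client config) written out as a RouterOS configuration, as an added example that is not part of the original post. It assumes a hypothetical VPN subnet 192.168.10.0/24, office LAN 192.168.20.0/24, a file server at 192.168.20.5, a server certificate named "vpn-server" already imported together with its CA, and placeholder passwords; all of those are assumptions, not values from the post.

```routeros
# Added example, not from the original post. Hypothetical values:
#   VPN clients 192.168.10.0/24, office LAN 192.168.20.0/24,
#   file server 192.168.20.5, server certificate "vpn-server".
/ip pool
add name=ovpn-pool ranges=192.168.10.100-192.168.10.199

/ppp profile
add name=ovpn-profile local-address=192.168.10.1 remote-address=ovpn-pool \
    use-encryption=required

# One secret per person. A fixed remote-address ties each username to one IP,
# so the firewall can tell "boss" and "janitor" apart. Passwords are placeholders.
/ppp secret
add name=boss    password="change-me-boss"    service=ovpn profile=ovpn-profile \
    remote-address=192.168.10.10
add name=janitor password="change-me-janitor" service=ovpn profile=ovpn-profile \
    remote-address=192.168.10.11

# The server-side certificate plus a mandatory client certificate (signed by the
# same CA); username/password still selects the user and therefore the address.
/interface ovpn-server server
set enabled=yes port=1194 mode=ip netmask=24 certificate=vpn-server \
    require-client-certificate=yes auth=sha1 cipher=aes256 \
    default-profile=ovpn-profile

/ip firewall address-list
add list=vpn-boss    address=192.168.10.10
add list=vpn-janitor address=192.168.10.11

# Least privilege in the forward chain: boss reaches the whole LAN, janitor only
# the file server, anything else from the VPN subnet towards the LAN is dropped.
# Rules are evaluated top to bottom, so the drop rule must stay last of these.
/ip firewall filter
add chain=forward src-address-list=vpn-boss    dst-address=192.168.20.0/24 action=accept
add chain=forward src-address-list=vpn-janitor dst-address=192.168.20.5    action=accept
add chain=forward src-address=192.168.10.0/24  dst-address=192.168.20.0/24 action=drop
```

On the client side, each user's .ovpn then carries its own `cert`/`key` pair, `auth SHA1` and `cipher AES-256-CBC` to match the server settings above, `proto tcp` (the RouterOS OVPN server only speaks TCP), and a `route 192.168.20.0 255.255.255.0` line, since RouterOS does not push routes; that matches the post's observation that the routes have to live in the client config rather than be pushed from the server.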