VPN over VPN - beginner's question

rxmd · March 13, 2018, 4:28am

Here is what’s probably a silly question. I want to open a VPN connection. The Mikrotik client box in question is in a location in Kazakhstan where connection to the local ISP is a bit odd. The box is first assigned an IP address in a closed network dynamically, then it opens a L2TP tunnel to the ISP for authentication. So on the Mikrotik the uplink to the local ISP looks like this (and there is an extra script that updates the IP address of the L2TP tunnel endpoint regularly in case the connection goes down):

/interface l2tp-client
add add-default-route=yes connect-to=80.241.35.34 default-route-distance=0 disabled=no \
    max-mru=1420 max-mtu=1420 name=Beeline-L2TP password=password \
    profile=Beeline user=username

Now I want to open a real VPN connection, so I do something like this (for testing purposes I use the values for a PPTP connection to VPNbook from their public website):

/interface pptp-client
add add-default-route=yes connect-to=us1.vpnbook.com disabled=no name=pptp-vpn \
    password=eaye74d user=vpnbook

The interface comes up just fine, but it sits idle and no traffic gets routed over it, everything still goes over the underlying L2TP tunnel. Shouldn’t the add-default-route=yes parameter take care of that? What am I missing?

Anumrak · March 13, 2018, 1:48pm

After both connections, print here your routing table.

rxmd · March 16, 2018, 3:49pm

Here it is. Sorry that it took me a while.

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          Beeline-L2TP              0
 1  DS  0.0.0.0/0                          pptp-vpn                  1
 2 ADS  5.34.34.5/32                       10.18.147.1               2
 3 ADS  10.0.0.0/8                         10.18.147.1               2
 4 ADC  10.0.0.0/24        10.0.0.1        bridge1                   0
 5 ADC  10.18.147.0/24     10.18.147.13    ether1-gateway            0
 6 ADS  37.99.99.37/32                     10.18.147.1               2
 7 ADS  77.74.64.0/21                      10.18.147.1               2
 8 A S  ;;; L2TP server subnet
        77.74.65.0/24                      10.18.147.1               1
 9 A S  ;;; L2TP server subnet
        80.241.35.0/24                     10.18.147.1               1
10 ADS  80.241.35.34/32                    10.18.147.1               0
11 ADS  87.247.0.130/32                    10.18.147.1               2
12 ADS  87.247.0.133/32                    10.18.147.1               2
13 ADC  127.0.2.1/32       77.94.15.34     Beeline-L2TP              0
14 ADC  172.16.36.1/32     172.16.37.31    pptp-vpn                  0
15 ADS  176.222.190.144/28                 10.18.147.1               2
16  DS  198.7.62.204/32                    198.7.62.204              0
[admin@MikroTik] >

Anumrak · March 19, 2018, 10:25am

As you can see, 0.0.0.0/0 go through L2TP, because of a distance. 0 is better than 1. You need put in pptp client “add default gateway” or make static routing to resourses in net which you want to be reachable via pptp client. That’s it.

rxmd · March 20, 2018, 10:13am

Thanks! I’ll try that. Sorry for the beginners’ question, I’m new to fiddling with routing tables.