My daughter just moved into an apartment with free WiFi and Ethernet hookup. There is absolutely no client isolation on the network so it is a security nightmare. I plan on buying a hAP Lite to put in her apartment and connect her Ethernet to the WAN (ether1) port of the hAP and set it up as a VPN client to my home Mikrotik router. I already have an L2TP/IPsec server running on mine that I use with my Android phone when away from home. I set up the server using this tutorial: https://manuth.life/l2tpipsec-vpn-server-mikrotik-routeros/
Is the best way to just add an L2TP client interface on her router to “dial” into my server? I have looked at some documentation on “site to site” setups but since her connection will be double NATed I don’t think that’s possible.
You don’t have to NAT her local connections to prevent double NAT, just use normal routing.
As far as site to site VPN goes, you will need access to the uplink router (apartment providers router) to configure port forwarding as the site to site will terminate on her router, I doubt that will be possible so the client “dial up” solution will be the best
Thanks for confirming what I thought about the site-site setup. I’m not quite sure I understand what you mean by “just use normal routing” to prevent double NAT. As I understand it, I can either connect the apartment ethernet port to one of the hAP’s LAN ports, no DHCP server, in which case it just becomes an AP, or, I can connect to the hAP’s WAN port, provide DHCP to her devices (wireless laptop, phone, & wireless Roku TV) in which case I would have to NAT her local connections right?
Apologies, yes, to prevent the Double NAT, you will need access to the upstream router again, for adding routes to her internal subnet. So in this case, yes you will have to make use of NAT in order to ensure routing between upstream and her local subnet