Posted: Fri Jul 20, 2018 6:34 pm
by metron6
Hello all,

I want to create a VPN cloud Mt router, connected to our Local Mt router, so other Mikrotik routers and individual devices can connect and join the network.
You can see in the picture what I want to do. My question is, what type of VPN to use?
I now have some laptops with L2TP VPN, but when they are in some hotels, etc., they can't connect.
I configured a Mikrotik router to connect, but when the customer took it to his local network, it was not working. Probably his ISP was firewalling VPNs.

What's your opinion on this? Besides site2site connections with Mt routers, I have customers with mobile phones, tablets, laptops, etc.


Posted: Fri Jul 20, 2018 6:52 pm
by Paternot
The bulletproof option (connection wise) is OpenVPN. It traverses NAT and double NAT without problems. You can pile any number of clients behind a single NATed IP, and it will work. It has clients for Windows, Linux, Android, MacOS and (I think) iOS.

But it is not without problems.

1) Mikrotik doesn't do hardware acceleration. So, the CPU usage is higher.
2) Mikrotik implementation is TCP only. This gives You a slower speed than would be achievable with a UDP solution.
3) Mikrotik implementation doesn't have compression, so it's more bandwidth usage than with compression.
4) The only way to use IPv6 inside an OpenVpn tunnel is using the TAP interface, and attaching it to a bridge. But this is a layer 2 interface, so you don't get client isolation.

The efficient option would be IPsec. You can use it pure or encapsulate something in it. L2TP/IPsec is quite popular. It is UDP, fast, has hardware acceleration and works very well.

But it is not without problems.

1) The setup is more complex
2) Doesn't play very well with single NAT, and double NAT is out of the question.
3) You can't just pile as many clients as You want behind a single NATed IP.
4) Sometimes it gets blocked by firewalls. This can be a problem for your road warriors.

There are some other options. I'm sure someone will help with them here.

Posted: Fri Jul 20, 2018 7:23 pm
by AlainCasault
One thing to point out also is that if the hotel or other site you're at when launching the VPN has the same IP addresses as you, that would cause problems. That might explain why it would not work on occasions.
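
The address clash described in the post above, as an added example that is not part of the original thread: a small Python check that compares a road warrior's local network with the subnets routed through the VPN. The function name, verdict labels and sample addresses are assumptions made for this illustration, and the verdicts assume ordinary longest-prefix-match routing on the client.

```python
import ipaddress

def classify_conflicts(local_net, vpn_routes):
    """Compare the client's local network with the routes the VPN installs.

    Returns a list of (vpn_route, verdict) for every overlapping route:
      vpn-shadows-local  VPN route is more specific, so local hosts in that
                         range (printer, hotel portal) become unreachable
      local-shadows-vpn  local network is more specific, so office hosts in
                         that range are never sent into the tunnel
      identical          same prefix on both sides; which one wins depends on
                         the client OS, usually the directly connected LAN
    """
    local = ipaddress.ip_network(local_net, strict=False)
    results = []
    for text in vpn_routes:
        route = ipaddress.ip_network(text, strict=False)
        if route.version != local.version or not route.overlaps(local):
            continue  # no clash with this route
        if route.prefixlen > local.prefixlen:
            verdict = "vpn-shadows-local"
        elif route.prefixlen < local.prefixlen:
            verdict = "local-shadows-vpn"
        else:
            verdict = "identical"
        results.append((str(route), verdict))
    return results

if __name__ == "__main__":
    # Constructed sample: laptop address handed out by a hotel network,
    # and the office subnets a VPN server might route to its clients.
    hotel_lan = "192.168.1.57/24"
    office_routes = ["192.168.1.0/24", "192.168.0.0/16",
                     "192.168.1.128/25", "10.20.0.0/24"]
    for route, verdict in classify_conflicts(hotel_lan, office_routes):
        print(f"{route:18} {verdict}")
```

An empty result means the site's addressing does not collide with the VPN routes, so a failed connection there has another cause, such as the firewalling mentioned earlier in the thread.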

Posted: Fri Jul 20, 2018 7:32 pm
by metron6
Some providers, here in Greece, are not allowing PPTP connections. This started to happen a month ago.
I had many customers' routers connected to my CHR router and suddenly connections..
I changed to L2TP, but I don't know for how long they will allow it.

As far as I understood, OpenVPN is one-way solution and if Mt adds UDP and compression, it will be the only solution :)

Thank you all for the support.