nagylzs
Member
Topic Author
Posts: 354
Joined: Sun May 26, 2019 2:08 pm

L2TP client and IPSEC on RouterBOARD hAP Lite

Mon Jun 15, 2020 10:19 pm

I need to access many computers with VNC and RDP at a company's remote site. I will do this only when they have a problem (one or two times weekly). I had the idea of buying a cheaper MikroTik router and using l2tp-client and ipsec for this. I cannot change their internal network, but I could install my own router. This router would function as a gateway between my network and theirs, connecting to my main router in the office. This is only for making my life easier, and I do not want to invest too much. I have noticed that RouterBOARD hAP Lite comes with an L4 license, but without hardware IPsec support.

I have some questions:

* Can I use l2tp-client and ipsec on RouterBOARD hAP Lite ?
* What will be the speed of that connection (roughly)? (I did not see this on the product specification's page.)

I think at least 10Mbit would be enough to do what I need.
 
nordex
Member Candidate
Posts: 103
Joined: Fri Mar 23, 2007 7:46 pm
Location: Croatia

Re: L2TP client and IPSEC on RouterBOARD hAP Lite

Mon Jun 15, 2020 10:39 pm

"at a company's remote site", or sites?

I have the same situation, with multiple sites, 1-2 PCs per site.

What I did is an L2TP client on Windows: all clients connect to my VPN, and then I connect to them through the internal network.
 
nagylzs
Member
Topic Author
Posts: 354
Joined: Sun May 26, 2019 2:08 pm

Re: L2TP client and IPSEC on RouterBOARD hAP Lite

Mon Jun 15, 2020 10:46 pm

For one or two clients per site, it would probably be better to set up the Windows L2TP client on each one of them. For 50 clients per site, a dedicated VPN is much better.

This site currently has 5 client computers. I'm not sure what would be better...

It is not just setting up the L2TP connection on Windows. It is also adding a script in Task Scheduler that will auto-reconnect to the L2TP server.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP client and IPSEC on RouterBOARD hAP Lite

Mon Jun 15, 2020 11:19 pm

> * Can I use l2tp-client and ipsec on RouterBOARD hAP Lite ?
Yes

> * What will be the speed of that connection (roughly)? ( I did not see this on the product specification's page.)
> I think at least 10Mbit would be enough to do what I need.
Right now I am downloading a huge file at 16 Mbit/s payload speed on a 20 Mbit/s line using bare IKEv2 with AES-256-CBC encryption on a mAP, which has the same CPU architecture and clock as the hAP lite. Download of a huge file is the most favourable case (the highest bit rate to packet rate ratio), but there is still some margin above your required 10 Mbit/s, and maybe the actual limit is my 20 Mbit/s download.

L2TP will add some extra overhead; on the other hand, if I remember correctly, the limit of the Windows embedded client is AES-128, so the encryption/decryption will be a bit less CPU intensive. But nevertheless, I'd recommend that you consider using bare IKEv2: RouterOS allows pushing routes to the Windows client via DHCPINFORM, which it doesn't support with L2TP.
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: L2TP client and IPSEC on RouterBOARD hAP Lite

Mon Jun 15, 2020 11:59 pm

I have one hAP mini (basically the same hardware as the hAP lite) which holds two GRE+IPsec AES-256-CBC tunnels with OSPF running over them, and an L2TP/IPsec server for on-the-road connectivity.
I happen to use it only for Dude monitoring and emergency WinBox access.
Just tested it with bandwidth test through one of the GRE+IPsec tunnels:

- it can do 5Mbit in any direction, both udp and tcp without getting anywhere close to 100% cpu.
- at 10Mbit tcp/send it maxes out the CPU and winbox connection drops.
- for udp it maxes out around 20Mbit both directions but stays responsive.

These results should not be taken as they are, because, honestly, this is anything but a proper test:
First, bandwidth test/server is a "cpu-hungry" operation itself, so it should be performed through the devices, not on them.
Second, that is not the real life traffic pattern. I'd say in real life it should be worse.
But that's the only way I can test it now.
And it is more or less consistent with what sindy's test concludes.
So I guess that should give you a rough estimate of what to expect.
 
nagylzs
Member
Topic Author
Posts: 354
Joined: Sun May 26, 2019 2:08 pm

Re: L2TP client and IPSEC on RouterBOARD hAP Lite

Tue Jun 16, 2020 8:17 am

> But that's the only way I can test it now.
Thank you for taking the effort! So this is on the edge: it might work, but in some cases it can be slow. (I can lower the bitrates for VNC.)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP client and IPSEC on RouterBOARD hAP Lite

Tue Jun 16, 2020 8:24 am

If you want to stay on the safe side, use the hAP ac². It costs 3.5 times more, but you won't have to think about encryption speed.
 
nagylzs
Member
Topic Author
Posts: 354
Joined: Sun May 26, 2019 2:08 pm

Re: L2TP client and IPSEC on RouterBOARD hAP Lite

Mon Oct 12, 2020 11:33 am

> L2TP will add some extra overhead, on the other hand if I remember correctly, the limit of the Windows embedded client is AES-128, so the encryption/decryption will be a bit less CPU intensive. But nevertheless, I'd recommend you to consider using bare IKEv2, RouterOS allows to push routes to the Windows client via DHCPINFORM, which it doesn't support with L2TP.
Some time has passed since my last comment in this thread. I'm now using hAP ac² devices at 4 sites. There are also "on the road" Windows 10 clients. I need to add some more sites soon, and it is becoming tiresome to always add routes to the clients manually. I think I really need to switch from L2TP to IKEv2 and use DHCPINFORM to push routes dynamically.

But I don't know how to do this. There are so many VPN protocols, and I'm not sure which one is "bare IKEv2" and how to set it up. Is there a good tutorial for this?

Thank you.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP client and IPSEC on RouterBOARD hAP Lite

Mon Oct 12, 2020 6:06 pm

Bare IKEv2 is not an official name - I use it to emphasize that it is not "some-tunneling-protocol over IPsec", but that the tunneling is provided by IPsec alone. This currently means that no virtual interface is created; instead of routing the traffic for the remote peer to such a tunnel interface, it is selected for delivery to the remote peer by means of a "traffic selector", which is a tuple of source address and destination address, and in specific cases also the protocol and the source and destination port of that protocol are taken into account. But some "normal" route for it must exist, otherwise the packet couldn't reach the traffic-selector matching stage of packet handling.

I think that the example on the Wiki for Windows client with IKEv2 has it all, so try that approach and if you fail, come back with the configuration export, not with a reference to the manual - if things don't work, the mistake is in nearly all cases in what has actually been configured, not in the manual.
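To make the "traffic selector instead of tunnel interface" idea concrete, here is an added RouterOS configuration for a bare IKEv2 road-warrior server; it is an example written for this thread, not sindy's configuration and not the Wiki example. All names (ike2-profile, ike2-pool, vpn-server, ...) and addresses are assumed: the office LAN is taken to be 192.168.10.0/24 and directly connected to the router, clients get addresses from 192.168.77.0/24, and a server certificate named vpn-server is assumed to exist already. The split-include attribute is the RouterOS knob that carries the routes to the client; the way the Windows client fetches them (the DHCPINFORM exchange sindy mentions) is assumed to work as he describes and is not shown.

```routeros
# Added example, not from the thread. Bare IKEv2 server: IPsec alone, no L2TP/GRE interface.
# Assumed: office LAN 192.168.10.0/24 is directly connected, so the "normal" route already exists.
# Assumed: certificate "vpn-server" (with a CA the clients trust) is already imported.

# IKE SA (phase 1) parameters.
/ip ipsec profile add name=ike2-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048

# Child SA (phase 2) parameters used by the policy template below.
/ip ipsec proposal add name=ike2-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=none

# Addresses handed out to clients through mode-config.
/ip pool add name=ike2-pool ranges=192.168.77.2-192.168.77.254

# split-include lists the networks the client should send through the tunnel
# (only the office LAN, so the client's other traffic is not pulled in).
/ip ipsec mode-config add name=ike2-conf address-pool=ike2-pool address-prefix-length=32 \
    split-include=192.168.10.0/24 system-dns=no

# The policy template IS the traffic selector sindy describes: source and destination
# network (protocol and ports could be added) decide which packets IPsec takes for the peer.
/ip ipsec policy group add name=ike2-policies
/ip ipsec policy add template=yes group=ike2-policies src-address=192.168.10.0/24 \
    dst-address=192.168.77.0/24 proposal=ike2-proposal

# Passive peer: the router only answers initiators, it never dials out.
/ip ipsec peer add name=ike2-peer exchange-mode=ike2 passive=yes profile=ike2-profile

# Certificate authentication. generate-policy=port-strict creates the per-client policy from
# the template at connect time; remote-id=ignore skips matching the IKE ID against the
# certificate, but the client certificate itself must still validate against a trusted CA.
/ip ipsec identity add peer=ike2-peer auth-method=digital-signature certificate=vpn-server \
    remote-id=ignore generate-policy=port-strict mode-config=ike2-conf \
    policy-template-group=ike2-policies

# IKE (UDP 500), NAT-T (UDP 4500) and ESP must reach the router itself; on the default
# firewall these rules have to sit above the "drop all not coming from LAN" input rule.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKEv2 IKE/NAT-T"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="IKEv2 ESP"
```

Two points follow directly from sindy's explanation. First, the policy template only covers 192.168.10.0/24 to the client pool; a packet from any other network towards 192.168.77.0/24 does not match the selector and is simply routed in the clear (or dropped by the firewall), so every network that should be reachable through the tunnel needs to appear both in split-include and in a template policy. Second, because there is no interface, a LAN that sits behind another router at the office would need an ordinary static route towards it on this box, otherwise the packet never reaches the selector matching stage.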
