janda
just joined
Topic Author
Posts: 10
Joined: Mon Jan 11, 2021 4:42 pm

VPN internet routing

Tue Apr 06, 2021 4:30 pm

I have an l2tp-ipsec server configured and running on MikroTik, but I don't want to route all internet traffic through the VPN. I just want to access the local LAN.

How can I do this?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN internet routing

Tue Apr 06, 2021 4:58 pm

What kind of client are we talking about? Windows, Android, iOS, MacOS...?
 
janda
just joined
Topic Author
Posts: 10
Joined: Mon Jan 11, 2021 4:42 pm

Re: VPN internet routing

Tue Apr 06, 2021 5:19 pm

Windows 10 - I found a way named split tunneling by disabling "use the default gateway of the remote network" on the VPN connection, but I am not sure if this is the correct way.

Android 10, 11 - I have not found that option under the integrated VPN client (Samsung).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN internet routing

Tue Apr 06, 2021 6:45 pm

> Windows 10 - I found a way named split tunneling by disabling "use the default gateway of the remote network" on the VPN connection, but I am not sure if this is the correct way.

It is, provided that the LAN consists of a single subnet and you assign addresses from the same subnet to the L2TP client (doing so requires use of the arp=proxy-arp workaround); if this is not the case, you can use PowerShell to add routes when the particular VPN connection becomes active, or you can use the usual command line to add "persistent" routes with the VPN interface as IF (and 0.0.0.0 as a gateway IP).

> Android 10, 11 - I have not found that option under the integrated VPN client (Samsung).

I don't think there is any.

For both cases, IKEv2 could be a better solution, as it allows pushing a route list to Windows clients and to compatible Android clients. The list is configured in the split-include parameter of mode-config, and Windows receives it via DHCPINFORM whereas Android uses the native IKEv2 mechanism of policy narrowing. I'm not sure whether the embedded Android client supports multiple subnets; Strongswan, which I have to use on my Android 9, doesn't.
 
janda
just joined
Topic Author
Posts: 10
Joined: Mon Jan 11, 2021 4:42 pm

Re: VPN internet routing

Tue Apr 06, 2021 8:45 pm

The clients can be on different subnets, 192.168.40.0/24 or 192.168.20.0/24 etc. ... 192.168.0.0/24, as they can connect from different hotspots.
So I need to add this on the Windows client side?
Add-VpnConnectionRoute -ConnectionName "VPNconnectionname" -DestinationPrefix 192.168.40.0/24 -PassThru

The 2nd option is a little bit hard for me; you mean setting up a MikroTik VPN server with self certificates like this: https://www.youtube.com/watch?v=fQokeBcrjdc
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN internet routing

Tue Apr 06, 2021 9:18 pm

> The clients can be on different subnets, 192.168.40.0/24 or 192.168.20.0/24 etc. ... 192.168.0.0/24, as they can connect from different hotspots.
> So I need to add this on the Windows client side?
> Add-VpnConnectionRoute -ConnectionName "VPNconnectionname" -DestinationPrefix 192.168.40.0/24 -PassThru

I'm not sure how hotspots are related...? It is a problem if the LAN subnet on the L2TP server end overlaps with the subnet to which the client is connected locally, but there is no way the server could learn the local network configuration of the client. So I don't quite get what you have in mind. But otherwise yes, I had in mind the Add-VpnConnectionRoute command.

> You mean setting up a MikroTik VPN server with self certificates like this: https://www.youtube.com/watch?v=fQokeBcrjdc

It is pointless to refer to videos as no one will spend time to watch them, but yes, I have in mind IKEv2 with certificates. Certificates are apparently not necessary for the native VPN client of Android, but Windows only supports certificate authentication for IKEv2.
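
The Windows-side approach discussed in the thread, as an added example that is not part of any post: it enables split tunneling on the connection, checks each LAN prefix against the subnets the client is currently attached to (the overlap problem sindy mentions), and only then adds the route. The connection name is the one used in the thread's command; the prefix 192.168.88.0/24 is a placeholder for the LAN behind the L2TP server, and the helper function names are hypothetical.

```powershell
# Added example. $RemotePrefixes is a placeholder; replace it with the LAN
# subnet(s) behind the L2TP server. Run while the VPN is disconnected.
$ConnectionName = 'VPNconnectionname'
$RemotePrefixes = @('192.168.88.0/24')

# Hypothetical helper: dotted-quad IPv4 address -> unsigned 32-bit number.
function ConvertTo-UInt32([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)              # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

# Hypothetical helper: two CIDR prefixes overlap when they agree on the
# network bits of the shorter (less specific) of the two prefix lengths.
function Test-PrefixOverlap([string]$A, [string]$B) {
    $ipA, $lenA = $A -split '/'
    $ipB, $lenB = $B -split '/'
    $len  = [Math]::Min([int]$lenA, [int]$lenB)
    $size = [Math]::Pow(2, 32 - $len)     # number of addresses in the wider prefix
    [Math]::Floor((ConvertTo-UInt32 $ipA) / $size) -eq
        [Math]::Floor((ConvertTo-UInt32 $ipB) / $size)
}

# Subnets the client is attached to right now (Wi-Fi, hotspot, Ethernet).
# Loopback and link-local addresses have PrefixOrigin 'WellKnown'.
$localPrefixes = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and
                   $_.InterfaceAlias -ne $ConnectionName } |
    ForEach-Object { '{0}/{1}' -f $_.IPAddress, $_.PrefixLength }

# Same setting as clearing the default-gateway checkbox in the adapter's
# IPv4 properties: the VPN no longer installs a default route.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

foreach ($prefix in $RemotePrefixes) {
    $clash = $localPrefixes | Where-Object { Test-PrefixOverlap $_ $prefix }
    if ($clash) {
        # A route via the VPN would compete with the directly connected network.
        Write-Warning "$prefix overlaps local subnet(s) $($clash -join ', '); route not added."
        continue
    }
    # The route is installed whenever this VPN connection comes up.
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
}
```

The overlap check only reflects the network the client is on when the script runs; a route added earlier can still clash after the client moves to another hotspot.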
