@kennerblick - I think you and I are going to be spending a lot of time together on here
#1 LT2P/IPSEC works... for now (VPN provider dependent)
This was also one of the main reasons I switched over to Mikrotik - with the ability to split traffic using the routing/connection marking and the mangle rules (which no other router seems to do) I successfully setup an LT2P w/IPSEC connection to my provider (https://www.hideipvpn.com/
) taking advantage of the hardware acceleration of IPSEC in the Mikrotik. Here are the threads that lead me to the answer in the end (basically Sindy knows everything!!);
In my case it was a little complex - I wanted 99% of the local clients to route all their traffic out of the VPN provider gateway, over the L2TP/IPSEC interface, but for certain devices that demand an inbound DST-NAT (externally addressable media servers etc) or are using their IP geo-location to control services (e.g. live TV streamin based on 'home' location) , I wanted those to follow the regular local ISP route.
My config works, incl. hardware acceleration of the IPSEC for the L2TP interface, so PM if you like and I'm happy to share my config with you directly. If the provider is committed to the L2TP config, you'll be fine - but not sure for how long..
#2 Most of the VPN providers seems to be downgrading or reducing their L2TP support
Even HideIPVPN seems to treat their L2TP as an after thought - my L2TP session drops sometimes every couple of days, and then again sometimes a couple of times in a single day - getting support on it is pretty much 'looks ok at our end', and detailed logging of the client at this end just shows the connection drops randomly. I read on a similar thread that NordVPN is shuttering their L2TP servers to a fraction of their thousands of servers
Most of the VPN providers incl. HideIPVPN are pushing people to SSTP/Softether becuase its more easily available on clients like iPhones, Android and Windoze. However because its a TCP/SSL transport , its very flexible and navigates routers/firewalls easily but has a high overhead and makes things like VOIP and high throughput services tricky without experience some kind of jitter or buffering. The same is true of the OpenVPN implementation on RouterOS at the moment (its TCP only , currently no support for UDP) which carries the same session overhead.
So then when you look at whats left as a combination, most vendors also offer IPSEC as part of an IKEv2/IPSEC connection - which I'm currently struggling to setup in this thread here.
It seems a lot of the vendors offer it, but not a single one of the seems to know how to setup a remote client to use it. Everyone seems to categorize it as a site-2-site VPN, and having a Mikrotik client connecting to a 3rd party server isnt generally discussed.
So....Having picked through all the various options both at the RouterOS side and the VPN vendors (expressVPN, HideIPvpn, NordVPN etc etc), it seems like the best 'generally supported' option would be to have an OpenVPN UDP connection available in RouterOS and use that as the default gateway (unless you want to split some traffic like I do in my config).
Still unlikely to be as fast as the native L2TP/IPSEC, but for now I think this is our best long term option for now..
Unless of course, anyone has another opinion / experience on the matter.