How to connect remote users via VPN correctly?

Less able to do the garden from a VPN with Mikrotik +, l2tp/pptp, to a lesser extent, openVPN.
The VPN is installed on colleagues' home PCs to access enterprise resources. 99% of the colleagues' home PCs run Windows of various versions, from XP to 10. The resources they connect to differ for each user: RDP, network shares, web resources. I am not sure about some points of the setup:
- In particular, I understand what a "remote desktop gateway" means in theory, but I don't understand it in practice. That is, as I understand it, if a less advanced user, he can configure a remote desktop gateway on his computer and drive traffic through the office gateway (MikroTik). This should not be. How to hack this?
- The second point. When a user connects to the VPN, on the MikroTik side I allow specific users access to the specific resources they need, with narrow rules. On the remote user's side, for access to the resources to be possible, we have to add the route either in the Windows routing table (route add), if it is l2tp/pptp, or, if it is OpenVPN, as a route add in the OpenVPN client config (*.ovpn). I'm not sure that it should be SO. The idea is that when connecting to the VPN, the VPN user's machine needs to get access to the essential resources of the enterprise without appending routes on the client side by hand. In theory the MikroTik has to push the routing rules to the VPN client, and I have a feeling that I am building a crutch.
April 19th 20 at 12:09
2 answers
April 19th 20 at 12:11
Routes on the VPN client are a headache for MikroTik admins. It can't do this properly, because it does not have full-fledged DHCP settings in the VPN. On some forums people write that they were able to configure forwarding of an external DHCP to VPN users, but those are crutches (not sure they work).
The routes on the client side (Windows) can be set in a number of ways.
In Windows 10 there is a special parameter in the VPN connection for this purpose, set through PowerShell (you can create the connection with this parameter right away in a script).

In Windows 7 you can alternatively set (but by hand, a user will not manage it) a trigger on connecting to the VPN, which will do a route add.
There is also CMAK, a package from Microsoft for creating pre-configured connections in the form of an installer. It can do exactly this, but the output is very buggy, plus you need administrator rights every time you connect.

And another more or less normal way is classful routing: for example, when the VPN tunnel address is in the 10.x.x.x network, Windows itself will register a route to subnet 10.0.0.0/8 through this connection.
The latter is the most convenient if you have a 10.x.x.x network.

Well, or OpenVPN, with a ready-made configuration file for the client.

But personally I don't like OpenVPN. It is extra software, and pings over it are often much worse.

For Windows clients the best is SSTP; more versatile is l2tp/IPsec.
Point out the CMAK glitches, please.

PS: a network of the form 172.16.0.0/16 will also work. - Arlene commented on April 19th 20 at 12:14
@Arlene, problems with re-creating the connection with the same name. The server address gets lost after installation, sometimes only on first run, sometimes altogether. The need for administrator rights every time you connect. - Tina37 commented on April 19th 20 at 12:17
@Tina37,
problems with re-creating the connection with the same name.

Well, that is not really a problem.

The server address gets lost after installation, sometimes only on first run, sometimes altogether.

You are doing something wrong if you have run into such a problem.

The need for administrator rights every time you connect.

Only if you run a script that requires elevated privileges, for example one that adds routes. Actually, how else? - Arlene commented on April 19th 20 at 12:20
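The Windows 10 approach mentioned in the answer above (a per-connection route set through PowerShell), as an added example that is not part of the original thread. The connection name, server name and prefixes are placeholders; the prefix list is assumed to mirror the narrow per-user rules allowed on the MikroTik side, so the client routes only what the firewall permits anyway.

```powershell
# Added example: create a split-tunnel VPN connection with per-connection routes.
# All names and addresses below are placeholders / constructed sample values.
$Name     = 'Office VPN'          # hypothetical connection name
$Server   = 'vpn.example.com'     # placeholder for the MikroTik's public name
# Only the prefixes this user is allowed to reach (constructed sample values).
$Prefixes = @('192.168.10.0/24', '192.168.20.15/32')

# Create the connection once, so the script can be re-run safely.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server `
        -TunnelType Sstp -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Required -SplitTunneling
}

# Keep the default route off the tunnel: only listed prefixes go through the VPN.
Set-VpnConnection -Name $Name -SplitTunneling $true

# Routes already stored on the connection (empty array if there are none).
$existing = @((Get-VpnConnection -Name $Name).Routes |
              ForEach-Object { $_.DestinationPrefix })

# Add the routes that are missing.
foreach ($p in $Prefixes) {
    if ($existing -notcontains $p) {
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $p
    }
}

# Remove routes that are no longer in the allowed list.
foreach ($old in $existing) {
    if ($Prefixes -notcontains $old) {
        Remove-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $old
    }
}

# Show the result: these routes are applied by Windows each time the VPN connects.
(Get-VpnConnection -Name $Name).Routes | Select-Object DestinationPrefix
```

The routes are stored with the connection and applied by Windows on every connect, so no `route add` has to be run at connect time.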
April 19th 20 at 12:13
Likes, dislikes openvpn.
The advantages of OpenVPN:
After a break, the connection restores on its own.
You can pass routes to the clients.
Cons of all the rest:
After a break, the connection does not restore on its own.
It is impossible to pass routes to the clients.
You can pass routes to the clients.

From the OpenVPN server on MikroTik, no.

After a break, the connection does not restore on its own.

And the Borg and not know.

To the cons of OpenVPN on MikroTik: it does not support UDP. - Arlene commented on April 19th 20 at 12:16
@Arlene, and what to say about the cons of Windows RDP?
It connects via TCP but ... the terminal video goes over UDP

there is no disadvantage that the TCP connection don't listen to anyone anyway when you need UDP chases.
and server is possible, but only one network, many networks through openvpn client - Kurt76 commented on April 19th 20 at 12:19
@Kurt76, don't talk nonsense; a TCP tunnel encapsulates all traffic in TCP.
Routes are not passed from the server in OpenVPN on MikroTik (not sure whether it is different in another implementation); they are written in the client settings. - Tina37 commented on April 19th 20 at 12:22
@Arlene, 7beta supports UDP OpenVPN. But no auth by certificates. - Tina37 commented on April 19th 20 at 12:25
@Tina37,
(not sure whether it is different in another implementation)

In natural (non-GMO™) OpenVPN, routes can be pushed from the server with the push option, as well as many other parameters. - Arlene commented on April 19th 20 at 12:28
