I recently configured a few hub and spoke VPN projects consisting 100% of MAX Routers and PepVPN. One of the project requirements was also remote access, so we implemented the somewhat new L2TP/IPsec functionality. This worked great, but I have a concern. I noticed that when I connect via the L2TP Windows client to the hub, I could hit the hub LAN and the spoke LANs. While I do want the ability to hit the spoke LANs, I noticed the way this was accomplished is via a default route assigned to the VPN adapter in Windows. This is worrisome, as when connected, ALL internet traffic now goes to the hub and out its cellular connection, which could easily drive up a small SCADA data plan and lead to a big $$$ bill for overages.
I thought perhaps I could simply advise customers “When connected via L2TP, consider limiting your internet use, as all internet traffic will go across the tunnel and out cellular. WARNING: this could lead to excessive data plan charges.” in the hope that users will be careful about their internet activity while connected via L2TP. After further consideration, this isn’t realistic, as many users have backup software like Dropbox, Crashplan, Mozy, Carbonite, etc. running 24/7, and this traffic will also instantly move to the tunnel and out cellular when connected via L2TP. It is a bit of a burden to ask the user to identify all these applications, shut them down, etc.
So I ask, is there a way to:
- Offer a split tunneling option so the user can choose to ensure a default route is NOT applied to the VPN adapter, and all internet traffic goes directly out as normal rather than across the tunnel? I understand some consider this a security risk, but I think this choice is often made available and left to the administrator to decide what is best for their application.
- Assuming split tunneling can be done, there is the issue of making sure the remote user gets all routes pushed (not only the hub LAN, but also the spoke LANs); perhaps a choice for the admin to configure which of the routes the hub is aware of should be pushed to users? Or even just push all routes the hub knows, just not the default route?
If this is not possible with L2TP, I strongly urge consideration of adding OpenVPN to Peplink products, as discussed in another feature request thread. OpenVPN is more than capable of providing all the options discussed above and offers a ton of extra features. Not to mention, Android keeps going back and forth in breaking L2TP support.
Thanks for your consideration!
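Added here as an example of the client-side workaround for the default-route problem described in the post above; this is not code from the original post or from Peplink. It uses the Windows VpnClient cmdlets to disable the default route on the L2TP adapter and add static routes for the hub and spoke LANs; the connection name and the three LAN prefixes are placeholders to be replaced with the real ones.

```powershell
# Added example (not Peplink's code): client-side split tunneling for an
# L2TP/IPsec connection on Windows so internet traffic stays off the hub's
# cellular link while the hub and spoke LANs remain reachable via the tunnel.
# Assumptions: the connection name and LAN prefixes below are placeholders.
$Conn = 'PepVPN-L2TP'                # hypothetical VPN connection name
$TunnelPrefixes = @(
    '192.168.10.0/24',               # constructed: hub LAN
    '192.168.20.0/24',               # constructed: spoke A LAN
    '192.168.30.0/24'                # constructed: spoke B LAN
)

# Stop Windows from installing a default route on the VPN adapter
# (same effect as unticking "Use default gateway on remote network").
Set-VpnConnection -Name $Conn -SplitTunneling $true

# With no default route, only the prefixes listed here use the tunnel,
# so every hub and spoke LAN must be added explicitly.
foreach ($Prefix in $TunnelPrefixes) {
    Add-VpnConnectionRoute -ConnectionName $Conn -DestinationPrefix $Prefix -PassThru
}

# Verify the profile: SplitTunneling should be True and Routes should
# list exactly the LAN prefixes above.
Get-VpnConnection -Name $Conn | Select-Object Name, SplitTunneling, Routes

# After dialing the connection (e.g. rasdial $Conn <user> <password>),
# confirm that no 0.0.0.0/0 route points at the VPN interface and that
# the LAN prefixes do; anything else should leave via the local uplink.
Get-NetRoute -InterfaceAlias $Conn -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, NextHop, RouteMetric
```

Any spoke LAN missing from the list will be sent out the local internet path instead of the tunnel, so the route list has to be kept in step with the spoke addressing. Routes are stored per connection, so users who recreate the VPN profile need them re-added.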