I would like to create a private LAN using my MikroTik device which has all features of a normal LAN, including having DHCP server and broadcast traffic transmission, with ability to connect both from my internal networks and from remote locations via secure channel (like VPN connection). Clients are expected to have a separate IP address (virtual interface) to that network in addition to their primary network. Clients run a variety of OSes, including Windows, Linux, Android, iOs.

My initial attempt was to use L2TP server on RouterOS. Every client would simply create a VPN connection and have encrypted L2TP/IPsec PSK connection from wherever they are and connect to server. L2TP server then assigns each client an address based on their Secrets and allows forward traffic between clients for interconnection. Things would seem to go fine. However, I soon realised (thanks to this forum), that L2TP is PPP technology, and every client is effectively inside /32 network with only 1 host. This eliminates broadcast traffic, which is essential for my use case. Also, there's no room for DHCP server, because it would make no sense for every single host.

I tried to use bridging on L2TP server for the sake of experiment. I created a bridge and assigned it to PPP Profile for L2TP server, but it didn't add dynamic L2TP interfaces of clients to that bridge. Then I tried Interface list and manually added it as a bridge port. Dynamic interfaces would be added to list, however no bridging would happen. I learned that's because VPN client of client OS operates on IP addresses only and knows nothing about bridging.

The last thing I tried is mangling broadcast traffic. I created several Firewall Mangle rules of this kind:
chain=prerouting action=route passthrough=yes route-dst=<client-vpn-addr> protocol=udp
dst-address-type=broadcast in-interface-list=MyVpnIfaces
...
For each client. This way every client would send UDP to 255.255.255.255, which would be forcingly transmitted to every other client. But strange thing happens with those rules. When I enable only single one of them, target client receives mangled packet. If I enable all of them, say 3, none will receive anything. All rules tick counters. Don't know if this is a feature or a bug.

I wonder if there's a better solution to my problem and would be glad to hear your thoughts, directions or any other useful information. My device has RouterOS v6.49.2

For broadcast traffic solution there is only one path that I am aware of.
ZEROTIER!

EoIP ?

You probably don't have enough knowledge to explain what you need.. I suggest you to design on paper your network, chances are you better understand yourself the solution.
Mikrotik are complex routers, can do a lot, but you need to know what you're doing

For broadcast traffic solution there is only one path that I am aware of.
ZEROTIER!

I'm aware of things like Tunngle, Hamachi, but would like to not rely on them and run network on my Mikrotik device, if it's possible.

EoIP ?

I doubt end devices have EoIP support. Looks like it would require end device to be connected to a configured Mikrotik device to join my network, which I would like to avoid.

You probably don't have enough knowledge to explain what you need.. I suggest you to design on paper your network, chances are you better understand yourself the solution.
Mikrotik are complex routers, can do a lot, but you need to know what you're doing

Sounds insulting. I agree I don't have lots of knowledge on using RouterOS and networks in general, but I think I did a good work explaining what I need. I also worked out my solution, which is almost suitable, but lacks ability to transmit broadcasts. So I think I know what I want, just don't know how to properly implement it.

Last post in this thread - zerotier It is designed as a transparent L2 switch entity which is exactly what you state!
You dont need to be attached to MT for any end device................
Zerotier can be loaded on a PC, on an IPHONe etc........
Gluck!