VyOS L2TP Problem (and Fix!)

For the impatient:

Symptom: L2TP connection on Windows 10 computers is connecting, but Internet speed is slow and connections to various resources (file servers, intranet sites, etc.) disconnect or drop frequently.

Fix: limit the maximum transmission unit (MTU) size on the VPN connection with:

set vpn l2tp mtu 1000

For less impatient:

We recently built out an L2TP VPN server for a new client using VyOS. The client uses a mixture of Windows 10 and OS X computers to connect to their office.

There were a few hiccups initially as users were transitioned over to the new VPN and these were ironed out quickly.

A few days ago we began receiving reports that Windows 10 users were having difficulty connecting to HTTPS websites and were frequently being disconnected from internal file servers and intranet sites. No issues were being reported by users running OS X.

Our investigation began where it always does, Google. There were other people reporting problems with Windows 10 and L2TP.

Some articles reported that L2TP stopped working after a Windows Update, some suggested disabling IPv6, yet another recommended adding a key to the Windows Registry. We looked into all of these things and none of them worked reliably.

We did a trace route on and off the VPN. Both worked, but the trace route command was much slower when connected to the VPN.

Why did it work before and not now? Why did trace route work, but significantly slower? Why were HTTP websites working and HTTPS sites not?

Finally, a light bulb went off in our heads. Maybe the added overhead of the VPN was causing packets to fragment. We added a configuration to the VPN server to limit the MTU to 1000, committed the change and "magically" everything started working.

The actual command in VyOS is:

set vpn l2tp mtu <value>

Where <value> is a suitable value. We recommend 1000, as many Internet connections are limited to an MTU size of 1500 and 1000 provides enough headroom for any additional headers added by a VPN.
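
To measure the path instead of assuming 1500, the script below (an added example, not part of the original post) binary-searches the largest IPv4 packet that reaches a host with the Don't Fragment bit set. The function names find_path_mtu and probe are hypothetical, 192.0.2.10 is a placeholder address, and it assumes a Linux client with iputils ping and a target that answers ICMP echo.

```shell
#!/bin/sh
# Added example: find the largest IPv4 packet that crosses a path unfragmented.
# Run it from a client against the VPN server's public address, VPN disconnected.

# probe PAYLOAD HOST: succeed if one ICMP echo carrying PAYLOAD data bytes,
# sent with Don't Fragment set, gets a reply.
# iputils ping: -M do prohibits fragmentation, -W 1 waits one second.
# A lost packet or filtered ICMP also counts as failure, so rerun to confirm.
probe() {
    ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]: print the largest working packet size in
# bytes (payload + 8 ICMP + 20 IPv4). Returns 1 if even LOW gets no reply.
find_path_mtu() {
    host=$1
    lo=${2:-548}     # payload of a 576-byte packet (assumed lower bound)
    hi=${3:-1472}    # payload of a 1500-byte packet
    probe "$lo" "$host" || return 1
    # Invariant: payload lo is known to pass, anything above hi is known to fail.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo $(( lo + 28 ))
}

# Runs only when a target is given, e.g.: sh pmtu.sh 192.0.2.10
if [ "$#" -ge 1 ]; then
    find_path_mtu "$1" || { echo "no reply from $1 at minimum size" >&2; exit 1; }
fi
```

The printed size is the MTU of the path underneath the tunnel; the value given to set vpn l2tp mtu has to be smaller than that by the headers the VPN adds.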