OpenWrt Forum Archive

Topic: SOLVED: L2TP server ICMP issues

The content of this topic has been archived on 16 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi everyone,

I've successfully created an L2TP server with the following setup:

root@OpenWrt:~# cat /etc/ipsec.conf

config setup

conn myvpn
    auto=add
    authby=secret
    type=transport
    left=%any
    leftsubnet=0.0.0.0/0
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rekey=no
    keyingtries=5

root@OpenWrt:~# cat /etc/xl2tpd/xl2tpd.conf

[global]
port = 1701
auth file = /etc/xl2tpd/xl2tp-secrets
access control = no

[lns default]
exclusive = yes
ip range = 10.0.1.2-10.0.1.100
hidden bit = no
local ip = 10.0.1.1
length bit = yes
require chap = yes
refuse pap = yes
name = vpn
ppp debug = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd

root@OpenWrt:~# cat /etc/ppp/options.xl2tpd

auth
noccp
#debug
dump
logfd 2
#logfile /var/log/xl2tpd.log
idle 1800
mtu 1280
mru 1280
proxyarp
ms-dns 8.8.8.8
lcp-echo-failure 12
lcp-echo-interval 5
#require-mschap-v2
nomppe

root@OpenWrt:/# cat /etc/rc.local

ifup vpn0
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE
exit 0

Everything works if I connect directly using the L2TP/IPSEC client of my Mac, but if I use another OpenWrt router as a VPN gateway for other clients, only half of the websites work.
Searching around, I found that the probable issue is wrong handling of ICMP packets that route responses back to the VPN gateway instead of to the clients.

Does anyone know how to solve this?

Thanks

(Last edited by nicco on 29 Jul 2017, 23:17)

Enabling "MSS clamping" might fix the problem.

How can I do so?

Changing the MTU to another value? If so, what do you suggest?

Thanks

I was thinking of "MSS clamping" in the web GUI.

The uci option is called mtu_fix in the firewall zones. It's usually enabled in the wan zone when you use masquerading, but it may be needed with VPN as well, I guess.

https://wiki.openwrt.org/doc/uci/firewall
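As an added example (not part of the original thread, and not OpenWrt's own code), here is a small POSIX shell script that generates the uci firewall zone settings with mtu_fix enabled for a VPN interface, plus the equivalent iptables TCPMSS rule, so you can see exactly what "MSS clamping" does before applying it. The zone name "vpn", the interface name "vpn0"/"ppp0" and the MTU values are assumptions for illustration; the MSS is derived from the MTU by subtracting the 20-byte IPv4 header and 20-byte TCP header, which is why a tunnel MTU of 1280 without clamping leaves clients negotiating an MSS that is too large for the path.

```shell
#!/bin/sh
# Added example: MSS clamping for an OpenWrt VPN zone (constructed, not from the thread).
# Without arguments it only prints the commands (dry run); with --apply it runs them.

# tcp_mss_for_mtu MTU: largest TCP MSS that fits in MTU (IPv4 header 20 + TCP header 20).
tcp_mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# uci_zone_commands ZONE NETWORK: uci commands that create a firewall zone for the
# VPN network with masquerading and mtu_fix (MSS clamping) enabled. Names are assumed.
uci_zone_commands() {
    zone=$1
    network=$2
    cat <<EOF
uci add firewall zone
uci set firewall.@zone[-1].name='$zone'
uci set firewall.@zone[-1].network='$network'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci commit firewall
EOF
}

# iptables_clamp_rule IFACE MTU: a manual equivalent of mtu_fix, rewriting the MSS of
# forwarded TCP SYN packets leaving IFACE so segments fit in the tunnel MTU.
iptables_clamp_rule() {
    iface=$1
    mss=$(tcp_mss_for_mtu "$2")
    echo "iptables -t mangle -A FORWARD -o $iface -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Default: show what would be applied for the assumed zone "vpn" on network "vpn0"
# with the 1280-byte MTU from the ppp options, and the rule for the ppp0 interface.
if [ "$1" = "--apply" ]; then
    uci_zone_commands vpn vpn0 | sh
    eval "$(iptables_clamp_rule ppp0 1280)"
else
    echo "# dry run: uci zone with mtu_fix"
    uci_zone_commands vpn vpn0
    echo "# dry run: equivalent iptables rule (MSS $(tcp_mss_for_mtu 1280) for MTU 1280)"
    iptables_clamp_rule ppp0 1280
fi
```

Run it on the router with --apply (then /etc/init.d/firewall restart) to enable clamping; fw3 itself uses --clamp-mss-to-pmtu rather than a fixed --set-mss value, so the generated iptables rule is the fixed-size variant of what mtu_fix does. The clamp only affects TCP; it does not change ICMP handling, so if ICMP "fragmentation needed" messages are still being dropped somewhere on the path, non-TCP traffic larger than the tunnel MTU can still black-hole.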

Solved by using:

mtu 1500
mru 1500

in /etc/ppp/options.xl2tpd
