I’m not overly knowledgeable about advanced networking but I figured I’d share this since I couldn’t find anything online about it at the time.
We run a Microsoft Remote Access Server (RAS) for our VPN server. We provide L2TP primarily for users.
Due to a limitation in the Windows VPN client our RAS server has two network interfaces, one directly on the internet with a public IP (VLAN1) and one internally with a private IP (VLAN2).
The private IP relays VPN users DHCP/DNS requests to our internal DHCP and DNS servers.
RAS handles the authentication instead of RADIUS and we have our internal routes published via RIP to the RAS server so they can be provided to VPN clients when they connect.
I believe this is a fairly common design.
On the network end, our original design involved spanning VLAN1 and 2 all the way from our edge into our data center so the VM could pretty much sit directly on them. This worked fine.
As part of a major network redesign we performed we changed the VLAN spanning design over to using a VXLAN from our edge into our data center.
After making this change we ran into the strangest VPN issues. Users could connect and ping anything they wanted, do DNS lookups and browse most HTTP websites. HTTPS websites would partially load or fail to load and network share (SMB) access would partially work (you could get to the DFS root but not down to an actual file server).
After many hours of troubleshooting we determined our problem.
The MTU of most devices is configured to default to 1500 bytes. When we started tunneling the traffic through a VXLAN the tunneling added 52 bytes to the packet size making the total packet size 1552 bytes which is just over what most network cards are expecting. This caused large packets to drop (loading a HTTPS website, connecting to a share) but small packets (pings, some HTTP websites) to work fine.
I believe the final solution from our network team was to enable Jumbo packets from end to end of the VXLAN tunnel so it could transmit slightly larger than normal packets.
If you have any specific questions I can relay them to our Network Team and try to get you an answer. No promises :)