
VPN Not Working? Here's How MTU and Protocol Settings Can Fix It

Published: at 07:18 PM

Troubleshooting VPN Connection Issues on Mobile Networks: MTU and Protocol Optimization Guide

Picture this: I recently implemented a VPN solution for secure remote access. Everything was working smoothly on regular broadband connections when I encountered an interesting issue with VPN connectivity on 5G networks. The VPN would fail completely when connecting over 5G, but work perfectly on 4G from the same provider. As someone who loves diving deep into technical challenges, I was both intrigued and excited to solve this mystery.

The situation seemed hopeless at first. After all, how could we fix something that appeared to be an ISP-level problem? The common assumption was that we’d need to wait for network providers to address whatever was causing this selective VPN failure. But sometimes, the most interesting solutions come from questioning these assumptions.


The Initial Symptoms

What made this problem particularly fascinating was its selective nature:

Each of these symptoms pointed to a deeper mystery. Why would a VPN connection fail only on 5G, but work perfectly on 4G from the same provider?

Understanding TCP vs UDP: The Pizza Delivery Story

Before diving into the investigation, let’s understand TCP and UDP through a simple pizza delivery analogy:

Imagine you’re ordering pizzas for a party. TCP is like a careful pizza delivery service that:

UDP, on the other hand, is like a no-frills delivery service that:

This is why TCP is more reliable but slower, while UDP is faster but less reliable.

The Investigation Journey

Phase 1: Network Protocol Analysis

The first breakthrough came from questioning our basic assumptions about network protocols. Like detectives following a trail of breadcrumbs, we discovered:

  1. The problem occurred on 5G networks
  2. Switching to 4G immediately resolved the issues
  3. Existing connections remained stable when switching from 4G to 5G, but new connections would fail
  4. The issue didn’t occur on 4G networks

This pattern was our first real clue - something about the 5G network’s handling of new connections was different.

Phase 2: Deep Packet Inspection

Armed with Wireshark, we began dissecting the traffic like digital surgeons. What we found was enlightening:

  1. UDP VPN (Default Protocol):
  2. TCP VPN:

The Technical Breakthrough

The eureka moment came when analyzing MTU (Maximum Transmission Unit) sizes. Think of MTU like a postal service’s package size limit - if you try to send packages that are too large, they either need to be broken down into smaller pieces (fragmentation) or they’ll be rejected entirely.

We discovered:

  1. Broadband networks happily handled 1500-byte packets (the standard size)
  2. 5G networks needed smaller packets due to VPN encryption overhead
  3. TCP VPN worked (albeit slowly) because it automatically breaks large packets into smaller ones
  4. UDP VPN failed because it has no built-in mechanism to break down large packets

The Solution

The fix was beautifully simple: reduce the UDP VPN packet size (MTU) from 1500 to 1350 bytes:

sudo ip link set <vpn_interface> mtu 1350

To make this solution more robust, we created a script to automatically determine the optimal MTU for any network.
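
The script itself is not reproduced on this page. The following is an added example, not the author's script: it binary-searches the largest packet that reaches a host with fragmentation prohibited, then subtracts the VPN's per-packet overhead to get a tunnel MTU. The names icmp_probe, path_mtu, tunnel_mtu, PROBE and find_mtu.sh are hypothetical, and the overhead is an input you supply because it depends on the VPN protocol in use.

```sh
#!/bin/sh
# Added example: measure the path MTU to a host, then derive a tunnel MTU.
# Run it with the VPN disconnected so probes use the underlying network.

# icmp_probe SIZE HOST: true if one echo with SIZE payload bytes gets a reply
# with Don't Fragment set (Linux iputils ping flags).
icmp_probe() {
    ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}
# PROBE names the probe function; override it to test without a network.
PROBE=${PROBE:-icmp_probe}

# path_mtu HOST [LOW] [HIGH]: binary-search the largest IPv4 packet size that
# passes unfragmented. 28 = 20-byte IPv4 header + 8-byte ICMP header.
# Prints the size; returns 1 if even LOW gets no reply (e.g. ICMP filtered).
path_mtu() {
    host=$1 lo=${2:-576} hi=${3:-1500}
    "$PROBE" $((lo - 28)) "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$PROBE" $((mid - 28)) "$host"; then
            lo=$mid          # mid fits: answer is mid or larger
        else
            hi=$((mid - 1))  # mid dropped: answer is smaller
        fi
    done
    echo "$lo"
}

# tunnel_mtu PATH_MTU OVERHEAD: value for `ip link set <vpn_interface> mtu`.
# OVERHEAD is the VPN's per-packet encapsulation cost in bytes (assumption:
# supplied by the caller, since it depends on the VPN protocol and cipher).
tunnel_mtu() {
    echo $(( $1 - $2 ))
}

# Usage: sh find_mtu.sh HOST OVERHEAD   (does nothing when run without arguments)
if [ $# -ge 2 ]; then
    pmtu=$(path_mtu "$1") || { echo "no reply from $1" >&2; exit 1; }
    echo "path MTU $pmtu, tunnel MTU $(tunnel_mtu "$pmtu" "$2")"
fi
```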

Technical Implications

This journey taught us several crucial lessons about modern network architecture:

  1. Protocol Considerations:

    • UDP VPN is generally faster but less adaptable
    • TCP VPN is more resilient but introduces latency
    • MTU optimization is crucial for UDP VPN performance
  2. Network Stack Behavior:

    • Mobile networks often require smaller packet sizes than fixed broadband
    • VPN encryption adds overhead that must be considered in MTU calculations
    • Automatic fragmentation isn’t available in UDP, requiring manual tuning
  3. IPv6 Considerations:

    • Modern VPNs may have IPv6 constraints
    • In dual-stack networks, IPv6 traffic bypasses the VPN
    • This can lead to DNS leaks unless properly configured

Lessons Learned

  1. Always test VPN solutions across different network types
  2. Don’t assume broadband-optimized configurations will work on mobile networks
  3. Monitor both TCP and UDP performance for VPN connections
  4. Consider MTU optimization as a first troubleshooting step for VPN issues

The next time you encounter VPN issues on mobile networks, remember: sometimes the most daunting problems have surprisingly simple solutions. It wasn’t about waiting for the ISP to fix something - it was about understanding and adapting to the network’s characteristics.

If you’re experiencing similar problems, you might notice these symptoms that could indicate MTU-related VPN issues:

  1. Web Browsing Problems:

    • Some websites load partially or not at all
    • Images fail to load while text loads fine
    • HTTPS websites time out more frequently than HTTP sites
  2. Application-Specific Issues:

    • Video conferencing apps disconnect frequently
    • File transfers start but never complete
    • Online gaming experiences frequent disconnections
    • Email clients can receive but not send messages
  3. Network Behavior Patterns:

    • VPN connects but no traffic flows through
    • Small file transfers work, but larger ones fail
    • Connection works initially then becomes unstable
    • Issues appear worse on specific mobile carriers
  4. Device-Specific Symptoms:

    • Problems affect some devices but not others
    • Issues occur after OS updates
    • VPN works on Wi-Fi but not on mobile data
    • Different VPN apps show varying levels of stability

These symptoms often lead users down different troubleshooting paths, but they could all potentially be resolved through MTU optimization. If you recognize any of these patterns, consider trying the MTU adjustment solution described above.
