OpenVPN: connectivity problems when hiding site behind vpn

Started by mimo, November 29, 2023, 02:28:38 PM

I need some help from the network experts. I'm trying to create this scenario:

- 2 OPNsense installations (site1 and site2)
- both connected to the internet
- clients on site2 LAN should use the internet connection of site1 for all traffic, not only HTTP(S)
- the servers to which the clients connect should not be able to detect that site2 even exists

This is what I've done so far:

- create a site2site tunnel using this guide: https://docs.opnsense.org/manual/how-tos/sslvpn_instance_s2s.html
- set "Redirect gateway" to "default" on site1 vpn config
- create "IN: allow any to any" firewall rules on site1 OpenVPN, site2 OpenVPN and site2 LAN
- create "OUT: block any destination except site1 public IP" rule on site2 WAN (to prevent accidentally revealing site2 public IP)
- enable outbound NAT (hybrid mode) for any source on site1 WAN

Result:

- clients can access most web pages
- ifconfig.me shows public IP of site1

Problem:

- cannot log into Microsoft account
- login form shows up during first try
- when trying to submit the username, the connection drops
- the whole domain login.live.com is no longer accessible, including the login form that was successfully loaded before
- other domains are still accessible
- restarting all systems does not solve the problem (login form still not accessible)
- resetting the browser or using a private window makes the login form accessible again
=> looks like a ban on Microsoft's side

Additional note:

- using the web proxy of site1 allows clients to successfully log into the Microsoft account using site1 public IP

Questions:

- How can Microsoft still detect the VPN configuration?
- How can I further debug the problem?

I think there might be some issue with NAT. That is at least the part I don't really understand.

Is there any difference between my site1 OpenVPN <=> WAN config and the default LAN <=> WAN config of OPNsense (or simple consumer routers)? Do I need anything else than "Outbound NAT" to completely hide the local topology?

I was finally able to resolve the issue. It was related to MTU. site2 WAN is a DS-Lite tunnel and does not support the default MTU of 1,500.

Some more helpful observations:

- switching OpenVPN from UDP to TCP caused connection reset every few minutes
- moving site2 to a different WAN fixed the issue

I still wonder why "Override MTU" is enabled by default... Is there any advantage in ignoring the ISP config without explicitly setting your own? I mean, other auto-configuration options like DHCP are also enabled by default on the WAN interface...
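Since the root cause turned out to be the path MTU of a DS-Lite WAN, here is an added example of how to measure it from a site2 LAN client (or from site2 itself) before touching the OpenVPN settings. This script is not from the thread or from OPNsense; it binary-searches the largest ICMP payload that crosses the path with the Don't Fragment bit set and reports the resulting MTU. It assumes Linux `ping` (`-M do` sets DF); on FreeBSD/OPNsense the equivalent is `ping -D -s SIZE HOST`. The default search range of 1000 to 1472 bytes payload is an assumption that covers the common cases: 1472 + 28 = 1500 for a plain Ethernet WAN, and 1432 + 28 = 1460 for DS-Lite, where the extra 40-byte IPv6 header eats into the IPv4 MTU. The OpenVPN tunnel MTU then has to sit below the measured value minus the UDP/IP and OpenVPN encapsulation overhead.

```shell
#!/bin/sh
# Added example (not from the forum thread): find the path MTU toward a host by
# probing with ICMP echo requests that carry the Don't Fragment bit.
# Assumes Linux ping; on FreeBSD use: ping -D -s SIZE HOST

# An IPv4 header (20 bytes) plus an ICMP header (8 bytes) sit on top of the payload.
IP_ICMP_OVERHEAD=28

# probe SIZE HOST: succeed if an unfragmented echo of SIZE payload bytes is answered.
probe() {
    ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH]: print the path MTU derived from the largest payload
# in [LOW, HIGH] that passes. Returns 1 if even the lower bound gets no reply
# (path down, or the host filters ICMP), so a bogus MTU is never reported.
find_pmtu() {
    host=$1; lo=${2:-1000}; hi=${3:-1472}
    probe "$lo" "$host" || { echo "no reply even at payload $lo bytes" >&2; return 1; }
    best=$lo
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid" "$host"; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo $((best + IP_ICMP_OVERHEAD))
}

# Usage: sh pmtu.sh <site1 public IP>   (hypothetical file name)
# Prints e.g. "path MTU toward 192.0.2.1: 1460" on a DS-Lite WAN.
if [ -n "$1" ]; then
    mtu=$(find_pmtu "$1") && echo "path MTU toward $1: $mtu"
fi
```

Run it against the site1 public IP from site2 and compare the result with the MTU configured on the site2 WAN interface; if the probe comes back with less than 1500, the WAN MTU and the OpenVPN tunnel MTU both need to be lowered, which is exactly the situation the "Override MTU" default hides.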