VPN
George, 2016-05-19 20:10:11

How to set up Ubuntu server so that clients from LAN can connect to L2TP VPN on the Internet?

There is an organization's local network; everyone goes to the Internet through a gateway running Ubuntu Server.
In iptables there are a couple of direct port forwards and this rule, thanks to which everything works for everyone on the LAN:

/sbin/iptables -A POSTROUTING -o ${EXTERNAL_NIC} -j SNAT --to-source ${EXTERNAL_IP} --table nat

Well, I thought everything was working.
Now several local Windows computers need to connect to a server on the Internet via VPN.
The server's IP is not known in advance; it can change. There is no access to it, and access to the client computers is also limited. L2TP and the standard Windows tools are used.
On connecting, "Verifying username and password" hangs for a long time and eventually fails with error 800.
When connecting via the (backup) mobile Internet on a hardware router, everything works for everyone. But the task is to make the connections go through the main channel.
I understand that I need to add something in iptables, but I don't understand what exactly.
On the Internet they mainly write about how to set up your own L2TP server, and there is almost no information on how to pass connections through to someone else's. It seems that something needs to be done with protocols 50 and 51, but what?
UPD. Slightly edited full rule output. Substituted variables for the real values to make it clearer which is which.
# sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -s ${SIP_PROVEDER}/32 -i ${EXTERNAL_NIC} -p tcp -m tcp --dport 5060:5070 -j ACCEPT
-A INPUT -s ${SIP_PROVEDER}/32 -i ${EXTERNAL_NIC} -p udp -m udp --dport 5060:5070 -j ACCEPT
-A INPUT -s ${SIP_PROVEDER}/32 -i ${EXTERNAL_NIC} -p tcp -m tcp --dport 10000:20000 -j ACCEPT
-A INPUT -s ${SIP_PROVEDER}/32 -i ${EXTERNAL_NIC} -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -i ${EXTERNAL_NIC} -p tcp -m tcp --dport 5060:5070 -j DROP
-A INPUT -i ${EXTERNAL_NIC} -p udp -m udp --dport 5060:5070 -j DROP
-A INPUT -i ${EXTERNAL_NIC} -p tcp -m tcp --dport 10000:20000 -j DROP
-A INPUT -i ${EXTERNAL_NIC} -p udp -m udp --dport 10000:20000 -j DROP
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output

# sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i ${EXTERNAL_NIC} -p tcp -m tcp --dport 34567 -j DNAT --to-destination ${INTERNAL_DVR_RECORDER}:34567
-A PREROUTING -s ${SIP_PROVEDER}/32 -i ${EXTERNAL_NIC} -p tcp -m tcp --dport 5060:5070 -j DNAT --to-destination ${INTERNAL_SIP_SERVER}
-A PREROUTING -s ${SIP_PROVEDER}/32 -i ${EXTERNAL_NIC} -p udp -m udp --dport 5060:5070 -j DNAT --to-destination ${INTERNAL_SIP_SERVER}
-A PREROUTING -s ${SIP_PROVEDER}/32 -i ${EXTERNAL_NIC} -p tcp -m tcp --dport 10000:20000 -j DNAT --to-destination ${INTERNAL_SIP_SERVER}
-A PREROUTING -s ${SIP_PROVEDER}/32 -i ${EXTERNAL_NIC} -p udp -m udp --dport 10000:20000 -j DNAT --to-destination ${INTERNAL_SIP_SERVER}
-A POSTROUTING -o ${EXTERNAL_NIC} -j SNAT --to-source ${EXTERNAL_IP}

1 answer(s)

Alexander Karabanov, 2016-05-19
@karabanov

What about this: serverfault.com/questions/451381/which-ports-for-i...
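The question asks what to do about "protocols 50 and 51" and the answer only links to a port list, so here is the corresponding gateway rule set written out. This is an added example, not code from the post or from the linked ServerFault answer: it shows the FORWARD rules an L2TP/IPsec client behind this SNAT gateway needs, and a couple of prerequisite checks to run on the gateway. The interface names, the LAN subnet and the `echo` dry-run default are assumptions; set `IPT=/sbin/iptables` as root to apply the rules for real.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules that let
# L2TP/IPsec clients on the LAN reach a VPN server on the Internet
# through this SNAT gateway. Interface names and the LAN subnet are
# assumed placeholders. IPT defaults to "echo", so the script only prints
# the rules; run it as root with IPT=/sbin/iptables to apply them.

IPT="${IPT:-echo}"
LAN_NIC="${LAN_NIC:-eth1}"
EXTERNAL_NIC="${EXTERNAL_NIC:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# What an L2TP/IPsec client behind NAT has to get out, and get back:
#   UDP 500    IKE (ISAKMP) key exchange
#   UDP 4500   IKE and ESP wrapped in UDP once both ends detect NAT (NAT-T)
#   UDP 1701   L2TP itself, normally carried inside the ESP tunnel
#   proto 50   ESP, only used raw if NAT-T is not negotiated
#   proto 51   AH, which cannot survive address rewriting, so SNAT can never
#              pass it; it is deliberately not in the rule set
l2tp_passthrough_rules() {
    # Outbound from the LAN toward the Internet.
    $IPT -A FORWARD -i "$LAN_NIC" -o "$EXTERNAL_NIC" -s "$LAN_NET" \
        -p udp -m multiport --dports 500,4500,1701 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_NIC" -o "$EXTERNAL_NIC" -s "$LAN_NET" \
        -p esp -j ACCEPT
    # Replies arrive at the SNAT address; conntrack maps them back to the
    # client, so one state-based rule covers the return direction.
    $IPT -A FORWARD -i "$EXTERNAL_NIC" -o "$LAN_NIC" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Checks worth running on the gateway before blaming the rules.
gateway_prereqs_ok() {
    # 1) Routing must be enabled or nothing is forwarded at all.
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ] || return 1
    # 2) Connection tracking must be loaded for the ESTABLISHED,RELATED rule
    #    (and for the existing SNAT rule) to work.
    [ -r /proc/sys/net/netfilter/nf_conntrack_max ] || return 1
    return 0
}

if [ "$IPT" != echo ]; then
    gateway_prereqs_ok || { echo "gateway prerequisites missing" >&2; exit 1; }
fi
l2tp_passthrough_rules
```

With the ruleset shown in the question (FORWARD policy ACCEPT, nothing dropped, SNAT on everything) these three rules change nothing; they matter once ufw or a default-deny FORWARD policy is enabled. The existing POSTROUTING SNAT rule stays as it is. One caveat on plain ESP: conntrack tracks protocol 50 by address pair only, so two LAN clients talking raw ESP to the same server from one SNAT address collide, whereas NAT-T gives each client its own UDP 4500 source port; Windows clients negotiate NAT-T by default, which is why the UDP rules do most of the work.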
