MSS and mtu

The fact that you get a timeout rather than packet too large and cannot be fragmented when you exceed the PMTU of the link in one direction indicates that either the path MTU discovery is broken and the notification does not make it to you (routing or firewall on some node on the path may cause this) or that some node on the path has incorrect MTU setting, as in “higher MTU is configured on the outgoing interface than the connected transport device can actually handle”. So no backward notification is generated but the packets exceeding the actual MTU of the transport device do not get through.

The fact that the maximum size of the ICMP echo packet differs per direction is OK per se because the echo responses do not inherit the do-not-fragment flag from the echo requests and the routing between the nodes need not be symmetric, i.e. the forward and backward paths may be totally unrelated. But it is still strange that the responses “somehow” pass because the MTU notification issue should affect them as well.

As for mtu, mru, and mrru settings, while they do their job with L2TP (and maybe PPTP, I don’t use it so I can’t say), my experience is that SSTP uses its own logic and does not need them to be set - rather than fragmenting the transport packets like L2TP/IPsec does, it splits the payload ones even if no mrru is configured.

The mangle rule is necessary for both directions because each endpoint of a TCP session announces its own MSS to the other one. But you can put both rules on the same router, just one of them with in-interface=sstp-in and the other one with out-interface=sstp-in.

The bad news is that it won’t help much with the throughput. What hardware models are your routers?
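The two mangle rules described in the post, written out as an added RouterOS example (not taken from the post itself). It assumes the forward chain, the change-mss action with clamp-to-pmtu, and the interface name sstp-in from the post; everything else is a standard RouterOS option.

```routeros
# Clamp the MSS announced in TCP SYNs in both directions of the SSTP tunnel.
# Rule 1: SYNs arriving from the tunnel (remote endpoint announcing its MSS).
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    in-interface=sstp-in action=change-mss new-mss=clamp-to-pmtu \
    passthrough=yes comment="MSS clamp, SYN from sstp-in"

# Rule 2: SYNs leaving towards the tunnel (local endpoint announcing its MSS).
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    out-interface=sstp-in action=change-mss new-mss=clamp-to-pmtu \
    passthrough=yes comment="MSS clamp, SYN to sstp-in"

# Check that both rules actually match traffic: the packet counters of
# both entries should increase while a TCP session is opened across the tunnel.
/ip firewall mangle print stats where comment~"MSS clamp"
```

If clamp-to-pmtu does not take effect because PMTU discovery is broken on the path, a fixed value (for example new-mss=1360, chosen below the tunnel MTU) can be used in place of clamp-to-pmtu in both rules.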