OpenVPN TLS Handshake Fail Only on a Single Network

Hey folks, this is my first post here and I’m excited to be a part of the community!

I’m having a problem connecting from the internal network of my ISP’s combo router/modem to my OpenVPN server hosted on a virtualized pfSense, and only via UDP. I can reach and connect to my OpenVPN server from any external network, as well as from all networks over TCP.

My setup is as follows: I have my ISP’s Actiontech T3200M combo router/modem with port 1 bridged to a Proxmox machine with a pfSense VM. Proxmox itself does not have an internet connection, but the pfSense firewall gets a WAN IP, different from that of the T3200M’s WAN IP:

I haven’t found much info online about my problem, but I think there’s some sort of NAT issue going on. A packet capture on pfSense shows data going from the client device → ISP modem → ISP ONT → back into the pfSense firewall (and vice versa).

Here’s a screenshot showing the OpenVPN logs when I try to connect via UDP (PID: 32170), as well as TCP (PID: 49991) from a device on the ISP modem’s network:

Here’s what the state table looks like on pfSense when attempting to connect to the server via UDP:

Finally, here’s the client-side log when attempting to connect via UDP from a device connected to the ISP’s network:

[Aug 8, 2022, 15:26:56] Connecting to [xxxxxxxxxxxxxxxx]:1298 (50.x.x.x) via UDPv4
[Aug 8, 2022, 15:26:56] EVENT: CONNECTING
[Aug 8, 2022, 15:26:56] Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
[Aug 8, 2022, 15:26:56] Creds: UsernameEmpty/PasswordEmpty
[Aug 8, 2022, 15:26:56] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_AUTO_SESS=1
IV_GUI_VER=OCmacOS_3.3.5-4310
IV_SSO=webauth,openurl,crtext

[Aug 8, 2022, 15:27:36] Session invalidated: KEEPALIVE_TIMEOUT
[Aug 8, 2022, 15:27:36] Client terminated, restarting in 2000 ms...
[Aug 8, 2022, 15:27:38] EVENT: RECONNECTING
[Aug 8, 2022, 15:27:38] EVENT: RESOLVE
[Aug 8, 2022, 15:27:38] Contacting 50.x.x.x:1298 via UDP
[Aug 8, 2022, 15:27:38] EVENT: WAIT
[Aug 8, 2022, 15:27:38] UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
	"host" : "50.x.x.x",
	"ipv6" : false,
	"pid" : 1477
}

[Aug 8, 2022, 15:27:38] Connecting to [xxxxxxxxxxxxxxxx]:1298 (50.x.x.x) via UDPv4
[Aug 8, 2022, 15:27:38] EVENT: CONNECTING
[Aug 8, 2022, 15:27:38] Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
[Aug 8, 2022, 15:27:38] Creds: UsernameEmpty/PasswordEmpty
[Aug 8, 2022, 15:27:38] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_AUTO_SESS=1
IV_GUI_VER=OCmacOS_3.3.5-4310
IV_SSO=webauth,openurl,crtext

[Aug 8, 2022, 15:27:55] EVENT: CONNECTION_TIMEOUT  BYTES_IN : 132
 BYTES_OUT : 20002
 PACKETS_IN : 2
 PACKETS_OUT : 60
 KEEPALIVE_TIMEOUT : 1
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 1
[Aug 8, 2022, 15:27:55] EVENT: DISCONNECTED
[Aug 8, 2022, 15:28:25] Raw stats on disconnect:
 BYTES_IN : 132
 BYTES_OUT : 20002
 PACKETS_IN : 2
 PACKETS_OUT : 60
 KEEPALIVE_TIMEOUT : 1
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 1

[Aug 8, 2022, 15:28:25] Performance stats on disconnect:
  CPU usage (microseconds): 112607368
  Network bytes per CPU second: 178
  Tunnel bytes per CPU second: 0

Any help is greatly appreciated

TIA!
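The client log above is the most useful evidence in the post: 60 packets out, 2 packets in, a KEEPALIVE_TIMEOUT and then a CONNECTION_TIMEOUT with no CONNECTED event. That pattern (the client keeps sending TLS handshake packets and almost nothing comes back) is what a hairpinned or asymmetric UDP path looks like from the client side, as opposed to a tls-auth key or certificate problem, which would normally produce TLS errors in the server log rather than silence. The following script is an added example, not part of the original post or of OpenVPN, that parses OpenVPN Connect 3 style client log lines into the connection attempt's protocol, events and disconnect stats, and classifies the attempt. The sample log text and the hostname/IP in it are constructed to mirror the post's format; the classification thresholds are my own assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the OpenVPN Connect 3 client log in the post.
# Hostname and IP are placeholders; the joined "EVENT ... BYTES_IN" line mirrors
# how the client prints the first stats line after a timeout.
SAMPLE_STALLED = """\
[Aug 8, 2022, 15:26:56] Connecting to [vpn.example.invalid]:1298 (203.0.113.10) via UDPv4
[Aug 8, 2022, 15:26:56] EVENT: CONNECTING
[Aug 8, 2022, 15:27:36] Session invalidated: KEEPALIVE_TIMEOUT
[Aug 8, 2022, 15:27:38] EVENT: RECONNECTING
[Aug 8, 2022, 15:27:38] Connecting to [vpn.example.invalid]:1298 (203.0.113.10) via UDPv4
[Aug 8, 2022, 15:27:38] EVENT: CONNECTING
[Aug 8, 2022, 15:27:55] EVENT: CONNECTION_TIMEOUT  BYTES_IN : 132
 BYTES_OUT : 20002
 PACKETS_IN : 2
 PACKETS_OUT : 60
 KEEPALIVE_TIMEOUT : 1
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 1
[Aug 8, 2022, 15:27:55] EVENT: DISCONNECTED
"""

# Constructed healthy attempt over TCP for contrast (CONNECTED event, balanced counters).
SAMPLE_OK = """\
[Aug 8, 2022, 15:40:01] Connecting to [vpn.example.invalid]:1298 (203.0.113.10) via TCPv4
[Aug 8, 2022, 15:40:01] EVENT: CONNECTING
[Aug 8, 2022, 15:40:03] EVENT: CONNECTED
[Aug 8, 2022, 15:45:03] EVENT: DISCONNECTED
[Aug 8, 2022, 15:45:03] Raw stats on disconnect:
 BYTES_IN : 812345
 BYTES_OUT : 240112
 PACKETS_IN : 1420
 PACKETS_OUT : 1188
"""

EVENT_RE = re.compile(r"EVENT:\s+([A-Z_]+)")
CONNECT_RE = re.compile(r"Connecting to \[([^\]]+)\]:(\d+) \(([^)]+)\) via (UDP|TCP)v[46]")
STAT_RE = re.compile(r"\b([A-Z_]+) : (\d+)\b")   # " PACKETS_IN : 2" style counters


@dataclass
class Attempt:
    remote: Optional[str] = None
    port: Optional[int] = None
    proto: Optional[str] = None
    events: List[str] = field(default_factory=list)
    stats: Dict[str, int] = field(default_factory=dict)


def parse_log(text: str) -> Attempt:
    """Extract target, transport, EVENT names and counters from client log text."""
    attempt = Attempt()
    for raw in text.splitlines():
        line = raw.strip()
        m = CONNECT_RE.search(line)
        if m:
            attempt.remote, attempt.port, attempt.proto = m.group(1), int(m.group(2)), m.group(4)
        attempt.events.extend(EVENT_RE.findall(line))
        # Counters may share a line with an EVENT (as in the post), so scan every line.
        for key, val in STAT_RE.findall(line):
            attempt.stats[key] = int(val)   # later "Raw stats" block overwrites earlier values
    return attempt


def classify(attempt: Attempt) -> str:
    """Coarse verdict on a single connection attempt (thresholds are assumptions)."""
    if "CONNECTED" in attempt.events:
        return "connected"
    timed_out = bool({"CONNECTION_TIMEOUT", "KEEPALIVE_TIMEOUT"} & set(attempt.events)) \
        or attempt.stats.get("CONNECTION_TIMEOUT", 0) > 0
    if not timed_out:
        return "unknown"
    pin = attempt.stats.get("PACKETS_IN", 0)
    pout = attempt.stats.get("PACKETS_OUT", 0)
    if pout > 0 and pin == 0:
        return "no_reply"            # nothing ever came back: filtered or wrong target
    if pout > 0 and pin * 10 < pout:
        return "handshake_stalled"   # we keep sending, replies barely arrive: path/NAT symptom
    return "timeout_other"


def describe(attempt: Attempt) -> str:
    """One-line human summary suitable for a ticket or forum post."""
    return (f"{attempt.proto} to {attempt.remote}:{attempt.port}: "
            f"{classify(attempt)} (out={attempt.stats.get('PACKETS_OUT', 0)} pkts, "
            f"in={attempt.stats.get('PACKETS_IN', 0)} pkts, events={','.join(attempt.events)})")


if __name__ == "__main__":
    for sample in (SAMPLE_STALLED, SAMPLE_OK):
        print(describe(parse_log(sample)))
```

When the verdict is handshake_stalled for UDP but connected for TCP to the same server, the next thing to compare is the pfSense state table and a capture on the WAN interface: whether the server's replies leave toward the client's public address and, if so, whether they are the ones that appear as the two packets received.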