VPN Issues with UDM Pro

Before I get to the issue, I would like to take the time and wish everyone a Blessed and Prosperous New Year. Now to the issue:

I currently have the UDM Pro setup along with multitudes of various networking devices. Most of them are Unifi switches and various clients. On the UDM Pro, I have a VPN Server setup using OpenVPN. I have no issue with connecting to the UDM Pro and once I am connected, I can use RDP to connect to the Server Desktops (Windows) and the Client Desktops. So there is no issue there.

Where the issue lies is when I try to access my NAS drives (I have four different NAS devices), I cannot access them through the VPN. I have checked the various settings and I'm probably overlooking something. Here is my configuration:

LAN: 192.168.2.xx with a subnet of 255.255.255.0
VPN: 192.168.4.xx with a subnet of 255.255.255.0

I have ICMP Blocked going out to the net and I also have ICMP blocked coming in to the network. I have the UDM Pro just drop the packets. I know there are others who say I should not do this for various reasons, but I have it blocked as an added layer of security.

It does not make sense that I can remote into my Windows servers and VNC into my Apple desktops with no issue, but if I want to access the NAS devices, it won't work.

Any tips, info, or links to point me in the right direction would be most helpful.

Are you accessing them via IP or DNS? Can you ping those NAS devices?

They all have static IPv4 addresses assigned. I double checked the configuration on that and here is what it has:

IPv4: 192.168.2.xxx
Gateway: 192.168.2.1
DNS: (External DNS Filters) (Adguard Home on Debian)
SUBNET: 255.255.255.0 (On both networks VPN and Internal)

For me such a thing has always turned out to be either
(a) a firewall issue (local or on the router / pfSense), or
(b) a routing issue

The most devious one I encountered several times is when docker decides to use a network address for some of its interfaces where this is also one of your internal network addresses. Then you effectively can reach the machine, but the return path goes to the local docker interface, and thus you never see the response packets. You can check this by looking at the local routes on the NAS devices.

I'd recommend checking the local route tables on the NAS and, if that looks OK, wiresharking along the network path that the packets should travel. This way you will see where your packets or the response is lost. The SSH feature of Wireshark is very handy for this; just ensure you have key auth for root on the pfSense.

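The route-table check suggested above, as an added example that is not part of the original post: it parses constructed `ip route show` output from a hypothetical NAS and reports which interface a reply to a VPN client would leave on, plus any local route (such as a Docker bridge) that overlaps the 192.168.4.0/24 VPN pool from the thread.

```python
import ipaddress
import re

# Constructed sample of `ip route show` output from a hypothetical NAS (not
# taken from the thread). The docker0 line reproduces the failure mode the
# reply describes: a container bridge claiming the same range as the VPN pool.
SAMPLE_ROUTES = """\
default via 192.168.2.1 dev eth0 proto static
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.50
192.168.4.0/24 dev docker0 proto kernel scope link src 192.168.4.1 linkdown
172.17.0.0/16 dev br-1a2b3c proto kernel scope link src 172.17.0.1
"""

# destination (or "default"), optional "via <gw>", then "dev <iface>"
ROUTE_RE = re.compile(r"^(default|\S+/\d+)\s+(?:via\s+(\S+)\s+)?dev\s+(\S+)")


def parse_routes(text):
    """Return (network, via, device) tuples parsed from `ip route show` text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dest, via, dev = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        routes.append((net, via, dev))
    return routes


def return_path(routes, client_ip):
    """Longest-prefix match: (device, gateway) a reply to client_ip would use."""
    ip = ipaddress.ip_address(client_ip)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[2], best[1]


def overlapping_routes(routes, vpn_subnet):
    """Non-default routes overlapping the VPN pool on a device other than the uplink."""
    vpn = ipaddress.ip_network(vpn_subnet)
    uplink = next(dev for net, via, dev in routes if net.prefixlen == 0)
    return [(str(net), dev) for net, via, dev in routes
            if net.prefixlen > 0 and net.overlaps(vpn) and dev != uplink]


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    dev, via = return_path(routes, "192.168.4.10")
    print(f"reply to VPN client 192.168.4.10 leaves via {dev} (gateway {via})")
    for net, dev in overlapping_routes(routes, "192.168.4.0/24"):
        print(f"WARNING: local route {net} on {dev} shadows the VPN pool")
```

Running the same functions against `ip route show` output captured from a real NAS (and the VPN pool actually in use) points at the interface the replies are being routed to before any packet capture is needed.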

Yes, the default docker range in TrueNAS overlapped with my network range and would not route until I changed it.