Allowing UniFi L2TP VPN traffic to Site-to-Site VPN network

I have a site-to-site VPN setup between a UDM Pro and a SonicWall TZ400. The traffic between both local networks is working just fine. I also have an L2TP VPN setup on the UDM Pro for users of this office when they are working from home. Traffic from the VPN to the local network is also just fine.

HOWEVER, my issue is that I need the L2TP clients to be allowed to access resources on the remote site-to-site VPN network. This traffic is not allowed and I cannot figure out why. I have enabled the Site-To-Site VPN checkbox on the L2TP network. That has had no effect. I also attempted to create a firewall rule and created network groups for the L2TP network and the site-to-site network, but unless I did not configure that correctly, that also did not work.

Ubiquiti support didn’t seem to have any solid answers. If anybody has any helpful input, that would be great.

I have been dealing with this for longer than I care to admit.


The way I’ve always done this (remote-access VPN clients getting access to the whole site-to-site topology) was to renumber the IP address range of the VPN/L2TP clients to be contiguous to the existing subnet(s) (so if your LAN IP/subnet is 192.168.0.1/24, assign the range starting at 192.168.1.1). After that, for the security association for the site-to-sites, give it the whole CIDR subnet that includes both ranges (192.168.0.0/23). That will include 192.168.0.1-255 and 192.168.1.1-255. You may need to add NAT exclusions for the L2TP->S2S subnets; I haven’t used Ubiquiti in years so I don’t recall the exact configuration steps, but in essence that’s the concept I’ve used. Basically a S2S that contains a supernet which includes local interface subnets as well as VPN IP ranges.

All good. I figured out that UID WireGuard uses the 10.100.0.0/24 subnet. Once I added this as one of the authorized remote subnets (inside the site-to-site VPN settings), it all worked. No need to set up static routing.

I have a similar setup to you, with three details changed:

I have a site-to-site OpenVPN setup between a UDM Pro and a Dream Router. The traffic between both local networks is working just fine. I also have a UID VPN setup on the UDM Pro for users of this office when they are working from home. Traffic from the VPN to the local network is also just fine.

But I had the same problem as you - all the traffic on the Dream Router side worked, all the traffic on the UDMP side worked, and the traffic between the two worked - but VPN users signing into the UDMP couldn’t access devices on the Dream Router.

The fix, 10 months after your post:

  1. Log into the UDMP Network app
  2. Hit Settings, then Traffic Management
  3. Create a new Static Route
  4. Name: “Allow VPN users access to distant site”
  5. Device Type: Switch
  6. Destination Network: the network and subnet mask on the Dream Router, which is the far side from the UDMP
  7. Type: Interface
  8. Interface:

Traffic immediately routed from VPN users to the far-side of the Site-to-Site VPN.

Thanks for the input. I would agree because this is how I have it set up on the SonicWall side. But UniFi doesn’t let you do that. It gives an error that it is overlapping with the default network.

Appreciate the info. We have worked around the issue but I am tempted to go in and see if modifying these settings will help.

I have the same issue - but using a USG-Pro-4 rather than UDM Pro. Able to do all this except changing the Device Type to Switch. It keeps it as Static.

Sadly this didn't work for me.

Is this still working for you? I just tried but am not having any luck. Very similar setup to you. UID WireGuard trying to connect to an IPsec Site-To-Site. I’m not seeing the “Device Type” option.

u/mdpi now 9 months after your post, I have come across the same exact situation and again cannot get it to work. I’m curious about your fix because I cannot find those options in the UDM Pro. Your fields are not the same as what I see. Are you able to elaborate on this?

Yeah that’s dumb (but kinda on brand for UBNT tbh). Maybe you could try having the first S2S only for the LAN subnet, and then add a second S2S just for the VPN client subnet.

I don’t know if UID is WireGuard under the hood since I set this up in the very recent 2.x days. I’m on 3.x now but I just tried it and it worked.

Unfortunately we shut this place down months ago so I can’t walk you through the configuration. Sorry!

I don’t believe that’s possible. It’s initiated from the WAN IP address of the UDM, not a specific LAN. I would think a firewall rule to allow S2S to L2TP traffic would do it but I haven’t been able to get that to work. Unless it is not configured correctly.

I have the same issue. Did you get any other response for this, or did you use another firewall? Because I am thinking UI is sucking at this point.

I have the same issue. I do not have the answer, but this is the testing I have done. I’m also waiting for a response from UniFi support and will post if I get a reply.

This works:

PC connected to UDM PRO on 10.100.62.129/25 — UDM PRO -------(site to site VPN) ------- remote server 10.100.60.2

The PC on the UDM PRO is connected to the network 10.100.62.129/25. It has the IP address 10.100.62.188 and it can access the server 10.100.60.2. (The remote end of the site-to-site VPN expects traffic to come from 10.100.62.129/25.)

Like everyone else with this issue, I want to do this:

Remote user ------ (L2TP VPN)----- UDM PRO -------(site to site VPN) ------- remote server 10.253.60.2

but it does not work

Here are some tests I did to try and narrow down the issue. (In summary, I put the remote user on the same subnet as the local user, one after the other. The local user has access to the site-to-site; the remote user does not.)

From local PC on 10.100.62.188, tracert 10.100.60.2

it goes to the local subnet gateway (10.100.62.129) and then to the remote server

Pause the site to site vpn

From local PC on 10.100.62.188, tracert 10.100.60.2

it goes to the local subnet gateway (10.100.62.129), then 10.0.0.1, then to the UDM PRO’s ISP’s Carrier Grade NAT 100.65.30.254, then 10.0.4.1 then times out

Conclusion: removing the site-to-site VPN stops the connection to the remote server - no surprise.

Restart the site-to-site VPN

Remove the local network/subnet 10.100.62.129/25 from the UDM PRO and assign this subnet to the L2TP VPN Server

Connect remote user to the L2TP VPN

remote user is given IP address 10.100.62.130 (all traffic passed through the L2TP VPN)

but, the remote user cannot access 10.100.60.2 server

From the remote user I run the command tracert 10.100.60.2

it goes to 10.255.255.0, then 10.0.0.1, then to the UDM PRO’s ISP’s Carrier Grade NAT 100.65.30.254, then 10.0.4.1 then times out

This is a similar trace to when the site-to-site was paused in test 2 above, except it does not pass through the VPN Server gateway 10.100.62.129 (it goes first to 10.255.255.0 instead).

I’m not sure where to go from here. It feels like the network created by the VPN Server is different in some way to regular UDM PRO Network.

I hope one of us makes some progress.
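The three fixes proposed in this thread (renumbering so one supernet covers the LAN and the client pool, adding the client pool as an authorized remote subnet on the site-to-site, or pointing a static route at the VPN interface) and the traceroute results in the comment above all come down to one question: does the gateway have a reason to put a packet from a VPN client into the tunnel, or does it fall through to the default route toward the ISP? The following is an added example, not code from the thread or from Ubiquiti, that models that decision in Python. It assumes a policy-based site-to-site (IPsec style, where both source and destination must fall inside a configured selector pair) next to ordinary longest-prefix-match routing; the `/24` mask on the 10.100.60.0 far side, the 10.100.0.10 client address and the interface names are constructed sample values, the other addresses are the ones quoted in the thread.

```python
"""
Added example (not from the thread): model of a gateway's forwarding decision
for traffic from remote-access VPN clients toward a site-to-site peer network.

Two mechanisms are modelled:
  * a policy-based site-to-site VPN: a packet is only encapsulated when its
    (src, dst) pair falls inside a configured traffic-selector pair;
  * longest-prefix-match routing, which is what a static route manipulates.
"""
from ipaddress import ip_address, ip_network

# Constructed topology. Addresses come from the thread unless noted.
LAN = "10.100.62.128/25"          # the 10.100.62.129/25 office network, normalised
REMOTE = "10.100.60.0/24"         # assumed mask for the far side that hosts 10.100.60.2
VPN_POOL = "10.100.0.0/24"        # client pool reported for UID/WireGuard in the thread
LOCAL_PC = "10.100.62.188"
VPN_CLIENT = "10.100.0.10"        # constructed client address inside VPN_POOL
SERVER = "10.100.60.2"

# Route table as (prefix, egress) pairs; the last entry is the default route.
BASE_ROUTES = [
    (LAN, "br0"),
    (VPN_POOL, "vpn-clients"),
    ("0.0.0.0/0", "wan (default, via ISP)"),
]


def covering_supernet(a, b):
    """Smallest single CIDR block that contains both networks (the /23 trick)."""
    a, b = ip_network(a, strict=False), ip_network(b, strict=False)
    net = a
    while not b.subnet_of(net):
        net = net.supernet()          # widen one bit at a time; /0 stops by itself
    return net


def lookup_route(dst, routes):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    dst = ip_address(dst)
    best = None
    for prefix, egress in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def forwarding_decision(src, dst, selectors, routes):
    """Policy-based VPN check first; otherwise fall through to the route table."""
    src, dst = ip_address(src), ip_address(dst)
    for local_net, remote_net in selectors:
        if src in ip_network(local_net) and dst in ip_network(remote_net):
            return "ipsec-tunnel"
    return lookup_route(dst, routes)


def before_fix():
    """Only the LAN is in the selector: the client's packet takes the default route,
    which is the path the traceroute above shows (ISP, CGNAT, then timeout)."""
    selectors = [(LAN, REMOTE)]
    return (forwarding_decision(LOCAL_PC, SERVER, selectors, BASE_ROUTES),
            forwarding_decision(VPN_CLIENT, SERVER, selectors, BASE_ROUTES))


def fix_add_selector():
    """Add the client pool as an authorized subnet on the site-to-site."""
    selectors = [(LAN, REMOTE), (VPN_POOL, REMOTE)]
    return forwarding_decision(VPN_CLIENT, SERVER, selectors, BASE_ROUTES)


def fix_supernet_selector():
    """Renumber the pool next to the LAN and use the covering /23 as the selector."""
    lan, pool = "192.168.0.0/24", "192.168.1.0/24"
    selectors = [(str(covering_supernet(lan, pool)), REMOTE)]
    routes = [(lan, "br0"), (pool, "vpn-clients"), ("0.0.0.0/0", "wan")]
    return forwarding_decision("192.168.1.20", SERVER, selectors, routes)


def fix_static_route():
    """Route-based site-to-site (tunnel interface): a static route for the remote
    subnet beats the default route by prefix length, no selector involved."""
    routes = BASE_ROUTES + [(REMOTE, "s2s-tunnel-if (static route)")]
    return forwarding_decision(VPN_CLIENT, SERVER, [], routes)


if __name__ == "__main__":
    print("before fix (local PC, VPN client):", before_fix())
    print("client pool added to selectors:", fix_add_selector())
    print("supernet selector:", fix_supernet_selector())
    print("static route via tunnel interface:", fix_static_route())
```

The `before_fix` case is the one to look at when reading the traceroute in the comment above: with the client pool outside the selector, the only matching entry is the default route, so the packet leaves toward the ISP exactly as the trace shows. The static-route variant only helps when the site-to-site presents a routable interface; the thread reports that the supernet selector is rejected by UniFi as overlapping the default network, so for an IPsec site-to-site the practical option is the second one, adding the client pool to the remote peer's authorized subnets.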

What worked? Did you resolve this?

Same for me.

Does anyone have the L2TP-connected PC ↔ UDM Pro <-S2S-> remote site working?

Just replied to the post, try that. Not L2TP but I’d be interested in knowing if it works for you.