[SOLVED] Cannot access or ping hassio node using Unifi L2TP VPN

Hello all,

I am switching from domoticz to homeassistant and really like most of its advanced features.
However, I seem to hit one issue which I have been trying to figure out for a while now.

I have an ubiquiti USG router which I use to create a VPN for my laptop (when I’m at work) to connect to my home network.
This VPN works well, I can access all devices in my home network (I have other Raspberry Pis running as well).

However I cannot access my homeassistant installation, which is installed on hass.io on a rpi3
I tried the IP address for the frontend and for ssh, both don’t seem to work. I can’t even ping the IP address
(to clarify, this works perfectly fine from home, just not when I use the VPN)

When I connect to another Raspberry Pi using ssh (as a stepping stone), I can ping and ssh to the hassio node just fine. I also tried to set up a reverse proxy as a workaround on this Raspberry Pi, pointing to my hassio node, but the interface asks for a password (and setting a password in the configuration.yaml still doesn’t seem to work).

some technical information:

-my home network runs on 10.0.1.0/24, USG is the router at 10.0.1.1 and hassio is set to 10.0.1.119 (fixed ip)
-the unifi router (unifi USG) provides ‘Remote user VPN (l2tp)’ service, which works for all nodes except hass.io
-the VPN network is on 172.17.100.1/24, using 172.17.100.1 and 10.0.1.1 as name servers
-the laptop runs on Linux Mint 18.3 (but I doubt that matters)

I can’t wrap my head around the fact that I can’t even ping the hassio node using the plain IP address, but the VPN works fine on all other nodes in my home network.

I just want to let you guys know that I found the issue

It was caused by my VPN network, which uses 172.17.100.x as stated above.
Note that this was based on the official documentation found here:

This conflicts with the default Docker network used by hassio, which creates a default network on 172.17.0.x

Changing the VPN network from 172.17.100.x to 172.1.100 fixed the issue.

So if you’re using Unifi L2TP VPN on a USG and you can’t connect to hosts with the default docker0 network interface, changing the default network for the VPN is the easiest fix.

Damn, nice post. I had exactly the same problem!

You could also just change the docker0 subnet from a Class-B, /16 CIDR block - to a Class-C, /24 CIDR block… All but a select few on this planet are going to need more than 65,000 hosts on a single subnet, and even fewer again crazy enough to actually utilise a 65k host broadcast domain.

I notice Ubiquiti seems to have updated their documentation in the link provided, utilising 172.20.100.0 now, so as not to encounter potential issues such as this docker clash. Personally I think docker should also step away from using the entire /16 block by default. Anyone who needs more than a /24 subnet is capable of finding and making the necessary changes without seeking assistance IMO.
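The subnet clash from the solution post, and the docker0 /24 alternative from the reply above, worked through as an added example (not code from the thread or from Home Assistant): Python with the standard ipaddress module checks whether a VPN client pool overlaps a host's local subnets, and models which interface the hass.io host picks when replying to a VPN client. The VPN pool, docker0 subnet and hass.io address are the values stated in the thread; the host routing table is an assumption modelled on the thread's description.

```python
import ipaddress

# Values stated in the thread: the USG's L2TP client pool and Docker's
# default bridge (docker0) network on the hass.io host.
VPN_POOL_ORIGINAL = "172.17.100.0/24"
VPN_POOL_UPDATED = "172.20.100.0/24"   # value from Ubiquiti's updated docs
DOCKER0_DEFAULT = "172.17.0.0/16"
DOCKER0_NARROWED = "172.17.0.0/24"     # the /24 alternative from the reply

# Assumed routing table of the hass.io host (10.0.1.119): LAN on eth0,
# Docker bridge on docker0, default route via the USG at 10.0.1.1.
def host_routes(docker0_cidr):
    return [("eth0", "10.0.1.0/24"), ("docker0", docker0_cidr), ("default", "0.0.0.0/0")]

HASSIO_ROUTES = host_routes(DOCKER0_DEFAULT)

def find_overlaps(client_pool, host_subnets):
    """Return names of host subnets that overlap the VPN client pool.

    Any overlap is enough to break the VPN for this host: replies to
    clients in the overlapping range get a local route, not the gateway.
    """
    pool = ipaddress.ip_network(client_pool, strict=False)
    return [name for name, cidr in host_subnets
            if pool.overlaps(ipaddress.ip_network(cidr, strict=False))]

def reply_interface(routes, client_addr):
    """Longest-prefix match of a VPN client address against the host routes.

    With docker0 on 172.17.0.0/16, a client at 172.17.100.x matches the
    bridge, so the reply is dropped into Docker instead of going back to
    the USG; that is why the host cannot even be pinged over the VPN.
    """
    dst = ipaddress.ip_address(client_addr)
    best_iface, best_len = None, -1
    for iface, cidr in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if dst in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface

if __name__ == "__main__":
    print("overlaps with original pool:",
          find_overlaps(VPN_POOL_ORIGINAL, [r for r in HASSIO_ROUTES if r[0] != "default"]))
    print("reply to 172.17.100.5 leaves via:", reply_interface(HASSIO_ROUTES, "172.17.100.5"))
    print("after moving the VPN pool:", reply_interface(HASSIO_ROUTES, "172.20.100.5"))
    print("after narrowing docker0 to /24:",
          reply_interface(host_routes(DOCKER0_NARROWED), "172.17.100.5"))
```

Either fix works because each one removes the overlap; the same check applies to any other bridge or VPN range you run, not only the values from this thread.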