What @Simon_Arnold3 means by “they have to be different VLAN” is that they have to be separate L2 broadcast domains and L3 networks. Basically the UniFi/USG stuff puts all the VPN clients in their own “VLAN”, which is separate from the other local networks (Corporate, Guest, etc.).
Roon uses a mix of UDP 9003 for discovery of devices running Roon and mDNS for talking to certain endpoints (AppleTV, for example).