• [After Upgrade] - Unable to Remote Tunnel Access out to Internet - Wireguard on 6.10-RC8


    Signian
    • Minor

Hi all, I decided to upgrade from 6.9.2 -> 6.10-RC8 because macvlan was causing random crashes on my Unraid box, which became very annoying as I had to constantly do parity checks. On 6.9.2 I had WireGuard set up with Remote Tunnel Access, which should allow me to access my LAN and send my VPN'd device's internet traffic to my Unraid box to go out to the internet as if I were connected to my home network. During my time on 6.9.2 that was working perfectly.

     

The only change that I made when moving to 6.10-RC8 was switching from macvlan to ipvlan. I didn't make any changes to my VPN configuration or anything. One interesting thing that I found is that if I have "Docker" turned off I am able to access my LAN and route traffic from my VPN'd device to access the internet. However, if I turn on "Docker", I'm only able to access my local LAN and cannot route my traffic through my Unraid box to access the internet via my home network.

     

As requested by @bonienl, I have attached my anonymized diagnostics and WireGuard configuration with my public and private keys removed. I also added a screenshot of the Docker settings just in case.

     

    Any help would be appreciated to get this back and running! 

    Screen Shot 2022-05-14 at 8.44.42 AM.png

    signian-diagnostics-20220514-0831.zip wg0.conf.zip

    ClientConfig.conf.zip




    User Feedback

    Recommended Comments

    Thanks, one more request. Can you also post the wg configuration of the client side (with keys removed)

     

    Link to comment
    1 hour ago, bonienl said:

    Thanks, one more request. Can you also post the wg configuration of the client side (with keys removed)

     

     

    ClientConfig.conf is added. I redacted the keys and my actual IP address. 

    Link to comment

    I have tested your configuration (adjusted to my home network) and all works as expected. I can reach my home server and can browse the Internet.

     

    Perhaps it is a DNS issue. Your client is configured to use DNS = 10.10.20.1 (your home router), change the DNS to a public service, like 8.8.8.8 and see if that works.

     

    Link to comment
    8 hours ago, bonienl said:

    I have tested your configuration (adjusted to my home network) and all works as expected. I can reach my home server and can browse the Internet.

     

    Perhaps it is a DNS issue. Your client is configured to use DNS = 10.10.20.1 (your home router), change the DNS to a public service, like 8.8.8.8 and see if that works.

     

     

    I tried switching that and no luck. I actually looked at my other VPN configs and the other ones use 1.1.1.1 or 1.0.0.1. However, I did try Google's DNS and it still didn't work. Could there be something wrong with my routing settings within Network Settings? 

    Link to comment

@bonienl After further troubleshooting, what I determined is that the trigger in the Docker section that decides whether I can access the internet or not is the setting "IPv4 custom network on interface br0 (optional)". If I enable this and start Docker, I am unable to use WireGuard to access the internet from my VPN. However, if I disable it, everything works as expected. Any suggestions on where I should look? I really would like to have the setting enabled because I want to use containers such as Pi-hole, etc., which require a custom IP assigned.

    Link to comment

    Thanks for testing.

    I don’t know exactly why it doesn’t work for you.

    Like you I have br0 used by docker, and no issues.

     

    Are you able to ping different IP addresses, including the dns IP address from your client?
     

    Link to comment
    14 hours ago, bonienl said:

    Thanks for testing.

    I don’t know exactly why it doesn’t work for you.

    Like you I have br0 used by docker, and no issues.

     

    Are you able to ping different IP addresses, including the dns IP address from your client?
     

     

If you run the command "wg-quick up wg0" or "wg-quick down wg0", what does the iptables command look like? For some reason when I do it, this doesn't look right to me and might be the cause of the issue. If it is wrong, I don't know how it got like that or how to change it.

     

    up output: iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE

    down output: iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE

     

When I'm connected to the VPN with IPv4 custom network enabled I can access my Unraid web GUI, Docker containers, and static-IP-assigned containers on br0. What I cannot access is my home router at (10.x.x.1) and the outside internet. If I try to ping I get nothing. I've tried different DNS servers as well. Like I also mentioned, if IPv4 custom network is disabled, WireGuard works perfectly fine.

     

Seems like something is routing funny. I'm not an expert at network routing, but I did a lot of playing around. It's bugging the crud out of me 😕

     

     

    Link to comment
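The two iptables lines posted above are the only server-side state visible in this thread, so here is an added consistency check (example code, not the Unraid project's own and not something posted in the thread) that cross-checks that MASQUERADE rule against the server's routing table and forwarding flag. MASQUERADE in POSTROUTING rewrites the VPN clients' 10.253.0.x source address to the server's own address; if it names an interface that is not the one holding the default route, or if forwarding is off, internet-bound traffic from the tunnel goes nowhere while the server itself stays reachable, which is the symptom described. The sample routing table in the comments is constructed; the tunnel subnet 10.253.0.0/24 and interface br0 are taken from the posted rule.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the WireGuard NAT rule on an Unraid-style server.
# Run on the server as:
#   check_wg_nat "$(ip -4 route)" "$(iptables -t nat -S POSTROUTING)" \
#                "$(cat /proc/sys/net/ipv4/ip_forward)" 10.253.0.0/24
# Prints one line per check; returns 0 only when every check passes.
check_wg_nat() {
  routes=$1 natrules=$2 forward=$3 wgnet=$4 rc=0

  # 1. The kernel must forward between wg0 and the LAN/WAN interface at all.
  if [ "$forward" = "1" ]; then echo "ok: ip_forward=1"
  else echo "FAIL: ip_forward=$forward, kernel will not route between wg0 and the LAN"; rc=1; fi

  # 2. Interface of the default route: where VPN clients' internet traffic must leave.
  def_if=$(printf '%s\n' "$routes" | awk '$1=="default"{for(i=1;i<NF;i++) if($i=="dev"){print $(i+1); exit}}')
  if [ -n "$def_if" ]; then echo "ok: default route leaves via $def_if"
  else echo "FAIL: no default route on the server"; rc=1; fi

  # 3. The tunnel subnet must be routed into the WireGuard interface (i.e. the tunnel is up).
  wg_if=$(printf '%s\n' "$routes" | awk -v n="$wgnet" '$1==n{for(i=1;i<NF;i++) if($i=="dev"){print $(i+1); exit}}')
  if [ -n "$wg_if" ]; then echo "ok: $wgnet routed via $wg_if"
  else echo "FAIL: no route for $wgnet (tunnel not up?)"; rc=1; fi

  # 4. A MASQUERADE rule for the tunnel subnet must exist, and its -o interface must be
  #    the same interface that carries the default route, otherwise replies never return.
  nat_if=$(printf '%s\n' "$natrules" | awk -v n="$wgnet" \
    '/-j MASQUERADE/ && index($0, "-s " n " ")>0 {for(i=1;i<NF;i++) if($i=="-o"){print $(i+1); exit}}')
  if [ -z "$nat_if" ]; then echo "FAIL: no POSTROUTING MASQUERADE rule for $wgnet"; rc=1
  elif [ -n "$def_if" ] && [ "$nat_if" != "$def_if" ]; then
    echo "FAIL: MASQUERADE is on -o $nat_if but the default route uses $def_if"; rc=1
  else echo "ok: MASQUERADE for $wgnet on $nat_if"; fi

  return $rc
}

# Constructed sample input (not captured from the poster's server) showing a healthy layout:
# default via 10.10.20.1 dev br0
# 10.10.20.0/24 dev br0 proto kernel scope link src 10.10.20.50
# 10.253.0.0/24 dev wg0 scope link
# -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
```

Run it twice: once with Docker's custom network disabled (the working state) and once with it enabled, and diff the output; whichever of the four lines flips is the thing to chase with traceroute.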

    Don't use the manual commands to activate the tunnel, but use the GUI instead.

    In 6.10 additional logic is added and performed together with the WG commands.

     

The iptables entries you see are created to allow docker containers to make use of a WG tunnel, this is only used when the correct tunnel type is selected, otherwise not used.

     

    My guess is some routing issue exists in your set up.

    You need to do some troubleshooting using 'ping' and 'traceroute' (tracert) to see at what point communication fails.

     

    Link to comment
    On 5/18/2022 at 2:42 AM, bonienl said:

    Don't use the manual commands to activate the tunnel, but use the GUI instead.

    In 6.10 additional logic is added and performed together with the WG commands.

     

The iptables entries you see are created to allow docker containers to make use of a WG tunnel, this is only used when the correct tunnel type is selected, otherwise not used.

     

    My guess is some routing issue exists in your set up.

    You need to do some troubleshooting using 'ping' and 'traceroute' (tracert) to see at what point communication fails.

     

     

    Did some more playing around with my network settings and unraid and somehow got it to work. Don't even know what I did. As far as I can remember I did this:

     

Went into Network Settings -> changed eth0 to using a static IP instead of Automatic. Used my dedicated LAN address I already had reserved for the server within my router -> eth1 is just sitting there not configured. No for everything and no IPv4 address assigned.

     

    eth0 is set to bridging enabled 

     

    Everything works except for one thing. It's not a HUGE deal but it would be nice if I could get it to work.

     

    What Works:

    • Able to navigate through my LAN
    • Access the internet using my home IP address while on my cell network, etc.
    • Can access docker containers and containers that I had set with static IP addresses
    • hit the unraid webgui

    What doesn't work

    • Unable to access my router to modify settings at 10.x.x.1

     

    Any suggestions on how to get that last part working?

     

    Note: I am now on 6.10. I know this says 6.10-RC8 but this is happening on the stable version that has since been released

    Edited by Signian
    Update info of what OS I'm on
    Link to comment
    On 5/21/2022 at 6:47 AM, Signian said: [quote of the post above]

I had the same exact problem, only able to access the Unraid IP over the remote tunnel connection.

     

    When I set `enable docker` to No, then all of a sudden I was able to ping google.com as you mentioned.

    Your solution works in the same exact way for me: I changed eth0 to use a static IP, and I am now able to turn on Docker and use the internet.

    What Works:

    • Able to navigate through my LAN
    • Access the internet using my home IP address while on my cell network, etc.
    • Can access docker containers and containers that I had set with static IP addresses
    • hit the unraid webgui

    What doesn't work

    • Unable to access my router to modify settings at 192.x.x.1
    Link to comment

    Wanted to follow up on this as I fixed the issue and now everything is working as expected. While we are way past Unraid 6.10 this solution should still work on the latest version of Unraid. This will allow you to still have a Custom Docker Network while not breaking Wireguard.

     

    Problem: Wireguard external network breaks when you enable "Host access to Custom networks". Disabling this will allow you to navigate LAN and External Internet from your home IP, however, if you have any containers like Pi-Hole, you'll notice when trying to connect to them over VPN, you will not be able to.

     

    I believe you can set static routing via your router to fix the issue, however, there are some routers that don't have that feature. This is what I did to fix the access issue since my router unfortunately doesn't have static routing:

     

    Requirement: Must have at least 2 NIC ports on your Server

     

    1. Go into Network Settings -> Set eth1 with the following settings:

       a. Enable bonding -> No

       b. Enable bridging -> No

       c. Network protocol -> IPv4 + IPv6 (you could just do IPv4).

       d. Do not set an IP address assignment for IPv4 or IPv6.

       e. Leave Desired MTU and Enable VLANs at the defaults.

    2. Go to Settings -> Docker -> Set "Enable Docker" to "No" temporarily while you change the settings (Note: this will shut off all your containers while you are making the changes).

    3. Once disabled, ensure the "Host access to custom networks" type is set to "Disabled".

    4. Uncheck "IPv4 custom network" on interface eth0 and check the box for eth1.

    5. Set your subnet and gateway (ex: 192.168.1.0 / 192.168.1.1).

    6. Once the settings have been applied, set "Enable Docker" to "Yes".

    7. Go to the container with a custom network (ex: Pi-hole), edit its config to set the network type to "Custom: eth1" and set your fixed IP address.

    8. Connect to your WireGuard VPN from a device not on your network and see if you can access the internal and external network. You can also try connecting to your containers on custom networks and ensure you can load the app's console.

     

    Hope this helps people! :) 

    Edited by Signian
    formatting
    Link to comment
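The last step of the procedure above, and bonienl's earlier advice to ping and traceroute hop by hop, come down to the same triage: from the VPN client, probe the server, the router, a public IP and a DNS name, and read the pass/fail pattern. Here is that triage as an added script (example code, not from the thread or the Unraid project). The target addresses are assumptions: 10.10.20.1 is the router/DNS address mentioned in the thread, the server address 10.10.20.50 is made up, and the public IP and hostname are placeholders. The probe command is overridable so the decision logic can be exercised without a network.

```shell
#!/usr/bin/env bash
# Added example: tiered reachability triage from a WireGuard client.
# Assumed targets; edit to match your LAN.
SERVER=10.10.20.50    # Unraid server LAN address (assumed)
ROUTER=10.10.20.1     # LAN gateway / the DNS server from the client config
PUBLIC_IP=1.1.1.1     # any public address reachable without DNS
DNS_NAME=example.com  # a name that must resolve through the tunnel DNS

# probe <target>: one ICMP echo with a 2 s timeout. WG_PROBE overrides the command
# (e.g. WG_PROBE=my_fake_probe) so the logic below can be tested offline.
probe() { ${WG_PROBE:-ping -c 1 -W 2} "$1" >/dev/null 2>&1; }

# wg_triage: prints the probe pattern and a one-line pointer at the failing tier.
# Returns 0 only when every tier passes.
wg_triage() {
  s=0; r=0; p=0; d=0
  probe "$SERVER"    && s=1
  probe "$ROUTER"    && r=1
  probe "$PUBLIC_IP" && p=1
  probe "$DNS_NAME"  && d=1
  echo "server=$s router=$r public_ip=$p dns_name=$d"

  if [ "$s" = 0 ]; then
    echo "tunnel down: check handshake, Endpoint and AllowedIPs on the client"; return 1
  fi
  if [ "$r" = 0 ] && [ "$p" = 0 ]; then
    # The pattern from this thread: server reachable, nothing beyond it.
    echo "server reachable only: traffic is not being forwarded/NATed off the server (ip_forward, POSTROUTING MASQUERADE, or the Docker custom-network setting discussed above)"; return 1
  fi
  if [ "$p" = 0 ]; then
    echo "LAN works but internet does not: default route or upstream NAT on the server"; return 1
  fi
  if [ "$d" = 0 ]; then
    echo "IP works but names do not: DNS= in the client config (try a public resolver)"; return 1
  fi
  if [ "$r" = 0 ]; then
    # The residual symptom in the thread: everything except the router itself.
    echo "only the router is unreachable: the router is not answering the tunnel subnet"; return 1
  fi
  echo "all tiers reachable"; return 0
}
```

Run `wg_triage` once with the custom Docker network disabled and once with it enabled; the first line that changes tells you which tier to traceroute.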



