March 16, 2021
I've been trying to run most services on Unraid for ease of backup and to centralize everything. The ones that are causing me some grief are AdGuardHome for DNS and WireGuard for VPN. I love the WireGuard plugin for Unraid and it is my preference to run this. If I run AdGuardHome on a Rpi4, everything works great, but then I need to keep the Pi4 running and maintained (not that big a deal really). If I spin up an AdGuardHome docker container, I need to run with a custom IP on br0 so that it can have free access to DNS type ports. When using a custom IP, WireGuard peers cannot access it. I've seen some complicated posts about setting up static routes on my router, or running docker containers in a VLAN. I can do this since I have a Unifi setup but the instructions aren't working for me. The other option is to run AdGuard in a VM on the Unraid server. What is everyone's thought on this?
April 2, 2021
I've had exactly the same problem, and after hours of scouring the Internet for answers I finally found a solution that works for me. In the section 'Complex Networks' in the top post of the link above it is described what settings to use when using a custom IP for a Docker container. Basically, you have to ensure these three things:
- In the WireGuard tunnel config (Settings > VPN Manager), make sure that Local server uses NAT is set to No (this setting can be found by toggling Advanced in the top right corner)
- Add a static route in your router from the WireGuard Local tunnel network pool to the IP of your Unraid server (the default pool for WireGuard on Unraid is 10.253.0.0/24). For me the router settings look like this:
- In your Docker settings (Settings > Docker), make sure that Host access to custom networks is set to Enabled
After restarting the WireGuard tunnel with these settings I was finally able to connect to Adguard Home using its local IP address through the WireGuard tunnel. Good luck, hopefully it will work for you too!
April 2, 2021 (Author)
Thanks. I actually got it working by moving my docker containers to a separate VLAN. I have Unifi network gear so this was pretty easy.
November 16, 2021
I've been using Wireguard lately. Now trying to add AdGuard home and it's having issues working at all.
1. Br0 custom port in AdGuard does not work at all and fails... if I adjust the Docker settings to allow custom ports then it brings down wireguard and my remote access
2. When I use Host for the AdGuard Docker, I can get it to start, but in the settings for the initial AdGuard setup it is having problems with "binding" to port 80 and 53, saying they are already in use. I'm sure that has to do with WireGuard, correct?
3. I don't think I can use any other ports than 80 and 53 because my router won't allow that DHCP/DNS setup?
4. When I disable NAT in the VPN Settings in Unraid it just makes wireguard vpn not work at all. (I'm trying to do this remotely since I'm away now for a bit)
Any ideas?
Edited November 16, 2021 by Kenny111
February 8, 2022
Thank you demc19! I just signed up here to thank you for providing the steps for the problem that was bugging me the whole afternoon. Your solution worked perfectly for me!
August 23, 2025
I spent an enormous amount of time troubleshooting this as well. I found the Unraid documentation (VPN | Unraid Docs) to be helpful, but lacking in one key area. I did disable NAT in wireguard, enabled host access to custom networks in docker, and added a static route in my router, but I was left with access to only my LAN, and no access to the broader internet in wireguard's "Remote tunneled access" mode.

I inspected my file at /boot/config/wireguard/wg0.conf and the PostUp and PostDown commands looked like this:
```
PostUp=logger -t wireguard -- 'Tunnel WireGuard-wg0 started'; /usr/local/emhttp/webGui/scripts/update_services
PostDown=logger -t wireguard -- 'Tunnel WireGuard-wg0 stopped'; /usr/local/emhttp/webGui/scripts/update_services
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200
PostUp=ip -4 route add 192.168.68.0/22 via 192.168.68.1 dev br0 table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.68.0/22 via 192.168.68.1 dev br0 table 200
```
I edited them to look like this (adding two lines and replacing br0 with shim-br0) and it works great! shim-br0 is created when "host access to custom networks" in Docker is turned on.

We need to tell wireguard to send outbound internet traffic through shim-br0 instead of br0.
```
PostUp=logger -t wireguard -- 'Tunnel WireGuard-wg0 started'; /usr/local/emhttp/webGui/scripts/update_services
PostDown=logger -t wireguard -- 'Tunnel WireGuard-wg0 stopped'; /usr/local/emhttp/webGui/scripts/update_services
# Add these two lines
PostUp = iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o shim-br0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o shim-br0 -j MASQUERADE
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200
PostUp=ip -4 route add 192.168.68.0/22 via 192.168.68.1 dev shim-br0 table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.68.0/22 via 192.168.68.1 dev shim-br0 table 200
```
Now my client connected via wireguard remote tunneled access can reach the internet!
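
The hand edit in the post above is easy to get half right, so here is a small checker for it, added as an example and not part of the original post or of Unraid. It flags an `iptables -A` rule in PostUp that has no identical `-D` in PostDown, and any `ip route` hook still naming the old bridge; the function names, finding labels and the `old_dev` parameter are assumptions of this example.

```python
import re

# Constructed sample in the style of the wg0.conf lines quoted above. It has two
# deliberate defects: the MASQUERADE rule is never removed on PostDown, and one
# PostUp route still names br0.
SAMPLE_CONF = """\
[Interface]
PostUp = iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o shim-br0 -j MASQUERADE
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.253.0.1 dev wg0 table 200
PostUp=ip -4 route add 192.168.68.0/22 via 192.168.68.1 dev br0 table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.68.0/22 via 192.168.68.1 dev shim-br0 table 200
"""

HOOK = re.compile(r"\s*(PostUp|PostDown)\s*=\s*(.*)", re.IGNORECASE)


def hooks(conf_text):
    """Collect hook commands per phase as token lists (naive split on ';')."""
    found = {"postup": [], "postdown": []}
    for line in conf_text.splitlines():
        m = HOOK.match(line)
        if m:
            for cmd in m.group(2).split(";"):
                if cmd.strip():
                    found[m.group(1).lower()].append(cmd.split())
    return found


def lint(conf_text, old_dev="br0"):
    """Return (finding, phase, command) tuples for the two problems above."""
    h, findings = hooks(conf_text), []
    for toks in h["postup"]:
        # An appended iptables rule needs the identical rule deleted on PostDown,
        # otherwise it outlives the tunnel and is duplicated on every restart.
        if toks[0] in ("iptables", "ip6tables") and "-A" in toks:
            undo = ["-D" if t == "-A" else t for t in toks]
            if undo not in h["postdown"]:
                findings.append(("rule-no-teardown", "PostUp", " ".join(toks)))
    for phase, key in (("PostUp", "postup"), ("PostDown", "postdown")):
        for toks in h[key]:
            # Policy-routing entries should no longer point at the old bridge.
            if toks[:1] == ["ip"] and "route" in toks and "dev" in toks[:-1]:
                if toks[toks.index("dev") + 1] == old_dev:
                    findings.append(("route-on-" + old_dev, phase, " ".join(toks)))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(*finding, sep=" | ")
```

Run it against a copy of the file by passing the file's text to `lint()`; an empty list means both checks passed.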