Wireguard, VLANs, Docker and Routing



I have in the past had OpenVPN set up to access my LAN remotely and that worked OK, but I have been looking at using WireGuard and I can't quite figure out the best way to set this up.

 

My network is set up across three VLANs with some of the docker containers running on Unraid assigned macvlan addresses on the different VLANs. I want to have some fine-grained control over what can be accessed over the VPN, but I am not sure where the routing takes place in this setup.


 

I have tried various settings and I am able to access the Unraid server frontend, but I can't seem to figure out how to access things and lock this down to specific IPs / ports. In reality I mainly want to give access to some servers on VLAN 2, but the Unraid box doesn't actually have an address on this VLAN (the docker containers are running as macvlan as I only have one NIC). It would be nice if I was also able to access some boxes on VLAN 1.

 

Currently this is set up as "Remote Access to LAN" and I have set up a static route for the VPN network to the Unraid server IP. This gives me access to everything on one VLAN, but I can't seem to get anything else to work.

 

Anyone got anything similar working?

On 8/29/2022 at 8:46 AM, Fredrick said:

Hey did you ever solve this?

I want to have my wireguard peer access another VLAN than my unRAID, but I can't seem to get it set up.

 

Hoping I can avoid setting up a different VPN

 

Hey @Fredrick did you ever figure this out? I'm having the same issue. I set up WireGuard and can access anything on the network the server is on, but I can't access any of my devices on my other networks even though the Unraid server itself can ping them.

34 minutes ago, venicenerd said:

WireGuard and can access anything on the network the server is on, but I can't access any of my devices on my other networks even though the Unraid server itself can ping them.

Did you set up a static route between WireGuard and the IP address of the unRAID server? IIRC, I had to do this to access Docker containers I had assigned to my VLAN (br0.3).

 

My static route looks like this (destination network is the WireGuard LAN and Next Hop is my unRAID server IP address):

[screenshot of the router's static route: destination = WireGuard tunnel network, next hop = unRAID server IP]

 

Here is a tutorial I put together of everything I did to make all my host/bridge and custom network containers on a VLAN accessible via WireGuard. Perhaps something there may be of use to you.

 

NOTE: some things in my tutorial may be outdated now, as I believe Docker can now be configured for access to the host network. That did not matter in my case as I had a separate VLAN for docker containers.

23 minutes ago, Hoopster said:

Did you set up a static route between WireGuard and the IP address of the unRAID server? IIRC, I had to do this to access Docker containers I had assigned to my VLAN (br0.3).

 

My static route looks like this (destination network is the WireGuard LAN and Next Hop is my unRAID server IP address):

[screenshot of the router's static route: destination = WireGuard tunnel network, next hop = unRAID server IP]

 

Here is a tutorial I put together of everything I did to make all my host/bridge and custom network containers on a VLAN accessible via WireGuard. Perhaps something there may be of use to you.

WOW! That fixed it! I also set "Local Server Uses NAT" to "No" in the WireGuard VPN settings.

 

I don't understand why this fixed it, though. I previously had WireGuard installed in Docker on a Raspberry Pi and I never had to set up a static route on my router to be able to access all networks. Not sure if you have any more time, but I would love to understand what the static route did to make this work and why it wasn't needed for my previous setup.

 

Thank you!!!

15 minutes ago, venicenerd said:

I don't understand why this fixed it, though.

From the first post in the WireGuard Quickstart:

 

Complex Networks

 

The instructions above should work out of the box for simple networks. With "Use NAT" defaulted to Yes, all network traffic on Unraid uses Unraid's IP, and that works fine if you have a simple setup.

 

However, if you have Dockers with custom IPs or VMs with strict networking requirements, you'll need to make a few changes:

  • In the WireGuard tunnel config, set "Use NAT" to No
  • In your router, add a static route that lets your network access the WireGuard "Local tunnel network pool" through the IP address of your Unraid system. For instance, for the default pool of 10.253.0.0/24 you should add this static route:
    • Network: 10.253.0.0/24 (aka 10.253.0.0 with subnet 255.255.255.0)
    • Gateway: <IP address of your Unraid system>
    • If you use pfSense, you may also need to check the box for "Static route filtering - bypass firewall rules for traffic on the same interface". See this.
  • If you have Dockers with custom IPs then on the Docker settings page, set "Host access to custom networks" to "Enabled". see this:

https://forums.unraid.net/topic/84229-dynamix-wireguard-vpn/page/8/?tab=comments#comment-808801

 

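The three steps quoted above (NAT off, static route on the router, host access to custom networks) and the earlier static-route post are tied together in the following added example. It is not code from the thread or from Unraid; it is a POSIX shell script that writes out the two forms of the `[Interface]` section, prints the router route in iproute2 syntax, models where a VLAN host's reply ends up in each case (which answers the "why did the route fix it" question), and checks the client side: a packet only enters the tunnel if the peer's AllowedIPs cover the destination. Every address below (tunnel pool 10.253.0.0/24, Unraid at 192.168.1.10 on VLAN 1, containers on 192.168.2.0/24) is an assumption for illustration, "Use NAT" is modelled as a MASQUERADE rule (the exact rules the Unraid plugin writes may differ), and "Remote access to LAN" is assumed to give the peer only the VLAN 1 subnet in AllowedIPs.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses are assumptions.
POOL="10.253.0.0/24"        # Unraid's default "Local tunnel network pool"
TUNNEL_ADDR="10.253.0.1/24" # Unraid's end of the tunnel
UNRAID_IP="192.168.1.10"    # Unraid's LAN address, on VLAN 1
LAN_IF="br0"                # Unraid's bridge interface
VLAN1="192.168.1.0/24"
VLAN2="192.168.2.0/24"      # macvlan containers live here; Unraid has no address on it

# 1. The [Interface] part of wg0.conf for "Use NAT" = yes or no.
#    Assumption: "Use NAT" amounts to a MASQUERADE rule in PostUp/PostDown.
gen_wg_conf() {
  nat=$1
  printf '[Interface]\nAddress = %s\nListenPort = 51820\nPrivateKey = <server-private-key>\n' "$TUNNEL_ADDR"
  if [ "$nat" = yes ]; then
    printf 'PostUp = iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$POOL" "$LAN_IF"
    printf 'PostDown = iptables -t nat -D POSTROUTING -s %s -o %s -j MASQUERADE\n' "$POOL" "$LAN_IF"
  fi
}

# 2. The static route the router needs once NAT is off (iproute2 syntax;
#    enter the same network/gateway pair in your router's UI).
router_static_route() {
  printf 'ip route add %s via %s\n' "$POOL" "$UNRAID_IP"
}

# 3. Why the route matters: where a VLAN 2 host's reply to VPN client
#    10.253.0.2 ends up, given the NAT setting and the router's route table.
reply_path() {
  nat=$1; static_route=$2
  if [ "$nat" = yes ]; then
    echo delivered-via-nat          # host replies to Unraid's own IP, which it already reaches
  elif [ "$static_route" = yes ]; then
    echo delivered-via-static-route # host -> default gateway -> Unraid -> tunnel
  else
    echo lost                       # router has no route for 10.253.0.0/24
  fi
}

# CIDR helpers in plain POSIX arithmetic, used for the client-side check.
ip_to_int() {
  a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# 4. The client only sends a packet into the tunnel if its AllowedIPs cover
#    the destination; with only VLAN 1 listed, VLAN 2 traffic never leaves the client.
reachable_via_tunnel() {
  dest=$1; shift
  for cidr in "$@"; do
    if in_cidr "$dest" "$cidr"; then return 0; fi
  done
  return 1
}

# Stand-alone run: NAT-off config, the router route, both reply paths, and the client check.
gen_wg_conf no
router_static_route
reply_path no no
reply_path no yes
reachable_via_tunnel 192.168.2.50 "$VLAN1" "$VLAN2" && echo "VLAN 2 host reachable once AllowedIPs include $VLAN2"
```

Two points for the "lock this down to specific IPs / ports" part of the original question: on the server side a peer's AllowedIPs restricts which source addresses that peer may use, not what it may reach, so destination restrictions need firewall rules; and with NAT off the peer's 10.253.0.x source address survives onto the VLAN, which is exactly what lets the router's inter-VLAN firewall (or iptables FORWARD rules on Unraid) apply per-peer rules.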