likesboc Posted September 15, 2022

I just realised that the VPN tunnel I'm using is down. I am connected to it through the built-in Settings/VPN Manager tool. I was certain that Dockers that are connected through this tunnel (called wg0) are offline when the tunnel is offline. They are not, I'm a bit in shock.

Is this working as intended? What is supposed to happen when the tunnel is down? The dockers just fall back to the regular connection, revealing my address?

ljm42 Posted September 16, 2022

Are we talking about the new "VPN tunneled access for docker" feature described here? https://forums.unraid.net/topic/84316-wireguard-vpn-tunneled-access-to-a-commercial-vpn-provider/

If so, then I would expect the Docker containers which are configured to use the VPN tunnel to lose network access when the VPN tunnel drops.

To test it, set up the tunnel and containers as described at the URL above. Then disconnect the tunnel and confirm the containers lose access. Note that Docker containers which are not configured to use the tunnel will not be affected when the tunnel drops.

If you are able to reproduce a problem, please provide the exact steps to do so.

likesboc Posted September 17, 2022 (Author)

On 9/16/2022 at 5:15 AM, ljm42 said:
> To test it, setup the tunnel and containers as described at the url above. Then disconnect the tunnel and confirm the containers lose access. If you are able to reproduce a problem, please provide the exact steps to do so.

Hi, yes, I am talking about the new Unraid built-in VPN feature. When I disconnect the tunnel manually the dockers also lose internet access, so this works.

My issue was caused by a reboot, I think. I had to turn off the whole system, and when I turned it back on again I forgot to enable the VPN tunnel. I think this is an error though, because the dockers are configured to use the tunnel "wg0", but when I don't turn it on after a reboot, the dockers can go online anyways, ignoring their setting to use "wg0" exclusively.

I feel the dockers should remain offline as long as the tunnel is offline, even (or especially) when I forget to turn it on.

ljm42 Posted September 18, 2022

Interesting, we'll need to do some testing to see if we can reproduce this. But in the meantime if the Docker containers are set to autostart I'd recommend setting the VPN tunnel to autostart too.

likesboc Posted September 18, 2022 (Author)

12 hours ago, ljm42 said:
> Interesting, we'll need to do some testing to see if we can reproduce this. But in the meantime if the Docker containers are set to autostart I'd recommend setting the VPN tunnel to autostart too.

I'm (relatively) certain I had autostart for the tunnel on; after I had rebooted the system it was off, though. Thank you for looking into it, I feel it's important that this works in all scenarios.

ljm42 Posted September 20, 2022

So our implementation does include a kill switch, meaning if the WireGuard tunnel drops then any Docker containers using that tunnel will lose access to the Internet. However, that only works if the WireGuard tunnel was started first. If the Docker containers are started *before* the WireGuard tunnel is started, then they can access the Internet over the default network.

As a quick fix I have added a warning here: https://forums.unraid.net/topic/84316-wireguard-vpn-tunneled-access-to-a-commercial-vpn-provider/ but we are looking into what options we have for preventing this situation. Thanks for reporting it.

BTW, if your WireGuard tunnel was set to autostart but it didn't, the issue is likely that your network did not initialize in the expected amount of time (i.e. the DHCP server was too slow). Unraid 6.11.0 has code to work around this, but in the meantime you can speed up your network initialization by statically assigning an IP address rather than using DHCP.

likesboc Posted September 24, 2022 (Author)

On 9/20/2022 at 2:09 AM, ljm42 said:
> If the Docker containers are started *before* the WireGuard tunnel is started, then they can access the Internet over the default network. BTW, if your WireGuard tunnel was set to autostart but it didn't, the issue is likely that your network did not initialize in the expected amount of time (i.e. the DHCP server was too slow). Unraid 6.11.0 has code to work around this, but in the meantime you can speed up your network initialization by statically assigning an IP address rather than using DHCP.

Hey, thanks for looking into this. I understand the feature has to be activated before working; however, the docker containers are configured to use the VPN tunnel exclusively (wg0 in my case). I don't see a reason why the container should fall back to the default network unless configured that way. If wg0 isn't there, it should not be able to connect regardless of the state of the tunnel. At least that is my logic.

In my configuration there is no DHCP involved, the network is configured statically and I am not using autostart on containers.

Thanks! Cheers

Edited September 24, 2022 by likesboc

ljm42 Posted September 24, 2022 (Solution)

I agree it is odd, but apparently Docker is able to find a way to start the container even when the tunnel it is configured to use has not been started. We are looking into our options. For now, you'll want to take care not to start the container until the tunnel has been started.
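
An added example, not part of the thread and not Unraid's own code: a start guard that enforces the advice above by refusing to start containers unless the tunnel interface exists and has a recent WireGuard handshake. The interface name wg0 comes from the thread; the 180-second window (which assumes traffic or a keepalive on the tunnel) and the container name are assumptions.

```shell
#!/bin/sh
# Added example: start tunnel-bound containers only while the tunnel is up.
# wg0 is the tunnel name from the thread; MAX_AGE and any container names
# passed in are assumptions.
WG_IF="${WG_IF:-wg0}"
MAX_AGE="${MAX_AGE:-180}"   # seconds; assumes traffic or a keepalive on the tunnel

# handshake_fresh NOW
# Reads `wg show <if> latest-handshakes` output on stdin, one peer per line:
#   <peer-public-key><TAB><unix-time>   (0 means no handshake yet)
# Succeeds if any peer completed a handshake within MAX_AGE seconds of NOW.
handshake_fresh() {
    now="$1"
    while read -r _peer ts; do
        case "$ts" in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        if [ "$ts" -gt 0 ] && [ $((now - ts)) -le "$MAX_AGE" ]; then
            return 0
        fi
    done
    return 1
}

# tunnel_ready: the interface must exist and have a recent handshake.
# An interface that exists but never handshook does not count as up.
tunnel_ready() {
    ip link show dev "$WG_IF" >/dev/null 2>&1 || return 1
    wg show "$WG_IF" latest-handshakes 2>/dev/null | handshake_fresh "$(date +%s)"
}

# guarded_start CONTAINER...
# Fails closed: if the tunnel is not ready, no container is started.
guarded_start() {
    if ! tunnel_ready; then
        echo "refusing to start $*: $WG_IF is not up" >&2
        return 1
    fi
    docker start "$@"
}

# Usage after sourcing this file (container name is hypothetical):
#   guarded_start my-vpn-container
```

The guard only covers the start-order gap described in the thread; once the containers are running, the kill switch ljm42 describes is what handles a later tunnel drop.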