Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Unraid Wireguard tunneled access while having Host access to custom networks enabled

Featured Replies

Ive been tinkering around to get tunneled remote access to my Unraidserver while having some Docker-Container exposed to my home network that my Server also needs to access.

It seemed to be a 2/3-Affair.
Either tunneled access and Docker running while having no access from the Host to the Container
No tunneled access to the Server while having the Container accessible from the Host 
or 
Docker-Container and Host were able to communicate but your tunneled access is limited to the unraid system itself.

Here is my solution to that Problem.

First, the "standard" tunnel access. No further steps on that.
1.thumb.PNG.dc02cd4dc1936ded9a2a463e3a963ab3.PNG

This just guarantees access via the tunnel in case the Array/Docker-Server didnt start at all. !IMPORTANT!

Secondly. We gonna add another tunneled access to the Server. The recommended options are fine.
2.thumb.PNG.679186dc811f0dd78e7acc873d1b8485.PNG

Now we need to manually edit the wg*.conf, in my case wg1 and change the adapter from br0 to shim-br0.

3.thumb.PNG.457c92914b3c534b75c5bfcedb34b476.PNG


And thats it. Now you always got 1 tunneled access to the Server incl. all Docker-Container and access to the internet. The tunnel, that got modified to the shim-br0 network is the one that has all access while Docker is running. The wg0 interface is in this example is the "oh shit, something is wrong" connection.


Update for 6.12.4:
If youre running the macvtap network you need to modify the file to look like this, the need for a second tunnel does not exist anymore.

 

PostUp=logger -t wireguard 'Tunnel WireGuard-wg4 started';/usr/local/emhttp/webGui/scripts/update_services
PostUp=iptables -t nat -A POSTROUTING -s 10.253.4.0/24 -o eth0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:4:0::/64 -o eth0 -j MASQUERADE
PostUp=iptables -t nat -A POSTROUTING -s 10.253.4.0/24 -o vhost0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:4:0::/64 -o vhost0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg4 stopped';/usr/local/emhttp/webGui/scripts/update_services
PostDown=iptables -t nat -D POSTROUTING -s 10.253.4.0/24 -o eth0 -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fc00:253:4:0::/64 -o eth0 -j MASQUERADE
PostDown=iptables -t nat -D POSTROUTING -s 10.253.4.0/24 -o vhost0 -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fc00:253:4:0::/64 -o vhost0 -j MASQUERADE


With 6.12.10 the macvtap option doesnt need any change anymore since it sets the rules on its own now.

Edited by Mainfrezzer
Added info for 6.12.10

  • 5 months later...

This is a gem of a remedy for those who want to have their cake and eat it. 

Hoping the devs can help route this tunnel via the new virtual interface if the setting 'host and docker networks communication' is enabled. 

This is very handy for DNS server containers, which should probably go via the host or in a macvlan or ipvlan network on the same host subnet.

If you want to have HTTPS routed via your reverse proxy from within your LAN network and back out to the custom network, you will need host and custom network to communicate. 

This also allows the host to resolve the DNS server on the Br0.

 

 

Edited by floepie05

  • 1 month later...

Hi y all I am facing the same issue, but i can't access my router, nor internet i can just access my home server.
And i can't seem to find a patch after editing the conf files they get overwritten
Thanks for your help!

  • Author
58 minutes ago, Ravinala said:

Hi y all I am facing the same issue, but i can't access my router, nor internet i can just access my home server.
And i can't seem to find a patch after editing the conf files they get overwritten
Thanks for your help!

Which Unraid version are you runing? And what "protocol" are you using, IPVlan or Macvtap?

The whole Shebang is not needed anymore with 6.12.10 and the macvtap interface, since it sets the vhost0 correctly and it just work out of the box.

I havent tested ipvlan since, well, my router cant handle it. But since ipvlan still uses the old method (having 2 tunnel just in case), you have to do it manually. Dont use the VPN Manager to make changes, because they alway overwrite the file. Stop the tunnel, navigate to the flashdrive, edit the file with the "Dynamix File Manager", save it, switch back to the vpn manager and just start the tunnel without saving anything.

 Hi. I am on 6.12.10  But I realised network is set to ipvlan.   Should I switch it ?  As  of nowI have a temporary fix, did a semi tunnel and I did a static route from my router ton unraid. I could access LAN but not Internet. So you would suggest to switch to mcvlan and having custom host enabled should not pose any problem?  Kind regards         

  • Author

Dont switch to macvlan, that will just crash your server.

Macvtap works differently and is enabled by disabling the bridge in the network settings.

Its up to you if you want to switch. Both works absolutely fine and the guide from the original post still is correct in setting things up with ipvlan.

Setup the first, "Emergency tunnel" which always works when the array is offline (That you can do completely over the vpn manager interface)

then setup a second one "Normal tunnel" which only works when the array is running. (Apart from the initial setup, never save changes in the vpn manager in there, only manually with the file manager plugin, since it removes the shim- from the interface)

Edited by Mainfrezzer

Thanks for your help in thr matter, bit what would be the issue to going to MacVtap. I could honestly try.  I think the issue I did was save a config which overwrite my edits.   I might try again later.  I might try to enable MacvTap tomorrow and see and then otherwise I will do the guide again.  But do you add the peer after editing or before ?

Edited by Ravinala
fixee

  • Author

I would say create the peer before you do the manual change. I actually have no clue if adding a peer will change the file like a save does, because, im sure as hell aint giving anyone remote access to my server(and home) apart from myself

  • 7 months later...

Does this work with docker containers that have custom ipvlan network with custom ip address? Containers like pi-hole which runs a dedicated IP on my main network subnet.

  • Author

 

1 hour ago, UnraidUser_2020 said:

Does this work with docker containers that have custom ipvlan network with custom ip address? Containers like pi-hole which runs a dedicated IP on my main network subnet.

I assume you mean that you can reach your pi-hole from your vpn client? Absolutely, if you have the "Host access to custom networks" enabled. The wireguard file for that tunnel just needs to be changed from the default br0 to the shim-br0 as mentioned in the first post.

I tried enabling host access to custom networks and confirmed i have shim-bro in the config file. And i still cant access the custom ip docker containers nor the internet. Also im running Pi-Hole in a container on unraid so when i manually change the dns entry on my iphone to 1.1.1.1 i can get to internet and unraid server / some containers but cant access the custom ipvlan containers still.

It looks like every time i add a new peer to try different config that shim-br0 gets reset...

  • Author
1 minute ago, UnraidUser_2020 said:

It looks like every time i add a new peer to try different config that shim-br0 gets reset...

yep. everytime you do something in the gui, it resets to the "default". You would have to create your clients etc beforehand and then stop the tunnel, edit the file to the shim network, start the tunnel.

  • 2 months later...

OK this is great. Hope in a future implementation it is fixed to be properly set automatically.

(any admin feedback?)

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.