Mainfrezzer Posted December 22, 2022 (edited)

I've been tinkering around to get tunneled remote access to my Unraid server while having some Docker containers exposed to my home network that my server also needs to access. It seemed to be a 2/3-affair. Either:

- tunneled access and Docker running, while having no access from the host to the containers,
- no tunneled access to the server, while having the containers accessible from the host, or
- Docker containers and host were able to communicate, but your tunneled access is limited to the Unraid system itself.

Here is my solution to that problem.

First, the "standard" tunnel access. No further steps on that. This just guarantees access via the tunnel in case the array/Docker server didn't start at all. !IMPORTANT!

Secondly, we're gonna add another tunneled access to the server. The recommended options are fine. Now we need to manually edit the wg*.conf, in my case wg1, and change the adapter from br0 to shim-br0. And that's it. Now you always have one tunneled access to the server incl. all Docker containers and access to the internet. The tunnel that got modified to the shim-br0 network is the one that has all access while Docker is running. The wg0 interface in this example is the "oh shit, something is wrong" connection.

Update for 6.12.4: If you're running the macvtap network you need to modify the file to look like this; the need for a second tunnel does not exist anymore.
PostUp=logger -t wireguard 'Tunnel WireGuard-wg4 started';/usr/local/emhttp/webGui/scripts/update_services
PostUp=iptables -t nat -A POSTROUTING -s 10.253.4.0/24 -o eth0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:4:0::/64 -o eth0 -j MASQUERADE
PostUp=iptables -t nat -A POSTROUTING -s 10.253.4.0/24 -o vhost0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:4:0::/64 -o vhost0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg4 stopped';/usr/local/emhttp/webGui/scripts/update_services
PostDown=iptables -t nat -D POSTROUTING -s 10.253.4.0/24 -o eth0 -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fc00:253:4:0::/64 -o eth0 -j MASQUERADE
PostDown=iptables -t nat -D POSTROUTING -s 10.253.4.0/24 -o vhost0 -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fc00:253:4:0::/64 -o vhost0 -j MASQUERADE

Edited September 27, 2023 by Mainfrezzer: Added info for 6.12.4 changes
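As an added example (not part of either post), a small POSIX shell check for a wg*.conf in the PostUp=/PostDown= layout above: it lists NAT rules that PostUp adds but no PostDown removes (those would stay in the nat table after the tunnel stops) and confirms the tunnel subnet is masqueraded out of both eth0 and vhost0. The sample conf is constructed from the subnets in the post; the PrivateKey is a placeholder and the vhost0 PostDown lines are deliberately omitted so the check has something to report.

```shell
#!/bin/sh
# Added example, not from the thread: check a wg*.conf in the PostUp=/PostDown=
# layout above for (a) NAT rules added on PostUp with no matching PostDown
# removal and (b) MASQUERADE coverage of a given outgoing interface.

# Constructed sample conf (subnets from the post, key is a placeholder).
# The vhost0 PostDown lines are deliberately left out to show the check firing.
write_sample_conf() {
    f="${TMPDIR:-/tmp}/wg4.conf.sample"
    cat >"$f" <<'EOF'
[Interface]
PrivateKey=PLACEHOLDER_PRIVATE_KEY
Address=10.253.4.1/24
PostUp=logger -t wireguard 'Tunnel WireGuard-wg4 started';/usr/local/emhttp/webGui/scripts/update_services
PostUp=iptables -t nat -A POSTROUTING -s 10.253.4.0/24 -o eth0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:4:0::/64 -o eth0 -j MASQUERADE
PostUp=iptables -t nat -A POSTROUTING -s 10.253.4.0/24 -o vhost0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:4:0::/64 -o vhost0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg4 stopped';/usr/local/emhttp/webGui/scripts/update_services
PostDown=iptables -t nat -D POSTROUTING -s 10.253.4.0/24 -o eth0 -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fc00:253:4:0::/64 -o eth0 -j MASQUERADE
EOF
    printf '%s\n' "$f"
}

# Split each PostUp/PostDown into its ';'-separated commands, keep the
# POSTROUTING rules and strip the -A/-D so add and delete forms compare equal.
nat_rules() {  # $1 = conf, $2 = PostUp|PostDown, $3 = A|D
    grep "^$2=" "$1" | tr ';' '\n' | sed "s/^$2=//" \
        | grep -E "^ip6?tables .* -$3 POSTROUTING" | sed "s/ -$3 / /"
}

# Print PostUp NAT rules that no PostDown removes; empty output means clean.
unmatched_nat_rules() {
    down=$(nat_rules "$1" PostDown D)
    nat_rules "$1" PostUp A | while IFS= read -r rule; do
        printf '%s\n' "$down" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# Succeeds when some PostUp rule masquerades the tunnel out of interface $2.
masquerades_interface() {
    nat_rules "$1" PostUp A | grep -Eq -- "-o $2 -j MASQUERADE"
}

conf=$(write_sample_conf)
echo "NAT rules left behind on PostDown:"
unmatched_nat_rules "$conf"
for dev in eth0 vhost0; do
    masquerades_interface "$conf" "$dev" && echo "$dev: masqueraded" || echo "$dev: MISSING"
done
```

Point it at /etc/wireguard/wg4.conf (or whichever tunnel you edited) instead of the sample to check your own file.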
floepie05 Posted March 19 (edited)

This is a gem of a remedy for those who want to have their cake and eat it. Hoping the devs can help route this tunnel via the new virtual interface if the setting 'host and docker networks communication' is enabled. This is very handy for DNS server containers, which should probably go via the host or in a macvlan or ipvlan network on the same host subnet. If you want to have HTTPS routed via your reverse proxy from within your LAN network and back out to the custom network, you will need host and custom network to communicate. This also allows the host to resolve the DNS server on the br0.

Edited March 19 by floepie05