
"Remote tunneled access" wireguard clients lose access to anything but server upon docker start.


iarp


I've been banging my head against a wall here for days now only to figure this out just now.

 

If I disable docker from starting and restart my machine, wireguard clients set to Remote tunneled access can connect and the connection goes through the server just fine. However, once I enable docker, the connection dies. We can still access the internal server itself, but no LAN or WAN access.

 

Unraid 6.12.4

 

eth0 bonding/bridging = No. There is an eth1 but it's unused.

storage-diagnostics-20230927-1014.zip


You need to modify the wireguard config.

To look somewhat like this (fixed for your specific network and ip address needs)

PostUp=logger -t wireguard 'Tunnel WireGuard-wg4 started';/usr/local/emhttp/webGui/scripts/update_services
PostUp=iptables -t nat -A POSTROUTING -s 10.253.4.0/24 -o eth0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:4:0::/64 -o eth0 -j MASQUERADE
PostUp=iptables -t nat -A POSTROUTING -s 10.253.4.0/24 -o vhost0 -j MASQUERADE;ip6tables -t nat -A POSTROUTING -s fc00:253:4:0::/64 -o vhost0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg4 stopped';/usr/local/emhttp/webGui/scripts/update_services
PostDown=iptables -t nat -D POSTROUTING -s 10.253.4.0/24 -o eth0 -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fc00:253:4:0::/64 -o eth0 -j MASQUERADE
PostDown=iptables -t nat -D POSTROUTING -s 10.253.4.0/24 -o vhost0 -j MASQUERADE;ip6tables -t nat -D POSTROUTING -s fc00:253:4:0::/64 -o vhost0 -j MASQUERADE

 

Edited by Mainfrezzer
  • 2 weeks later...

Sorry for the trouble. I'd like to raise visibility on this, but I am not clear what the proposed change is.

 

Starting with a non-working wgX.conf file, please go to the VPN Settings page in Unraid 6.12.4 and make a dummy change, then Apply. Does that fix the issue?

 

If not, please show a before/after snippet of the wgX.conf file to make it clear what the bad value is and what you are proposing that it be changed to.

 

Thanks!


Before reading below: I wrote the below information before coming to a realization just now. Re-reading the quickstart, Remote tunneled access does NOT seem to be granting LAN access. I'm wanting my clients to have access to the LAN and internet tunneling, but none of the dropdown selections seem to offer this. If that is the case then I'll drop this post and the issue, because then nothing is wrong by Unraid's standards.

 

----

After a bit more testing I've come to realize I cannot access the LAN using Remote Tunneled Access. The reason I couldn't access websites is because DNS wasn't passing through to 192.168.2.1. When I updated the client to 8.8.8.8 it worked for domain names. Still unable to access the LAN.

 

As per Mainfrezzer's recommendation, adding vhost0 to PostUp and PostDown allows LAN access.

 

PostUp=iptables -t nat -A POSTROUTING -s 10.253.2.0/24 -o vhost0 -j MASQUERADE
PostDown=iptables -t nat -D POSTROUTING -s 10.253.2.0/24 -o vhost0 -j MASQUERADE

 

This fixed everything previously because I was still using my router's DNS, which, after running the above, allowed access to the LAN.

 

Aside from those two entries, I have not modified anything else.

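The two posts above (Mainfrezzer's full PostUp/PostDown block and iarp's two-line vhost0 addition) both hinge on the same detail: every MASQUERADE rule added with -A in a PostUp hook needs a matching -D in PostDown, otherwise stale NAT rules survive a tunnel restart. The script below is an added example, not code from the thread or from Unraid; it parses a wgX.conf, lists which egress interfaces the tunnel subnet is masqueraded onto, and reports any PostUp rule that has no PostDown counterpart. The config text it reads is constructed for the example and deliberately omits the vhost0 PostDown line so the check has something to find; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): lint a WireGuard wgX.conf so that every
# MASQUERADE rule added in PostUp has a matching delete in PostDown, and show
# which egress interfaces the tunnel subnet is NATed onto.

# Constructed sample config, modelled on the snippets in the thread. The
# vhost0 PostDown line is intentionally missing so the lint reports it.
SAMPLE_CONF='[Interface]
PrivateKey=PRIVATE_KEY_PLACEHOLDER
Address=10.253.2.1
ListenPort=51820
PostUp=logger -t wireguard "Tunnel WireGuard-wg2 started";/usr/local/emhttp/webGui/scripts/update_services
PostUp=iptables -t nat -A POSTROUTING -s 10.253.2.0/24 -o eth0 -j MASQUERADE
PostUp=iptables -t nat -A POSTROUTING -s 10.253.2.0/24 -o vhost0 -j MASQUERADE
PostDown=logger -t wireguard "Tunnel WireGuard-wg2 stopped";/usr/local/emhttp/webGui/scripts/update_services
PostDown=iptables -t nat -D POSTROUTING -s 10.253.2.0/24 -o eth0 -j MASQUERADE
'

# masq_rules HOOK ACTION: read a config on stdin and print "<subnet> <iface>"
# for each iptables MASQUERADE rule in the given hook (PostUp/PostDown) that
# uses the given action flag (A for add, D for delete). Multiple commands
# joined with ';' on one hook line are split and inspected individually.
masq_rules() {
    grep "^$1=" | sed "s/^$1=//" | tr ';' '\n' | awk -v act="-$2" '
        $1 == "iptables" && $0 ~ /MASQUERADE/ {
            s = ""; o = ""; ok = 0
            for (i = 1; i <= NF; i++) {
                if ($i == act) ok = 1
                if ($i == "-s") s = $(i + 1)
                if ($i == "-o") o = $(i + 1)
            }
            if (ok && s != "" && o != "") print s, o
        }'
}

# egress_ifaces CONF: space-separated, de-duplicated list of interfaces the
# tunnel subnet is masqueraded onto in PostUp (the thread shows eth0 alone is
# not enough once docker brings up vhost0).
egress_ifaces() {
    printf '%s\n' "$1" | masq_rules PostUp A | awk '{print $2}' | sort -u \
        | tr '\n' ' ' | sed 's/ $//'
}

# missing_postdown CONF: print every "<subnet> <iface>" added in PostUp that
# has no corresponding -D rule in PostDown. Empty output means the hooks are
# balanced.
missing_postdown() {
    up=$(printf '%s\n' "$1" | masq_rules PostUp A)
    down=$(printf '%s\n' "$1" | masq_rules PostDown D)
    printf '%s\n' "$up" | while read -r subnet iface; do
        [ -n "$subnet" ] || continue
        printf '%s\n' "$down" | grep -qx "$subnet $iface" || echo "$subnet $iface"
    done
}

# masq_pair SUBNET IFACE: emit the balanced PostUp/PostDown pair for one
# interface, in the same form the thread uses, so a fix can be pasted in.
masq_pair() {
    echo "PostUp=iptables -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE"
    echo "PostDown=iptables -t nat -D POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Stand-alone run: lint the constructed sample config.
echo "Egress interfaces in PostUp: $(egress_ifaces "$SAMPLE_CONF")"
missing=$(missing_postdown "$SAMPLE_CONF")
if [ -n "$missing" ]; then
    echo "PostUp rules without a PostDown delete:"
    printf '%s\n' "$missing" | while read -r subnet iface; do
        echo "  $subnet via $iface -> suggested pair:"
        masq_pair "$subnet" "$iface" | sed 's/^/    /'
    done
else
    echo "PostUp and PostDown MASQUERADE rules are balanced."
fi
```

To lint a real file, replace the constructed text with `SAMPLE_CONF=$(cat /path/to/wgX.conf)`; the parser only reads the hook lines and never touches iptables itself, so it is safe to run while the tunnel is up.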

Does not the "Remote Access to LAN" option give you what you want? The one caveat is that your Unraid server must be on a different subnet to your remote users if you want the DNS to work correctly. Typically this means at least avoiding the 192.168.0.x and 192.168.1.x subnets for your local LAN, as these are common defaults for many routers.

41 minutes ago, iarp said:

Re-reading the quickstart, Remote Access to LAN is just server and LAN. I want server, lan, wan.

 

Well, it works for me!

 

The important thing is that the DNS server and gateway on your local LAN are used so you can get back out to the internet, which is why the local LAN needs to be on a different subnet to the remote client.
