November 20, 2024

I'm trying to get a secure connection between the docker containers on my unraid server and the wider internet via Proton VPN setup. I've got the wireguard tunnel configured using the VPN tunnelled access for docker settings and if I connect a browser container to it, when I use the browser to check my IP, it comes up as the host city of my VPN. Yay! I then go to dnsleaktest and get DNS results in my city rather than in the host city of my VPN. I've set the Peer DNS server to the IP of the ProtonVPN DNS, turned off DNS over HTTPS in the firefox container and double checked I'm not passing an address like 1.1.1.1 or something and I'm not... Any help getting this configured would be really appreciated!
November 21, 2024

To address the DNS leak issue when using ProtonVPN and WireGuard with Docker containers on Unraid, we need to ensure that all DNS traffic is routed securely through the VPN. Here's how to tackle it:

Steps to Resolve WireGuard DNS Leaks

1. Ensure WireGuard Peer DNS Configuration
Make sure your WireGuard configuration explicitly specifies the ProtonVPN DNS server for the tunnel.
- Go to the Settings for your WireGuard tunnel in Unraid.
- Edit the Peer DNS Server field: use ProtonVPN's DNS, typically 10.8.8.1 or as specified in your ProtonVPN configuration.
- Save and restart the WireGuard tunnel.

2. Force DNS Traffic Through the VPN
By default, DNS traffic might not be routed through the VPN tunnel, causing leaks. Use these steps to fix routing:
- Modify Docker Container Routes: ensure the WireGuard tunnel is set as the default gateway for Docker containers connected to the VPN. To do this, you may need to configure ip route manually for your Docker containers. Add a route to force all traffic (including DNS) through the tunnel:
      ip route add default dev wg0 table main
  *Can be added in the Web UI network settings at the bottom... This sounds more like an iproute issue...
  Replace wg0 with your WireGuard tunnel interface name.
- Check Container DNS Settings:
      cat /etc/resolv.conf
  If it doesn't show the ProtonVPN DNS, force it by adding the --dns flag to your Docker container (extra parameters, advanced toggle):
      docker run --dns 10.8.8.1 ...
- Adjust Unraid's Default Gateway: navigate to Settings > Network Settings in Unraid. Ensure that Unraid itself is not leaking DNS by directing DNS traffic to the WireGuard tunnel: set the DNS server to 10.8.8.1 or the DNS IP specified by ProtonVPN.

3. Use iptables to Enforce VPN Usage (ADVANCED, SHOULD NOT BE NEEDED... iptables...)
Set up iptables rules to block any traffic that bypasses the WireGuard tunnel. SSH into your Unraid server.
      iptables -A FORWARD -i wg0 -j ACCEPT
      iptables -A FORWARD -o wg0 -j ACCEPT
      iptables -A OUTPUT ! -o wg0 -m owner --uid-owner $(id -u nobody) -j DROP
Replace wg0 with the WireGuard interface name. This ensures that any traffic from Docker containers (nobody user) must use the VPN tunnel.

4. Verify DNS Traffic
Once changes are applied:
- Reconnect your browser container to the WireGuard network.
- Check DNS resolution inside the container:
      nslookup google.com
- Test DNS leaks: use dnsleaktest.com or similar to ensure all results point to your VPN host city.
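To check the condition this reply is about (whether each nameserver in the container's /etc/resolv.conf would actually leave through the tunnel rather than the Docker bridge), here is an added diagnostic; it is not from the thread, Unraid or ProtonVPN. It assumes the tunnel interface is named wg0 as above, and the `ip route show` and resolv.conf text it runs over is constructed sample input; inside a real container, feed it the actual output of those two commands.

```python
# Added diagnostic (not from the thread): given the text of `ip route show` and
# /etc/resolv.conf from inside a container, do a longest-prefix route lookup for
# each nameserver and report any that would egress on an interface other than
# the WireGuard tunnel (wg0 is assumed, as in the reply above).
import ipaddress

def parse_routes(ip_route_output):
    """Return [(network, dev)] from lines such as
    'default via 172.18.0.1 dev eth0' or '10.8.8.1 dev wg0 scope link'."""
    routes = []
    for line in ip_route_output.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not a route line (e.g. 'unreachable ...'), skip it
        routes.append((net, parts[parts.index("dev") + 1]))
    return routes

def parse_nameservers(resolv_conf):
    """Collect nameserver entries, ignoring comments and other options."""
    return [line.split()[1] for line in resolv_conf.splitlines()
            if line.strip().startswith("nameserver") and len(line.split()) > 1]

def egress_interface(ip, routes):
    """Longest-prefix match: the dev of the most specific route covering ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def find_dns_leaks(resolv_conf, ip_route_output, tunnel_dev="wg0"):
    """Return [(nameserver, egress_dev)] for resolvers that bypass the tunnel."""
    routes = parse_routes(ip_route_output)
    return [(ns, egress_interface(ns, routes)) for ns in parse_nameservers(resolv_conf)
            if egress_interface(ns, routes) != tunnel_dev]

# Constructed sample: the Proton resolver is routed via wg0, but a LAN resolver
# left in resolv.conf still exits through the Docker bridge (eth0).
SAMPLE_ROUTES = """default via 172.18.0.1 dev eth0
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.5
10.8.8.1 dev wg0 scope link
192.168.1.0/24 via 172.18.0.1 dev eth0"""
SAMPLE_RESOLV = "# constructed\nnameserver 10.8.8.1\nnameserver 192.168.1.1\noptions ndots:0\n"

if __name__ == "__main__":
    for ns, dev in find_dns_leaks(SAMPLE_RESOLV, SAMPLE_ROUTES):
        print(f"LEAK: nameserver {ns} would egress via {dev}, not wg0")
```

A nameserver reported with egress `None` matches no route at all, which is also worth fixing since the resolver library will simply fail over to the next entry.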
November 23, 2024 (Author)

Thanks for this, I really appreciate it! So I'm working through the instructions you've listed and I'm trying to determine how to apply them. I've essentially reset everything as best as I'm able to ensure I'm not being tripped up by old mistakes. I'm trying to add the routing to the table in the network settings, but it doesn't seem to apply properly? I've tried applying it via the terminal and whilst I can get it to show up, it disappeared after a reboot? I wondered if it was related to the preserve user defined networks option in the docker configuration? I tried forcing the DNS with the add additional parameters in the config of my firefox container, but it didn't seem to work. Am I going to have to set some of this stuff up in a script which runs at boot or something to apply these configurations properly? I don't feel confident that I know what I'm doing well enough to mess with IP tables at this point.
November 23, 2024

Preserve user defined networks is more a docker template thing, if it's called bond0 when you're not using bonding... I would still recommend enabling host access to custom networks (which allows the docker to talk to your LAN) and preserve, as you would change or make an edit and sometimes the templates can remove things when they don't preserve. Unraid setting VPN manager for WireGuard: some routes are set by the allowed IPs option under the peer: