April 22, 20251 yr Hey, I'm trying to setup wireguard exit node on Unraid to get access to my Lan from remote: VPS (wireguard entry for remote clients) -> [Unraid -> Lan] I can establish connection to Unraid and even ping local unraid IP from wireguard, but can't access other machine on the lan (like my Raspberry PI or even Docker on unraid br0 network). My network is the following: 10.13.13.0/24 - WG 10.10.179.0/24 - LAN My Unraid config: [Interface] PrivateKey= Address=10.13.13.2 ListenPort=51820 MTU=1414 PostUp=logger -t wireguard -- 'Tunnel WireGuard-wg0 started';/usr/local/emhttp/webGui/scripts/update_services PostDown=logger -t wireguard -- 'Tunnel WireGuard-wg0 stopped';/usr/local/emhttp/webGui/scripts/update_services PostUp=ip -4 route flush table 200 PostUp=ip -4 route add default via 10.13.13.2 dev wg0 table 200 PostUp=ip -4 route add 10.10.179.0/24 via 10.10.179.1 dev br0 table 200 PostDown=ip -4 route flush table 200 PostDown=ip -4 route add unreachable default table 200 PostDown=ip -4 route add 10.10.179.0/24 via 10.10.179.1 dev br0 table 200 [Peer] PublicKey= PresharedKey= Endpoint=<VPS> AllowedIPs=10.13.13.0/24 PersistentKeepalive=30 My VPS wireguard config: [Interface] Address = 10.13.13.1 ListenPort = 51820 PrivateKey = PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE [Peer] # unraid PublicKey = <> PresharedKey = <> AllowedIPs = 10.13.13.2/32, 10.10.179.0/24 So, VPS is not a problem, as I used to do run the same setup on my previous machine and it worked wonders. Here is traceroute from VPS: docker exec wireguard traceroute 10.10.179.222 traceroute to 10.10.179.222 (10.10.179.222), 30 hops max, 46 byte packets 1 10.10.179.222 (10.10.179.222) 32.155 ms 33.153 ms 34.911 ms docker exec wireguard traceroute 10.10.179.111 traceroute to 10.10.179.111 (10.10.179.111), 30 hops max, 46 byte packets 1 10.13.13.2 (10.13.13.2) 30.257 ms * 30.365 ms 2 Trace from Unraid : docker run --rm --net=host --privileged nicolaka/netshoot tcpdump -i wg0 icmp 17:23:25.232337 IP 10.13.13.1 > 10.10.179.156: ICMP echo request, id 13, seq 7958, length 64 17:23:25.264245 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 17, seq 7801, length 64 17:23:25.328433 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 12, seq 7967, length 64 17:23:25.680662 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 15, seq 7810, length 64 17:23:25.872120 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 10, seq 7977, length 64 17:23:26.096960 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 14, seq 7925, length 64 17:23:26.178497 IP 10.13.13.2 > 10.13.13.1: ICMP host 10.10.179.11 unreachable, length 92 17:23:26.178600 IP 10.13.13.2 > 10.13.13.1: ICMP host 10.10.179.11 unreachable, length 92 17:23:26.178688 IP 10.13.13.2 > 10.13.13.1: ICMP host 10.10.179.11 unreachable, length 92 17:23:26.192874 IP 10.13.13.1 > 10.10.179.11: ICMP echo request, id 16, seq 7869, length 64 17:23:26.256181 IP 10.13.13.1 > 10.10.179.156: ICMP echo request, id 13, seq 7959, length 64 17:23:26.288759 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 17, seq 7802, length 64 17:23:26.352742 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 12, seq 7968, length 64 17:23:26.704375 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 15, seq 7811, length 64 17:23:26.896409 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 10, seq 7978, length 64 17:23:27.120236 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 14, seq 7926, length 64 17:23:27.194156 IP 10.13.13.1 > 10.10.179.11: ICMP echo request, id 16, seq 7870, length 64 17:23:27.280249 IP 10.13.13.1 > 10.10.179.156: ICMP echo request, id 13, seq 7960, length 64 17:23:27.312450 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 17, seq 7803, length 64 17:23:27.376523 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 12, seq 7969, length 64 17:23:27.728145 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 15, seq 7812, length 64 17:23:27.920087 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 10, seq 7979, length 64 17:23:28.144053 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 14, seq 7927, length 64 17:23:28.208105 IP 10.13.13.1 > 10.10.179.11: ICMP echo request, id 16, seq 7871, length 64 17:23:28.304883 IP 10.13.13.1 > 10.10.179.156: ICMP echo request, id 13, seq 7961, length 64 17:23:28.336279 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 17, seq 7804, length 64 17:23:28.400237 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 12, seq 7970, length 64 17:23:28.752468 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 15, seq 7813, length 64 17:23:28.944679 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 10, seq 7980, length 64 17:23:29.168269 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 14, seq 7928, length 64 17:23:29.232642 IP 10.13.13.1 > 10.10.179.11: ICMP echo request, id 16, seq 7872, length 64 17:23:29.250396 IP 10.13.13.2 > 10.13.13.1: ICMP host 10.10.179.11 unreachable, length 92 17:23:29.250427 IP 10.13.13.2 > 10.13.13.1: ICMP host 10.10.179.11 unreachable, length 92 17:23:29.250446 IP 10.13.13.2 > 10.13.13.1: ICMP host 10.10.179.11 unreachable, length 92 17:23:29.250465 IP 10.13.13.2 > 10.13.13.1: ICMP host 10.10.179.11 unreachable, length 92 docker run --rm --net=host --privileged nicolaka/netshoot tcpdump -i br0 icmp 17:24:35.728178 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 14, seq 7993, length 64 17:24:35.728207 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 14, seq 7993, length 64 17:24:35.888592 IP 10.13.13.1 > 10.10.179.156: ICMP echo request, id 13, seq 8027, length 64 17:24:35.920387 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 17, seq 7870, length 64 17:24:35.920490 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 17, seq 7870, length 64 17:24:35.984128 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 12, seq 8036, length 64 17:24:35.984174 IP 10.10.179.25 > 10.13.13.1: ICMP echo reply, id 12, seq 8036, length 64 17:24:36.336436 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 15, seq 7879, length 64 17:24:36.336465 IP 10.10.179.25 > 10.13.13.1: ICMP echo reply, id 15, seq 7879, length 64 17:24:36.529386 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 10, seq 8046, length 64 17:24:36.529404 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 10, seq 8046, length 64 17:24:36.752165 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 14, seq 7994, length 64 17:24:36.752202 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 14, seq 7994, length 64 17:24:36.912232 IP 10.13.13.1 > 10.10.179.156: ICMP echo request, id 13, seq 8028, length 64 17:24:36.944051 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 17, seq 7871, length 64 17:24:36.944079 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 17, seq 7871, length 64 17:24:37.008047 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 12, seq 8037, length 64 17:24:37.008081 IP 10.10.179.25 > 10.13.13.1: ICMP echo reply, id 12, seq 8037, length 64 17:24:37.360607 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 15, seq 7880, length 64 17:24:37.360708 IP 10.10.179.25 > 10.13.13.1: ICMP echo reply, id 15, seq 7880, length 64 17:24:37.389144 IP 10.10.179.111 > 10.13.13.1: ICMP 10.10.179.111 udp port 33459 unreachable, length 54 17:24:37.552523 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 10, seq 8047, length 64 17:24:37.552623 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 10, seq 8047, length 64 17:24:37.776917 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 14, seq 7995, length 64 17:24:37.776936 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 14, seq 7995, length 64 17:24:37.936096 IP 10.13.13.1 > 10.10.179.156: ICMP echo request, id 13, seq 8029, length 64 17:24:37.968242 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 17, seq 7872, length 64 17:24:37.968268 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 17, seq 7872, length 64 17:24:38.032561 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 12, seq 8038, length 64 17:24:38.032664 IP 10.10.179.25 > 10.13.13.1: ICMP echo reply, id 12, seq 8038, length 64 17:24:38.384570 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 15, seq 7881, length 64 17:24:38.384663 IP 10.10.179.25 > 10.13.13.1: ICMP echo reply, id 15, seq 7881, length 64 17:24:38.576410 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 10, seq 8048, length 64 17:24:38.576437 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 10, seq 8048, length 64 17:24:38.600594 IP 10.10.179.111 > 10.13.13.1: ICMP 10.10.179.111 udp port 33439 unreachable, length 54 17:24:38.800106 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 14, seq 7996, length 64 17:24:38.800148 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 14, seq 7996, length 64 17:24:38.960515 IP 10.13.13.1 > 10.10.179.156: ICMP echo request, id 13, seq 8030, length 64 17:24:38.992442 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 17, seq 7873, length 64 17:24:38.992490 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 17, seq 7873, length 64 17:24:39.056333 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 12, seq 8039, length 64 17:24:39.056376 IP 10.10.179.25 > 10.13.13.1: ICMP echo reply, id 12, seq 8039, length 64 17:24:39.408442 IP 10.13.13.1 > 10.10.179.25: ICMP echo request, id 15, seq 7882, length 64 17:24:39.408480 IP 10.10.179.25 > 10.13.13.1: ICMP echo reply, id 15, seq 7882, length 64 17:24:39.628095 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 10, seq 8049, length 64 17:24:39.628196 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 10, seq 8049, length 64 17:24:39.828300 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 14, seq 7997, length 64 17:24:39.828332 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 14, seq 7997, length 64 17:24:39.985117 IP 10.13.13.1 > 10.10.179.156: ICMP echo request, id 13, seq 8031, length 64 17:24:40.016139 IP 10.13.13.1 > 10.10.179.111: ICMP echo request, id 17, seq 7874, length 64 17:24:40.016168 IP 10.10.179.111 > 10.13.13.1: ICMP echo reply, id 17, seq 7874, length 64
April 28, 20251 yr Community Expert Easier to do with tailscale and plugin using unraid tailscale advisting subnets... so here goes a crack at wireguard... AS my first concern is are you connected to the tunnel on another sytem and can you ping unraid / vps as a test... What's working: WireGuard tunnel itself is good (VPS ↔ Unraid handshake and ICMP pings) Routing from VPS to Unraid's LAN works partially (traceroute shows attempts) ICMP (ping) between VPS and some LAN devices responds (br0 captures show replies What's broken: Only ICMP (ping) seems to work, but no full TCP/UDP communication (e.g., no SSH, no HTTP) Unraid is responding on br0 but not routing properly for forwarding to LAN devices LAN devices (like your Raspberry Pi) don't know how to reply back to the WireGuard subnet 10.13.13.0/24 The Core Problem: (the issues of a tunnel is formed but not used...) Your Unraid server needs to NAT traffic coming from WireGuard clients (10.13.13.0/24) into the LAN (10.10.179.0/24). Right now, Unraid is routing but not masquerading packets. So LAN devices are trying to reply directly to 10.13.13.x — a network they don't know about. They should reply to Unraid, which then relays the reply back via WireGuard. Potential fix: You need a MASQUERADE rule (iptables NAT) on your Unraid server. Add this PostUp and PostDown to your Unraid WireGuard config: PostUp = iptables -t nat -A POSTROUTING -o br0 -s 10.13.13.0/24 -j MASQUERADE PostDown = iptables -t nat -D POSTROUTING -o br0 -s 10.13.13.0/24 -j MASQUERADE That will hide all traffic from 10.13.13.0/24 behind Unraid’s br0 LAN IP (e.g., 10.10.179.2 or whatever it is), so the LAN machines can reply properly. and update wireguard conf: [Interface] PrivateKey=... Address=10.13.13.2 ListenPort=51820 MTU=1414 PostUp=logger -t wireguard -- 'Tunnel WireGuard-wg0 started'; /usr/local/emhttp/webGui/scripts/update_services PostUp=ip -4 route flush table 200 PostUp=ip -4 route add default via 10.13.13.2 dev wg0 table 200 PostUp=ip -4 route add 10.10.179.0/24 via 10.10.179.1 dev br0 table 200 PostUp=iptables -t nat -A POSTROUTING -o br0 -s 10.13.13.0/24 -j MASQUERADE PostDown=logger -t wireguard -- 'Tunnel WireGuard-wg0 stopped'; /usr/local/emhttp/webGui/scripts/update_services PostDown=ip -4 route flush table 200 PostDown=ip -4 route add unreachable default table 200 PostDown=ip -4 route add 10.10.179.0/24 via 10.10.179.1 dev br0 table 200 PostDown=iptables -t nat -D POSTROUTING -o br0 -s 10.13.13.0/24 -j MASQUERADE Side Notes: You don't need to set policy routing (table 200) unless you want to only selectively route (which looks like what you're prepping for), but your main issue is missing NAT. ICMP pings work because many OSes are very tolerant about ICMP packets. But TCP/UDP (SSH, HTTP, etc) get dropped without proper NAT. The VPS config is good, no change needed. Secondary notewrothy Tip: If you want to access Unraid services (like Docker containers on br0) more cleanly, make sure Unraid's docker network is set up as custom: br0 mode, not in bridge mode. Otherwise, ports may not route properly.
May 7, 20251 yr Author On 4/28/2025 at 2:56 AM, bmartino1 said: so here goes a crack at wireguard... AS my first concern is are you connected to the tunnel on another sytem and can you ping unraid / vps as a test... I can ping Unraid ip easily, I can also reach out to other devices using br0 with different IP, BUT and only through traefik which is hosted on Unraid docker On 4/28/2025 at 2:56 AM, bmartino1 said: Your Unraid server needs to NAT traffic coming from WireGuard clients (10.13.13.0/24) into the LAN (10.10.179.0/24). Right now, Unraid is routing but not masquerading packets. So LAN devices are trying to reply directly to 10.13.13.x — a network they don't know about. They should reply to Unraid, which then relays the reply back via WireGuard. doesn't seem to be the case, enabling NAT didn't solve it. On 4/28/2025 at 2:56 AM, bmartino1 said: Potential fix: You need a MASQUERADE rule (iptables NAT) on your Unraid server. Add this PostUp and PostDown to your Unraid WireGuard config: no luck
May 7, 20251 yr Community Expert post a diag file I don't think you have the correct WireGuard config correct to the router nor a WireGuard config to connect through the tunnel... Your still fighting the tunnel being made but nothing going across it...(Or told to use and go across it...) tailscale easier.. Edited May 7, 20251 yr by bmartino1
May 8, 20251 yr Author On 5/7/2025 at 6:48 PM, bmartino1 said: post a diag file I don't think you have the correct WireGuard config correct to the router nor a WireGuard config to connect through the tunnel... I used exactly the same value you posted, it had the same situation though. PostUp=logger -t wireguard -- 'Tunnel WireGuard-wg0 started'; /usr/local/emhttp/webGui/scripts/update_services PostUp=ip -4 route flush table 200 PostUp=ip -4 route add default via 10.13.13.2 dev wg0 table 200 PostUp=ip -4 route add 10.10.179.0/24 via 10.10.179.1 dev br0 table 200 PostUp=iptables -t nat -A POSTROUTING -o br0 -s 10.13.13.0/24 -j MASQUERADE PostDown=logger -t wireguard -- 'Tunnel WireGuard-wg0 stopped'; /usr/local/emhttp/webGui/scripts/update_services PostDown=ip -4 route flush table 200 PostDown=ip -4 route add unreachable default table 200 PostDown=ip -4 route add 10.10.179.0/24 via 10.10.179.1 dev br0 table 200 PostDown=iptables -t nat -D POSTROUTING -o br0 -s 10.13.13.0/24 -j MASQUERADE to clarify, I can ping Unraid host, but I can't reach out to any other hosts on LAN. Edited May 8, 20251 yr by noonamer
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.