
additional route table entries for VPN tunnels


Hello,

I'd like to know if there is a way to specify additional routes in tables created for VPN tunnels and if so how does one do it.

I've created a VPN tunnel in "Settings > VPN Manager" with peer type "VPN tunneled access for docker". I can assign containers to a new custom network that got created and everything works fine from the container's perspective - it does reach the internet through the tunnel. The container exposes a port that I want to be reachable from local networks other than the one Unraid is on. Packets from other local networks do reach the container but responses are routed through the VPN tunnel which is not what needs to happen.

In my setup Unraid's main interface has address 192.168.5.99.

When the tunnel is created I see the following changes to the routing setup:

  1. ip rule shows a new entry:

     from 172.31.200.0/24 lookup 200

  2. ip route show table 200 shows:

     default via 10.14.0.2 dev wg0
     192.168.5.0/24 via 192.168.5.1 dev br0

I need more entries for local networks in this table; say I'd need an entry for a local network that Unraid is not aware of, like:

192.168.1.0/24 via 192.168.5.1 dev br0

I've verified that when such an entry is added manually the responses are routed correctly to the origin of the request. Manual entries won't be recreated after the machine restarts, so I need a more permanent solution.

In the UI, in the tunnel's settings, when I click on the "eye" icon I see roughly the following interface definition:

[Interface]
#name
PrivateKey=...
Address=10.14.0.2
PostUp=logger -t wireguard -- 'Tunnel WireGuard-wg0 started'; /usr/local/emhttp/webGui/scripts/update_services
PostDown=logger -t wireguard -- 'Tunnel WireGuard-wg0 stopped'; /usr/local/emhttp/webGui/scripts/update_services
PostUp=ip -4 route flush table 200
PostUp=ip -4 route add default via 10.14.0.2 dev wg0 table 200
PostUp=ip -4 route add 192.168.5.0/24 via 192.168.5.1 dev br0 table 200
PostDown=ip -4 route flush table 200
PostDown=ip -4 route add unreachable default table 200
PostDown=ip -4 route add 192.168.5.0/24 via 192.168.5.1 dev br0 table 200

I'm wondering if there's a way to influence this definition and add additional PostUp/PostDown pairs.

I'll be grateful for any hints on how to achieve the above.

Thanks,

Tom
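Added example, not from the post or from Unraid: a small Python check that parses the table 200 output shown above, reports which local networks would have their replies sent out through wg0 instead of br0, and generates the matching PostUp lines. The LOCAL_NETS list and the second network 10.10.0.0/16 are assumptions; 192.168.1.0/24 is the extra LAN from the post.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample of `ip -4 route show table 200` after the tunnel comes up
# (values from the post: VPN default route plus Unraid's own LAN only).
TABLE_200 = """\
default via 10.14.0.2 dev wg0
192.168.5.0/24 via 192.168.5.1 dev br0
"""

# Local networks the container must answer directly (assumed list;
# 10.10.0.0/16 is a made-up second LAN).
LOCAL_NETS = ["192.168.5.0/24", "192.168.1.0/24", "10.10.0.0/16"]
LAN_GATEWAY, LAN_DEV, TABLE = "192.168.5.1", "br0", 200


def parse_table(text: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Parse `ip route show table N` lines into (destination, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else ""
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def egress_device(routes, address: str) -> Optional[str]:
    """Longest-prefix match: the device a reply to `address` leaves through."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def leaking_networks(table_text: str, local_nets, vpn_dev: str = "wg0") -> List[str]:
    """Local networks whose replies would currently go out via the VPN device."""
    routes = parse_table(table_text)
    # Probe the first host of each LAN; one probe per LAN is enough since
    # table 200 only holds whole-network routes.
    return [c for c in local_nets
            if egress_device(routes, str(next(ipaddress.ip_network(c).hosts()))) == vpn_dev]


def postup_lines(nets, gateway=LAN_GATEWAY, dev=LAN_DEV, table=TABLE) -> List[str]:
    """PostUp lines, in the format of the interface definition above, pinning each LAN to br0."""
    return [f"PostUp=ip -4 route add {n} via {gateway} dev {dev} table {table}" for n in nets]
```

Run it against the live output of `ip -4 route show table 200` to confirm the generated lines close every gap before adding them permanently.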


Yeah, this is all I want:

1) Containers I specify use the VPN tunnel

2) Everything else (bridge-networked containers, host) stays the same, not using the VPN tunnel.

3) The VPN tunnel rebuilds itself as needed (the PIA token has a lifetime)

4) If the VPN tunnel goes down, it doesn't affect anything that doesn't use it

Why is this so hard? @SpaceInvaderOne's tutorial gets you up and running, but you don't realize that unwanted traffic is going over the tunnel, and when the tunnel fails the host suddenly loses network.

For example, I have a DuckDNS container running to update my domain with my current IP address. It's on the bridged network. It thought my IP address was that of the VPN endpoint, and updated the DNS entry. Then all my Caddy-managed reverse proxy names like "photos.mydomain.com" were not resolving to my server.

I was able to get everything working except my host traffic is still going over the tunnel while it's up. I had to use a combination of (1) a refresh script that includes iptables tweaks like you're describing, and (2) routing rules in my go script. See https://forums.unraid.net/topic/197609-unraid-vpn-manager-tunnel-wg0-not-showing-up-in-docker-containers/#findComment-1621149
