vmlinuz Posted February 7, 2022 Good evening, I have a problem: remote tunneled access does not work for me. I can connect to the VPN with my phone, but once connected it no longer has internet access, even though I can ping my phone from the WireGuard interface. If anyone has an idea, thanks. Anthony
trurl Posted February 7, 2022 1 hour ago, vmlinuz said: thanks Anthony Anyone wishing to reply go to this thread
mgadbois Posted February 11, 2022 Running UnRAID 6.10.RC2 utilizing the built-in WireGuard VPN. I can connect a phone and laptop just fine. I can ping the unRAID server and get to the internet all through the tunnel. What I can't do is get to other things on my local network that are on the same VLAN as the unRAID server. I have the tunnel set for "Remote tunnel access". Seems I am missing a route somewhere, but can't figure it out. Routing table shown below. unRAID is 10.5.254.80/24 and VPN clients are 10.5.253.2 and .3. Thoughts on this one? astro-server-diagnostics-20220211-1000.zip
ljm42 Posted February 11, 2022 Author On 2/5/2022 at 10:53 PM, J05u said: I am having no issues to connect to my server via wireguard, but i can't connect to dockers on my network 46 minutes ago, mgadbois said: Seems I am missing a route somewhere, but can't figure it out. Sounds like you need to add a static route to your *router* so that devices on your network can communicate with the WireGuard network pool. See the "Complex Networks" portion of the first post in this thread. If you continue to have issues, read the section below that, which explains how "Use NAT", "host access to custom networks", and having a static route all interact. Certain combinations do not work well together.
mgadbois Posted February 11, 2022 Added static route in my router and all works now. Thanks
nxtiak Posted February 15, 2022 I was on vacation for a week; when I got back my flash drive had some issues, so I restored from a week-old backup. Anyway, everything is fine except my WireGuard isn't working. It won't stay Active. I click the slider, it shows Active, I change tabs and go back and it's Inactive. I uninstalled the plugin, reinstalled, and same thing, my old peers still there too. Any ideas? How do I completely erase WireGuard so when I install it, it's brand new? Logs show nothing.
MylesM Posted February 16, 2022 I'm trying to use the "server hub & spoke access" type of access so that some of my peers should be able to talk to each other. My peers can connect and they can ping the server, but they can't ping each other and the server can't ping them either. Did I miss something?
ljm42 Posted February 16, 2022 Author On 2/14/2022 at 9:59 PM, nxtiak said: How do I completely erase WireGuard so when I install it, it's brand new? Go to Settings -> VPN Manager. For each tunnel, change the slider from Basic to Advanced, then choose the Delete Tunnel option.
ljm42 Posted February 16, 2022 Author 18 hours ago, MylesM said: I'm trying to use the "server hub & spoke access" type of access so that some of my peers should be able to talk to each other. My peers can connect and they can ping the server, but they can't ping each other and the server can't ping them either. Did I miss something? You'll want to ping the tunnel IPs, not the LAN/WAN IPs. The tunnel has its own network range. The server usually has a .1 address in that pool, and then each peer has a unique address in that pool.
nxtiak Posted February 16, 2022 7 minutes ago, ljm42 said: Go to Settings -> VPN Manager. For each tunnel, change the slider from Basic to Advanced, then choose the Delete Tunnel option. Thanks, I figured this out last night, but then when I tried to set it up again, nothing would save. Type a name, generate key, etc.; clicking save would do nothing. Think my USB is bad or?
ljm42 Posted February 16, 2022 Author 2 minutes ago, nxtiak said: Thanks, I figured this out last night, but then when I tried to set it up again, nothing would save. Type a name, generate key, etc.; clicking save would do nothing. Think my USB is bad or? When you hit save, does the cursor move to a new field so you can fix a value? I.e. maybe you are using an invalid character in the name. If not, try switching the slider from Basic to Advanced and see if it moves to a field now.
nxtiak Posted February 17, 2022 4 hours ago, ljm42 said: When you hit save, does the cursor move to a new field so you can fix a value? I.e. maybe you are using an invalid character in the name. If not, try switching the slider from Basic to Advanced and see if it moves to a field now. When I type anything in the Local Name (anything like 1234 or myserver) and click Apply, the cursor goes to Local Public Key to enter a value. I click Generate Keypair, then I click Apply and the page refreshes and nothing is saved. I go to Advanced and type something in all the fields and the same thing happens.
ljm42 Posted February 17, 2022 Author 3 hours ago, nxtiak said: When I type anything in the Local Name (anything like 1234 or myserver) and click Apply, the cursor goes to Local Public Key to enter a value. I click Generate Keypair, then I click Apply and the page refreshes and nothing is saved. I go to Advanced and type something in all the fields and the same thing happens. Can you try a different browser?
nxtiak Posted February 17, 2022 1 hour ago, ljm42 said: Can you try a different browser? I just tried with Firefox and the same thing happens. The screen refreshes when I click Apply.
bonienl Posted February 17, 2022 Can you open a terminal window and show the output of (assuming you want to activate tunnel 0):
wg-quick up wg0
nxtiak Posted February 18, 2022 8 hours ago, bonienl said: Can you open a terminal window and show the output of (assuming you want to activate tunnel 0): wg-quick up wg0
root@Server:~# wg-quick up wg0
wg-quick: `/etc/wireguard/wg0.conf' does not exist
root@Server:~#
bonienl Posted February 21, 2022 The conf file should reside on your USB drive. Have you tried to do a file system repair of the USB drive? Take the drive out (after shutting down) and run a repair on a Windows machine.
nxtiak Posted February 22, 2022 5 hours ago, bonienl said: The conf file should reside on your USB drive. Have you tried to do a file system repair of the USB drive? Take the drive out (after shutting down) and run a repair on a Windows machine. So I did that last week and it found errors. So today I decided it's probably time to swap out the USB drive. Just did it and I'm able to save the configuration but can't activate. wg-quick up wg0 now gives an error:
root@Server:~# wg-quick up wg0
[#] ip link add wg0 type wireguard
Error: Unknown device type.
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
root@Server:~#
Fatcat87 Posted February 27, 2022 I have WireGuard up and running and I am able to connect to my Unraid server from anywhere. It works awesome. I am working out of the country currently and I am still able to connect to my local network, but I was under the impression that I could use the WireGuard VPN to get around geo-blockers and visit websites and video services as if I was in my home country (USA). But when I try and hit, for instance, a local Florida news website, www.WESH.com, I get stopped saying: "Sorry, this content is not available in your region." My type of access is "Remote Tunneled Access". TIA
Thomas K Posted March 4, 2022 (edited) Hi, the setup "Remote access to LAN" works fine and the client is connected and can ping the IPs in the remote LAN. But in the config I set "Local tunnel firewall" to Allow and only set 10.0.0.11 as allowed. Nevertheless I am able to ping 10.0.0.10 (Unraid Server itself) - no other hosts. Is that by design and cannot be removed? Attached is the generated iptables config:
# Generated by iptables-save v1.8.5 on Fri Mar 4 21:31:04 2022
*mangle
:PREROUTING ACCEPT [585916432:1133041336885]
:INPUT ACCEPT [40469455:499819706678]
:FORWARD ACCEPT [546394462:633615039025]
:OUTPUT ACCEPT [32114760:4849559837]
:POSTROUTING ACCEPT [578543223:638470079442]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
COMMIT
# Completed on Fri Mar 4 21:31:04 2022
# Generated by iptables-save v1.8.5 on Fri Mar 4 21:31:04 2022
*nat
:PREROUTING ACCEPT [98:29053]
:INPUT ACCEPT [67:21594]
:OUTPUT ACCEPT [32:2057]
:POSTROUTING ACCEPT [60:9200]
:DOCKER - [0:0]
:LIBVIRT_PRT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3875 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8181 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 4443 -j MASQUERADE
-A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3875 -j DNAT --to-destination 172.17.0.2:3875
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 7818 -j DNAT --to-destination 172.17.0.4:8181
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 1880 -j DNAT --to-destination 172.17.0.4:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18443 -j DNAT --to-destination 172.17.0.4:4443
COMMIT
# Completed on Fri Mar 4 21:31:04 2022
# Generated by iptables-save v1.8.5 on Fri Mar 4 21:31:04 2022
*filter
:INPUT ACCEPT [2045:465504]
:FORWARD ACCEPT [188:71769]
:OUTPUT ACCEPT [1269:1510752]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:WIREGUARD - [0:0]
:WIREGUARD_DROP_WG0 - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -j WIREGUARD
-A OUTPUT -j LIBVIRT_OUT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3875 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8181 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4443 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A WIREGUARD -o br0 -j WIREGUARD_DROP_WG0
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -j DROP
-A WIREGUARD_DROP_WG0 -j RETURN
COMMIT
# Completed on Fri Mar 4 21:31:04 2022
Edited March 4, 2022 by Thomas K
bonienl Posted March 4, 2022 The WireGuard tunnel terminates on Unraid itself; you cannot exclude Unraid as a destination. iptables is used for accessing or blocking other devices in your LAN.
Thomas K Posted March 5, 2022 (edited)
-A WIREGUARD -o br0 -j WIREGUARD_DROP_WG0
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -j DROP
-A WIREGUARD_DROP_WG0 -j RETURN
Why are the iptables rules created on br0 and not wg0? A tcpdump shows that the traffic from the peer to the WireGuard host is not crossing br0, only wg0, so the rule does not match. Traffic from the peer to other local LAN destinations crosses br0 and so the rule matches. Edited March 5, 2022 by Thomas K
Thomas K Posted March 5, 2022 Worked it out: you have to filter the INPUT chain of the wg0 device for incoming traffic. My example if someone else needs it:
iptables -N WIREGUARD_INPUT
iptables -N WIREGUARD_DROP_WG0_INPUT
iptables -A INPUT -j WIREGUARD_INPUT
iptables -A WIREGUARD_INPUT -i wg0 -j WIREGUARD_DROP_WG0_INPUT
iptables -A WIREGUARD_DROP_WG0_INPUT -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
iptables -A WIREGUARD_DROP_WG0_INPUT -s 10.253.0.0/24 -j DROP
iptables -A WIREGUARD_DROP_WG0_INPUT -j RETURN
bonienl Posted March 5, 2022 This is a nice enhancement. I see for a future update.
Thomas K Posted March 6, 2022 That would be great for a future update. Streamlined version building on the existing WIREGUARD_DROP_WG0:
iptables -N WIREGUARD_INPUT
iptables -A INPUT -j WIREGUARD_INPUT
iptables -A WIREGUARD_INPUT -i wg0 -j WIREGUARD_DROP_WG0
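The gap Thomas K found, and the fix above, can be checked offline against an iptables-save dump. The following is an added example, not code from the thread or from Unraid: a minimal evaluator for the -s/-d/-i/-o matches that walks INPUT and FORWARD the way netfilter does, using a constructed excerpt of the *filter rules posted above. The peer address 10.253.0.2 and LAN host 10.0.0.20 are assumed sample values.

```python
import ipaddress

# Constructed excerpt of the *filter table posted above: the WIREGUARD chain is reached
# only from FORWARD, and only for packets leaving via br0, so INPUT on wg0 is never filtered.
FORWARD_ONLY = """
-A FORWARD -j WIREGUARD
-A WIREGUARD -o br0 -j WIREGUARD_DROP_WG0
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -d 10.0.0.11/32 -j ACCEPT
-A WIREGUARD_DROP_WG0 -s 10.253.0.0/24 -j DROP
-A WIREGUARD_DROP_WG0 -j RETURN
"""
# The streamlined fix from the thread: also hook the same chain from INPUT for packets arriving on wg0.
WITH_INPUT_HOOK = FORWARD_ONLY + """
-A INPUT -j WIREGUARD_INPUT
-A WIREGUARD_INPUT -i wg0 -j WIREGUARD_DROP_WG0
"""

POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}  # built-in chain policies
OPT = {"-s": "src", "-d": "dst", "-i": "in_if", "-o": "out_if"}         # the only matches modelled

def parse(save_text):
    """Return {chain: [(matches, target), ...]} from the -A lines of an iptables-save dump."""
    chains = {}
    for line in save_text.splitlines():
        p = line.split()
        if p and p[0] == "-A":
            matches = {OPT[p[i]]: p[i + 1] for i in range(2, len(p) - 1) if p[i] in OPT}
            chains.setdefault(p[1], []).append((matches, p[p.index("-j") + 1]))
    return chains

def _hit(rule, pkt):
    """True when every -s/-d/-i/-o match applies to the packet (negation '!' is not modelled)."""
    for key, val in rule.items():
        if key in ("src", "dst"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(val, strict=False):
                return False
        elif pkt.get(key) != val:
            return False
    return True

def verdict(chains, chain, pkt):
    """First terminating target wins; RETURN or end of a user chain hands back; built-in end = policy."""
    for rule, target in chains.get(chain, []):
        if not _hit(rule, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        sub = verdict(chains, target, pkt)  # jump into a user-defined chain
        if sub != "RETURN":
            return sub
    return POLICY.get(chain, "RETURN")
```

With FORWARD_ONLY a peer packet to the Unraid host itself (10.253.0.2 -> 10.0.0.10, in on wg0) reaches INPUT and falls through to the ACCEPT policy, while the same peer's packet to 10.0.0.20 via br0 is dropped in FORWARD; with WITH_INPUT_HOOK the packet to the host is dropped too, and LAN-originated traffic on br0 still passes INPUT.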